Skip to main content

TCPDUMP - A MUST !

 tcpdump is one of the most powerful linux/unix commands that helps us to analyze the network packet mainly for troubleshooting purpose. It mainly captures packets received or transferred over a network on a specific interface . 

tcpdump is mainly used on linux/unix distro and can be easily installed.

INSTALLING TCPDUMP

$ sudo apt-get install tcpdump  [On Debian, Ubuntu and Mint]

$ sudo yum install tcpdump           [On RHEL/CentOS/Fedora and Rocky Linux/AlmaLinux]

$ sudo emerge -a sys-apps/tcpdump    [On Gentoo Linux]

$ sudo pacman -S tcpdump             [On Arch Linux]

$ sudo zypper install tcpdump        [On OpenSUSE]  

TCPDUMP COMMANDS

1. CAPTURE HOST
   # tcpdump -i < interface name >  host <host ip >
   # tcpdump -i eth0 host 10.1.1.1

2. NO DOMAIN LOOKUP
    # tcpdump -i eth0 -n host 8.8.8.8

3. NO DOMAIN AND PROTOCOL LOOKUP
   # tcpdump -i eth0 -nn host 8.8.8.8

4. CAPTURE SERVICE
    # tcpdump -i eth0 -nn port 443

5. CAPTURE HOST AND SERVICE
   # tcpdump -i eth0 -nn host 118.91.171.10 and port 80

6. CAPTURE HOST AND PROTOCOL
   # tcpdump -i eth0 -nn host 118.91.171.10 and udp 

7. NEGATE FILTER
   # tcpdump -i eth0 -nn host 118.91.171.10 and not icmp -c 5

8. COMPLEX COMBINATION
   # tcpdump -i eth0 -nn "dst 8.8.8.8 or dst 1.1.1.1" and port 443 -c 10

9. CAPTURE MAC ADDRESS
    #tcpdump -i eth0 -nn -e host 8.8.8.8 and icmp -c 100

10. VPN TRAFFIC 
    #tcpdump -i eth0 -nn host 118.91.171.10 and esp -c 50 ( FOR PHASE II )
    #tcpdump -i eth0 -nn host 118.91.171.10 and udp and port 500 -c 100 ( IKE PHASE I )

11. VERBOSE ( PROVIDES HEADER LEVEL INFO )
     #tcpdump -i eth0 -nn -vv host 118.91.171.10 and tcp -c 100

12. SAVE THE CAPTURE FILES
     #tcpdump -i eth0 -nn -vv host 118.91.171.10 and port 80 -c 100 > /var/log/capture.txt
     #tcpdump -i eth0 -nn -vv host 118.91.171.10 and port 80 -c 100 > /var/log/capture.cap

13 . CAPTURE NETWORK
     #tcpdump -i eth0 -nn net 118.91.171.0/24
 
Note : Capturing for network can only be for classful network and we cannot define classless network. tcpdump will simply not capture the packet




Comments

Popular posts from this blog

High Availability Palo Alto (Active/Standby)

 High Availability is usually performed in most of the data centers networks today which ensures application availability . High Availability is usually achieved in case one of the appliance goes down or have some physical or logical connectivity issues.  Achieving high availability in Palo Alto firewall is relatively very easy. Palo Alto firewall can work in both Active/Standby mode or in Active/Active. We will basically be talking about Active/Standby mode in this article. There are basically two links that needs to be configure in Palo Alto for HA. 1. Control Links Control Links are associated with control plane traffic which is mainly used for heartbeat exchanged, configuration synchronization. Dedicate HA ports are available in higher series of Palo Alto or even a HA interface can be created for some inband ports.   2. Data Links Data Links are mainly used for session synchronization, forwarding table synchronization. Dedicated HSCI Ports are available for highe...

In-Band vs Out of Band Management

There are always multiple ways of allocating IP address when it comes to management of routers and switches. There are dedicated management port as well as things like SVI ( Switch Virtual Interface) can always come into handy. Why to us SVI when you have a dedicated management port might always come into mind. Let me shortly explain the difference between SVI and dedicated management port and also its use case. Out of Band Management Dedicated management port with dedicate management plane  Better in terms of security More preferable In-Band Switch Virtual Interface (SVI) needs to be created  Data Plane is used instead of dedicated management plane. Not preferable in case of security kept in mind. So why In-Band is required ? So , recently I came across a scenario where I had to connect back to back management port for vPC in Nexus 9000 series switch for peer link connectivity. So, I had to create a SVI interface for managing the device . This can be one of the scenario. The ...

SSL Decryption FortiGate

  We have pretty much heard about SSL decryption and of malware hiding inside an encrypted traffic. A large amount of traffic in the internet is pretty much encrypted which basically means that bad things like malware, virus, ransomware can hide inside this encrypted traffic. If majority of these traffic are encrypted our Firewalls are not able to analyze these traffic which can easily infect our organization and the investment which we have done in these firewalls are wasted. There does come around a solution for this and as my topic suggest SSL Decryption also know as Deep Packet Inspection as by some IT folks. The image that I have attached down below clearly suggest about what I am trying to explain. Using deep packet inspection, the firewall simply decrypts the encrypted traffic happening  between client and server, inspects the content to find the threats and block them , then forwards it to the destination re-encrypting it . We will need to first setup the SSL/SSH in...