
TCPDUMP - A MUST!

tcpdump is one of the most powerful Linux/Unix commands for analyzing network packets, mainly for troubleshooting. It captures the packets received or sent on a specific network interface.

tcpdump is mainly used on Linux/Unix distributions and can be installed easily.

INSTALLING TCPDUMP

$ sudo apt-get install tcpdump       [On Debian, Ubuntu and Mint]

$ sudo yum install tcpdump           [On RHEL/CentOS/Fedora and Rocky Linux/AlmaLinux]

$ sudo emerge -a sys-apps/tcpdump    [On Gentoo Linux]

$ sudo pacman -S tcpdump             [On Arch Linux]

$ sudo zypper install tcpdump        [On OpenSUSE]

TCPDUMP COMMANDS

1. CAPTURE HOST
   # tcpdump -i <interface name> host <host ip>
   # tcpdump -i eth0 host 10.1.1.1

2. NO DOMAIN LOOKUP
   # tcpdump -i eth0 -n host 8.8.8.8

3. NO DOMAIN AND PROTOCOL LOOKUP
   # tcpdump -i eth0 -nn host 8.8.8.8

4. CAPTURE SERVICE
   # tcpdump -i eth0 -nn port 443

5. CAPTURE HOST AND SERVICE
   # tcpdump -i eth0 -nn host 118.91.171.10 and port 80

6. CAPTURE HOST AND PROTOCOL
   # tcpdump -i eth0 -nn host 118.91.171.10 and udp 

7. NEGATE FILTER
   # tcpdump -i eth0 -nn host 118.91.171.10 and not icmp -c 5

8. COMPLEX COMBINATION
   # tcpdump -i eth0 -nn '(dst 8.8.8.8 or dst 1.1.1.1) and port 443' -c 10
   Note: in the filter language "and" binds tighter than "or", so the parentheses are needed (quoted so the shell does not interpret them); without them the expression would match all traffic to 8.8.8.8 regardless of port.

9. CAPTURE MAC ADDRESS
   # tcpdump -i eth0 -nn -e host 8.8.8.8 and icmp -c 100

10. VPN TRAFFIC
    # tcpdump -i eth0 -nn host 118.91.171.10 and esp -c 50                  (FOR PHASE II)
    # tcpdump -i eth0 -nn host 118.91.171.10 and udp and port 500 -c 100    (IKE PHASE I)

11. VERBOSE (PROVIDES HEADER LEVEL INFO)
    # tcpdump -i eth0 -nn -vv host 118.91.171.10 and tcp -c 100

12. SAVE THE CAPTURE FILES
    # tcpdump -i eth0 -nn -vv host 118.91.171.10 and port 80 -c 100 > /var/log/capture.txt
    # tcpdump -i eth0 -nn -vv host 118.91.171.10 and port 80 -c 100 -w /var/log/capture.cap
    Note: redirecting with > only saves the decoded text output. -w writes the raw packets in pcap format, which can be read back with tcpdump -r /var/log/capture.cap or opened in Wireshark.
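As an added example that is not part of the original post, the following Python checks whether a saved file really is a libpcap capture of the kind `tcpdump -w` writes (a text redirect with `>` produces no pcap header) and walks its packet records; the sample capture bytes are constructed inline rather than taken from a real interface.

```python
import struct

# tcpdump -w writes classic libpcap: a 24-byte global header, then per packet
# a 16-byte record header followed by the captured bytes.
# Magic as read little-endian -> (struct byte order, timestamp ticks per second)
PCAP_MAGICS = {
    0xA1B2C3D4: ("<", 1_000_000),      # little-endian, microseconds
    0xD4C3B2A1: (">", 1_000_000),      # big-endian, microseconds
    0xA1B23C4D: ("<", 1_000_000_000),  # little-endian, nanoseconds
    0x4D3CB2A1: (">", 1_000_000_000),  # big-endian, nanoseconds
}


def parse_pcap(data):
    """Parse classic pcap bytes; raise ValueError if they are not a pcap file."""
    if len(data) < 24:
        raise ValueError("too short for a pcap global header")
    (magic,) = struct.unpack_from("<I", data, 0)
    if magic not in PCAP_MAGICS:
        # A text redirect (> file.cap) or a pcapng file lands here.
        raise ValueError("no pcap magic: not a capture written with tcpdump -w")
    order, ticks = PCAP_MAGICS[magic]
    # version major/minor, thiszone, sigfigs, snaplen, linktype
    major, minor, _, _, snaplen, linktype = struct.unpack_from(order + "HHiIII", data, 4)
    packets, off = [], 24
    while off < len(data):
        if off + 16 > len(data):
            raise ValueError("truncated record header at offset %d" % off)
        sec, frac, caplen, origlen = struct.unpack_from(order + "IIII", data, off)
        off += 16
        if caplen > snaplen or off + caplen > len(data):
            raise ValueError("corrupt record at offset %d" % (off - 16))
        packets.append({"ts": sec + frac / ticks, "caplen": caplen,
                        "origlen": origlen, "bytes": data[off:off + caplen]})
        off += caplen
    return {"version": (major, minor), "linktype": linktype,
            "snaplen": snaplen, "packets": packets}

def is_pcap(data):
    try:
        parse_pcap(data)
        return True
    except ValueError:
        return False

def build_sample_pcap():
    """Constructed one-packet pcap (linktype 1 = Ethernet), standing in for a real -w file."""
    frame = b"\xff" * 6 + b"\x00\x11\x22\x33\x44\x55" + b"\x08\x00" + b"\x45" + b"\x00" * 19
    header = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 262144, 1)
    record = struct.pack("<IIII", 1700000000, 500000, len(frame), len(frame)) + frame
    return header + record
```

To check a real file, pass `open("/var/log/capture.cap", "rb").read()` to `is_pcap`; a `.cap` produced with `>` instead of `-w` is rejected because its first bytes are timestamp text, not the pcap magic.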

13. CAPTURE NETWORK
    # tcpdump -i eth0 -nn net 118.91.171.0/24

Note: Capturing for a network can only be done for a classful network; we cannot define a classless network. tcpdump will simply not capture the packets.