Tcpdump cheat sheet
In another post we have explained the tcpdump command and its various uses. This tcpdump cheat sheet is a quick reference for taking captures with different filters. The examples are short and easy to understand, and each command comes with a detailed example.
Capture tcpdump ICMP:
ICMP (Internet Control Message Protocol) is a common protocol for network troubleshooting. ICMP messages are carried directly over IP to the peer. Every device on a network can handle and generate ICMP events. If you want to see those events on the wire, you need to capture the relevant packets. The tcpdump command lets you specify icmp as the capture filter:
[root@CentOs]# tcpdump -i any icmp
Here we capture on all interfaces of the Linux machine (-i any); you can instead name only the interface you are interested in. How do we test that the tcpdump icmp filter is working? ICMP provides an ECHO request and ECHO reply message pair. From a Windows command prompt type "ping ip_address", where ip_address is the address of the Linux machine on which tcpdump is running.
You will see the following on the Linux terminal:
17:43:10.794761 IP 192.168.1.4 > CentOs7-181: ICMP echo request, id 1, seq 813, length 40
17:43:10.794826 IP CentOs7-181 > 192.168.1.4: ICMP echo reply, id 1, seq 813, length 40
17:43:11.891571 IP 192.168.1.4 > CentOs7-181: ICMP echo request, id 1, seq 814, length 40
17:43:11.891629 IP CentOs7-181 > 192.168.1.4: ICMP echo reply, id 1, seq 814, length 40
17:43:12.987568 IP 192.168.1.4 > CentOs7-181: ICMP echo request, id 1, seq 815, length 40
17:43:12.987624 IP CentOs7-181 > 192.168.1.4: ICMP echo reply, id 1, seq 815, length 40
17:43:14.098963 IP 192.168.1.4 > CentOs7-181: ICMP echo request, id 1, seq 816, length 40
17:43:14.098987 IP CentOs7-181 > 192.168.1.4: ICMP echo reply, id 1, seq 816, length 40
ICMP has many message types; ECHO is one of them. You may want to capture only ECHO request packets. This keeps the capture file small and makes the packets easier to analyse in Wireshark. The following command does that:
[root@CentOs]# tcpdump -i any 'icmp[icmptype] == 8'
Here 8 is the numeric value of the ECHO request message type (the ECHO reply is type 0). The filter expression is quoted so that the shell does not try to interpret the square brackets. tcpdump also accepts the symbolic name, so icmp[icmptype] == icmp-echo is equivalent.
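The output above is what you get on the terminal; what a practitioner usually wants next is to confirm that every ECHO request got a reply and how long it took. The following Python script is an added example, not part of the original post: it parses the tcpdump lines shown above (embedded here as a constructed sample, with the reply for seq 815 removed on purpose so there is an unanswered request to handle), applies the same type-8 / type-0 selection that icmp[icmptype] == 8 does in the BPF filter, and pairs requests with replies by (id, seq) to compute the round-trip time in microseconds.

```python
import re

# ICMP type numbers used by the tcpdump filter icmp[icmptype] == N
ICMP_ECHO_REPLY = 0
ICMP_ECHO_REQUEST = 8

# Constructed sample: the "tcpdump -i any icmp" output from the article, one
# record per line, with the reply for seq 815 deliberately removed so that the
# pairing code has an unanswered request to deal with.
SAMPLE_CAPTURE = """\
17:43:10.794761 IP 192.168.1.4 > CentOs7-181: ICMP echo request, id 1, seq 813, length 40
17:43:10.794826 IP CentOs7-181 > 192.168.1.4: ICMP echo reply, id 1, seq 813, length 40
17:43:11.891571 IP 192.168.1.4 > CentOs7-181: ICMP echo request, id 1, seq 814, length 40
17:43:11.891629 IP CentOs7-181 > 192.168.1.4: ICMP echo reply, id 1, seq 814, length 40
17:43:12.987568 IP 192.168.1.4 > CentOs7-181: ICMP echo request, id 1, seq 815, length 40
17:43:14.098963 IP 192.168.1.4 > CentOs7-181: ICMP echo request, id 1, seq 816, length 40
17:43:14.098987 IP CentOs7-181 > 192.168.1.4: ICMP echo reply, id 1, seq 816, length 40
"""

# One tcpdump ICMP echo line: timestamp, src > dst, request/reply, id, seq, length.
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d{6}) IP (?P<src>\S+) > (?P<dst>\S+): "
    r"ICMP echo (?P<kind>request|reply), id (?P<id>\d+), seq (?P<seq>\d+), "
    r"length (?P<length>\d+)$"
)


def ts_to_us(ts):
    """Convert tcpdump's HH:MM:SS.ffffff timestamp to microseconds since midnight."""
    hms, frac = ts.split(".")
    h, m, s = (int(x) for x in hms.split(":"))
    return (h * 3600 + m * 60 + s) * 1_000_000 + int(frac)


def parse_line(line):
    """Parse one echo request/reply line; return None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    kind = m.group("kind")
    return {
        "ts_us": ts_to_us(m.group("ts")),
        "src": m.group("src"),
        "dst": m.group("dst"),
        "type": ICMP_ECHO_REQUEST if kind == "request" else ICMP_ECHO_REPLY,
        "id": int(m.group("id")),
        "seq": int(m.group("seq")),
        "length": int(m.group("length")),
    }


def parse_capture(text):
    """Parse a block of tcpdump output, skipping lines that are not echo packets."""
    return [rec for rec in (parse_line(ln) for ln in text.splitlines()) if rec]


def filter_by_type(records, icmptype):
    """Post-capture equivalent of the BPF filter icmp[icmptype] == icmptype."""
    return [rec for rec in records if rec["type"] == icmptype]


def pair_echoes(records):
    """Match each echo request with its reply by (id, seq).

    Returns {(id, seq): rtt_in_microseconds}, with None for an unanswered
    request. A reply with no preceding request is ignored. Timestamps are
    seconds since midnight, so a capture that crosses midnight is not handled.
    """
    pending = {}
    for rec in records:
        key = (rec["id"], rec["seq"])
        if rec["type"] == ICMP_ECHO_REQUEST:
            pending.setdefault(key, {"req": rec["ts_us"], "rep": None})
        elif key in pending and pending[key]["rep"] is None:
            pending[key]["rep"] = rec["ts_us"]
    return {
        key: (v["rep"] - v["req"]) if v["rep"] is not None else None
        for key, v in pending.items()
    }


if __name__ == "__main__":
    records = parse_capture(SAMPLE_CAPTURE)
    print(f"{len(filter_by_type(records, ICMP_ECHO_REQUEST))} echo requests, "
          f"{len(filter_by_type(records, ICMP_ECHO_REPLY))} echo replies")
    for (ident, seq), rtt in sorted(pair_echoes(records).items()):
        status = "no reply" if rtt is None else f"rtt {rtt} us"
        print(f"id {ident} seq {seq}: {status}")
```

Feed it a real capture with `tcpdump -i any -l icmp | python3 script.py` style piping, or save the capture with -w and read it with -r; the regex only understands the echo lines, so tcpdump's other ICMP messages (unreachable, time exceeded) are skipped rather than mis-parsed. Note that tcpdump resolves the local address to the hostname CentOs7-181 here; run it with -n if you want numeric addresses in the src/dst fields.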
Tcpdump port filter:
The following command captures packets on a particular port, here port 5060:
# tcpdump port 5060
The above captures on a single port. For multiple ports, use:
# tcpdump port 5060 or port 5061 or port 5062
If there are many ports (e.g. 100), the above command becomes unwieldy, especially when the ports form a contiguous range. The following command captures packets for a port range:
# tcpdump portrange 5060-5062
For the destination port only:
# tcpdump -i any dst port 5060
For the source port only:
# tcpdump -i any src port 5060
Tcpdump ip filter:
To filter on a single IP address, where the IP can be either the source or the destination:
#tcpdump host 192.168.1.80
To capture for multiple IP addresses (the host qualifier carries over to the second address):
#tcpdump host 192.168.1.80 or 192.168.1.81
To capture only packets coming from a particular source IP:
# tcpdump -i any src host 192.168.2.100
To filter on a destination IP:
#tcpdump -i any dst host 192.168.3.100
The above are examples of single-IP filters. Sometimes you need to capture a whole range of IP addresses, and that is where the subnet mask filter comes in. A subnet mask identifies which bits of the address are the network ID and which are reserved for the host ID. For example the mask 255.255.255.0 says that 24 bits are the network ID and the remaining 8 bits are the host ID; in CIDR notation that is /24. The following example captures packets where the source or destination IP has network ID 192.168.3:
#tcpdump -i any net 192.168.3.0/24
For the source network only:
#tcpdump -n src net 192.168.3.0/24
For the destination network only:
#tcpdump -n dst net 192.168.3.0/24
(-n turns off DNS name resolution, so addresses are printed numerically.)
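Two things in the port and network sections above are easy to get wrong by hand: writing a long list of ports as a filter, and the mask arithmetic that decides which addresses a net filter matches. The following Python is an added example, not part of the original post and not tcpdump's own code. port_filter turns an arbitrary list of ports into the shortest "port N" / "portrange A-B" expression (collapsing consecutive ports into a portrange, as the article does for 5060-5062), in_net performs the same mask-and-compare that the net primitive performs (address & mask == network & mask), and net_filter refuses a network whose host bits are set, which libpcap rejects with a "non-network bits set" error. The helper names and the optional direction argument ('src', 'dst' or '' for either side) are this example's own.

```python
# Build tcpdump/BPF filter expressions for port lists and IPv4 networks, and
# show the mask arithmetic behind the "net" primitive.


def ip_to_int(ip):
    """Dotted-quad IPv4 string to a 32-bit integer."""
    parts = ip.split(".")
    if len(parts) != 4:
        raise ValueError(f"not an IPv4 address: {ip!r}")
    value = 0
    for part in parts:
        octet = int(part)
        if not 0 <= octet <= 255:
            raise ValueError(f"bad octet in {ip!r}")
        value = (value << 8) | octet
    return value


def prefix_to_mask(prefix):
    """/24 -> 0xFFFFFF00 (255.255.255.0): the top `prefix` bits are the network ID."""
    if not 0 <= prefix <= 32:
        raise ValueError("prefix must be 0..32")
    return (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF


def in_net(ip, cidr):
    """True if ip belongs to the network written as A.B.C.D/prefix.

    This is the test the BPF "net" primitive performs: mask off the host bits
    of both addresses and compare the network IDs.
    """
    net, prefix = cidr.split("/")
    mask = prefix_to_mask(int(prefix))
    return (ip_to_int(ip) & mask) == (ip_to_int(net) & mask)


def _qualify(direction, term):
    """Prefix a term with 'src' or 'dst'; '' means either side (no prefix)."""
    if direction not in ("", "src", "dst"):
        raise ValueError("direction must be '', 'src' or 'dst'")
    return f"{direction} {term}" if direction else term


def port_filter(ports, direction=""):
    """Turn a list of ports into the shortest 'port N' / 'portrange A-B' filter.

    Runs of consecutive ports collapse into one portrange term and the terms
    are joined with 'or'. Duplicates are dropped and the list is sorted first.
    """
    unique = sorted(set(ports))
    if not unique:
        raise ValueError("at least one port is required")
    for p in unique:
        if not 0 <= p <= 65535:
            raise ValueError(f"port out of range: {p}")
    terms = []
    start = prev = unique[0]
    for p in unique[1:] + [None]:  # the trailing None flushes the last run
        if p is not None and p == prev + 1:
            prev = p
            continue
        if start == prev:
            terms.append(_qualify(direction, f"port {start}"))
        else:
            terms.append(_qualify(direction, f"portrange {start}-{prev}"))
        start = prev = p
    return " or ".join(terms)


def net_filter(cidr, direction=""):
    """Build a 'net A.B.C.D/prefix' term.

    A network address with host bits set (e.g. 192.168.3.5/24) is rejected
    here, mirroring libpcap's "non-network bits set" compile error.
    """
    net, prefix = cidr.split("/")
    mask = prefix_to_mask(int(prefix))
    if ip_to_int(net) & ~mask & 0xFFFFFFFF:
        raise ValueError(f"host bits set in {cidr!r}")
    return _qualify(direction, f"net {cidr}")


if __name__ == "__main__":
    print(port_filter([5060, 5061, 5062]))               # portrange 5060-5062
    print(port_filter([5062, 5060, 5061, 5070], "dst"))  # dst portrange 5060-5062 or dst port 5070
    print(net_filter("192.168.3.0/24", "src"))           # src net 192.168.3.0/24
    print(in_net("192.168.3.57", "192.168.3.0/24"))      # True
    print(in_net("192.168.4.1", "192.168.3.0/24"))       # False
```

The generated string is passed to tcpdump as a single quoted argument, e.g. tcpdump -i any "$(python3 filter.py)"; quoting matters because the expression contains spaces. Combining a port expression with a net expression needs parentheses, as in '(src net 192.168.3.0/24) and (portrange 5060-5062)', since 'or' binds less tightly than 'and' in BPF filter syntax.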
Capture only a limited number of packets, say N:
#tcpdump -c N
After N packets tcpdump stops. This is useful when you only want to capture the first few packets.
Capture only packets bigger than a fixed size N:
# tcpdump greater N
The above command captures only packets whose length is greater than or equal to N bytes (greater N is shorthand for len >= N; use 'len > N' if you want strictly greater).