Difference between revisions of "Tcpdump"
From Linuxintro
imported>ThorstenStaerk m (→SNMP) |
|||
| Line 1: | Line 1: | ||
| − | tcpdump is a [[command]] that allows you to monitor your network traffic. | + | tcpdump is a [[command]] that allows you to monitor your network traffic. Let's [[set up a web server]] that has nothing but an index.html file saying "hello". Here is how we monitor traffic on it for localhost: |
| + | # tcpdump -Ai lo port 80 | ||
| + | Once we start requesting an html page, tcpdump gets active: | ||
| + | <pre> | ||
| + | tcpdump: verbose output suppressed, use -v or -vv for full protocol decode | ||
| + | listening on lo, link-type EN10MB (Ethernet), capture size 262144 bytes | ||
| + | 21:46:20.363064 IP6 localhost.49816 > localhost.http: Flags [S], seq 1873285701, win 43690, options [mss 65476,sackOK,TS val 1957802 ecr 0,nop,wscale 7], length 0 | ||
| + | `....(.@...................................Po..E.........0......... | ||
| + | ............ | ||
| + | 21:46:20.363089 IP6 localhost.http > localhost.49816: Flags [S.], seq 302679655, ack 1873285702, win 43690, options [mss 65476,sackOK,TS val 1957802 ecr 1957802,nop,wscale 7], length 0 | ||
| + | `....(.@.................................P... | ||
| + | .go..F.....0......... | ||
| + | ............ | ||
| + | 21:46:20.363109 IP6 localhost.49816 > localhost.http: Flags [.], ack 1, win 342, options [nop,nop,TS val 1957802 ecr 1957802], length 0 | ||
| + | `.... .@...................................Po..F. | ||
| + | .h...V.(..... | ||
| + | ........ | ||
| + | 21:46:20.363153 IP6 localhost.49816 > localhost.http: Flags [P.], seq 1:117, ack 1, win 342, options [nop,nop,TS val 1957802 ecr 1957802], length 116 | ||
| + | `......@...................................Po..F. | ||
| + | .h...V....... | ||
| + | ........GET /index.htm HTTP/1.1 | ||
| + | User-Agent: Wget/1.16 (linux-gnu) | ||
| + | Accept: */* | ||
| + | Host: localhost | ||
| + | Connection: Keep-Alive | ||
| + | |||
| + | |||
| + | 21:46:20.363173 IP6 localhost.http > localhost.49816: Flags [.], ack 117, win 342, options [nop,nop,TS val 1957802 ecr 1957802], length 0 | ||
| + | `.... .@.................................P... | ||
| + | .ho......V.(..... | ||
| + | ........ | ||
| + | 21:46:20.363500 IP6 localhost.http > localhost.49816: Flags [P.], seq 1:273, ack 117, win 342, options [nop,nop,TS val 1957803 ecr 1957802], length 272 | ||
| + | `....0.@.................................P... | ||
| + | .ho......V.8..... | ||
| + | ........HTTP/1.1 200 OK | ||
| + | Date: Wed, 18 Nov 2015 20:46:20 GMT | ||
| + | Server: Apache | ||
| + | Last-Modified: Fri, 30 Jan 2015 06:33:25 GMT | ||
| + | ETag: "6-50dd8c82254d0" | ||
| + | Accept-Ranges: bytes | ||
| + | Content-Length: 6 | ||
| + | Keep-Alive: timeout=15, max=100 | ||
| + | Connection: Keep-Alive | ||
| + | Content-Type: text/html | ||
| + | |||
| + | hallo | ||
| + | |||
| + | 21:46:20.363518 IP6 localhost.49816 > localhost.http: Flags [.], ack 273, win 350, options [nop,nop,TS val 1957803 ecr 1957803], length 0 | ||
| + | `.... .@...................................Po.... | ||
| + | .x...^.(..... | ||
| + | ........ | ||
| + | 21:46:20.365359 IP6 localhost.49816 > localhost.http: Flags [F.], seq 117, ack 273, win 350, options [nop,nop,TS val 1957805 ecr 1957803], length 0 | ||
| + | `.... .@...................................Po.... | ||
| + | .x...^.(..... | ||
| + | ........ | ||
| + | 21:46:20.365417 IP6 localhost.http > localhost.49816: Flags [F.], seq 273, ack 118, win 342, options [nop,nop,TS val 1957805 ecr 1957805], length 0 | ||
| + | `.... .@.................................P... | ||
| + | .xo......V.(..... | ||
| + | ........ | ||
| + | 21:46:20.365430 IP6 localhost.49816 > localhost.http: Flags [.], ack 274, win 350, options [nop,nop,TS val 1957805 ecr 1957805], length 0 | ||
| + | `.... .@...................................Po.... | ||
| + | .y...^.(..... | ||
| + | ........ | ||
| + | ^C | ||
| + | 10 packets captured | ||
| + | 20 packets received by filter | ||
| + | 0 packets dropped by kernel | ||
| + | </pre> | ||
= Examples = | = Examples = | ||
Revision as of 20:48, 18 November 2015
tcpdump is a command that allows you to monitor your network traffic. Let's set up a web server that has nothing but an index.html file saying "hello". Here is how we monitor traffic on it for localhost:
# tcpdump -Ai lo port 80
Once we start requesting an html page, tcpdump gets active:
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode listening on lo, link-type EN10MB (Ethernet), capture size 262144 bytes 21:46:20.363064 IP6 localhost.49816 > localhost.http: Flags [S], seq 1873285701, win 43690, options [mss 65476,sackOK,TS val 1957802 ecr 0,nop,wscale 7], length 0 `....(.@...................................Po..E.........0......... ............ 21:46:20.363089 IP6 localhost.http > localhost.49816: Flags [S.], seq 302679655, ack 1873285702, win 43690, options [mss 65476,sackOK,TS val 1957802 ecr 1957802,nop,wscale 7], length 0 `....(.@.................................P... .go..F.....0......... ............ 21:46:20.363109 IP6 localhost.49816 > localhost.http: Flags [.], ack 1, win 342, options [nop,nop,TS val 1957802 ecr 1957802], length 0 `.... .@...................................Po..F. .h...V.(..... ........ 21:46:20.363153 IP6 localhost.49816 > localhost.http: Flags [P.], seq 1:117, ack 1, win 342, options [nop,nop,TS val 1957802 ecr 1957802], length 116 `......@...................................Po..F. .h...V....... ........GET /index.htm HTTP/1.1 User-Agent: Wget/1.16 (linux-gnu) Accept: */* Host: localhost Connection: Keep-Alive 21:46:20.363173 IP6 localhost.http > localhost.49816: Flags [.], ack 117, win 342, options [nop,nop,TS val 1957802 ecr 1957802], length 0 `.... .@.................................P... .ho......V.(..... ........ 21:46:20.363500 IP6 localhost.http > localhost.49816: Flags [P.], seq 1:273, ack 117, win 342, options [nop,nop,TS val 1957803 ecr 1957802], length 272 `....0.@.................................P... .ho......V.8..... ........HTTP/1.1 200 OK Date: Wed, 18 Nov 2015 20:46:20 GMT Server: Apache Last-Modified: Fri, 30 Jan 2015 06:33:25 GMT ETag: "6-50dd8c82254d0" Accept-Ranges: bytes Content-Length: 6 Keep-Alive: timeout=15, max=100 Connection: Keep-Alive Content-Type: text/html hallo 21:46:20.363518 IP6 localhost.49816 > localhost.http: Flags [.], ack 273, win 350, options [nop,nop,TS val 1957803 ecr 1957803], length 0 `.... .@...................................Po.... .x...^.(..... ........ 21:46:20.365359 IP6 localhost.49816 > localhost.http: Flags [F.], seq 117, ack 273, win 350, options [nop,nop,TS val 1957805 ecr 1957803], length 0 `.... .@...................................Po.... .x...^.(..... ........ 21:46:20.365417 IP6 localhost.http > localhost.49816: Flags [F.], seq 273, ack 118, win 342, options [nop,nop,TS val 1957805 ecr 1957805], length 0 `.... .@.................................P... .xo......V.(..... ........ 21:46:20.365430 IP6 localhost.49816 > localhost.http: Flags [.], ack 274, win 350, options [nop,nop,TS val 1957805 ecr 1957805], length 0 `.... .@...................................Po.... .y...^.(..... ........ ^C 10 packets captured 20 packets received by filter 0 packets dropped by kernel
Contents
Examples
dhcp
You can watch out for dhcp communication on your network using:
tcpdump -i eth1 port 67 and port 68
SNMP
You can display incoming snmp traps using:
tcpdump -A port 162 -l | hexdump -C
