In this tutorial I will show how to take a TCP dump on different operating systems. Here we mainly focus on
• Linux Servers
• Open VMS Servers
• Windows Servers
Taking a TCP dump on Linux.
To take a TCP dump on Linux we use the tcpdump command. tcpdump is a network utility that listens to and records traffic on a network segment. This is highly useful in troubleshooting and monitoring network activity: when preliminary troubleshooting does not solve a network problem, sometimes it is only at the packet or frame level that you will find your answer.
Using man tcpdump you can get the optional parameters / filters for the tcpdump command. The synopsis is as follows.
SYNOPSIS
tcpdump [ -AdDeflLnNOpqRStuUvxX ] [ -c count ]
[ -C file_size ] [ -F file ]
[ -i interface ] [ -m module ] [ -M secret ] [ -r file ]
[ -s snaplen ] [ -T type ] [ -w file ]
[ -W filecount ] [ -E spi@ipaddr algo:secret,... ]
[ -y datalinktype ] [ -Z user ]
[ expression ]
Steps to capture a tcpdump.
1. You must be logged in as root, because tcpdump needs raw socket access to the interface. You can check this with the whoami command. (The -Z user option in the synopsis lets tcpdump drop back to an unprivileged user once the capture socket is open, so the capture itself does not keep running as root.)
[root@xxxx xx]# whoami
root
2. Check which Ethernet interfaces are connected. You can get this with
netstat -i
(on newer systems, ip -s link shows the same interfaces and error counters). If there are errors in the TX-ERR or RX-ERR columns, please do the troubleshooting described in the following link: NetworkTroubleshoot
3. Let's start with capturing packets based on network interface, ports and protocols. Assume I want to capture TCP packets that flow over eth0 on port 9001. The dump file will be saved as test.pcap (note that -w silently overwrites an existing file of that name).
tcpdump -w test.pcap -i eth0 tcp port 9001
4. If at the same time we also need to capture traffic on TCP port 9002 (the "tcp port" qualifier carries over to the second number):
tcpdump -w test.pcap -i eth0 tcp port 9001 or 9002
5. If we need to capture traffic on two different protocols. The parentheses group the two UDP ports under one "udp port" qualifier; they are escaped with backslashes (or the whole expression is quoted) so the shell does not interpret them:
tcpdump -w test.pcap -i eth0 tcp port 9001 or udp port \( 33210 or 33220 \)
6. If we need to capture traffic to or from a particular node, on all interfaces and with full-size packets (-s 0):
tcpdump -i any -s 0 -w test.pcap host 10.xxx.xxx.xxx
7. If we need to save the capture file to a different path. Keep in mind that a capture file can contain credentials and other sensitive payload, so store it with restrictive permissions and delete it when the troubleshooting is done:
tcpdump -i any -s 0 -w /tmp/test.pcap host 10.xxx.xxx.xxx
8. You can also tell tcpdump which direction you are interested in: destination IP or source IP. Say I want to sniff traffic to destination IP 10.168.28.22 on TCP port 22 ("dst 10.168.28.22" is shorthand for "dst host 10.168.28.22"):
tcpdump -w test.pcap dst 10.168.28.22 and tcp port 22
9. By default, older versions of tcpdump (3.9.x) save only the first 96 bytes of each packet, so payloads are truncated; newer versions (4.0 and later) save the whole packet. You can override the snapshot length with -s. A value of 1550 covers a full 1500-byte Ethernet frame plus headers, and -s 0 means "the whole packet":
tcpdump -w test.pcap -s 1550 dst 10.168.28.22 and tcp port 22
10. Some versions of tcpdump allow you to define a port range. Use the following to capture packets on a range of TCP ports:
tcpdump tcp portrange 20-24
11. How about reading a pcap that I saved previously? The -nn tells tcpdump not to resolve IP addresses to hostnames or port numbers to service names. Reading a file does not require root:
tcpdump -nnr test.pcap
12. Adding -tttt prints the timestamp in a more readable format, as date and time of day on each line:
tcpdump -ttttnnr test.pcap
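The steps above collected into one small script, added here as an example and not part of the original post. It builds the filter expression from a protocol, a list of ports or port ranges, and an optional host (so the parentheses from step 5 never have to be escaped on the command line), runs the pre-checks from steps 1 and 2, captures with full-size packets and rotating output files, and reads a file back as in steps 11 and 12. The interface names, addresses and ports are placeholders, the rotation sizes are an arbitrary choice, and the unprivileged user named tcpdump that -Z drops to is assumed to exist (many distribution packages create it).

```shell
#!/bin/sh
# Added example (not from the original post): a wrapper around tcpdump that
# applies the steps above. Interface names, ports, hosts, rotation sizes and
# the "tcpdump" unprivileged user are placeholders assumed for illustration.
set -eu

# Build a pcap-filter expression from a protocol (tcp/udp), a space-separated
# list of ports or port ranges ("9001 9002", "20-24"), and an optional host
# spec ("IP", "src IP" or "dst IP"). Every port gets its own "tcp port N" or
# "tcp portrange A-B" term, so the result is valid however many are given; a
# host term is ANDed with the (parenthesised) port terms.
build_filter() {
    local proto="$1" ports="$2" hostspec="${3:-}"
    local p term terms="" hostterm=""
    for p in $ports; do
        case "$p" in
            *[!0-9-]* | -* | *-) echo "invalid port: $p" >&2; return 1 ;;
            *-*) term="$proto portrange $p" ;;
            *)   term="$proto port $p" ;;
        esac
        terms="${terms:+$terms or }$term"
    done
    [ -n "$terms" ] || terms="$proto"
    case "$hostspec" in
        "")              ;;
        src\ * | dst\ *) hostterm="${hostspec%% *} host ${hostspec#* }" ;;
        *)               hostterm="host $hostspec" ;;
    esac
    if [ -z "$hostterm" ]; then
        printf '%s\n' "$terms"
    elif [ "$terms" != "${terms#* or }" ]; then
        printf '%s and (%s)\n' "$hostterm" "$terms"
    else
        printf '%s and %s\n' "$hostterm" "$terms"
    fi
}

# Steps 1 and 2: capturing needs root (or a tcpdump binary carrying
# CAP_NET_RAW/CAP_NET_ADMIN), and the interface must exist ("any" is special).
check_prereqs() {
    local iface="$1"
    if [ "$(id -u)" -ne 0 ]; then
        echo "capture must run as root" >&2; return 1
    fi
    if [ "$iface" != any ] && [ ! -e "/sys/class/net/$iface" ]; then
        echo "no such interface: $iface" >&2; return 1
    fi
}

# Steps 3-9: capture whole packets (-s 0) on IFACE matching EXPR into OUTFILE.
# -C 100 -W 5 rotates through five 100 MB files so a long capture cannot fill
# the disk; -Z drops root to the assumed "tcpdump" user once the capture
# socket is open; umask 077 keeps the files, which may hold credentials and
# other sensitive payload, readable only by their owner.
capture() {
    local iface="$1" outfile="$2" expr="$3"
    check_prereqs "$iface"
    umask 077
    tcpdump -i "$iface" -s 0 -C 100 -W 5 -Z tcpdump -w "$outfile" "$expr"
}

# Steps 11 and 12: read a saved file back without name/port resolution (-nn)
# and with a full date-and-time timestamp on every line (-tttt).
read_capture() {
    tcpdump -nn -tttt -r "$1"
}

usage() {
    echo "usage: $0 capture IFACE OUTFILE PROTO 'PORTS' [HOSTSPEC] | read FILE" >&2
    exit 2
}

main() {
    case "${1:-}" in
        capture) [ $# -ge 5 ] || usage
                 capture "$2" "$3" "$(build_filter "$4" "$5" "${6:-}")" ;;
        read)    [ $# -eq 2 ] || usage
                 read_capture "$2" ;;
        *)       usage ;;
    esac
}

# Example: ./tcpdump-wrap.sh capture eth0 /tmp/test.pcap tcp "9001 9002" "dst 10.168.28.22"
# runs tcpdump with the filter: dst host 10.168.28.22 and (tcp port 9001 or tcp port 9002)
# Dispatch only when arguments are given, so the file can be sourced for its functions.
[ $# -eq 0 ] || main "$@"
```

The filter is passed to tcpdump as a single argument, so its parentheses reach the filter compiler without any shell escaping. Because -Z switches to the unprivileged user before the rotated files are created, the output directory must be writable by that user; drop -Z if it is not, or point OUTFILE at a directory that user owns.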