Main / Tcpdump
tcpdump options:
  -n              no name resolution
  -i <dev>        specify interface
  -w <filename>   capture file destination (no screen print)

Flags: Flags are some combination of S (SYN), F (FIN), P (PUSH), R (RST), U (URG), W (ECN CWR), E (ECN-Echo) or `.' (ACK), or `none' if no flags are set.

The filtering expression goes at the end:
  sudo tcpdump -i eth0 'src or dst port 1000'
  sudo tcpdump -n -c 10 -i eth0 'tcp[tcpflags] & tcp-push != 0'

To get in-action stats, read /proc/<PID>/net/netstat.

Ignoring a certain port and MAC source
  tcpdump -i eth0 "! ether src ae807a5e8002 and ! port 22"

Seeing ARP frames
If you add the -e option to your tcpdump command, you'll get the ARP ethertype (0x0806) messages reported, which have a length of 42.

Specific parts of a frame
  tcpdump -i lan6 "ether[6] == 0xae"
You use index 6 for the first byte of the source MAC (bytes 0-5 are the destination MAC, 12-13 the EtherType).

Fast data
What if it's coming so fast the kernel is dropping packets? You can increase the capture buffer size with the -B option (in KiB), for example:
  tcpdump -B 16384 -c 1000 -i lan6

Printing data and other stuff for TCP packets
  tcpdump -i lo "! icmp" -e --print -U -vvv -xx

No Ethernet frame data, no timestamp, just header stuff and a count for each packet
  tcpdump -i lan6 "ether[12]==0xcc and ether[13]==0xcc" -# -e -t -s 14 |
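As an added example (not part of the original page), a small POSIX sh helper that spells out the byte-offset filters used above from a MAC address or an EtherType, so the offsets (0 = destination MAC, 6 = source MAC, 12-13 = EtherType) do not have to be counted by hand; the function names and the MAC value are my own.

```shell
#!/bin/sh
# Added example, not from the page: build tcpdump "ether[N]==0xHH" filters.
# Ethernet header layout used by tcpdump's ether[] index:
#   ether[0..5]   destination MAC
#   ether[6..11]  source MAC
#   ether[12..13] EtherType (0x0806 = ARP, 0x0800 = IPv4)

# mac_filter <src|dst> <aa:bb:cc:dd:ee:ff>
# Prints one "ether[i]==0xNN" term per MAC byte, joined with "and".
mac_filter() {
    role=$1; mac=$2
    case "$role" in
        src) off=6 ;;
        dst) off=0 ;;
        *) echo "usage: mac_filter src|dst MAC" >&2; return 1 ;;
    esac
    # split the colon-separated MAC into positional parameters
    old_ifs=$IFS; IFS=:
    set -- $mac
    IFS=$old_ifs
    [ $# -eq 6 ] || { echo "bad MAC: $mac" >&2; return 1; }
    expr=""; i=$off
    for byte in "$@"; do
        expr="${expr:+$expr and }ether[$i]==0x$byte"
        i=$((i + 1))
    done
    printf '%s\n' "$expr"
}

# ethertype_filter <0xHHHH>
# Prints "ether[12]==0xHH and ether[13]==0xHH" for the two EtherType bytes.
ethertype_filter() {
    hex=${1#0x}
    [ ${#hex} -eq 4 ] || { echo "bad ethertype: $1" >&2; return 1; }
    printf 'ether[12]==0x%s and ether[13]==0x%s\n' "${hex%??}" "${hex#??}"
}

# Usage (needs root and a live interface; constructed MAC value):
#   sudo tcpdump -i lan6 -e "$(mac_filter src ae:80:7a:5e:80:02)"
#   sudo tcpdump -i lan6 -e "$(ethertype_filter 0x0806)"
```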