Archive for the tag 'Tcpdump'

SBDavid

tcpdump - dump traffic on a network

tcpdump - dump traffic on a network

Tcpdump prints out a description of the contents of packets on a network interface that match the boolean expression. It can also be run with the -w flag, which causes it to save the packet data to a file for later analysis, and/or with the -r flag, which causes it to read from a saved packet file rather than to read packets from a network interface. In all cases, only packets that match expression will be processed by tcpdump.

Example:

root@u12:~# tcpdump -nnvvXS -c2 port 80

-n
Don’t convert host addresses to names. This can be used to avoid DNS lookups.

-nn
Don’t convert protocol and port numbers etc. to names either.

-vv
Even more verbose output. For example, additional fields are printed from NFS reply packets, and SMB packets are fully decoded.

-X
When parsing and printing, in addition to printing the headers of each packet, print the data of each packet (minus its link level header) in hex and ASCII. This is very handy for analysing new protocols.

-S
Print absolute, rather than relative, TCP sequence numbers.

Tcpdump to monitor SMTP activity from a IP or range of IP

The tcpdump is a useful utility to monitor the network activity in the server.

tcpdump -i eth0 -n src 192.168.1.22 \or dst 192.168.1.22 -w smtp.tcpdump -s 2048

You can monitor the SMTP activity to find out the mail account used by spammer.
The above command will monitor the SMTP activity from the IP address 192.168.1.4 and will log to the file smtp.tcpdump.

Use the following command to monitor a range of IP

tcpdump -i eth0 -n src net 119.91.0.0/16 \or dst net 119.91.0.0/16 -w smtp.tcpdump -s 2048

The above command will monitor the range of IP starting with 119.91. You can use Wireshark to analyze the dump file.

For VPS you need to use venet0:0

tcpdump [ -AdDeflLnNOpqRStuUvxX ] [ -c count ]
[ -C file_size ] [ -F file ]
[ -i interface ] [ -m module ] [ -M secret ]
[ -r file ] [ -s snaplen ] [ -T type ] [ -w file ]
[ -W filecount ]
[ -E spi@ipaddr algo:secret,... ]
[ -y datalinktype ] [ -Z user ]

How to check packet Flows using tcpdump

Tcpdump prints out a description of the contents of packets on a network interface that match the boolean expression. It can also be run with the -w flag, which causes it to save the packet data to a file for later analysis, and/or with the -r flag, which causes it to read from a saved packet file rather than to read packets from a network interface. In all cases, only packets that match expression will be processed by tcpdump.

One of the most common uses of tcpdump is to determine whether you are getting basic two-way communication.

Command Options:

icmp View icmp packets
tcp port port-number View TCP packets with packets with either a source or destination TCP port of port-number
udp port port-number View UDP packets with either a source or destination UDP port of port-number

Example:

tcpdump -i eth0 icmp

By using the -w filename option you can send the entire Ethernet frame, not just a brief IP information that normally goes to the screen, to a file. This can then be analyzed by graphical analysis tools such as Wireshark, which is available in both Windows and Linux

tcpdump -i eth0 -w /tmp/tcp.dump tcp port 22

The -n switch stops DNS name lookups and will make tcpdump work more reliably.

tcpdump -i eth0 -n tcp port 22

Tcpdump command to monitor the SMTP activity from a IP or range of IP.

The tcpdump is a useful utility to monitor the network activity in the server.
You can monitor the SMTP activity to find out the mail account used by spammer.

tcpdump -i eth0 -n src 192.168.1.4 \or dst 192.168.1.4 -w smtp.tcpdump -s 2048

The above command will monitor the SMTP activity from the IP address 192.168.1.4 and will log to the file smtp.tcpdump.

Please use the following command to monitor a range of IP

tcpdump -i eth0 -n src net 219.91.0.0/16 \or dst net 219.91.0.0/16 -w smtp.tcpdump -s 2048

The above command will monitor the range of IP starting with 219.91. You can use less or Wireshark to analyze the dump file. You need to replace the network device with your network device EG : venet0:0 in a VPS.