wiki:tcpdump

Differences

This shows you the differences between two versions of the page.

wiki:tcpdump [2017/02/28 18:00] – external edit 127.0.0.1
wiki:tcpdump [2023/03/21 20:14] (current) walkeradmin
Line 1: Line 1:
 ====== tcpdump ====== ====== tcpdump ======
 +<color #db5f0b>Jan 2017 (Updated MApr 2017)</color>
 +\\ 
 +\\ 
  
 ---- ----
 +tcpdump is a tool to capture IP Packets at a command line level, its similar to the PCAP used by Wireshark (Wireshark is just a GUI to control PCAP). I say just a GUI, its rather good and saying it is 'just' a GUI is a little harsh.
 \\  \\ 
 \\  \\ 
-tcpdump is a tool to capture IP Packets at command line levelits similar to the PCAP used by Wireshark (Wireshark is just a GUI to control PCAP)I say just a GUIits rather good and saying it is 'justa GUI is a little harsh.+Originally, I was using <color #ed1c24>tcpdump</color> to capture IP traffic and write it to fileand if this is what you wish to do, then go to the section on this page called <color #ed1c24>File Capture</color>. However if you just wish to view the <color #ed1c24>tcpdump</color> output on screen, then look at the section entitled <color #ed1c24>Screen Capture</color>. 
 +\\  
 +\\  
 +==== Screen Caputre ==== 
 +\\  
 +To show the output of tcpdump on the screenuse the follwoing syntax. 
 +\\  
 +    tcpdump -i eth2 -nn 
 +\\  
 +\\  
 +The <color #ed1c24>-i eth2</color> specifies the interface you wish to monitor. the <color #ed1c24>-nn</color> tells tcpdump not to resolve port numbers to names (so won't display the word 'ftp' where it sees port 21 for example). 
 +\\  
 +\\  
 +This results in the following style output. 
 +\\  
 + 
 +<file> 
 +05:58:06.235597 IP 10.0.20.1.1234 > 239.1.2.3.1234: UDP, length 1328 
 +05:58:06.235646 IP 10.0.85.1.60817 > 239.0.85.1.1234: UDP, length 1316 
 +05:58:06.236112 IP 10.0.20.1.10000 > 239.0.200.1.10002: UDP, length 1316 
 +05:58:06.236238 IP 10.0.85.1.60817 > 239.0.85.1.1234: UDP, length 1316 
 +05:58:06.236422 IP 10.0.20.1.1234 > 239.1.2.3.1234: UDP, length 1328 
 +05:58:06.236521 IP 10.0.20.100.1234 > 239.0.100.1.1234: UDP, length 1316 
 +05:58:06.236595 IP 10.0.20.1.1234 > 239.1.2.3.1234: UDP, length 1328 
 +05:58:06.236818 IP 10.0.85.1.60817 > 239.0.85.1.1234: UDP, length 1316 
 +05:58:06.237060 IP 10.0.20.1.10000 > 239.0.200.1.10001: UDP, length 1316 
 +05:58:06.237211 IP 10.0.20.1.10000 > 239.0.200.1.10003: UDP, length 1316 
 +05:58:06.237402 IP 10.0.85.1.60817 > 239.0.85.1.1234: UDP, length 1316 
 +05:58:06.237425 IP 10.0.20.1.1234 > 239.1.2.3.1234: UDP, length 1328 
 +05:58:06.237524 IP 10.0.20.100.1234 > 239.0.100.1.1234: UDP, length 1316 
 +05:58:06.237598 IP 10.0.20.1.1234 > 239.1.2.3.1234: UDP, length 1328 
 +05:58:06.237985 IP 10.0.85.1.60817 > 239.0.85.1.1234: UDP, length 1316 
 +05:58:06.238063 IP 10.0.20.1.10000 > 239.0.200.1.10001: UDP, length 1316 
 +05:58:06.238213 IP 10.0.20.1.10000 > 239.0.200.1.10002: UDP, length 1316 
 +05:58:06.238425 IP 10.0.20.1.1234 > 239.1.2.3.1234: UDP, length 1328 
 +05:58:06.238572 IP 10.0.85.1.60817 > 239.0.85.1.1234: UDP, length 1316 
 +05:58:06.238599 IP 10.0.20.1.1234 > 239.1.2.3.1234: UDP, length 1328 
 +05:58:06.239174 IP 10.0.85.1.60817 > 239.0.85.1.1234: UDP, length 1316 
 +05:58:06.239423 IP 10.0.20.1.1234 > 239.1.2.3.1234: UDP, length 1328 
 +05:58:06.239521 IP 10.0.20.100.1234 > 239.0.100.1.1234: UDP, length 1316 
 +05:58:06.239597 IP 10.0.20.1.1234 > 239.1.2.3.1234: UDP, length 1328 
 +05:58:06.239741 IP 10.0.85.1.60817 > 239.0.85.1.1234: UDP, length 1316 
 +05:58:06.240065 IP 10.0.20.1.10000 > 239.0.200.1.10001: UDP, length 1316 
 +05:58:06.240215 IP 10.0.20.1.10000 > 239.0.200.1.10002: UDP, length 1316 
 +05:58:06.240325 IP 10.0.85.1.60817 > 239.0.85.1.1234: UDP, length 1316 
 +05:58:06.240423 IP 10.0.20.1.1234 > 239.1.2.3.1234: UDP, length 1328 
 +05:58:06.240521 IP 10.0.20.100.1234 > 239.0.100.1.1234: UDP, length 1316 
 +05:58:06.240597 IP 10.0.20.1.1234 > 239.1.2.3.1234: UDP, length 1328 
 +05:58:06.240916 IP 10.0.85.1.60817 > 239.0.85.1.1234: UDP, length 1316 
 +05:58:06.241166 IP 10.0.20.1.10000 > 239.0.200.1.10003: UDP, length 1316 
 +05:58:06.241304 IP 10.0.20.1.10000 > 239.0.200.1.10004: UDP, length 1316 
 +05:58:06.241423 IP 10.0.20.1.1234 > 239.1.2.3.1234: UDP, length 1328 
 +05:58:06.241507 IP 10.0.85.1.60817 > 239.0.85.1.1234: UDP, length 1316 
 +05:58:06.241596 IP 10.0.20.1.1234 > 239.1.2.3.1234: UDP, length 1328 
 + 
 +18909 packets captured 
 +18913 packets received by filter 
 +0 packets dropped by kernel 
 + 
 +</file> 
 +\\ 
 \\  \\ 
 +==== File Capture ====
 \\  \\ 
 On the MFEL, we can use tcpdump to capture either the <color red>IP Input</color> or the <color red>IP Output</color>. There are many commands available for tcpdump, and I will list some later on this page, but first lets just look at a working example, because this might be all you need for now. On the MFEL, we can use tcpdump to capture either the <color red>IP Input</color> or the <color red>IP Output</color>. There are many commands available for tcpdump, and I will list some later on this page, but first lets just look at a working example, because this might be all you need for now.
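Review bot: the new heading `==== Screen Caputre ====` is misspelled, and the paragraph just above it sends readers to a section called "Screen Capture", so the heading should read `==== Screen Capture ====` for the cross-reference to match; the same line-level typos appear in "use the follwoing syntax" and in the date banner "Updated MApr 2017". The explanation of `-nn` under the `tcpdump -i eth2 -nn` example also understates what the flag does: a single `-n` already stops tcpdump converting IP addresses to host names, which matters on a live interface because otherwise every new address seen in the capture triggers a reverse DNS lookup from the capturing host (slowing the display and advertising what is being captured to the resolver), and the second `n` additionally suppresses port and protocol name lookup. Suggest: "The -nn tells tcpdump not to resolve IP addresses to host names or port numbers to service names (so it won't display 'ftp' where it sees port 21, for example)."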
wiki/tcpdump.1488304810.txt.gz · Last modified: 2023/03/09 22:35 (external edit)