tcpdump

tcpdump captures (dumps) network traffic on an interface. The capture can then be used to troubleshoot a range of problems you may be having, e.g. application issues, networking issues, etc.
Note: if you write the output of a tcpdump to a file (-w), you can then import that file into Wireshark, which makes the capture much easier to interpret.

Common Examples

In the following example:

Replace x.x.x.x with the IP of the machine you are running the dump from. Which IP this is depends on the interface (public/private).
Replace y.y.y.y with the source IP, i.e. the server you are connecting FROM.

tcpdump -nn -tttt -i eth0 "dst port 3306" and "dst host x.x.x.x" and "src host y.y.y.y"



Description: clean output - no timestamps (-t) and no packet contents printed

# time tcpdump -t -nn -i eth0 port 443
IP x.x.x.190.26753 > x.x.x.129.443: Flags [S], seq 90450879, win 29200, options [mss 1380,sackOK,TS val 176708915 ecr 0,nop,wscale 7], length 0
IP x.x.x.x.443 > x.x.x.190.26753: Flags [S.], seq 1451406549, ack 90450880, win 28960, options [mss 1460,sackOK,TS val 180471895 ecr 176708915,nop,wscale 7], length 0
IP x.x.x190.26753 > x.x.x.129.443: Flags [.], ack 1, win 229, options [nop,nop,TS val 176708934 ecr 180471895], length 0
IP x.x.x.190.26753 > x.x.x.129.443: Flags [P.], seq 1:518, ack 1, win 229, options [nop,nop,TS val 176708934 ecr 180471895], length 517
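The packet lines above are easy to read one at a time but tedious to audit in bulk. The following is an added Python example (not from the original page) that parses lines in the format tcpdump -nn prints, groups them per connection, and reports whether the handshake completed; a SYN with no SYN-ACK in reply is the usual sign of a closed or filtered port, or of a reply leaving via another interface. The sample lines and addresses are constructed for the example.

```python
import re
from collections import defaultdict

# Matches one TCP line of `tcpdump -nn` output; an optional leading timestamp is skipped.
LINE_RE = re.compile(
    r"^(?:[\d:.\- ]+ )?IP (?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+): "
    r"Flags \[(?P<flags>[^\]]*)\].*\blength (?P<length>\d+)$")

def parse_line(line):
    """Parse one tcpdump line into a dict; return None for banner, -A payload or non-TCP lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    for k in ("sport", "dport", "length"):
        rec[k] = int(rec[k])
    return rec

def summarize_flows(lines):
    """Group packets per connection and report handshake state plus payload bytes seen."""
    flows = defaultdict(lambda: {"flags": set(), "payload": 0})
    for line in lines:
        p = parse_line(line)
        if p is None:
            continue
        # Both directions of a connection share one key: the sorted pair of (host, port) endpoints.
        key = tuple(sorted(((p["src"], p["sport"]), (p["dst"], p["dport"]))))
        flows[key]["flags"].add(p["flags"])
        flows[key]["payload"] += p["length"]
    summary = {}
    for key, f in flows.items():
        if "S" in f["flags"] and "S." in f["flags"]:
            state = "handshake"   # SYN and SYN-ACK both captured
        elif "S" in f["flags"]:
            state = "syn-only"    # SYN but no SYN-ACK: closed/filtered port, or reply not on this interface
        else:
            state = "mid-stream"  # capture started after the handshake
        summary[key] = (state, f["payload"])
    return summary

# Constructed sample lines in the format the page shows (addresses are made up for the example).
SAMPLE = """\
listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
IP 10.0.0.190.26753 > 10.0.0.129.443: Flags [S], seq 90450879, win 29200, options [mss 1380,sackOK,TS val 176708915 ecr 0,nop,wscale 7], length 0
IP 10.0.0.129.443 > 10.0.0.190.26753: Flags [S.], seq 1451406549, ack 90450880, win 28960, options [mss 1460,sackOK,TS val 180471895 ecr 176708915,nop,wscale 7], length 0
IP 10.0.0.190.26753 > 10.0.0.129.443: Flags [.], ack 1, win 229, options [nop,nop,TS val 176708934 ecr 180471895], length 0
IP 10.0.0.190.26753 > 10.0.0.129.443: Flags [P.], seq 1:518, ack 1, win 229, options [nop,nop,TS val 176708934 ecr 180471895], length 517
IP 10.0.0.190.40100 > 10.0.0.129.3306: Flags [S], seq 1, win 29200, options [mss 1460], length 0
""".splitlines()
```

Feed it the text written by tcpdump -nn (with or without -t) and look for syn-only entries: those are the connection attempts that never got an answer on the captured interface.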


Description: capture with timestamps, and with each packet's payload printed in ASCII after its header line (-A)
# time tcpdump -nn -i eth0 dst port 443 -A

x:x.x:29.334109 IP x.x.x.129.50684 > x.x.x.11.443: Flags [.], ack 305494749, win 772, options [nop,nop,TS val 180530251 ecr 1978706385], length 0


Verbose

Non verbose (default output)

listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
IP 82.94.168.11.443 > 195.154.211.129.50684: Flags [P.], seq 305495973:305496007, ack 1020938839, win 19, options [nop,nop,TS val 1978798886 ecr 180890262], length 34
IP 195.154.211.129.50684 > 82.94.168.11.443: Flags [.], ack 34, win 772, options [nop,nop,TS val 180900262 ecr 1978798886], length 0
-vvv (maximum verbosity)
IP (tos 0x0, ttl 54, id 18426, offset 0, flags [DF], proto TCP (6), length 86)
    82.94.168.11.443 > 195.154.211.129.50684: Flags [P.], cksum 0x6b90 (correct), seq 305495973:305496007, ack 1020938839, win 19, options [nop,nop,TS val 1978798886 ecr 180890262], length 34
IP (tos 0x0, ttl 64, id 56819, offset 0, flags [DF], proto TCP (6), length 52)
    195.154.211.129.50684 > 82.94.168.11.443: Flags [.], cksum 0x91ac (incorrect -> 0x1bc7), seq 1, ack 34, win 772, options [nop,nop,TS val 180900262 ecr 1978798886], length 0


Flag   Description
-A     Print each packet (minus its link-level header) in ASCII. Handy for capturing web pages.
-n     Don't convert host addresses to names. This avoids DNS lookups.
-nn    Don't convert protocol and port numbers etc. to names either.
-w     Write the raw packets to a file rather than parsing and printing them out.
-i     Interface to capture on.
src    Only capture traffic from a source (e.g. src host x.x.x.x).
dst    Only capture traffic to a destination address (a server can have multiple IPs, so you can specify which one).
-t     No timestamp; might be easier to read.
-vvv   Even more verbose output. For example, telnet SB … SE options are printed in full. With -X, Telnet options are printed in hex as well.
tcpdump.txt · Last modified: 2024/05/23 07:26 by 127.0.0.1