By: Stephanie Hamrick
This document describes a variety of tcpdump commands that make packet captures easier to read and more transparent. tcpdump ships on Ubiquiti firewalls, Unix boxes and a variety of other Linux- or Unix-based networking equipment. Capturing needs root (or the CAP_NET_RAW capability on Linux), so in practice the commands below are run with sudo. The following primer covers the basics of tcpdump and the most commonly used options that I have found useful.
By default, tcpdump turns on name resolution for all layer-3 and layer-4 sources and destinations: it looks up a hostname for every IP address and translates well-known port numbers into service names. Most people running a network analyzer are looking for IP addresses and port numbers, and every lookup is a DNS query that slows the capture down and itself puts traffic on the network you are examining, so the first thing we do is turn name resolution off:
tcpdump -n
Without -n, addresses are printed as hostnames and ports as service names (for example ssh); with -n they are printed as numbers. Many people use -nn out of habit, because older versions needed the second n before port and protocol numbers were left untranslated as well.
Ever need to grab the MAC address of a device or troubleshoot an ARP problem? The -e switch, which prints the link-level header, is the key to your wildest layer-2 dreams.
By default you can see ARP requests, but the layer-2 addresses are not shown: a request is printed as just the IP being asked for and the IP asking. With -e, every line starts with the source and destination MAC addresses, the ethertype (IPv4, ARP, IPv6 and so on) and the frame length, followed by the usual layer-3 information, so the MAC each packet came from is right there on the line.
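To make the effect of -n and -e concrete, here is an added example (it is not from the original post and is not part of tcpdump): a small Python parser for tcpdump -nn and tcpdump -nn -e output that pulls out the timestamp, MACs, IPs, ports and TCP flags, and builds an IP-to-MAC table from ARP replies and frame headers. The sample lines are constructed to match tcpdump's line format for the 10.222.2.201 lab host used in this post; the MAC addresses, timestamps and sequence numbers are made up.

```python
import re
from dataclasses import dataclass
from typing import Dict, Iterable, Optional

# Added example: a parser for tcpdump text output (not tcpdump's own code).
# Sample lines further down are constructed; MACs and timestamps are made up.
MAC = r"(?:[0-9a-f]{2}:){5}[0-9a-f]{2}"
IPV4 = r"\d+(?:\.\d+){3}"

# 'tcpdump -nn -e': link-level header first, then the layer-3 text.
ETH_RE = re.compile(
    rf"^(?P<ts>\d\d:\d\d:\d\d\.\d+) (?P<src_mac>{MAC}) > (?P<dst_mac>{MAC}), "
    rf"ethertype (?P<ethertype>\w+) \(0x[0-9a-f]{{4}}\), length \d+: (?P<rest>.*)$"
)
# 'tcpdump -nn' without -e: no MACs, just the protocol tag (IP / IP6 / ARP).
L3_RE = re.compile(r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) (?P<proto>IP6?|ARP),? (?P<rest>.*)$")
# IPv4 'src.sport > dst.dport: info' (ports are absent for ICMP).
IP_RE = re.compile(
    rf"^(?P<src>{IPV4})(?:\.(?P<sport>\d+))? > (?P<dst>{IPV4})(?:\.(?P<dport>\d+))?: (?P<info>.*)$"
)
FLAGS_RE = re.compile(r"Flags \[(?P<flags>[^\]]*)\]")
ARP_RE = re.compile(
    rf"^(?:Request who-has (?P<target>{IPV4}) tell (?P<sender>{IPV4})"
    rf"|Reply (?P<reply_ip>{IPV4}) is-at (?P<reply_mac>{MAC}))"
)


@dataclass
class Packet:
    ts: str
    proto: str                     # "IP", "IP6" or "ARP"
    src_mac: Optional[str] = None  # only present with -e
    dst_mac: Optional[str] = None
    src: Optional[str] = None
    dst: Optional[str] = None
    sport: Optional[int] = None
    dport: Optional[int] = None
    flags: Optional[str] = None    # TCP flags as tcpdump prints them, e.g. "S", "R."
    info: str = ""


def parse_line(line: str) -> Optional[Packet]:
    """Parse one tcpdump output line (with or without -e) into a Packet, or None."""
    line = line.strip()
    m = ETH_RE.match(line)
    if m:
        proto = {"IPv4": "IP", "IPv6": "IP6"}.get(m["ethertype"], m["ethertype"])
        pkt = Packet(ts=m["ts"], proto=proto, src_mac=m["src_mac"], dst_mac=m["dst_mac"])
    else:
        m = L3_RE.match(line)
        if not m:
            return None
        pkt = Packet(ts=m["ts"], proto=m["proto"])
    rest = m["rest"]
    pkt.info = rest
    if pkt.proto == "IP":
        ip = IP_RE.match(rest)
        if not ip:
            return None
        pkt.src, pkt.dst, pkt.info = ip["src"], ip["dst"], ip["info"]
        pkt.sport = int(ip["sport"]) if ip["sport"] else None
        pkt.dport = int(ip["dport"]) if ip["dport"] else None
        f = FLAGS_RE.search(ip["info"])
        pkt.flags = f["flags"] if f else None
    elif pkt.proto == "ARP":
        arp = ARP_RE.match(rest)
        if arp and arp["target"]:      # who-has: sender asks for target
            pkt.src, pkt.dst = arp["sender"], arp["target"]
        elif arp:                      # is-at: the reply carries the MAC
            pkt.src = arp["reply_ip"]
    return pkt


def mac_table(lines: Iterable[str]) -> Dict[str, str]:
    """IP -> MAC learned from the capture. ARP 'is-at' replies carry the MAC in
    their payload and are learned with or without -e; the source MAC of IP
    frames is only available when -e printed the link-level header."""
    table: Dict[str, str] = {}
    for line in lines:
        pkt = parse_line(line)
        if pkt is None:
            continue
        if pkt.proto == "ARP":
            arp = ARP_RE.match(pkt.info)
            if arp and arp["reply_mac"]:
                table[arp["reply_ip"]] = arp["reply_mac"]
        elif pkt.src_mac and pkt.src:
            table.setdefault(pkt.src, pkt.src_mac)
    return table


# Constructed sample output (made-up MACs, timestamps and sequence numbers).
SAMPLE_WITH_E = """\
14:02:10.991002 00:0c:29:3a:5b:7c > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 42: Request who-has 10.222.2.1 tell 10.222.2.201, length 28
14:02:10.991377 00:50:56:e0:1a:2b > 00:0c:29:3a:5b:7c, ethertype ARP (0x0806), length 42: Reply 10.222.2.1 is-at 00:50:56:e0:1a:2b, length 28
14:02:11.482113 00:0c:29:3a:5b:7c > 00:50:56:e0:1a:2b, ethertype IPv4 (0x0800), length 74: 10.222.2.201.51234 > 10.222.2.1.22: Flags [S], seq 3251049387, win 64240, options [mss 1460,sackOK,TS val 1 ecr 0,nop,wscale 7], length 0
14:02:11.482520 00:50:56:e0:1a:2b > 00:0c:29:3a:5b:7c, ethertype IPv4 (0x0800), length 54: 10.222.2.1.22 > 10.222.2.201.51234: Flags [R.], seq 0, ack 3251049388, win 0, length 0
"""
SAMPLE_NO_E = """\
14:02:10.991002 ARP, Request who-has 10.222.2.1 tell 10.222.2.201, length 28
14:02:11.482113 IP 10.222.2.201.51234 > 10.222.2.1.22: Flags [S], seq 3251049387, win 64240, options [mss 1460,sackOK,TS val 1 ecr 0,nop,wscale 7], length 0
14:02:11.600000 IP 10.222.2.201 > 10.222.2.1: ICMP echo request, id 7, seq 1, length 64
"""

if __name__ == "__main__":
    for line in SAMPLE_WITH_E.splitlines():
        print(parse_line(line))
    print(mac_table(SAMPLE_WITH_E.splitlines()))  # both lab MACs learned
    print(mac_table(SAMPLE_NO_E.splitlines()))    # {} : no -e and no ARP reply
```

Feeding a real capture is a matter of `tcpdump -nn -e -l ... | python3 parse.py` with `sys.stdin` in place of the sample strings; -l makes tcpdump line-buffer its output so the pipe does not stall.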
What if you want to look at flags or checksums in an IP packet? By default you get basic TCP flags, but much of the rest is hidden from view. tcpdump has three levels of verbosity, controlled by repeating the -v option: -v prints the IP TTL, identification, total length and options and verifies IP and ICMP header checksums; -vv and -vvv add progressively more protocol detail (extra NFS reply fields, full SMB decoding, telnet options and so on).
Say you don't care about the headers but the payloads of packets; use the -x option to show each packet in hex and the -X option for hex with an ASCII translation alongside. Both dump the whole packet after the link-level header, so the IP and TCP headers are included; -xx and -XX add the link-level header too, and -A prints ASCII only, which is handy for clear-text protocols such as HTTP.
To choose where to capture, use -i: -i eth0 captures on a single interface, -i any captures on all interfaces at once (on Linux this uses the cooked capture format, so -e will not show real Ethernet headers), and -D lists the interfaces tcpdump can see.
Simple stuff.
If you want to capture only conversations to or from 10.222.2.201, use host 10.222.2.201.
If you want to capture only conversations going to .201, use dst host $IP.
If you want to capture only conversations originating from .201, use src host $IP. The keyword is dst, not dest; dest is not valid filter syntax.
For specific protocols you can just put the protocol keyword at the beginning of your filter. For instance, tcpdump icmp captures only ICMP packets, tcpdump udp only UDP packets, and tcp, arp, ip and ip6 work the same way.
Just like host, you can use tcpdump src port $port for source ports, tcpdump dst port $port for destination ports, or tcpdump port $port for either.
Capturing just packets with certain flags set can be very handy. Here we just look for connection resets by testing the flags byte of the TCP header, tcp[tcpflags] == tcp-rst, the same expression the combined filter at the end of this post uses. Be aware that == compares the whole flag byte, so it only matches a bare RST; the RST+ACK with which a closed port rejects a SYN would be missed. To match any packet with the RST bit set, use the bitwise form tcp[tcpflags] & tcp-rst != 0. The same pattern works with tcp-syn, tcp-ack, tcp-fin and tcp-push.
Use these just like any other filter, after the options. If you are combining them with host or any of the other filters above, put the whole expression in single quotes so the shell does not interpret the square brackets.
Many instances exist where you want to filter for just traffic to a certain host going to a particular port, using specific flags, or maybe all traffic except from a specific port. Lucky for us, tcpdump supports 'and' and 'or' operators as well as 'not' and grouping parens.
As soon as you have a space of any kind in your filter, enclose the whole thing in quotes (single quotes are safest, since the shell would otherwise treat parentheses and square brackets as its own syntax).
For instance, to look for any traffic coming from 10.222.2.201 except over port 22: tcpdump 'host 10.222.2.201 and not port 22'
Or maybe you want to filter out port 80 traffic as well; to do this, use grouping parens and an 'or' operator: tcpdump 'host 10.222.2.201 and not (port 22 or port 80)'
Or perhaps you just want to look for RST packets not over these two ports: tcpdump 'host 10.222.2.201 and not (port 22 or port 80) and tcp[tcpflags] == tcp-rst'
There are many combinations; just remember: *If there is any question about the order in which your statements will be applied, use grouping parens.* This matters more than in most languages: in the pcap filter grammar 'not' binds tightest, but 'and' and 'or' have equal precedence and associate left to right, so host 10.222.2.201 and not port 22 or port 80 means (host 10.222.2.201 and not port 22) or port 80, which lets port-80 traffic from every host through. As soon as you have multiple filters, use quotes around the whole thing.
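The filter combinations above, as an added example that is not from the original post and is not libpcap: a small Python model of how the pcap filter grammar evaluates host and port qualifiers, and/or/not, and tcp[tcpflags], run over constructed packets (dicts with made-up ports and addresses around the 10.222.2.201 lab host; 203.0.113.10 is a TEST-NET address). It shows the two things that bite people: tcp[tcpflags] == tcp-rst matches only a bare RST and not the RST+ACK a closed port answers with, and an unparenthesized and/or mix is read left to right rather than with 'and' binding tighter. The predicate names (host, dst_host, tcpflags_any, ...) are this example's own, chosen to mirror the filter keywords.

```python
"""Added example (not the original post's code, not libpcap): a Python model of
pcap-filter semantics for the expressions used in this post, applied to
constructed packets. Addresses and ports are made up."""
from typing import Callable, Dict, List

Packet = Dict[str, object]
Filter = Callable[[Packet], bool]

# Bit values behind tcpdump's tcp-* names in tcp[tcpflags].
TCP_FIN, TCP_SYN, TCP_RST, TCP_PSH, TCP_ACK, TCP_URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20


def host(ip: str) -> Filter:       # 'host X': X is source or destination
    return lambda p: ip in (p["src"], p["dst"])

def src_host(ip: str) -> Filter:   # 'src host X'
    return lambda p: p["src"] == ip

def dst_host(ip: str) -> Filter:   # 'dst host X'
    return lambda p: p["dst"] == ip

def port(n: int) -> Filter:        # 'port N': either side
    return lambda p: n in (p["sport"], p["dport"])

def src_port(n: int) -> Filter:    # 'src port N'
    return lambda p: p["sport"] == n

def dst_port(n: int) -> Filter:    # 'dst port N'
    return lambda p: p["dport"] == n

def proto(name: str) -> Filter:    # 'tcp', 'udp', 'icmp', ...
    return lambda p: p["proto"] == name

def tcpflags_eq(mask: int) -> Filter:
    """'tcp[tcpflags] == mask': the flag byte must equal mask exactly (bare RST only)."""
    return lambda p: p["proto"] == "tcp" and p["flags"] == mask

def tcpflags_any(mask: int) -> Filter:
    """'tcp[tcpflags] & mask != 0': any bit of mask set (RST, RST+ACK, ...)."""
    return lambda p: p["proto"] == "tcp" and (p["flags"] & mask) != 0

def and_(*fs: Filter) -> Filter:
    return lambda p: all(f(p) for f in fs)

def or_(*fs: Filter) -> Filter:
    return lambda p: any(f(p) for f in fs)

def not_(f: Filter) -> Filter:
    return lambda p: not f(p)


def apply_filter(f: Filter, packets: List[Packet]) -> List[int]:
    """Ids of the packets the filter would let through, in capture order."""
    return [p["id"] for p in packets if f(p)]


def pkt(pid: int, src: str, sport: int, dst: str, dport: int,
        l4: str = "tcp", flags: int = 0) -> Packet:
    return {"id": pid, "src": src, "sport": sport, "dst": dst, "dport": dport,
            "proto": l4, "flags": flags}

# Constructed capture: .201 is the host from the post; 203.0.113.10 is a TEST-NET address.
PACKETS = [
    pkt(1, "10.222.2.201", 51234, "10.222.2.1", 22, flags=TCP_SYN),
    pkt(2, "10.222.2.1", 22, "10.222.2.201", 51234, flags=TCP_RST | TCP_ACK),
    pkt(3, "10.222.2.201", 51235, "203.0.113.10", 80, flags=TCP_SYN),
    pkt(4, "203.0.113.10", 443, "10.222.2.201", 51236, flags=TCP_RST | TCP_ACK),  # closed-port answer
    pkt(5, "10.222.2.201", 51237, "10.222.2.50", 8080, flags=TCP_RST),            # bare RST
    pkt(6, "10.222.2.9", 4000, "10.222.2.50", 8080, flags=TCP_RST),
    pkt(7, "10.222.2.201", 5353, "10.222.2.1", 53, l4="udp"),
    pkt(8, "10.222.2.9", 4001, "203.0.113.10", 80, flags=TCP_SYN),
]

# 'host 10.222.2.201 and not port 22'
F1 = and_(host("10.222.2.201"), not_(port(22)))
# 'host 10.222.2.201 and not (port 22 or port 80)'
F2 = and_(host("10.222.2.201"), not_(or_(port(22), port(80))))
# '... and tcp[tcpflags] == tcp-rst'   -> misses packet 4 (RST+ACK)
F3_EQ = and_(F2, tcpflags_eq(TCP_RST))
# '... and tcp[tcpflags] & tcp-rst != 0' -> catches 4 and 5
F3_ANY = and_(F2, tcpflags_any(TCP_RST))
# Precedence trap: pcap gives 'and' and 'or' equal precedence, left to right, so
# 'host 10.222.2.201 and not port 22 or port 80' is read as
# '(host 10.222.2.201 and not port 22) or port 80' and admits packet 8.
F_NO_PARENS = or_(and_(host("10.222.2.201"), not_(port(22))), port(80))

if __name__ == "__main__":
    for name, f in [("F1", F1), ("F2", F2), ("F3_EQ", F3_EQ),
                    ("F3_ANY", F3_ANY), ("F_NO_PARENS", F_NO_PARENS)]:
        print(name, apply_filter(f, PACKETS))
```

Before trusting a real filter, tcpdump -d 'expr' prints the compiled BPF program without capturing anything, which is the quickest way to confirm how an and/or mix was actually parsed.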
mfuller, PEI