Hi David, your whole series of videos is so great, and you are able to make others understand in a much better way than any other person or source on the internet. These are by far the best videos on the internet.
Watched it twice and paused to take notes many times the second time around. It is a great investment, as tcpdump is the only tool left for me to debug mysterious networking problems including "connection refused" and so on. Thank you!
David, the best illustration of tcpdump I have ever seen. I would compare it to someone getting an orange, juicing it and giving it to his viewers. I loved it. You must be a very nice person to spend your own personal time sharing your know-how with others. Kudos to you!!! Thank you!!
This is an excellent tutorial! I do have a question regarding the timestamps in the output. Do these timestamps denote the time when the packet transmission is complete, has started, or when the packet was queued for transmission? Exactly when are these packet details picked up? Thanks a lot again.
Hi Peshal - I don't know the answer to this, but questions like this highlight gaps in my knowledge, so thanks! I'll be learning more about it in relation to Linux queuing etc.
Hello sir, is tcpdump an analysis or capture tool only, or could tcpdump be used for generation of packets to a specific dst IP address from a source machine, just like an attack?
Tcp Dump

1. Version check:
   - tcpdump -h
2. To check available interfaces on VM:
   - tcpdump -D
3. Checking tcpdump on all interfaces:
   - tcpdump -i any
4. Stop tcpdump after a specified number of packets:
   - tcpdump -i any -c 5
   (This one stops the capture after generating 5 packets)
5. Show tcpdump in form of IPs and not FQDN names:
   - tcpdump -i any -c 5 -n
   (Using -n will show IP and port numbers. If not used then the utility will trigger reverse DNS lookups to determine IP)
6. To limit capture size use -s option:
   - tcpdump -i any -c 5 -n -s1024
7. To check with proper sequence number use this:
   - tcpdump -i any -c20 -n tcp and dst port 39952 -t
8. Save captures to a file:
   - tcpdump -i any -w capture.pcap
9. Use -v option while performing captures to a file to see whether filter is receiving any packets or not:
   - tcpdump -i any -w capture.pcap -v
10. Reading existing files:
   - tcpdump -n -r capture.pcap
11. Use pipe (|) and less while viewing pcap files so that you can scroll through them:
   - tcpdump -n -r capture.pcap | less
12. To check packets from one particular host only:
   - tcpdump -i eth1 -n host 10.0.0.4 -c10
13. To check packets from one particular host from one side either source or destination only:
   - tcpdump -i eth1 -n src host 10.0.0.4 -c10
   - tcpdump -i eth1 -n dst host 10.0.0.4 -c10
14. Use "and port" to filter traffic for that port only:
   - tcpdump -i eth1 -n host 10.0.0.4 and port 80 -c10
15. Between two hosts:
   - tcpdump -i eth1 -n host 10.0.0.4 and host 192.168.0.4 -c10
16. For composite types i.e. using "and-or":
   - tcpdump -i eth0 -n "host 192.168.0.4 and (port 80 or port 443)"
   Use quotes ("") in such commands
17. Based on whole network:
   - tcpdump -i eth0 -n -c 50 "src net 192.168.0.0/16 and not dst net 192.168.0.0/16 and not dst net 10.0.0.0/16"
18. Based on mac address:
   - tcpdump -i eth0 ether host 28:16:2e:1f:25:49 -n -c50
   Here "ether host" is used to refer to a mac addr
19. Mac addr are not visible by default so we use "-e" to see mac addr:
   - tcpdump -i eth0 ether host 28:16:2e:1f:25:49 -n -c50 -e
20. To tcpdump IPv6 IPs use ip6 at the end:
   - tcpdump -i any ip6
21. Capture based on flags:
   - tcpdump -i any "tcp[tcpflags] & tcp-syn != 0"
   or
   - tcpdump -i any "tcp[tcpflags] & tcp-rst != 0"

Adjusting tcpdump output:

22. -XX option shows more details, specifically in hex and ASCII format:
   - tcpdump -i eth0 port 80 -c50 -XX
23. In place of using -XX we can use -A to get only the ASCII value and not the hex value:
   - tcpdump -i eth0 port 80 -c50 -A
24. Increasing levels of detail can be fetched with -v or -vv or -vvv:
   - tcpdump -i eth0 port 80 -c50 -vvv
25. To see minimal quiet display output use -q:
   - tcpdump -i eth0 port 80 -c50 -q
   Example:
   Time ip vm1.port > vm3.ssh: tcp0
   Time ip vm3.ssh > vm1.port: tcp0
   ...
26. To remove time frame in any tcpdumps use "-t":
   - tcpdump -i eth0 port 80 -c50 -q -t
   ip vm1.port > vm3.ssh: tcp0
   ip vm3.ssh > vm1.port: tcp0
   ...
27. Use 3 "-ttt" to check time difference between consecutive packets in the output. This can be used to check spikes or latencies in packets:
   - tcpdump -i eth0 -c50 -q -ttt
28. Use 5 "-ttttt" to show the time since the first packet capture. Used to look up how long certain transactions took to complete:
   - tcpdump -i eth0 -c50 -q -ttttt
29. For human readable format use "-tttt":
   - tcpdump -i eth0 -c50 -q -tttt

#  Traffic direction (*)  Relation to Firewall Virtual Machine  Name of inspection point  Notion of inspection point
1  Inbound                Before the inbound FW VM              Pre-Inbound               "i"
2  Inbound                After the inbound FW VM               Post-Inbound              "I"
3  Outbound               Before the outbound FW VM             Pre-Outbound              "o"
4  Outbound               After the outbound FW VM              Post-Outbound             "O"

BR Amarpreet Singh
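Items 19, 27 and 28 in the notes above can be reproduced offline from a pcap such as the one -w writes. The following is an added example, not code from the video or from Amarpreet's notes: it builds a small constructed capture in memory (the MAC 00:16:3e:aa:bb:cc, the timestamps and the handshake are made up) and computes the same per-packet deltas that tcpdump prints for -ttt and -ttttt, with the -e MAC column.

```python
import struct, time
# Constructed sample capture (not from a real host): a TCP handshake to port 80 in the
# classic little-endian pcap layout with microsecond timestamps, linktype 1 = Ethernet.
def _frame(src_mac, dst_mac, src_ip, dst_ip, sport, dport, flags):
    eth = bytes.fromhex(dst_mac.replace(":", "")) + bytes.fromhex(src_mac.replace(":", "")) + b"\x08\x00"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0x4000, 64, 6, 0,
                     bytes(map(int, src_ip.split("."))), bytes(map(int, dst_ip.split("."))))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 0x50, flags, 65535, 0, 0)
    return eth + ip + tcp
def _record(ts_sec, ts_usec, frame):  # per-packet header: ts_sec, ts_usec, incl_len, orig_len
    return struct.pack("<IIII", ts_sec, ts_usec, len(frame), len(frame)) + frame
A, B = "28:16:2e:1f:25:49", "00:16:3e:aa:bb:cc"  # sample MACs; B is made up
SAMPLE_PCAP = (struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
               + _record(1700000000, 100000, _frame(A, B, "10.0.0.4", "192.168.0.4", 39952, 80, 0x02))
               + _record(1700000000, 350000, _frame(B, A, "192.168.0.4", "10.0.0.4", 80, 39952, 0x12))
               + _record(1700000001, 50000, _frame(A, B, "10.0.0.4", "192.168.0.4", 39952, 80, 0x10)))

def parse_pcap(data):
    """Return [(timestamp in microseconds, frame bytes), ...] from a pcap blob."""
    magic, _, _, _, _, _, linktype = struct.unpack_from("<IHHiIII", data, 0)
    if magic != 0xA1B2C3D4 or linktype != 1:
        raise ValueError("only little-endian, microsecond, Ethernet pcap is handled here")
    off, pkts = 24, []
    while off + 16 <= len(data):
        sec, usec, incl, _ = struct.unpack_from("<IIII", data, off)
        pkts.append((sec * 1_000_000 + usec, data[off + 16:off + 16 + incl]))
        off += 16 + incl
    return pkts

def time_column(ts, mode):
    """Microsecond deltas as -ttt (from the previous packet) or -ttttt (from the first packet)."""
    if mode == "ttt":
        return [t - p for p, t in zip([ts[0]] + ts[:-1], ts)]
    if mode == "ttttt":
        return [t - ts[0] for t in ts]
    raise ValueError(mode)

def describe(frame):
    """Decode Ethernet/IPv4/TCP headers into a tcpdump -e -n style one-liner."""
    dst_mac, src_mac = frame[0:6].hex(":"), frame[6:12].hex(":")
    ihl = (frame[14] & 0x0F) * 4                      # IPv4 header length in bytes
    sip, dip = ".".join(map(str, frame[26:30])), ".".join(map(str, frame[30:34]))
    sport, dport = struct.unpack_from("!HH", frame, 14 + ihl)
    flags = frame[14 + ihl + 13]                      # TCP flags byte
    fl = "".join(c for bit, c in ((1, "F"), (2, "S"), (4, "R"), (8, "P"), (16, ".")) if flags & bit)
    return f"{src_mac} > {dst_mac}, IPv4 {sip}.{sport} > {dip}.{dport}: Flags [{fl}]"

def render(data, mode="ttt"):
    """Lines as tcpdump -e -n -ttt / -ttttt would print them (hh:mm:ss.uuuuuu delta first)."""
    pkts = parse_pcap(data)
    return [f"{time.strftime('%H:%M:%S', time.gmtime(d // 1_000_000))}.{d % 1_000_000:06d} {describe(f)}"
            for d, (_, f) in zip(time_column([t for t, _ in pkts], mode), pkts)]
```

Point parse_pcap at the bytes of a real capture.pcap to see the same deltas tcpdump -r prints; -tttt (wall-clock) is just the raw microsecond timestamp rendered as a date.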
David, if my machine has many interfaces and I don't know on which interface I will capture traffic, I need to use "-i any" to see if my machine is getting any traffic or not. If my machine is getting traffic, then how would I know the exact interface??
I find that tricky too. Personally, I use the "-e" option, which should show the destination MAC address of packets, then "ip link" or the equivalent to see which interface on the target system owns that MAC address. This doesn't work with broadcasts though.
Your video helped me out a few hours back. In spite of having Telnet and TCP connectivity, I was unable to connect with an Ora NoSQL node from my VH. The tcpdump -i eth0 -w ora.pcap showed it was trying to connect with default ports on the Oracle-installed VM, so I was able to define the service range ports and can connect to it now. Got the result from your clip specifically. Although I used Wireshark to analyze the pcap file, as I was not aware of the reading option from Linux itself. So if I use the command (from root access) in the VM > tcpdump -r ora.pcap it should serve the purpose, I hope.
sudo is not necessary. All tcpdump needs is CAP_NET_RAW. Run sudo setcap cap_net_raw=eip /usr/bin/tcpdump to set the net_raw capability on the tcpdump binary, and then you can run it without root permissions.
What was the point of this video? Was it to show off or to teach? You go through it very fast, barely explaining anything, as if you are reading a script. I watched other videos that are at a slower pace, where they take time to explain things, and then I understood tcpdump.