What is TCPDUMP?
It dumps network traffic; in other words, it captures the packets passing a network interface and prints them.
Most commonly used query:
sudo tcpdump -n -i any port 443
A server is running in our office and its port is 8080. To see where all the requests to this port are coming from:
sudo tcpdump -i any port 8080
To check whether requests to my server (8080) are coming from a particular IP:
sudo tcpdump port 8080 and host 1.3.5.7
To see what is failing on the network, i.e. DNS queries that get a negative answer:
sudo tcpdump 'udp[11] & 0xf==3'
To take a complete dump of the network traffic on the server for later analysis (press control + x to terminate; normally capture for about 1 min):
sudo tcpdump -w packets.pcap
Important things to be noted in a tcpdump:
UDP Packet
TCP Packet
How does tcpdump filter on a port or IP?
- It uses a concept called "BPF filters".
- If a tcpdump command is executed for port 443, the BPF program filters for port 443 and only matching packets are printed.
- An interesting example: udp[11] & 0xf==3 looks at byte 11 counted from the start of the UDP header. The UDP header is 8 bytes, so this is the 4th byte of the DNS header, whose low 4 bits hold the DNS response code; 3 means "NXDOMAIN", so only failed lookups are printed. The expression by itself also matches any other UDP packet whose byte 11 happens to end in 3, so in practice combine it with udp port 53.
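As an added illustration (not part of the original notes), the following Python reproduces the byte arithmetic behind udp[11] & 0xf==3 on a constructed DNS response and shows why adding udp port 53 matters; the datagrams and function names are my own constructions.

```python
import struct

# udp[N] in a tcpdump filter indexes bytes from the start of the UDP header.
# Bytes 0-7 are the UDP header, so the DNS header starts at udp[8] and
# udp[11] is the 4th DNS header byte: RA | Z(3 bits) | RCODE(4 bits).
UDP_HEADER_LEN = 8
DNS_FLAGS_LOW_BYTE = UDP_HEADER_LEN + 3   # == 11, the byte the filter reads
RCODE_NXDOMAIN = 3

def build_dns_response(txid: int, rcode: int, src_port: int = 53,
                       dst_port: int = 40000) -> bytes:
    """Construct a minimal UDP datagram carrying a DNS response header.

    Constructed sample data: QR=1, RD=1, RA=1 and the given RCODE.
    """
    flags = 0x8180 | (rcode & 0xF)
    dns_header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    length = UDP_HEADER_LEN + len(dns_header)
    udp_header = struct.pack("!HHHH", src_port, dst_port, length, 0)  # checksum left 0
    return udp_header + dns_header

def bpf_matches_nxdomain(udp_datagram: bytes) -> bool:
    """Evaluate exactly what the BPF expression 'udp[11] & 0xf == 3' tests."""
    if len(udp_datagram) <= DNS_FLAGS_LOW_BYTE:
        return False  # too short to have a byte 11; the kernel filter would not match either
    return (udp_datagram[DNS_FLAGS_LOW_BYTE] & 0x0F) == RCODE_NXDOMAIN

def parse_dns_rcode(udp_datagram: bytes) -> int:
    """Decode RCODE from the 16-bit DNS flags field, to compare with the byte test."""
    (flags,) = struct.unpack_from("!H", udp_datagram, UDP_HEADER_LEN + 2)
    return flags & 0x000F

def udp_port_is_dns(udp_datagram: bytes) -> bool:
    """Equivalent of adding 'udp port 53': either UDP port is 53."""
    src, dst = struct.unpack_from("!HH", udp_datagram, 0)
    return src == 53 or dst == 53

if __name__ == "__main__":
    for rcode in (0, 3):
        pkt = build_dns_response(0x1234, rcode)
        print(f"RCODE={rcode}: filter matches = {bpf_matches_nxdomain(pkt)}, "
              f"parsed RCODE = {parse_dns_rcode(pkt)}")
```

A non-DNS UDP datagram whose byte 11 ends in 3 satisfies bpf_matches_nxdomain but fails udp_port_is_dns, which is the false positive the port qualifier removes.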
Commands Explanation :
Network commands :
ping
nslookup/dig
netstat/ss
ifconfig
ip
arp
ngrep
traceroute/mtr
nc
iptables/nftables
sysctl
ethtool
nmap
whois
lsof
telnet
ssh
network manager
paping
nethogs/ab/nload/iptraf/netperf/iperf/iftop/netsniff-ng
openvpn
socat
Note:
1. PCAP stands for Packet Capture, a file format used to store network packet data captured from a network interface. It is commonly associated with network analysis and troubleshooting. PCAP files contain the raw data of the captured packets, including the headers and payloads of each packet.
2. To analyze a .pcap file, the most commonly used tool is Wireshark, a powerful packet analysis tool with a graphical interface. It also understands all the protocols mentioned below.
3. Berkeley Packet Filter - BPF
Reference :