which have a bad connection. You can also use it to capture SIP packets for troubleshooting if you work as a voice engineer.
Before executing this command, you need to know how to list all the interfaces on the host, like this:
GBSBC-1:~ # ip link show
1: lo: mtu 16436 qdisc noqueue state UNKNOWN
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: eth0: mtu 1500 qdisc mq state UP qlen 1000
    link/ether b8:ac:6f:65:31:e5 brd ff:ff:ff:ff:ff:ff
3: wlan0: mtu 1500 qdisc mq state DOWN qlen 1000
    link/ether 00:21:6a:ca:9b:10 brd ff:ff:ff:ff:ff:ff
4: vboxnet0: mtu 1500 qdisc noop state DOWN qlen 1000
    link/ether 0a:00:27:00:00:00 brd ff:ff:ff:ff:ff:ff
5: pan0: mtu 1500 qdisc noop state DOWN
    link/ether c2:10:fa:55:8e:32 brd ff:ff:ff:ff:ff:ff
6: vmnet1: mtu 1500 qdisc pfifo_fast state UNKNOWN qlen 1000
    link/ether 00:50:56:c0:00:01 brd ff:ff:ff:ff:ff:ff
11: ppp0: mtu 1496 qdisc pfifo_fast state UNKNOWN qlen 3
    link/ppp
lo : Loopback interface
eth0 : Ethernet network interface
wlan0 : Wireless Ethernet interface
ppp0 : Point-to-point network interface
vboxnet0 : Virtual machine interface working in bridge mode
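Picking the right interface for "-i" is easier when you can filter the ip link listing by state instead of reading it by eye. The following Python helper is an added example, not code from the original post; it parses a constructed sample in the layout ip link show prints (hypothetical MAC addresses, and with the <...> flag field that the listing above lost) and returns the interfaces that are actually able to carry traffic.

```python
import re
from typing import List

# Constructed sample in the layout `ip link show` prints (hypothetical MACs,
# not the output from this page). The <...> flag field is included because
# that, together with "state", tells you whether an interface can carry
# traffic worth capturing.
SAMPLE_IP_LINK = """\
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue state UNKNOWN
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP qlen 1000
    link/ether 02:00:00:00:00:01 brd ff:ff:ff:ff:ff:ff
3: wlan0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc mq state DOWN qlen 1000
    link/ether 02:00:00:00:00:02 brd ff:ff:ff:ff:ff:ff
4: vboxnet0: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN qlen 1000
    link/ether 02:00:00:00:00:03 brd ff:ff:ff:ff:ff:ff
11: ppp0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1496 qdisc pfifo_fast state UNKNOWN qlen 3
    link/ppp
"""

# Header line: "<index>: <name>[@parent]: <flags> mtu N ... state S ..."
HEADER_RE = re.compile(
    r"^(?P<index>\d+): (?P<name>[^:@\s]+)(?:@\S+)?: <(?P<flags>[^>]*)>"
    r" mtu (?P<mtu>\d+).*?\bstate (?P<state>\S+)"
)
# Indented line that follows it: "link/<type> [<address> brd ...]"
LINK_RE = re.compile(r"^\s+link/(?P<type>\S+)(?: (?P<addr>\S+))?")


def parse_ip_link(text: str) -> List[dict]:
    """Turn `ip link show` output into one dict per interface."""
    interfaces: List[dict] = []
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            rec = m.groupdict()
            rec["index"] = int(rec["index"])
            rec["mtu"] = int(rec["mtu"])
            rec["flags"] = rec["flags"].split(",") if rec["flags"] else []
            interfaces.append(rec)
            continue
        m = LINK_RE.match(line)
        if m and interfaces:  # the link/ line belongs to the last header seen
            interfaces[-1]["link_type"] = m.group("type")
            interfaces[-1]["mac"] = m.group("addr") or ""
    return interfaces


def capture_candidates(interfaces: List[dict]) -> List[str]:
    """Interfaces worth passing to `tcpdump -i`: administratively UP,
    not DOWN at the link level, and not the loopback device."""
    return [
        i["name"]
        for i in interfaces
        if "UP" in i["flags"] and i["state"] != "DOWN" and "LOOPBACK" not in i["flags"]
    ]


if __name__ == "__main__":
    ifaces = parse_ip_link(SAMPLE_IP_LINK)
    for iface in ifaces:
        print(f"{iface['index']:>3} {iface['name']:<10} {iface['state']:<8} {iface.get('mac', '')}")
    print("capture candidates:", capture_candidates(ifaces))
```

Run it against `ip link show | python3 thisfile.py`-style input by replacing SAMPLE_IP_LINK with sys.stdin.read(); on the sample it reports eth0 and ppp0 as capture candidates, while wlan0 (no carrier) and vboxnet0 (not UP) are skipped.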
Let's start learning it:
When you execute the tcpdump command without any option, you capture all packets from all interfaces. If you want to capture on just one interface, the "-i" option lets you select it.
Example:
The "-c" option tells tcpdump to stop after capturing the number of packets you specify.
If you want to see the packet contents in ASCII as well, execute tcpdump with "-A", as shown below.
Sometimes the output of tcpdump needs to be kept in a file. For this case, the "-w" option helps you:
root@anakin:~# tcpdump -c 5 -i eth0 -w egemen.pcap
tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
5 packets captured
13 packets received by filter
0 packets dropped by kernel
* You can use the "tcpick" command to read the .pcap file.
Filtering by Host (src/dst) and Port

port : Match only packets coming from or going to a specific port. Example: port 69
host : Match only packets coming from or going to a specific host. Example: host B
src : Match only packets coming from (src = source) a specific host. Example: src host A
dst : Match only packets going to (dst = destination) a specific host. Example: dst host C

Throughout these examples you can use standard logic to combine different filters:
and or &&
or or ||
not or !
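The difference between host, src and dst, and how and/or/not combine them, is easiest to see by running the same expressions over a small known set of packets. The Python model below is an added example, not part of the original post: it reimplements the page's keywords as predicates over constructed sample traffic, with hypothetical addresses 10.0.0.1, 10.0.0.2 and 10.0.0.3 standing in for the hosts A, B and C above, and shows how many packets each expression keeps.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List


@dataclass(frozen=True)
class Packet:
    src: str    # source IP
    dst: str    # destination IP
    sport: int  # source port
    dport: int  # destination port


# Constructed sample traffic with hypothetical addresses standing in for the
# hosts A, B and C used in the text above.
A, B, C = "10.0.0.1", "10.0.0.2", "10.0.0.3"
PACKETS: List[Packet] = [
    Packet(A, B, 40000, 69),    # A -> B  TFTP request
    Packet(B, A, 69, 40000),    # B -> A  TFTP reply
    Packet(A, C, 40001, 5060),  # A -> C  SIP request
    Packet(C, A, 5060, 40001),  # C -> A  SIP reply
    Packet(B, C, 40002, 22),    # B -> C  SSH
]

Filter = Callable[[Packet], bool]


# Primitives with the same meaning as the tcpdump keywords: "host" and "port"
# match either direction, "src"/"dst" pin one end of the conversation.
def host(h: str) -> Filter:
    return lambda p: p.src == h or p.dst == h

def src_host(h: str) -> Filter:
    return lambda p: p.src == h

def dst_host(h: str) -> Filter:
    return lambda p: p.dst == h

def port(n: int) -> Filter:
    return lambda p: p.sport == n or p.dport == n

def src_port(n: int) -> Filter:
    return lambda p: p.sport == n

def dst_port(n: int) -> Filter:
    return lambda p: p.dport == n


# Combinators standing in for and / or / not (&& / || / !).
def and_(*fs: Filter) -> Filter:
    return lambda p: all(f(p) for f in fs)

def or_(*fs: Filter) -> Filter:
    return lambda p: any(f(p) for f in fs)

def not_(f: Filter) -> Filter:
    return lambda p: not f(p)


def select(f: Filter, packets: List[Packet] = PACKETS) -> List[Packet]:
    """Return the packets tcpdump would keep for filter f."""
    return [p for p in packets if f(p)]


# Each tcpdump expression next to its equivalent in this model.
EXAMPLES: Dict[str, Filter] = {
    "port 69": port(69),
    f"host {B}": host(B),
    f"src host {A}": src_host(A),
    f"dst host {C}": dst_host(C),
    f"host {A} and port 5060": and_(host(A), port(5060)),
    f"host {A} and not port 69": and_(host(A), not_(port(69))),
    "port 22 or port 69": or_(port(22), port(69)),
    f"src host {A} and dst port 69": and_(src_host(A), dst_port(69)),
}


def match_counts() -> Dict[str, int]:
    """How many of the sample packets each expression matches."""
    return {expr: len(select(f)) for expr, f in EXAMPLES.items()}


if __name__ == "__main__":
    for expr, n in match_counts().items():
        print(f"{expr:<40} -> {n} packet(s)")
```

Note that "host B" keeps both directions of the TFTP exchange plus the SSH packet B sends, whereas "src host A" keeps only what A originates; "src host A and dst port 69" narrows that to the single request. The same expressions can be passed verbatim to tcpdump.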
Change how you want to see the output of tcpdump:
"-t" changes the timestamp format of the output and can be repeated, as shown below:
-t >> Don't print a timestamp on each dump line.
-tt >> Print an unformatted timestamp on each dump line.
-ttt >> Print a delta between the current and previous line on each dump line.
-tttt >> Print a timestamp in default format preceded by the date on each dump line.
-ttttt >> Print a delta between the current and first line on each dump line.
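The five -t settings are all derived from the same raw timestamp, so the relationship between them is clearest when one capture is re-rendered in every mode. The Python script below is an added example, not from the original post: it takes constructed lines in the shape of -tt output (epoch seconds plus microseconds, hypothetical addresses) and rewrites them as tcpdump would print them under -t, -ttt, -tttt and -ttttt, using integer microseconds so the deltas are exact. Absolute times are rendered in UTC for reproducibility; tcpdump itself uses local time.

```python
from datetime import datetime, timezone
from typing import List, Tuple

# Constructed lines in the shape of `tcpdump -tt -n` output: an epoch
# timestamp with microseconds, then the packet summary. Hypothetical hosts.
TT_LINES = [
    "1700000000.000000 IP 10.0.0.1.40000 > 10.0.0.2.69: UDP, length 20",
    "1700000000.250000 IP 10.0.0.2.69 > 10.0.0.1.40000: UDP, length 516",
    "1700000001.000000 IP 10.0.0.1.40001 > 10.0.0.3.5060: UDP, length 640",
    "1700000005.500000 IP 10.0.0.3.5060 > 10.0.0.1.40001: UDP, length 380",
]

US = 1_000_000  # microseconds per second


def split_ts(line: str) -> Tuple[int, str]:
    """Split a -tt line into (timestamp in integer microseconds, rest of line)."""
    head, rest = line.split(" ", 1)
    sec, _, frac = head.partition(".")
    return int(sec) * US + int(frac.ljust(6, "0")[:6]), rest


def fmt_delta(us: int) -> str:
    """Format a delta as hh:mm:ss.uuuuuu, the shape tcpdump uses for -ttt/-ttttt."""
    sec, frac = divmod(us, US)
    h, rem = divmod(sec, 3600)
    m, s = divmod(rem, 60)
    return f"{h:02d}:{m:02d}:{s:02d}.{frac:06d}"


def fmt_abs(us: int, with_date: bool) -> str:
    """Absolute time, with the date prepended for -tttt (UTC here, local time in tcpdump)."""
    sec, frac = divmod(us, US)
    dt = datetime.fromtimestamp(sec, tz=timezone.utc)
    shape = "%Y-%m-%d %H:%M:%S" if with_date else "%H:%M:%S"
    return f"{dt.strftime(shape)}.{frac:06d}"


def rewrite_timestamps(lines: List[str], mode: str) -> List[str]:
    """Re-render -tt lines as tcpdump would print them under another -t setting."""
    out: List[str] = []
    prev = first = None
    for line in lines:
        ts, rest = split_ts(line)
        if first is None:
            first = prev = ts
        if mode == "t":          # no timestamp at all
            prefix = ""
        elif mode == "tt":       # raw seconds.microseconds since the epoch
            prefix = f"{ts // US}.{ts % US:06d} "
        elif mode == "ttt":      # delta from the previous line (zero on the first)
            prefix = fmt_delta(ts - prev) + " "
        elif mode == "tttt":     # date and time of day
            prefix = fmt_abs(ts, True) + " "
        elif mode == "ttttt":    # delta from the first line
            prefix = fmt_delta(ts - first) + " "
        else:
            raise ValueError(f"unknown -t mode: {mode}")
        prev = ts
        out.append(prefix + rest)
    return out


if __name__ == "__main__":
    for mode in ("t", "tt", "ttt", "tttt", "ttttt"):
        print(f"--- -{mode}")
        for line in rewrite_timestamps(TT_LINES, mode):
            print(line)
```

On the sample, -ttt shows the 4.5 s gap before the SIP reply while -ttttt shows that reply arriving 5.5 s into the capture; the former is the one to read when hunting for a slow hop, the latter when correlating against a log with a known start time.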
With "-n", tcpdump does not convert host addresses to names.
"-nn" also does not convert protocol and port numbers to names.
"-v" >> Gives more detail on the packets, such as the TTL and ID values.
"-vv" >> Even more verbose output. For example, additional fields are printed from NFS reply packets, and SMB packets
"-vvv" >> Even more verbose output. For example, telnet SB ... SE options are printed in full.
All the options explained above are commonly used by engineers from different departments. If you want more detailed information about tcpdump, you can visit the tcpdump man page on the main website:
https://www.tcpdump.org/tcpdump_man.html
Please do not hesitate to ask me any question about tcpdump by e-mail.