Monitoring connections on interface eth0 destined to host 192.168.210.201, without resolving names or ports:
# tcpdump -i eth0 dst 192.168.210.201 -nn
09:23:09.826907 IP 192.168.210.5.22 > 192.168.210.201.2210: P 188964:189112(148) ack 833 win 8576
09:23:09.826958 IP 192.168.210.5.22 > 192.168.210.201.2210: P 189112:189260(148) ack 833 win 8576
Monitoring connections on interface eth0 from host 192.168.210.201 to host 192.168.210.5, without resolving names or ports:
# tcpdump -i eth0 src 192.168.210.201 and dst 192.168.210.5 -nn
09:24:42.805222 IP 192.168.210.201.2210 > 192.168.210.5.22: . ack 1005731904 win 65287
09:24:43.003885 IP 192.168.210.201.2210 > 192.168.210.5.22: . ack 133 win 65155
Monitoring connections on interface eth0 from host 192.168.210.201 to host 192.168.210.5, EXCEPT port 22 (ssh), without resolving names or ports:
# tcpdump -i eth0 src 192.168.210.201 and dst 192.168.210.5 and not port 22 -nn
09:27:40.065359 IP 192.168.210.201.2346 > 192.168.210.5.98: . ack 3794525559 win 64846
09:27:40.232109 IP 192.168.210.201.2346 > 192.168.210.5.98: F 0:0(0) ack 1 win 64846
Monitoring connections on interface eth0 with host 192.168.210.201 as either source or destination:
# tcpdump -i eth0 host 192.168.210.201 -nn
09:28:12.404899 IP 192.168.210.5.22 > 192.168.210.201.2210: P 2104076:2104224(148) ack 9465 win 16080
09:28:12.404943 IP 192.168.210.5.22 > 192.168.210.201.2210: P 2104224:2104372(148) ack 9465 win 16080
Monitoring connections on interface eth0 from host 192.168.210.201 to host 192.168.210.5, EXCEPT port 22 (ssh), without resolving names or ports, and writing the command's output to the file log_tcpdump (in the current directory):
# tcpdump -i eth0 src 192.168.210.201 and dst 192.168.210.5 and not port 22 -nn -w log_tcpdump
tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 68 bytes
^C7 packets captured
7 packets received by filter
0 packets dropped by kernel
# ls
log_tcpdump
Monitoring incoming / outgoing connections on port 80 (http) on interface eth0 (when no listening device is given with "-i ethX", interface eth0 is listened on by default):
# tcpdump port 80
09:37:00.589858 IP 5b.16.344a.static.theplanet.com.http > master.ctberrini.com.br.46682: P 814487551:814488703(1152) ack 4015645779 win 1758
09:37:00.664095 IP master.ctberrini.com.br.46682 > 5b.16.344a.static.theplanet.com.http: . ack 1152 win 0
09:37:01.830973 IP 5b.16.344a.static.theplanet.com.http > master.ctberrini.com.br.46682: . ack 1 win 1758
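The examples above all use the same handful of filter primitives (src, dst, host, port, not, and). The following script is an added example, not part of the original page and not tcpdump's own code: it parses the "-nn" text output format shown above into structured records and evaluates that subset of filter syntax against them, so you can check which lines each expression selects before running it live. The sample lines are taken from the output above; the parser only covers the IPv4 "ip.port > ip.port:" header and the leading TCP flag field, and the filter evaluator only supports the primitives used on this page (no parentheses, no "or").

```python
import re
from dataclasses import dataclass

# Matches the header tcpdump -nn prints for IPv4 packets:
# "HH:MM:SS.usec IP a.b.c.d.sport > e.f.g.h.dport: <rest>"
LINE_RE = re.compile(
    r'^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) IP '
    r'(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > '
    r'(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): (?P<rest>.*)$'
)

@dataclass(frozen=True)
class Packet:
    ts: str
    src: str
    sport: int
    dst: str
    dport: int
    flags: str  # TCP flag summary as printed: 'P', '.', 'F', 'S', ...

def parse_line(line):
    """Parse one tcpdump -nn output line; return None if it is not an IPv4 header line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rest = m.group('rest')
    flags = rest.split(' ', 1)[0] if rest else ''
    return Packet(m.group('ts'), m.group('src'), int(m.group('sport')),
                  m.group('dst'), int(m.group('dport')), flags)

def make_filter(expr):
    """Build a predicate from the filter subset used on this page:
    [not] (src|dst|host) ADDR | [not] port N, joined by 'and'."""
    tokens = expr.split()
    preds = []
    i = 0
    while i < len(tokens):
        negate = False
        if tokens[i] == 'not':
            negate = True
            i += 1
        if i + 1 >= len(tokens):
            raise ValueError(f'incomplete primitive in: {expr!r}')
        kind, value = tokens[i], tokens[i + 1]
        i += 2
        if kind == 'src':
            p = lambda pkt, v=value: pkt.src == v
        elif kind == 'dst':
            p = lambda pkt, v=value: pkt.dst == v
        elif kind == 'host':
            p = lambda pkt, v=value: v in (pkt.src, pkt.dst)
        elif kind == 'port':
            p = lambda pkt, v=int(value): v in (pkt.sport, pkt.dport)
        else:
            raise ValueError(f'unsupported primitive: {kind}')
        # p(pkt) != negate flips the result only when 'not' preceded the primitive
        preds.append(lambda pkt, p=p, n=negate: p(pkt) != n)
        if i < len(tokens):
            if tokens[i] != 'and':
                raise ValueError(f"expected 'and', got {tokens[i]!r}")
            i += 1
    return lambda pkt: all(p(pkt) for p in preds)

# Constructed sample: output lines copied from the captures shown on this page.
SAMPLE = [
    "09:23:09.826907 IP 192.168.210.5.22 > 192.168.210.201.2210: P 188964:189112(148) ack 833 win 8576",
    "09:24:42.805222 IP 192.168.210.201.2210 > 192.168.210.5.22: . ack 1005731904 win 65287",
    "09:27:40.065359 IP 192.168.210.201.2346 > 192.168.210.5.98: . ack 3794525559 win 64846",
    "09:27:40.232109 IP 192.168.210.201.2346 > 192.168.210.5.98: F 0:0(0) ack 1 win 64846",
]

def select(expr, lines=SAMPLE):
    """Return the parsed packets from `lines` that the filter expression matches."""
    match = make_filter(expr)
    pkts = (parse_line(l) for l in lines)
    return [p for p in pkts if p is not None and match(p)]

if __name__ == '__main__':
    for expr in ("dst 192.168.210.201",
                 "src 192.168.210.201 and dst 192.168.210.5",
                 "src 192.168.210.201 and dst 192.168.210.5 and not port 22",
                 "host 192.168.210.201"):
        print(f"{expr!r} matches {len(select(expr))} of {len(SAMPLE)} lines")
```

Running this shows, for instance, that "not port 22" excludes a packet if port 22 appears on either side, which is the same semantics tcpdump applies: "port" is unqualified, so it matches source or destination. Qualify it as "src port 22" or "dst port 22" in tcpdump when only one direction is meant.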