[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: How do you use TCPDump?

On Thu, Mar 3, 2011 at 09:43, Mike Viau <viaum@sheridanc.on.ca> wrote:

> On Wed, 2 Mar 2011 22:00:41 -0600 <jhsu802701@jasonhsu.com> wrote:
> I have it installed, and I can look up the parameters in the command.
> What I don't understand is how I use it to investigate intrusions.  Can someone shed some light on this?

What kind of intrusions are you looking for? TCPDump is a packet analyze so what is analyzed is based on what filters you are looking for. TCPDump uses the libpcap library to capture packets. You can receive the packets based on the protocol type. You can specify
one of these protocols — fddi, tr, wlan, ip, ip6, arp, rarp, decnet,
tcp and udp.

You may also specify a port number to monitor which is nice if you are investigating a particular service. Or an IP address if you are interested in a specific host.

The filter may be used in combinations with and'ing / or'ing them together. I tend to wrap my filters in single quotes, for example: tcpdump -i eth0 -n  'tcp and port 80 and dst'

One tip is to pass the -n switch when running because DNS queries slow down captures.

Hope that helps :)


To UNSUBSCRIBE, email to debian-user-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
Archive: [🔎] BAY148-w174AE84D50A7F526D341E4EFC30@phx.gbl" target="_blank">http://lists.debian.org/[🔎] BAY148-w174AE84D50A7F526D341E4EFC30@phx.gbl

Tcpdump and Ethereal are very similar in terms of capture filters.  They both use libpcap.

Reply to: