Advanced wireshark display filters

Tcpdump can be configured to only capture traffic that matches a specified filter. Packet filtering is an important skill when capturing and managing large network dumps, and there are several tools and techniques that simplify searching for and extracting useful data from a capture.

To include a filter, append a quoted filter string to the command line. Here is a simple example that captures LIVE packets coming to and from 192.168.1.10:

tcpdump -i eth0 -ttttnn "host 192.168.1.10"

In case you need to filter a previously saved pcap file (e.g. one produced by tcpdump -w capture.pcap -s 1550), you can use the -r flag combined with the same filter:

tcpdump -r capture.pcap "host 192.168.1.10"

It is recommended to use the following command line to speed up reading existing pcap files. -tttt prints a full date and timestamp on each line, and -nn disables host and port name resolution, so tcpdump neither stalls on reverse DNS lookups nor sends a DNS query for every address that appears in the capture:

tcpdump -ttttnnr capture.pcap "host 192.168.1.10"

Note that the expressions below are capture (BPF) filters, the syntax tcpdump and Wireshark's capture filter share. Wireshark display filters use a different syntax (e.g. ip.addr == 192.168.1.10), so these expressions cannot be pasted into the display filter bar unchanged.

The tcpdump man pages include the complete filter syntax; however, here are some of the more useful ones:

Specifying hosts
  host 192.168.1.10 - capture traffic whose source or destination is 192.168.1.10
  dst host 192.168.1.10 - capture traffic whose destination is 192.168.1.10
  src host 192.168.1.10 - capture traffic whose source is 192.168.1.10

Specifying networks
  net 192.168.1.0/24 - capture traffic to or from 192.168.1.0/24
  dst net 192.168.1.0 mask 255.255.255.0 - capture traffic destined for the 192.168.1.0/24 network
  src net localnet - capture traffic coming from the local network (localnet is a network name; it must be resolvable, e.g. from /etc/networks)

Specifying ports
  port 80 - capture traffic to or from port 80
  port 22 and port 50000 - capture traffic involving both ports (e.g. a packet with source port 22 and destination port 50000 will be captured)
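The following is an added example, not code from this page or from tcpdump itself. It writes a small classic pcap (the file format tcpdump -w produces) containing four hypothetical TCP packets, reads the file back, and applies predicates with the same meaning as the host, net and port primitives above, so you can see exactly which packets each expression selects and how "dst net ... mask ..." and "port X and port Y" differ from their unqualified forms. The addresses, ports and the sample.pcap path are assumptions made up for the demonstration.

```python
"""Reproduce tcpdump host/net/port filter semantics over a constructed pcap (added example)."""
import ipaddress
import os
import struct
import tempfile

# Constructed sample flows (hypothetical, not captured traffic): (src_ip, sport, dst_ip, dport)
SAMPLE_FLOWS = [
    ("192.168.1.10", 50000, "10.0.0.5", 22),       # 0: SSH client -> server
    ("10.0.0.5", 22, "192.168.1.10", 50000),       # 1: SSH server -> client
    ("192.168.1.20", 41234, "203.0.113.5", 80),    # 2: HTTP from another LAN host
    ("172.16.0.9", 53, "192.168.2.7", 33333),      # 3: unrelated traffic
]

def build_frame(src, sport, dst, dport):
    """Minimal Ethernet/IPv4/TCP SYN with zero MACs and zero checksums (enough for decoding)."""
    eth = bytes(12) + b"\x08\x00"                                   # ethertype IPv4
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x02, 8192, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return eth + ip + tcp

def write_pcap(path, frames, snaplen=1550):
    """Classic little-endian pcap: 24-byte global header, then 16-byte record header + frame."""
    with open(path, "wb") as f:
        f.write(struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, snaplen, 1))  # linktype 1 = Ethernet
        for i, frame in enumerate(frames):
            f.write(struct.pack("<IIII", 1_700_000_000 + i, 0, len(frame), len(frame)))
            f.write(frame)

def read_pcap(path):
    """Yield (src_ip, sport, dst_ip, dport) for every IPv4/TCP record; skip anything else."""
    with open(path, "rb") as f:
        data = f.read()
    if struct.unpack("<I", data[:4])[0] != 0xA1B2C3D4:
        raise ValueError("not a little-endian classic pcap")
    off = 24
    while off + 16 <= len(data):
        _, _, incl_len, _ = struct.unpack("<IIII", data[off:off + 16])
        frame = data[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 6:  # IPv4 + TCP only
            continue
        ihl = (frame[14] & 0x0F) * 4
        src = str(ipaddress.IPv4Address(frame[26:30]))
        dst = str(ipaddress.IPv4Address(frame[30:34]))
        sport, dport = struct.unpack("!HH", frame[14 + ihl:14 + ihl + 4])
        yield (src, sport, dst, dport)

# Predicates with the same meaning as the tcpdump primitives discussed above.
def _in_net(addr, cidr):
    return ipaddress.ip_address(addr) in ipaddress.ip_network(cidr, strict=False)

def host(a):      return lambda p: a in (p[0], p[2])          # either direction
def src_host(a):  return lambda p: p[0] == a
def dst_host(a):  return lambda p: p[2] == a
def net(n):       return lambda p: _in_net(p[0], n) or _in_net(p[2], n)
def dst_net(n):   return lambda p: _in_net(p[2], n)          # n may be "a.b.c.d/255.255.255.0"
def port(n):      return lambda p: n in (p[1], p[3])
def src_port(n):  return lambda p: p[1] == n
def dst_port(n):  return lambda p: p[3] == n
def and_(*preds): return lambda p: all(f(p) for f in preds)

def matching(path, pred):
    """Indices of the packets in the pcap at `path` that satisfy `pred`."""
    return [i for i, pkt in enumerate(read_pcap(path)) if pred(pkt)]

def demo():
    """Write the constructed capture to a temp file; return {filter expression: matching indices}."""
    fd, path = tempfile.mkstemp(suffix=".pcap")
    os.close(fd)
    try:
        write_pcap(path, [build_frame(*flow) for flow in SAMPLE_FLOWS])
        filters = {
            "host 192.168.1.10": host("192.168.1.10"),
            "dst host 192.168.1.10": dst_host("192.168.1.10"),
            "src host 192.168.1.10": src_host("192.168.1.10"),
            "net 192.168.1.0/24": net("192.168.1.0/24"),
            "dst net 192.168.1.0 mask 255.255.255.0": dst_net("192.168.1.0/255.255.255.0"),
            "port 80": port(80),
            "port 22 and port 50000": and_(port(22), port(50000)),
            "src port 22 and dst port 50000": and_(src_port(22), dst_port(50000)),
        }
        return {expr: matching(path, pred) for expr, pred in filters.items()}
    finally:
        os.remove(path)

if __name__ == "__main__":
    for expr, hits in demo().items():
        print(f"{expr:40} -> packets {hits}")
```

To cross-check against the real tool, keep the file instead of deleting it (write_pcap("sample.pcap", ...)) and run tcpdump -ttttnnr sample.pcap "host 192.168.1.10"; the two packets it prints are the same ones the host predicate selects, and the file is written with snaplen 1550 to mirror the -s 1550 capture above. The point to take from the output is the asymmetry between the forms: "host" and "port" match either direction, while the "src"/"dst" and "mask" forms match only one side, and "port 22 and port 50000" matches both directions of the SSH flow whereas "src port 22 and dst port 50000" matches only the server-to-client packet.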