Tcpdump

From Federal Burro of Information

See also: Wireshark

Dump Syslog packets (tcp)

tcpdump -XSs 0 host 192.168.1.20 and tcp dst port 514
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
22:02:40.666403 IP mummu.52726 > cydonia.shell: P 2549598918:2549598957(39) ack 2091700838 win 2920
     0x0000:  4500 004f 8c6c 4000 4006 2a98 c0a8 0114  E..O.l@.@.*.....
     0x0010:  c0a8 0140 cdf6 0202 97f7 cac6 7cac d266  ...@........|..f
     0x0020:  5018 0b68 bf60 0000 3c31 333e 4e6f 7620  P..h.`..<13>Nov.
     0x0030:  3231 2030 303a 3032 3a31 3020 4f70 656e  21.00:02:10.Open
     0x0040:  5772 7420 726f 6f74 3a20 7465 7374 0a    Wrt.root:.test.
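As an added example (not from the original page), a small Python script that re-assembles the hex dump above into raw bytes, verifies the IPv4 header checksum, and walks IP -> TCP to pull the syslog PRI and message back out. It assumes, as tcpdump -X prints for Ethernet captures, that the dump starts at the IP header (no link-layer bytes); the checksum check is a quick way to confirm a capture was not truncated by a small snaplen.

```python
import re, struct

# Constructed sample: the tcpdump -XSs 0 hex dump of the syslog packet shown above.
DUMP = """\
0x0000:  4500 004f 8c6c 4000 4006 2a98 c0a8 0114  E..O.l@.@.*.....
0x0010:  c0a8 0140 cdf6 0202 97f7 cac6 7cac d266  ...@........|..f
0x0020:  5018 0b68 bf60 0000 3c31 333e 4e6f 7620  P..h.`..<13>Nov.
0x0030:  3231 2030 303a 3032 3a31 3020 4f70 656e  21.00:02:10.Open
0x0040:  5772 7420 726f 6f74 3a20 7465 7374 0a    Wrt.root:.test.
"""
HEX_WORD = re.compile(r"[0-9a-f]{4}|[0-9a-f]{2}")

def hexdump_to_bytes(dump):
    """Rebuild raw packet bytes from tcpdump -X lines, dropping the ASCII gutter."""
    out = bytearray()
    for line in dump.splitlines():
        parts = line.split()
        if not parts or not parts[0].startswith("0x"):
            continue  # not an offset line (e.g. the timestamp/summary line)
        for word in parts[1:]:
            if not HEX_WORD.fullmatch(word):
                break  # first non-hex token starts the ASCII gutter
            out += bytes.fromhex(word)
    return bytes(out)

def ip_checksum(header):
    """RFC 1071 one's-complement sum over the IPv4 header; 0 means it verifies."""
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def parse_syslog_packet(pkt):
    """Walk IPv4 -> TCP -> syslog payload (tcpdump -X output starts at the IP header)."""
    ihl = (pkt[0] & 0x0F) * 4
    total_len = struct.unpack("!H", pkt[2:4])[0]
    if ip_checksum(pkt[:ihl]) != 0:
        raise ValueError("bad IPv4 header checksum: truncated or mangled dump?")
    tcp = pkt[ihl:total_len]
    sport, dport = struct.unpack("!HH", tcp[:4])
    doff = (tcp[12] >> 4) * 4
    payload = tcp[doff:].decode("ascii", "replace")
    pri, _, msg = payload.partition(">")  # syslog PRI = facility * 8 + severity
    pri = int(pri.lstrip("<"))            # <13> -> facility 1 (user), severity 5 (notice)
    return {"src": ".".join(map(str, pkt[12:16])), "dst": ".".join(map(str, pkt[16:20])),
            "sport": sport, "dport": dport, "tcp_flags": tcp[13] & 0x3F,
            "facility": pri // 8, "severity": pri % 8, "msg": msg.rstrip("\n")}
```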


Wireshark display filter (not tcpdump/BPF syntax) for traffic to one host on port 993:

ip.dst == 98.158.95.104 and tcp.dstport == 993

DNS

tcpdump -i eth0 -vvv -s 0 -l -n port 53


Wireshark

Shorten tcpdump or snoop capture files to a time window with Wireshark's editcap (-A start, -B end), for example:

"\Program Files\Wireshark\editcap" -A "2013-08-24 18:18:21" -B "2013-08-24 18:18:22" linuxbaremetal_to_nexenta-nexenta_pov.snoop linuxbaremetal_to_nexenta-nexenta_pov-1sec.snoop

some filters:

exclude RDP traffic:
!(tcp.port == 3389 || udp.port == 3389)

Chrooting in Gentoo

Wut? The strace below explains it: this tcpdump build chroots to /var/lib/tcpdump and drops to an unprivileged uid/gid before it opens the -w output file, so /tmp/curl.out is resolved inside the chroot (i.e. /var/lib/tcpdump/tmp/curl.out), which does not exist.

04:45:39 athena@athena /var/lib/tcpdump # ls -la /tmp/curl.out
ls: cannot access /tmp/curl.out: No such file or directory
04:45:42 athena@athena /var/lib/tcpdump # tcpdump -i lo -w /tmp/curl.out
tcpdump: /tmp/curl.out: No such file or directory
04:45:46 athena@athena /var/lib/tcpdump #
04:53:02 athena@athena /var/lib/tcpdump # strace tcpdump -i lo -w /tmp/curl.out
chroot("/var/lib/tcpdump")              = 0
chdir("/")                              = 0
open("/proc/sys/kernel/ngroups_max", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/etc/group", O_RDONLY|O_CLOEXEC)  = -1 ENOENT (No such file or directory)
setgroups32(1, [116])                   = 0
setgid32(116)                           = 0
setuid32(106)                           = 0
setsockopt(3, SOL_SOCKET, SO_ATTACH_FILTER, "\1\0\0\0DcZ\267", 8) = 0
fcntl64(3, F_GETFL)                     = 0x2 (flags O_RDWR)
fcntl64(3, F_SETFL, O_RDWR|O_NONBLOCK)  = 0
recv(3, 0xbfa9742f, 1, MSG_TRUNC)       = -1 EAGAIN (Resource temporarily unavailable)
fcntl64(3, F_SETFL, O_RDWR)             = 0
setsockopt(3, SOL_SOCKET, SO_ATTACH_FILTER, "\1\0w\267\340\300\35\10", 8) = 0
open("/tmp/curl.out", O_WRONLY|O_CREAT|O_TRUNC|O_LARGEFILE, 0666) = -1 ENOENT (No such file or directory)
write(2, "tcpdump: ", 9tcpdump: )                = 9
write(2, "/tmp/curl.out: No such file or d"..., 40/tmp/curl.out: No such file or directory) = 40
write(2, "\n", 1
)                       = 1
exit_group(1)                           = ?

Web capture

tcpdump -nnSs 0 'port 80' -w /tmp/out.pcap
tcpdump -i eni2bcbcd796a2 -c 10000 -nnSs 0 'port 80' -w /tmp/out.pcap
-c stops the capture after the given packet count, 10,000 in this case.

Capture from a container over some pipes

Assumptions:

1. Only one pod deployed.

2. Alpine base container (hence the apk add).

# find the pod by name via the bastion (assumes exactly one match)
pod=$(ssh ubuntu@bastion kubectl get pod | grep podname | awk '{print $1}')
echo "${pod}"
# install tcpdump in the Alpine container
ssh ubuntu@bastion "kubectl exec ${pod} -- apk add tcpdump"
# grab 1000 full packets (-s0 -c1000), packet-buffered (-U), no name resolution (-n),
# streamed as pcap to stdout (-w -) and saved locally through the ssh pipe
ssh ubuntu@bastion "kubectl exec ${pod} -- tcpdump -s0 -c1000 -U -n -w - -i eth0 'not port 22'" > "/tmp/${pod}.pcap"