Tcpdump
From Federal Burro of Information
Jump to navigationJump to search
also Wireshark
Dump Syslog packets (tcp)
tcpdump -XSs 0 host 192.168.1.20 and tcp dst port 514 tcpdump: verbose output suppressed, use -v or -vv for full protocol decode listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes 22:02:40.666403 IP mummu.52726 > cydonia.shell: P 2549598918:2549598957(39) ack 2091700838 win 2920 0x0000: 4500 004f 8c6c 4000 4006 2a98 c0a8 0114 E..O.l@.@.*..... 0x0010: c0a8 0140 cdf6 0202 97f7 cac6 7cac d266 ...@........|..f 0x0020: 5018 0b68 bf60 0000 3c31 333e 4e6f 7620 P..h.`..<13>Nov. 0x0030: 3231 2030 303a 3032 3a31 3020 4f70 656e 21.00:02:10.Open 0x0040: 5772 7420 726f 6f74 3a20 7465 7374 0a Wrt.root:.test.
ip.dst == 98.158.95.104 and tcp.dstport == 993
DNS
tcpdump -i eth0 -vvv -s 0 -l -n port 53
Wireshark
shorten tcpdump or snoop files by time via wireshark example
"\Program Files\Wireshark\editcap" -A "2013-08-24 18:18:21" -B "2013-08-24 18:18:22" linuxbaremetal_to_nexenta-nexenta_pov.snoop linuxbaremetal_to_nexenta-nexenta_pov-1sec.snoop
some filters:
- remove RDP
!(tcp.port == 3389 || udp.port == 3389)
Chrooting in Gentoo
Wut?
04:45:39 athena@athena /var/lib/tcpdump # ls -la /tmp/curl.out ls: cannot access /tmp/curl.out: No such file or directory 04:45:42 athena@athena /var/lib/tcpdump # tcpdump -i lo -w /tmp/curl.out tcpdump: /tmp/curl.out: No such file or directory 04:45:46 athena@athena /var/lib/tcpdump # 04:53:02 athena@athena /var/lib/tcpdump # strace tcpdump -i lo -w /tmp/curl.out chroot("/var/lib/tcpdump") = 0 chdir("/") = 0 open("/proc/sys/kernel/ngroups_max", O_RDONLY) = -1 ENOENT (No such file or directory) open("/etc/group", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory) setgroups32(1, [116]) = 0 setgid32(116) = 0 setuid32(106) = 0 setsockopt(3, SOL_SOCKET, SO_ATTACH_FILTER, "\1\0\0\0DcZ\267", 8) = 0 fcntl64(3, F_GETFL) = 0x2 (flags O_RDWR) fcntl64(3, F_SETFL, O_RDWR|O_NONBLOCK) = 0 recv(3, 0xbfa9742f, 1, MSG_TRUNC) = -1 EAGAIN (Resource temporarily unavailable) fcntl64(3, F_SETFL, O_RDWR) = 0 setsockopt(3, SOL_SOCKET, SO_ATTACH_FILTER, "\1\0w\267\340\300\35\10", 8) = 0 open("/tmp/curl.out", O_WRONLY|O_CREAT|O_TRUNC|O_LARGEFILE, 0666) = -1 ENOENT (No such file or directory) write(2, "tcpdump: ", 9tcpdump: ) = 9 write(2, "/tmp/curl.out: No such file or d"..., 40/tmp/curl.out: No such file or directory) = 40 write(2, "\n", 1 ) = 1 exit_group(1) = ?
Web capture
tcpdump -nnSs 0 'port 80' -w /tmp/out.pcap
tcpdump -i eni2bcbcd796a2 -c 10000 -nnSs 0 'port 80' -w /tmp/out.pcap
-c for count 10,000 in this case.
Capture from a container over some pipes
Assumptions:
1. only one pod deployed.
2. alpine base container ( hence the apk install )
pod=`ssh ubuntu@bastion kubectl get pod | grep podname| awk '{print $1}'` echo ${pod} # install tcpdump ssh ubuntu@bastion "kubectl exec ${pod} -- apk add tcpdump" # grab 1000 packets ssh ubuntu@bastion "kubectl exec ${pod} -- tcpdump -s0 -c1000 -U -n -w - -i eth0 'not port 22'" > /tmp/${pod}.pcap