Thursday, June 23, 2011

Good Syntax Examples for TCP DUMP command in Linux / Checkpoint Secureplatform

TCP Dump
How can I show ALL traffic on a specified interface?

tcpdump -i eth0

Will show ALL traffic on interface eth0.

How can I capture a specified number of packets?

tcpdump -c 20 -i eth0

The -c argument specifies the number of packets to capture. For example, this command will capture 20 packets on the specified interface eth0 and quit:

How do I show the MAC address in the capture?

tcpdump -e -i eth0

This filter will display the MAC address as well as the basic information.
How can I look for the Welchia Worm with TCPDUMP?

tcpdump -tnn -i eth0 "icmp[icmptype]==icmp-echo && icmp[8]==0xAA && icmp[9]==0xAA && icmp[10]==0xAA && icmp[11]==0xAA"

Sure can. Try this script. Keep in mind that your sniffer will need to be located where it can see all traffic on your network for this to be useful.

How can I use TCPDUMP to determine the top talker on my network?

tcpdump -tnn -c 20000 -i eth0 | awk -F "." '{print $1"."$2"."$3"."$4}' | sort | uniq -c | sort -nr | awk ' $1 > 100 '

Depending on how busy your network is, you might want to lower the `-c 20000' (packet count) to fit your needs. This script will capture 20,000 packets and sort by top talkers

No comments: