Reese Knowledgebase

Various tcpdump commands




Article ID: 133
by: Reese K.
Posted: 10 Oct, 2013
Last updated: 10 Oct, 2013

Various tcpdump use cases

Capture DHCP requests and replies


PXE pxedhcp01 ~ # tcpdump -i eth1 \(port 67 or port 68\)
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth1, link-type EN10MB (Ethernet), capture size 96 bytes
16:12:28.564974 IP 0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request from 00:21:5e:09:60:80 (oui Unknown), length 548
16:12:28.565003 IP 0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request from 00:21:5e:09:60:80 (oui Unknown), length 548
16:12:28.565449 IP 10.30.71.10.67 > 255.255.255.255.68: BOOTP/DHCP, Reply, length 316
16:12:28.565545 IP 10.30.71.10.67 > 255.255.255.255.68: BOOTP/DHCP, Reply, length 316
16:12:32.602043 IP 0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request from 00:21:5e:09:60:80 (oui Unknown), length 548
16:12:32.602119 IP 0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request from 00:21:5e:09:60:80 (oui Unknown), length 548
16:12:32.602353 IP 10.30.71.10.67 > 255.255.255.255.68: BOOTP/DHCP, Reply, length 316
16:12:32.602537 IP 10.30.71.10.67 > 255.255.255.255.68: BOOTP/DHCP, Reply, length 316
16:12:36.666578 IP 0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request from 00:21:5e:09:60:80 (oui Unknown), length 548
16:12:36.666629 IP 0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request from 00:21:5e:09:60:80 (oui Unknown), length 548
16:12:36.666911 IP 10.30.71.10.67 > 255.255.255.255.68: BOOTP/DHCP, Reply, length 316
16:12:36.667052 IP 10.30.71.10.67 > 255.255.255.255.68: BOOTP/DHCP, Reply, length 316
^C
12 packets captured
12 packets received by filter
0 packets dropped by kernel
PXE pxedhcp01 ~ #

The parentheses in the filter above are escaped because the shell would otherwise try to interpret them; quoting the whole expression, as in the MAC example below, does the same job. A broader form that also catches the TFTP transfer a PXE client starts after it has its lease is

tcpdump -n -i any port 67 or port 68 or port 69

Here -n suppresses name lookups so DNS does not slow or alter the output, and -i any captures on every interface at once (Linux only, and in "cooked" LINUX_SLL mode rather than EN10MB, so name a real interface when you care about the Ethernet header).
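Once DHCP traffic is captured this way, the thing worth checking is which hosts are answering: on a segment with a single DHCP server every Reply line should come from that server's address, and a second responder is either a misconfigured host or a rogue server. The script below is an added example, not part of the original article, that reads tcpdump's default one-line output (the format shown above) and summarises the requesting MACs and replying servers. The sample lines are constructed for the example; the second server 10.30.71.200 is hypothetical and stands in for a rogue responder.

```shell
#!/bin/sh
# Added example: summarise BOOTP/DHCP lines from tcpdump's default (non -v) output.
# Feed it the output of a capture such as:  tcpdump -n -l -i eth1 'port 67 or port 68'

# Constructed sample input. 10.30.71.10 is the legitimate server from the capture above;
# 10.30.71.200 is a hypothetical second host answering as a rogue DHCP server would.
SAMPLE='16:12:28.564974 IP 0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request from 00:21:5e:09:60:80 (oui Unknown), length 548
16:12:28.565449 IP 10.30.71.10.67 > 255.255.255.255.68: BOOTP/DHCP, Reply, length 316
16:12:32.602043 IP 0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request from 00:21:5e:09:60:81 (oui Unknown), length 548
16:12:32.602353 IP 10.30.71.10.67 > 255.255.255.255.68: BOOTP/DHCP, Reply, length 316
16:12:32.603001 IP 10.30.71.200.67 > 255.255.255.255.68: BOOTP/DHCP, Reply, length 300'

# dhcp_servers: read tcpdump lines on stdin, print each distinct source IP that sent a
# BOOTP/DHCP Reply. The source is field 3 ("10.30.71.10.67"); the trailing ".port" is cut.
dhcp_servers() {
    awk '/BOOTP\/DHCP, Reply/ {
            src = $3; sub(/\.[0-9]+$/, "", src)
            if (!seen[src]++) print src
         }'
}

# dhcp_clients: read tcpdump lines on stdin, print each distinct client MAC that sent a
# Request. The MAC is the field that follows the literal word "from".
dhcp_clients() {
    awk '/BOOTP\/DHCP, Request from/ {
            for (i = 1; i <= NF; i++)
                if ($i == "from" && !seen[$(i+1)]++) print $(i+1)
         }'
}

# check_dhcp_servers EXPECTED_IP: read tcpdump lines on stdin and return 0 only if every
# Reply came from EXPECTED_IP; otherwise list the unexpected responders on stderr and
# return 1. "grep -v" exits 1 when nothing is left, hence the "|| true".
check_dhcp_servers() {
    expected="$1"
    unexpected=$(dhcp_servers | grep -v -x -F "$expected" || true)
    if [ -n "$unexpected" ]; then
        printf 'unexpected DHCP server(s): %s\n' "$unexpected" >&2
        return 1
    fi
    return 0
}

# Stand-alone run over the constructed sample.
printf '%s\n' "$SAMPLE" | dhcp_clients
printf '%s\n' "$SAMPLE" | dhcp_servers
printf '%s\n' "$SAMPLE" | check_dhcp_servers 10.30.71.10 || echo "rogue DHCP server present"
```

The functions read standard input, so a live capture can be piped straight in; add -l to tcpdump so its output is line-buffered and the summary updates as packets arrive rather than when the capture ends. Because the parsing keys on the literal "Request from" and "Reply" text, keep -n so that addresses are printed as numbers, and do not add -v, which changes the line format.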

Capture traffic from specific MAC address

tcpdump "ether host 00:14:5e:3c:93:ea"

Capture all traffic except ssh

tcpdump -n -i eth0 not port ssh

tcpdump looks the name ssh up in /etc/services and filters on port 22. This is the filter to use when running tcpdump over an SSH session to the capture host: without it, every line of output generates SSH packets, which generate more output, and your own session swamps the capture.
