Monday, October 29, 2012

tcpdump examples



Note: tcpdump options are case sensitive (-i and -I are different options).

 

Syntax

tcpdump [-options] [filters]

 

Basic Options

List all network interfaces
tcpdump -D

 

Tcpdump basic options
tcpdump -nn -vvv -X -t

-nn don't resolve addresses to host names or port numbers to service names

-v, -vv, -vvv print increasingly verbose output

-X print the frame payload in hex and ASCII

-t don't print timestamps

 

Run tcpdump in quick output mode
tcpdump -q

 

Capture only 10 packets on all interfaces
tcpdump -i any -c 10

 

Layer-2 filter

Display Layer-2 MAC addresses in the output without name resolution
tcpdump -i eth1 -e -n

 

Layer-3 filter

Display traffic on any interface except port 80
tcpdump -i any not port 80

 

Capture traffic on interface eth1 from source 192.168.10.1 to destination port 22 (the filter is quoted so the shell does not interpret it; "and" and "&&" are equivalent in tcpdump syntax)
tcpdump -i eth1 -nn -vv 'src host 192.168.10.1 and dst port 22'

 

Capture traffic on interface eth1 from network 192.168.10.0/24 to network 10.0.0.0/8 or 172.16.0.0/16 (without the parentheses "and" binds tighter than "or", and a CIDR prefix must be qualified with "net")
tcpdump -i eth1 -nnvv 'src net 192.168.10.0/24 and (dst net 10.0.0.0/8 or dst net 172.16.0.0/16)'

 

Capture traffic on interface eth1 from network 4.4.0.0/20 that is ICMP or destined to port 3389 (tcpdump rejects a prefix with host bits set, so the network is written as 4.4.0.0/20)
tcpdump -i eth1 -nnq 'net 4.4.0.0/20 and (icmp or dst port 3389)'

Note: the quotes stop the shell from interpreting special characters such as the parentheses in this example

 

 

Capture DNS queries that end with ".co.il" (-l line-buffers the output so grep sees each line as it is printed)
tcpdump -i eth1 -nnXq -l udp port 53 | grep "\.co\.il$"

 

Display HTTP headers
tcpdump -vvvs 1024 -l -A host google.com

 

Layer-7 filter

Capture HTTP GET requests and HTTP responses from host 192.168.10.1 into a file (-w writes the file; -W is the file count for rotation)
tcpdump -i eth1 -nns 1400 -w TEST01.cap 'host 192.168.10.1 and (tcp[20:2] = 18245 or tcp[20:2] = 18516)'

"tcp[20:2]" tells tcpdump to take two bytes starting at byte offset 20 of the TCP segment, which is the start of the payload when the TCP header carries no options. 18245 => 0x4745 => "GE" as in "GET". My version of tcpdump only allows 1, 2 or 4 bytes to be compared, so I settled for two. 18516 => 0x4854 => "HT" as in "HTTP".

 

Filter ICMP

Capture all ICMP packets except echo-request (type 8) and echo-reply (type 0)
tcpdump -i eth1 -nn 'icmp and icmp[0] != 8 and icmp[0] != 0'

Also, using the named constants:

tcpdump -i eth1 -nn 'icmp and icmp[icmptype] != icmp-echo and icmp[icmptype] != icmp-echoreply'

 

Filter TOS byte

Display all IP packets with a ToS byte other than 0 (the default)
tcpdump -i eth1 -vvnn 'ip and ip[1] != 0'

 

Display all IP packets with DSCP AF19 (the ToS byte is the 6-bit DSCP value shifted left by two bits, so DSCP 19 with zero ECN bits is 76)
tcpdump -i eth1 -vvnn 'ip and ip[1] = 76'

 

Filter based TTL

Display IP packets with a TTL lower than 2
tcpdump -v 'ip and ip[8] < 2'

This looks at byte 8 of the IP header (counting from 0), which is the TTL field, and matches when its value is less than 2

 

Filter based on TCP Flags

Display TCP segments with the SYN flag set, whether or not other flags are set as well (SYN-ACK matches too)
tcpdump -n 'tcp and port 80 and tcp[tcpflags] & tcp-syn == tcp-syn'

 

Display TCP segments with the SYN flag only
tcpdump -n 'tcp and port 80 and tcp[tcpflags] == tcp-syn'

 

Display SIP Invitation

Display SIP INVITE messages sent to a SIP server at UDP port 5060
tcpdump -i eth1 -nnvvs 0 'udp dst port 5060 and (udp[8:4] = 1229870665)'

"udp[8:4] = 1229870665" means take 4 bytes starting at byte offset 8 of the UDP datagram (the first 4 bytes of the payload, since the UDP header is 8 bytes) and compare them with 1229870665, which in hex is 49 4e 56 49 and in ASCII is "INVI"

 

Capture DNS queries

Capture DNS queries [UDP port 53] and show all queries starting with "www." and ending with ".co.il"
tcpdump -i eth1 -nnA -l udp port 53 | grep -E "www\..*\.co\.il"

 

 

Full Packet Capture

Display 100 packets without name resolution, very very verbose, with full packet length (-s 0) and absolute TCP sequence numbers (-S)
tcpdump -i eth1 -nnvvvSs 0 -c 100

 

Port range filter

Display traffic from/to host 192.168.10.1 on TCP ports 80 through 500
tcpdump -i eth1 -nnvv 'host 192.168.10.1 and tcp portrange 80-500'

 

VLAN filter

Display traffic from VLAN 115
tcpdump -i eth1 -nnvv -e vlan 115

Note: for the VLAN filter to work, the 802.1Q tags must be preserved, so encapsulation has to be configured on the SPAN destination port:

monitor session 1 destination interface Gi1/1 encapsulation dot1q

 

Packet size filter

Display all packets [greater or less] than 1024 bytes
tcpdump -i eth1 -nnvv [greater|less] 1024

 

L2TP packet

Capture L2TP packets carrying IP address 80.74.127.224 (0x504a7fe0) and IP address 85.131.134.34 (0x55838622) at the given UDP payload offsets
tcpdump -nn 'udp[30:4] = 0x504a7fe0 and udp[34:4] = 0x55838622'

Each hex byte converts to one decimal octet of the address: 50 4a 7f e0 => 80.74.127.224
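The byte-offset filters above (tcp[20:2] for "GE"/"HT", tcp[tcpflags] for SYN, udp[8:4] for "INVI" and udp[30:4] for a dotted-quad address) all rest on the same arithmetic: compare 1, 2 or 4 bytes at a fixed offset with a big-endian integer. The following is an added example, not code from the original post, that computes those constants and applies the same proto[offset:length] comparisons to constructed TCP and UDP packets offline, including the case the tcp[20:2] filter misses when the TCP header carries options. The packet builders, port numbers and the HTTP_MARKERS name are assumptions made for the example.

```python
# Added example, not from the original post: compute the numeric constants used in
# tcpdump byte-offset filters such as tcp[20:2] = 18245 (the "GE" of GET),
# udp[8:4] = 1229870665 (the "INVI" of INVITE) and udp[30:4] = 0x504a7fe0 (an IPv4
# address), and apply the same proto[offset:length] comparisons to constructed
# packets so the logic behind each filter can be checked without a live capture.
import ipaddress
import struct

TCP_FIN, TCP_SYN, TCP_RST, TCP_PSH, TCP_ACK = 0x01, 0x02, 0x04, 0x08, 0x10


def ascii_to_bpf_value(text):
    """Big-endian integer tcpdump compares with proto[off:len] for an ASCII string.

    tcpdump can only compare 1, 2 or 4 bytes, hence "GE" rather than "GET".
    """
    if len(text) not in (1, 2, 4):
        raise ValueError("tcpdump compares 1, 2 or 4 bytes only")
    return int.from_bytes(text.encode("ascii"), "big")


def bpf_value_to_ascii(value, length):
    """Inverse of ascii_to_bpf_value: (18245, 2) -> 'GE'."""
    return value.to_bytes(length, "big").decode("ascii")


def ip_to_bpf_value(address):
    """Dotted-quad IPv4 address as the 4-byte integer used in udp[30:4] = 0x504a7fe0."""
    return int(ipaddress.IPv4Address(address))


def bpf_value_to_ip(value):
    """Inverse of ip_to_bpf_value: 0x504a7fe0 -> '80.74.127.224'."""
    return str(ipaddress.IPv4Address(value))


def field(segment, offset, length):
    """proto[offset:length] as tcpdump evaluates it; None when the packet is too short
    (tcpdump treats such a packet as not matching rather than as an error)."""
    if offset + length > len(segment):
        return None
    return int.from_bytes(segment[offset:offset + length], "big")


def tcp_segment(flags, payload, options=b""):
    """Constructed TCP header (checksum left zero) plus options and payload."""
    header_len = 20 + len(options)
    if header_len % 4:
        raise ValueError("TCP options must pad the header to a multiple of 4 bytes")
    data_offset = (header_len // 4) << 4  # byte 12: header length in 32-bit words
    return struct.pack("!HHIIBBHHH", 12345, 80, 1, 0, data_offset, flags, 65535, 0, 0) \
        + options + payload


def udp_datagram(payload, dst_port=5060):
    """Constructed 8-byte UDP header (checksum zero) plus payload."""
    return struct.pack("!HHHH", 5060, dst_port, 8 + len(payload), 0) + payload


def syn_bit_set(segment):
    """'tcp[tcpflags] & tcp-syn == tcp-syn': SYN set, other flags allowed (SYN-ACK matches)."""
    flags = field(segment, 13, 1)
    return flags is not None and flags & TCP_SYN == TCP_SYN


def syn_only(segment):
    """'tcp[tcpflags] == tcp-syn': SYN set and no other flag (SYN-ACK does not match)."""
    return field(segment, 13, 1) == TCP_SYN


HTTP_MARKERS = (ascii_to_bpf_value("GE"), ascii_to_bpf_value("HT"))


def http_at_fixed_offset(segment):
    """The post's 'tcp[20:2] = 18245 or tcp[20:2] = 18516'; assumes a 20-byte TCP header."""
    return field(segment, 20, 2) in HTTP_MARKERS


def http_after_options(segment):
    """Same test, but the payload offset is read from the data-offset byte so segments
    carrying TCP options still match; in tcpdump syntax that offset is
    ((tcp[12] & 0xf0) >> 2)."""
    doff = field(segment, 12, 1)
    if doff is None:
        return False
    return field(segment, (doff & 0xF0) >> 2, 2) in HTTP_MARKERS


def sip_invite(datagram):
    """The post's 'udp[8:4] = 1229870665': the first four payload bytes spell INVI."""
    return field(datagram, 8, 4) == ascii_to_bpf_value("INVI")
```

Running `http_at_fixed_offset` and `http_after_options` on a GET segment built with a 4-byte MSS option shows why the fixed offset 20 is an assumption rather than a rule: the first filter reads the option bytes and misses, the data-offset form still matches.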

 

Broadcast/Multicast filter

Display all broadcast or multicast traffic in quick mode
tcpdump -i eth1 -nnq [broadcast|multicast]

 

Write to file

Capture full traffic from host 192.168.10.254 and write it to the file CAPTURE001.cap
tcpdump -i eth1 -nnvvXSs 0 host 192.168.10.254 -w CAPTURE001.cap

 

Capture traffic from network 172.16.0.0/24 and write it to files named NET-1 no larger than 5 MB each (-C counts millions of bytes, and tcpdump appends a number to the file name at each rotation)
tcpdump -i eth1 -nnvvXSs 0 net 172.16.0.0/24 -C 5 -w NET-1.cap

 

Capture traffic from network 172.16.0.0/24 and write it to a rotating set of 3 files named NET5, none larger than 10 MB
tcpdump -i eth1 -nnvvXSs 0 net 172.16.0.0/24 -C 10 -W 3 -w NET5.cap

 

Capture traffic from network 192.168.10.0/24 and write it to 2 files named FILE01, each holding 2 minutes of capture (with -G the file name needs a strftime pattern, otherwise each rotation overwrites the previous file)
tcpdump -i eth1 -nnvvXSs 0 net 192.168.10.0/24 -G 120 -W 2 -w FILE01-%Y%m%d-%H%M%S.cap

 

Read from file

Read from the file CAPTURE001.cap
tcpdump -r CAPTURE001.cap

 

 

Sunday, October 28, 2012

Bridge-group



Here is a scenario where I had a Cisco 8xx ISR connected to an ADSL line. The ADSL is no more than 100Mbps (actually 15/1Mbps), so I connected it to port FE 8, marked B in the figure, which leaves me with 8 more FE ports and 1 GE port.

The problem is that all 8 FE ports are Ethernet switch ports while the GE port is a WAN port, so how can I utilize the GE port and make it part of my LAN?

What if I have a NAS server which I want to connect to the GE port in order to use a 1000Mbps interface while it is still part of my network?


The solution is a bridge-group, which allows me to place different ports/interfaces into the same broadcast domain.

First configure bridge-group on the router:
bridge 1 protocol ieee
bridge 1 route ip

Then I had to remove all configurations from VLAN 1 and to configure only the following:
interface Vlan1
 no ip address
 bridge-group 1

Configure the same on the GE port:
interface GigabitEthernet0
 no ip address
 load-interval 30
 duplex auto
 speed auto
 bridge-group 1

Then create a BVI (Bridge Virtual Interface), which carries the Layer 3 configuration for this bridge-group:
interface BVI1
 ip address 192.168.10.1 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 load-interval 30

The result, marked A in the figure:
 The GE port is now part of the broadcast domain of VLAN 1, which is configured on all 8 FE ports.


Tuesday, October 23, 2012

BGP Dampening


Let's take the following example:
bgp dampening 10 2500 5000 60

The parameters are as follow:

Half-life: 10 min.
Reuse: 2500 pts.
Suppress-limit: 5000 pts.
Maximum-suppress-time: 60 min.
Maximum Penalty: 30000 pts.

Each route flap costs 1000 pts. The route is suppressed (unusable) when the penalty exceeds 5000 pts. (suppress-limit), and every 10 minutes the penalty is reduced by half (half-life). The maximum time a route can be suppressed is 60 minutes (maximum-suppress-time), which happens when the route reaches the maximum penalty.

How to calculate the maximum penalty:
Max-penalty = reuse-limit × 2^(max-suppress-time / half-life)
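To see how the four parameters interact over time, the following is an added example, not code from the original post: a minute-by-minute model of the penalty bookkeeping using the post's figures (1000 points per flap, half-life 10 min, reuse 2500, suppress 5000, maximum-suppress-time 60 min, maximum penalty 30000). Evaluating the decay once per minute is a simplifying assumption; a router samples the penalty on its own timer. The class and function names are mine.

```python
# Added example, not from the original post: a minute-by-minute model of the penalty
# bookkeeping behind 'bgp dampening 10 2500 5000 60'. Figures are the post's
# (1000 points per flap, half-life 10 min, reuse 2500, suppress 5000, maximum
# penalty 30000); evaluating the decay once per minute is a simplifying assumption.
FLAP_PENALTY = 1000


class Dampening:
    def __init__(self, half_life, reuse, suppress, max_suppress, max_penalty):
        self.half_life = half_life        # minutes for the penalty to halve
        self.reuse = reuse                # route is usable again below this
        self.suppress = suppress          # route is suppressed at or above this
        self.max_suppress = max_suppress  # ceiling on suppression time, minutes
        self.max_penalty = max_penalty    # the penalty is capped here

    def decay(self, penalty, minutes):
        """Exponential decay: the penalty halves every half_life minutes."""
        return penalty * 0.5 ** (minutes / self.half_life)

    def simulate(self, flap_minutes, minutes):
        """Return [(minute, penalty, suppressed)] for minutes 0..minutes, given the
        minutes at which the route flapped (a minute may appear more than once)."""
        penalty, suppressed, since, history = 0.0, False, None, []
        for t in range(minutes + 1):
            if t:
                penalty = self.decay(penalty, 1)
            penalty = min(penalty + FLAP_PENALTY * flap_minutes.count(t), self.max_penalty)
            if not suppressed and penalty >= self.suppress:
                suppressed, since = True, t
            elif suppressed and (penalty < self.reuse or t - since >= self.max_suppress):
                suppressed, since = False, None
            history.append((t, round(penalty), suppressed))
        return history


def suppression_window(history):
    """(start, end) minutes of the first suppression period; end is None if it never ends."""
    start = end = None
    for t, _, state in history:
        if start is None and state:
            start = t
        elif start is not None and not state:
            end = t
            break
    return start, end


if __name__ == "__main__":
    policy = Dampening(half_life=10, reuse=2500, suppress=5000, max_suppress=60, max_penalty=30000)
    # Constructed scenario: the route flaps once a minute for six minutes, then stays stable.
    history = policy.simulate([0, 1, 2, 3, 4, 5], 40)
    for t, penalty, suppressed in history:
        print(f"minute {t:2d}: penalty {penalty:5d} {'suppressed' if suppressed else 'usable'}")
    print("suppressed from minute %s until minute %s" % suppression_window(history))
```

With six flaps one minute apart the decayed penalty crosses 5000 on the sixth flap (minute 5) and falls back below the reuse limit of 2500 at minute 16, roughly one half-life later, which is the behaviour the parameters describe.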

 

Saturday, October 20, 2012

OSPF over Frame-Relay - Part 1



Before we begin, let's review the OSPF network types and the characteristics of each one of them:

Network Type                       LSA Flooding  DR/BDR Election  Timers  Neighbor Statement  Modify Next-hop  Default
Broadcast                          Multicast     Yes              10/40   No                  No               Ethernet
NBMA                               Unicast       Yes              30/120  Yes                 No               Frame-Relay physical interface and point-to-multipoint sub-interface
Point-to-Point                     Multicast     No               10/40   No                  No               Frame-Relay point-to-point sub-interface
Point-to-Multipoint                Multicast     No               30/120  No                  Yes              (ideal for NBMA)
Point-to-Multipoint Non-broadcast  Unicast       No               30/120  Yes                 Yes              -
Loopback                           -             No               30/120  No                  No               -


So in this lab I will try to deal with each one of the network types. For that I will use a hub-and-spoke topology over frame-relay, where R1 is the hub and R2 and R3 are the spokes.


Lab topology:

FRS is configured as frame-relay switch:
interface Serial0/0
 no ip address
 encapsulation frame-relay
 clock rate 128000
 frame-relay lmi-type cisco
 frame-relay intf-type dce
 frame-relay route 102 interface Serial0/1 201
 frame-relay route 103 interface Serial0/2 301
!
interface Serial0/1
 no ip address
 encapsulation frame-relay
 clock rate 128000
 frame-relay lmi-type cisco
 frame-relay intf-type dce
 frame-relay route 201 interface Serial0/0 102
!
interface Serial0/2
 no ip address
 encapsulation frame-relay
 clock rate 128000
 frame-relay lmi-type cisco
 frame-relay intf-type dce
 frame-relay route 301 interface Serial0/0 103
<OUTPUT OMITTED>


First scenario:

R1 is configured with a multipoint sub-interface (s0/0.123), while R2 and R3 are configured with point-to-point sub-interfaces (s0/0.123).

After configuring OSPF on all serial interfaces for all 3 routers nothing happens.

R1's default network type for a multipoint sub-interface is non-broadcast:
R1#sh ip ospf interface serial 0/0.123
Serial0/0.123 is up, line protocol is up
  Internet Address 10.1.123.1/24, Area 0
  Process ID 1, Router ID 192.168.12.1, Network Type NON_BROADCAST, Cost: 64
  Transmit Delay is 1 sec, State WAITING, Priority 1
  No designated router on this network
  No backup designated router on this network
  Timer intervals configured, Hello 30, Dead 120, Wait 120, Retransmit 5
    oob-resync timeout 120
    Hello due in 00:00:23
    Wait time before Designated router selection 00:00:53
  Supports Link-local Signaling (LLS)
  Index 2/2, flood queue length 0
  Next 0x0(0)/0x0(0)
  Last flood scan length is 0, maximum is 0
  Last flood scan time is 0 msec, maximum is 0 msec
  Neighbor Count is 0, Adjacent neighbor count is 0
  Suppress hello for 0 neighbor(s)

While R2 and R3 are using the point-to-point network type:
R2#sh ip ospf interface serial 0/0.123
Serial0/0.123 is up, line protocol is up
  Internet Address 10.1.123.2/24, Area 0
  Process ID 1, Router ID 192.168.22.1, Network Type POINT_TO_POINT, Cost: 64
  Transmit Delay is 1 sec, State POINT_TO_POINT,
  Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5
    oob-resync timeout 40
    Hello due in 00:00:07
  Supports Link-local Signaling (LLS)
  Index 2/2, flood queue length 0
  Next 0x0(0)/0x0(0)
  Last flood scan length is 0, maximum is 0
  Last flood scan time is 0 msec, maximum is 0 msec
  Neighbor Count is 0, Adjacent neighbor count is 0
  Suppress hello for 0 neighbor(s)

Also note that the timers are different. To fix this I will change R1's network type to point-to-multipoint, adjust the timers to match those on R2 and R3, and configure a frame-relay map to each router with the broadcast keyword:
R1#conf t
R1(config)#int s0/0.123
R1(config-subif)#ip ospf network point-to-multipoint
R1(config-subif)#ip ospf hello-interval 10
R1(config-subif)#ip ospf dead-interval 40
R1(config-subif)#frame-relay map ip 10.1.123.2 102 broadcast
R1(config-subif)#frame-relay map ip 10.1.123.3 103 broadcast

And here we go:
R1#sh ip ospf neighbor

Neighbor ID     Pri   State           Dead Time   Address         Interface
192.168.32.1      0   FULL/  -        00:00:32    10.1.123.3      Serial0/0.123
192.168.22.1      0   FULL/  -        00:00:31    10.1.123.2      Serial0/0.123