TCPDUMP:
Link2-Advance
The tcpdump utility is a command line packet sniffer with many features and options.
Refer to the man page for more details:
#man tcpdump
Modifiers:
-n   disable name resolution
-nn  disable name and service port resolution
-i   <if_number or vlan>
-c   (count) number of packets to capture
-w   write (save) the capture to a file
-r   read the capture from a file
-s   specify the amount of each packet to capture; use 0 for no limit
-p   capture for a specific flow and its related peer flow
Example:
Log on to the CLI and start capturing:
tcpdump -nni 0.0:nnn -s0 -c 100000 host <virtual_server_ip> or <pool_member_ip> or <pool_member_ip> or <pool_member_ip> -w /var/tmp/<working|non-working>.pcap
tcpdump -nni 0.0:nnn -s0 -c 100000 '(port 443 and host 192.168.1.100) or (port 80 and host 10.0.0.1 or 10.0.0.2 or 10.0.0.3)' -w /var/tmp/<working|non-working>.pcap
Note: To stop the capture, press CTRL-C.
To select an interface, use the -i flag, as follows:
tcpdump -i <interface>
tcpdump -i <vlan>
For example:
tcpdump -i 2.1
tcpdump -i internal
Disabling name resolution (use the -n flag):
tcpdump -ni internal
To save the tcpdump output:
tcpdump -w <filename>
For example:
tcpdump -w dump1.bin
tcpdump >dump1.txt
tcpdump -w dump1.pcap
Reading tcpdump binary file output:
tcpdump -r <filename>
For example:
tcpdump -r dump1.bin
Filtering on a host address:
To view all packets that are traveling to or from a specific IP address:
tcpdump host <IP address>
To view packets traveling from a specific IP address:
tcpdump src host <IP address>
To view packets traveling to a particular IP address:
tcpdump dst host <IP address>
The same applies for ports:
tcpdump port <port number>
tcpdump src port <port number>
tcpdump dst port <port number>
Combining filters with the 'and' operator:
tcpdump host 10.90.100.1 and port 80
:p modifier:
The :p modifier produces large amounts of data and can cause
significant resource utilization. This additional resource demand may cause
poor performance or a system failure if the BIG-IP system is at high resource
utilization. Use this modifier only with very specific filters.
Note: The :p modifier will continue to produce flow
information for the life of the connection. Subsequent tcpdump captures will
reveal flow information from previous tcpdump captures using the :p modifier if
the connection is still active. To clear flow information from previous use,
run the tcpdump command without the :p modifier, using a filter that matches no
information in the flow, and ensure that some traffic has been received by the
BIG-IP system for the flow.
tcpdump -ni 0.0:nnnp -s0 -c 100000 -w /var/tmp/capture.dmp host <Client IP>
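The combined virtual-server/pool-member filter shown earlier and the :p warning above, put together in a small helper script. This is an added example, not part of the original post or any F5 tooling: it assumes the interface 0.0:nnn, the filter layout '(port X and host VS) or (port Y and host M1 or M2 ...)', and prints the tcpdump command for review instead of running it.

```shell
#!/bin/sh
# Added example (not from the original post). Composes the BIG-IP tcpdump
# command used above from a virtual server and its pool members, and only
# allows the :p (peer flow) modifier together with a host-specific filter.

# build_filter VS_PORT VS_IP MEMBER_PORT MEMBER_IP...
# Prints a BPF expression matching traffic to/from the virtual server on its
# port, or to/from any pool member on the member port. In BPF, 'host A or B'
# carries the 'host' qualifier over to B, which the page's example relies on.
build_filter() {
    vs_port=$1; vs_ip=$2; m_port=$3
    shift 3
    [ $# -ge 1 ] || { echo "build_filter: need at least one pool member" >&2; return 1; }
    members="host $1"; shift
    for m in "$@"; do members="$members or $m"; done
    printf '(port %s and host %s) or (port %s and %s)\n' "$vs_port" "$vs_ip" "$m_port" "$members"
}

# capture_cmd NAME PEER FILTER
# NAME  : working or non-working (capture goes to /var/tmp/NAME.pcap)
# PEER  : yes to append the :p modifier to the interface, anything else to omit it
# FILTER: BPF expression; :p is refused unless it contains a 'host' term,
#         because an unfiltered :p capture can exhaust resources on a busy BIG-IP.
capture_cmd() {
    name=$1 peer=$2 filter=$3
    iface="0.0:nnn"
    if [ "$peer" = yes ]; then
        case $filter in
            *host*) iface="${iface}p" ;;
            *) echo "capture_cmd: :p requires a host-specific filter" >&2; return 1 ;;
        esac
    fi
    # Print only; paste the result into the BIG-IP CLI after checking it.
    printf "tcpdump -nni %s -s0 -c 100000 '%s' -w /var/tmp/%s.pcap\n" "$iface" "$filter" "$name"
}

# Dry run with constructed sample addresses (same values as the page's example).
if [ "${1:-}" = "--demo" ]; then
    f=$(build_filter 443 192.168.1.100 80 10.0.0.1 10.0.0.2 10.0.0.3)
    capture_cmd working yes "$f"
fi
```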
Refer to the link below for more information: