Tuesday, July 8, 2008

TCP DUMP TIPS

  • tcpdump -w trace.cap -p -n -s 0 "udp"
    1. -p : does not put the interface in promiscuous mode, so only frames sent to or from the Asterisk node itself are captured. -n : no name resolution; otherwise we generate a lot of DNS queries, which is not useful at this stage, and we can resolve names afterwards if needed,
    2. -s 0 : we get the full frame, not only the first bytes. When working only at the protocol level it is enough to get the start of each frame, but in our case we need the content of the SIP and RTP frames. 0 means capturing the whole frame,
    3. -w output file : all the captured frames are stored in the file, so we can analyze them from the file afterwards. If '-' is used as the file name, the output is sent to standard output; we will use this later.
  • tcpdump not port 22 (to exclude port 22)
  • tcpdump not port 143 and not port 25 and not port 22
  • tcpdump port 143
  • tcpdump host hal9000 (to get data from a specific host on the network)
  • tcpdump -i eth1
  • tcpdump udp (to specify a protocol )
  • tcpdump -l | tee tcpdump_`date +%Y%m%d-%H.%M` (to save the output for later; -l line-buffers stdout so tee sees each line as it is printed. %d and %H are used instead of %e and %k because the latter are space-padded and would split the unquoted file name.)

To dump the output into a binary format that tcpdump can read back later:
  • tcpdump -w tcpdump_raw_`date +%Y%m%d-%H.%M` (to create the binary capture file)
  • tcpdump -r tcpdump_raw_YYYYMMDD-HH.MM (to read the created file back)

  • To print all packets arriving at or departing from 192.168.0.2:
    # tcpdump -n host 192.168.0.2
  • To print traffic between 192.168.0.2 and either 10.0.0.4 or 10.0.0.5:
    # tcpdump -n host 192.168.0.2 and \( 10.0.0.4 or 10.0.0.5 \)
  • To print all IP packets between 192.168.0.2 and any host except 10.0.0.5 (the -n option must come before the filter expression):
    # tcpdump -n ip host 192.168.0.2 and not 10.0.0.5
  • To print all ftp traffic through internet gateway xx:
    # tcpdump 'gateway xx and (port ftp or ftp-data)'
  • To print traffic neither sourced from nor destined for local hosts (if you gateway to one other net, this stuff should never make it onto your local net):
    # tcpdump ip and not net localnet
  • To print the start and end packets (the SYN and FIN packets) of each TCP conversation that involves a non-local host:
    # tcpdump 'tcp[13] & 3 != 0 and not src and dst net localnet'
  • To print IP packets longer than 576 bytes sent through gateway xx:
    # tcpdump 'gateway xx and ip[2:2] > 576'
  • To print IP broadcast or multicast packets that were not sent via ethernet broadcast or multicast:
    # tcpdump 'ether[0] & 1 = 0 and ip[16] >= 224'
  • To print all ICMP packets that are not echo requests/replies (i.e., not ping packets):
    # tcpdump 'icmp[0] != 8 and icmp[0] != 0'
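To make the byte-offset filters in the last few tips concrete (tcp[13], ip[2:2], ether[0], ip[16], icmp[0]), here is an added Python example, not part of the original post, that builds a few constructed Ethernet/IPv4 frames and evaluates the same predicates by hand. The frame(), tcp_hdr() and icmp_hdr() helpers and the sample frames are mine; they assume Ethernet II framing and a 20-byte IPv4 header with no options, which is what the fixed offsets in those filters rely on.

```python
import struct

# Assumed layout: Ethernet II (no VLAN tag) followed by a 20-byte IPv4 header
# (no options), so the transport header always starts at byte 34.
ETH_LEN, IP_LEN = 14, 20

def frame(dst_mac, proto, ip_dst, total_len, l4):
    """Build a constructed (not captured) frame: Ethernet + IPv4 + transport bytes."""
    eth = bytes.fromhex(dst_mac) + bytes.fromhex("0011223344aa") + b"\x08\x00"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, 64, proto, 0,
                     bytes([192, 168, 0, 2]), bytes(ip_dst))
    return eth + ip + l4

def tcp_hdr(flags):    # 20-byte TCP header; byte 13 carries the flag bits
    return struct.pack("!HHIIBBHHH", 1234, 80, 0, 0, 0x50, flags, 0, 0, 0)

def icmp_hdr(icmp_type):   # 8-byte ICMP header; byte 0 is the type
    return struct.pack("!BBHHH", icmp_type, 0, 0, 0, 0)

def matches(f, expr):
    """Evaluate one of the page's byte-offset filters over a raw frame, indexing
    each header the way tcpdump's proto[offset] syntax does."""
    ip = f[ETH_LEN:]                 # ip[n]  -> byte n of the IPv4 header
    l4 = f[ETH_LEN + IP_LEN:]        # tcp[n] / icmp[n] -> byte n of transport header
    if expr == "tcp[13] & 3 != 0":   # SYN (0x02) or FIN (0x01) set; TCP is implied
        return ip[9] == 6 and l4[13] & 3 != 0
    if expr == "ip[2:2] > 576":      # 2-byte IP total-length field
        return struct.unpack("!H", ip[2:4])[0] > 576
    if expr == "ether[0] & 1 = 0 and ip[16] >= 224":   # unicast MAC but class D/E dst IP
        return f[0] & 1 == 0 and ip[16] >= 224
    if expr == "icmp[0] != 8 and icmp[0] != 0":        # ICMP, but not echo request/reply
        return ip[9] == 1 and l4[0] != 8 and l4[0] != 0
    raise ValueError("unsupported filter: " + expr)

# Constructed sample frames exercising each filter
SYN = frame("0011223344bb", 6, [10, 0, 0, 4], 40, tcp_hdr(0x02))
ACK = frame("0011223344bb", 6, [10, 0, 0, 4], 40, tcp_hdr(0x10))
BIG = frame("0011223344bb", 6, [10, 0, 0, 4], 1500, tcp_hdr(0x10))
MCAST_BAD = frame("0011223344bb", 17, [224, 0, 0, 1], 40, b"")  # multicast IP, unicast MAC
MCAST_OK = frame("01005e000001", 17, [224, 0, 0, 1], 40, b"")   # proper multicast MAC
UNREACH = frame("0011223344bb", 1, [10, 0, 0, 4], 28, icmp_hdr(3))  # dest unreachable
PING = frame("0011223344bb", 1, [10, 0, 0, 4], 28, icmp_hdr(8))     # echo request

if __name__ == "__main__":
    for name, f, expr in [("SYN", SYN, "tcp[13] & 3 != 0"), ("BIG", BIG, "ip[2:2] > 576"),
                          ("MCAST_BAD", MCAST_BAD, "ether[0] & 1 = 0 and ip[16] >= 224"),
                          ("PING", PING, "icmp[0] != 8 and icmp[0] != 0")]:
        print(f"{name:10} {expr:40} -> {matches(f, expr)}")
```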