Linux tcpdump and ngrep
tcpdump
Usage of expressions and | or with subnets
tcpdump -qn -i any -p -e "(dst port 9443 or dst port 22 or dst port 8672) \
  and (src net 10.34.96.128/25 or src net 10.34.97.128/25 or net 10.34.98.128/25)"

tcpdump -qn -i any -p -e "dst port 22 \
  and (src net 10.34.96.128/25 or src net 10.34.97.128/25 or net 10.34.98.128/25)"

# -q  quick/quiet output: less protocol detail per line
# -n  do not resolve addresses or ports to names (no DNS lookups)
# -p  do not put the interface into promiscuous mode
# -e  print the link-level header on each dump line
# The quoted argument is the filter expression. Note that the last subnet term is "net",
# not "src net", so it matches 10.34.98.128/25 as either source or destination.
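Composing these expressions by hand gets error-prone once the port and subnet lists grow, and tcpdump rejects a "net" term whose CIDR has host bits set (libpcap reports "non-network bits set"). The following is an added example, not code from the page: a small Python helper (hypothetical names build_filter and tcpdump_command) that builds the same "(dst port ... or ...) and (src net ... or net ...)" expression from lists, validates ports and CIDRs up front, and returns an argv list with the page's -qn -p -e flags.

```python
import ipaddress
import shlex
from typing import Iterable, List

# Hypothetical helper names (build_filter, tcpdump_command); not part of tcpdump itself.


def _net_term(cidr: str, qualifier: str) -> str:
    """Return one '<qualifier> a.b.c.d/n' term, rejecting CIDRs with host bits set."""
    # libpcap refuses "net 10.34.96.129/25" ("non-network bits set");
    # strict=True makes ip_network raise ValueError for the same input.
    net = ipaddress.ip_network(cidr, strict=True)
    return f"{qualifier} {net.with_prefixlen}"


def build_filter(dst_ports: Iterable[int],
                 src_nets: Iterable[str] = (),
                 any_nets: Iterable[str] = ()) -> str:
    """Compose '(dst port A or dst port B) and (src net X or net Y)'.

    src_nets become 'src net' terms (the packet's source must be in the subnet);
    any_nets become bare 'net' terms (subnet as source OR destination), which is
    what the page's third subnet term does.
    """
    port_terms = []
    for p in dst_ports:
        p = int(p)
        if not 1 <= p <= 65535:
            raise ValueError(f"port out of range: {p}")
        port_terms.append(f"dst port {p}")
    net_terms = [_net_term(n, "src net") for n in src_nets]
    net_terms += [_net_term(n, "net") for n in any_nets]

    groups = []
    for terms in (port_terms, net_terms):
        if len(terms) == 1:
            groups.append(terms[0])          # no parentheses needed for one term
        elif terms:
            groups.append("(" + " or ".join(terms) + ")")
    if not groups:
        raise ValueError("empty filter would capture everything")
    return " and ".join(groups)


def tcpdump_command(expression: str, iface: str = "any") -> List[str]:
    """argv list (for subprocess.run) using the flags shown on the page: -qn -p -e."""
    return ["tcpdump", "-qn", "-i", iface, "-p", "-e", expression]


if __name__ == "__main__":
    # Reproduces the first expression from the page.
    expr = build_filter([9443, 22, 8672],
                        src_nets=["10.34.96.128/25", "10.34.97.128/25"],
                        any_nets=["10.34.98.128/25"])
    print(shlex.join(tcpdump_command(expr)))
```

Passing the expression as a single argv element (rather than interpolating it into a shell string) keeps the parentheses and spaces intact without quoting gymnastics, and the strict CIDR check surfaces a typo such as 10.34.96.129/25 before tcpdump is even started.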
ngrep
ngrep is a network packet analyzer, a grep-like tool applied to the network layer: it matches traffic passing over a network interface using tcpdump-like filter syntax. It supports IPv4/6, TCP, UDP, ICMPv4/6, IGMP as well as raw.
install
sudo apt install ngrep
sudo yum install ngrep
sudo dnf install ngrep
Examples
sudo ngrep -q '.' 'icmp'   # match any ICMP packet with at least one payload byte (echo requests and replies alike) on the default interface; -q suppresses the '#' per-packet markers
Left pane (ngrep):

piotr@ubuntu:~/git$ sudo ngrep -q '.' 'icmp'
interface: ens33 (192.168.30.0/255.255.255.0)
filter: (ip or ip6) and ( icmp )
match: .

I 192.168.30.136 -> 212.77.98.9 8:0
  ......w[....`....................... !"#$%&'()*+,-./01234567

I 212.77.98.9 -> 192.168.30.136 0:0
  ......w[....`....................... !"#$%&'()*+,-./01234567

I 192.168.30.136 -> 212.77.98.9 8:0
  ......w[............................ !"#$%&'()*+,-./01234567

I 212.77.98.9 -> 192.168.30.136 0:0
  ......w[............................ !"#$%&'()*+,-./01234567

Right pane (ping):

piotr@ubuntu:~/git$ ping wp.pl -c 2
PING wp.pl (212.77.98.9) 56(84) bytes of data.
64 bytes from www.wp.pl (212.77.98.9): icmp_seq=1 ttl=128 time=73.4 ms
64 bytes from www.wp.pl (212.77.98.9): icmp_seq=2 ttl=128 time=88.7 ms

--- wp.pl ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1002ms
rtt min/avg/max/mdev = 73.417/81.107/88.798/7.695 ms
piotr@ubuntu:~/git$
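In the ngrep output above, each ICMP match is a header line "I src -> dst type:code" (8:0 is an echo request, 0:0 an echo reply) followed by the payload rendered as printable bytes. The following is an added example, not code from the page or from the ngrep project: a Python parser (hypothetical names parse_ngrep_icmp and echo_summary) for that header format, run over a constructed sample modelled on the session shown, which pairs requests with replies per source/target so that an unanswered burst of echo requests from one host stands out.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed sample, modelled on the ngrep session shown on the page (not captured live here).
SAMPLE_NGREP_OUTPUT = """interface: ens33 (192.168.30.0/255.255.255.0)
filter: (ip or ip6) and ( icmp )
match: .

I 192.168.30.136 -> 212.77.98.9 8:0
  ......w[....`....................... !"#$%&'()*+,-./01234567

I 212.77.98.9 -> 192.168.30.136 0:0
  ......w[....`....................... !"#$%&'()*+,-./01234567

I 192.168.30.136 -> 212.77.98.9 8:0
  ......w[............................ !"#$%&'()*+,-./01234567

I 212.77.98.9 -> 192.168.30.136 0:0
  ......w[............................ !"#$%&'()*+,-./01234567
"""

# ngrep's ICMP match header: "I <src> -> <dst> <type>:<code>"
ICMP_HEADER = re.compile(
    r"^\s*I\s+(?P<src>\S+)\s+->\s+(?P<dst>\S+)\s+(?P<type>\d+):(?P<code>\d+)\s*$"
)

# ICMP type numbers (RFC 792) for the ones that show up most in ngrep sessions.
ICMP_TYPE_NAMES = {0: "echo-reply", 3: "destination-unreachable",
                   8: "echo-request", 11: "time-exceeded"}


@dataclass
class IcmpMatch:
    src: str
    dst: str
    icmp_type: int
    icmp_code: int
    payload_preview: str   # ngrep's printable rendering; '.' stands for a non-printable byte

    @property
    def kind(self) -> str:
        return ICMP_TYPE_NAMES.get(self.icmp_type, f"type-{self.icmp_type}")


def parse_ngrep_icmp(text: str) -> List[IcmpMatch]:
    """Parse every 'I src -> dst type:code' header plus the payload line that follows it."""
    lines = text.splitlines()
    matches = []
    for i, line in enumerate(lines):
        m = ICMP_HEADER.match(line)
        if not m:
            continue                      # banner lines (interface:, filter:, match:) and payloads
        preview = lines[i + 1].strip() if i + 1 < len(lines) else ""
        matches.append(IcmpMatch(m["src"], m["dst"],
                                 int(m["type"]), int(m["code"]), preview))
    return matches


def echo_summary(matches: List[IcmpMatch]) -> Dict[Tuple[str, str], Dict[str, int]]:
    """Per (requester, target): echo requests sent and echo replies seen coming back.

    A reply is credited to the pair that asked for it, so a wide gap between
    requests and replies from one requester across many targets is what a ping
    sweep looks like in this view.
    """
    summary = defaultdict(lambda: {"requests": 0, "replies": 0})
    for m in matches:
        if m.icmp_type == 8:
            summary[(m.src, m.dst)]["requests"] += 1
        elif m.icmp_type == 0:
            summary[(m.dst, m.src)]["replies"] += 1   # reply flows target -> requester
    return dict(summary)


if __name__ == "__main__":
    parsed = parse_ngrep_icmp(SAMPLE_NGREP_OUTPUT)
    for p in parsed:
        print(f"{p.src} -> {p.dst} {p.kind} code={p.icmp_code} payload={p.payload_preview[:16]!r}")
    print(echo_summary(parsed))
```

To use it on a live session, pipe ngrep's stdout into the script (for example, ngrep -q '.' 'icmp' | python3 script.py with the sample replaced by sys.stdin.read()); the regex only handles the ICMP header form, so TCP/UDP headers, which carry ports and flags instead of type:code, are skipped rather than misparsed.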