Linux tcpdump and ngrep

From Ever changing code

tcpdump

Filter a host

sudo tcpdump -q -i any host 97.22.22.22

Expressions and/or logical operators

tcpdump -qn -i any -p -e "(dst port 9443  or \
                           dst port 22    or \
                           dst port 8672) and \
                          (src net 10.34.96.128/25 or \
                           src net 10.34.97.128/25 or \
                           src net 10.34.98.128/25)"
tcpdump -qn -i any -p -e "dst port 22 and (src net 10.34.96.128/25 or src net 10.34.97.128/25 or src net 10.34.98.128/25)"
# -q less verbose, -n no DNS resolution, -e print the link-level (Ethernet) header on each line
# -p (--no-promiscuous-mode) don't put the interface into promiscuous mode
# the filter expression itself is the positional argument, quoted so the shell passes it through as one string

ngrep

ngrep is a network packet analyzer: a grep-like tool applied to the network layer. It matches traffic passing over a network interface using a tcpdump-like filter syntax, and supports IPv4/6, TCP, UDP, ICMPv4/6, IGMP as well as raw packets.


Install

sudo apt install ngrep
sudo yum install ngrep
sudo dnf install ngrep


Examples

sudo ngrep -q '.' 'icmp' #match all ping requests on the default working interface


# Left terminal pane: ngrep capturing ICMP
piotr@ubuntu:~/git$ sudo ngrep -q '.' 'icmp'
interface: ens33 (192.168.30.0/255.255.255.0)
filter: (ip or ip6) and ( icmp )
match: .

I 192.168.30.136 -> 212.77.98.9 8:0
  ......w[....`....................... !"#$%&'()*+,-./01234567

I 212.77.98.9 -> 192.168.30.136 0:0
  ......w[....`....................... !"#$%&'()*+,-./01234567

I 192.168.30.136 -> 212.77.98.9 8:0
  ......w[............................ !"#$%&'()*+,-./01234567

I 212.77.98.9 -> 192.168.30.136 0:0
  ......w[............................ !"#$%&'()*+,-./01234567

# Right terminal pane: the ping that generated the matched traffic
piotr@ubuntu:~/git$ ping wp.pl -c 2
PING wp.pl (212.77.98.9) 56(84) bytes of data.
64 bytes from www.wp.pl (212.77.98.9): icmp_seq=1 ttl=128 time=73.4 ms
64 bytes from www.wp.pl (212.77.98.9): icmp_seq=2 ttl=128 time=88.7 ms

--- wp.pl ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1002ms
rtt min/avg/max/mdev = 73.417/81.107/88.798/7.695 ms


sudo ngrep -q '.' 'host google.com' # match only traffic going to a particular destination site
sudo ngrep -q '^GET .* HTTP/1.[01]' #monitor which files your browser is requesting
sudo ngrep port 25 #destination port 25
sudo ngrep -d any 'error' port 514 #monitor any network-based syslog traffic for the occurrence of the word “error”
sudo ngrep port 80 #match all requests to the destination host
sudo ngrep -W byline port 80 #match all requests to the destination host - prettier format
sudo ngrep -t -W byline port 80 #print a timestamp when every packet is matched
# -p don't put the interface into promiscuous mode
# -N show sub-protocol number along with single-character identifier (useful when observing raw or unknown protocols)
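The ngrep header lines above (`I src -> dst type:code` for ICMP, `T src:port -> dst:port [flags]` for TCP, with a timestamp inserted after the protocol letter when `-t` is used) are easy to post-process. The following parser and flow summary is an added example, not code from the page or from the ngrep project; it assumes ngrep's default header layout and IPv4 addresses, and the sample text is constructed from the capture shown above plus one TCP line.

```python
import re
from collections import Counter

# ngrep header lines (-q, optionally -t); constructed shapes from ngrep's output:
#   I 192.168.30.136 -> 212.77.98.9 8:0                           ICMP type:code
#   T 2024/01/01 10:00:00.000001 10.0.0.5:50422 -> 10.0.0.9:80 [AP]  TCP, -t
HEADER_RE = re.compile(
    r"^(?P<proto>[TUI]) (?:(?P<ts>\d{4}/\d\d/\d\d \d\d:\d\d:\d\d\.\d+) )?"
    r"(?P<src>\S+) -> (?P<dst>\S+)(?: (?P<extra>\S+))?\s*$")

def _endpoint(proto, ep):
    """Split IPv4 'host:port' for T/U; ICMP has no port (IPv6 not handled)."""
    if proto == "I" or ":" not in ep:
        return ep, None
    host, port = ep.rsplit(":", 1)
    return host, int(port)

def parse_header(line):
    """Parse one ngrep header line; None for banner, blank and payload lines."""
    m = HEADER_RE.match(line)
    if not m:
        return None
    proto, ts, src, dst, extra = m.group("proto", "ts", "src", "dst", "extra")
    (sh, sp), (dh, dp) = _endpoint(proto, src), _endpoint(proto, dst)
    return {"proto": proto, "ts": ts, "src": sh, "sport": sp,
            "dst": dh, "dport": dp, "extra": extra}

def summarize(text):
    """Matches per (proto, src, dst) plus ICMP echo request/reply counts."""
    flows, echo = Counter(), {"request": 0, "reply": 0}
    for line in text.splitlines():
        h = parse_header(line)
        if h is None:
            continue
        flows[(h["proto"], h["src"], h["dst"])] += 1
        if h["proto"] == "I" and h["extra"] == "8:0":
            echo["request"] += 1
        elif h["proto"] == "I" and h["extra"] == "0:0":
            echo["reply"] += 1
    return flows, echo

# Constructed sample: the ICMP capture shown above plus one TCP header line.
SAMPLE = """match: .

I 192.168.30.136 -> 212.77.98.9 8:0
  ......w[....`....................... !"#$%&'()*+,-./01234567

I 212.77.98.9 -> 192.168.30.136 0:0
T 2024/01/01 10:00:00.000001 192.168.30.136:50422 -> 212.77.98.9:80 [AP]
"""
```

Feed it `sudo ngrep -q -t ... | python3 -c '...'` output or a saved file; an imbalance between echo requests and replies per source is the kind of thing worth alerting on.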

BCC Linux-ish DTrace

BCC is a toolkit for creating efficient kernel tracing and manipulation programs, and includes several useful tools and examples. It makes use of extended BPF (Berkeley Packet Filters), formally known as eBPF, a new feature that was first added to Linux 3.15. Much of what BCC uses requires Linux 4.1 and above.

Install

# Amazon Linux 2
sudo amazon-linux-extras enable BCC
sudo yum install kernel-devel-$(uname -r)
sudo yum install bcc

# Tools listing
https://github.com/iovisor/bcc/tree/master/tools