Linux tcpdump and ngrep

From Ever changing code

tcpdump

Filter a host

sudo tcpdump -q -i any host 97.22.22.22

Expressions and/or logical operators

tcpdump -qn -i any -p -e "(dst port 9443  or \
                           dst port 22    or \
                           dst port 8672) and \
                          (src net 10.34.96.128/25 or \
                           src net 10.34.97.128/25 or \
                           src net 10.34.98.128/25)"
tcpdump -qn -i any -p -e "dst port 22 and (src net 10.34.96.128/25 or src net 10.34.97.128/25 or src net 10.34.98.128/25)"
# -q less verbose, -n no DNS resolution, -e print the link-level header (MAC addresses) on each line
# -p (--no-promiscuous-mode) don't put the interface into promiscuous mode

ngrep

ngrep is a network packet analyzer: a grep-like tool applied to the network layer. It matches the traffic passing over a network interface against a regular expression, selecting packets with a tcpdump-like filter syntax. It supports IPv4/6, TCP, UDP, ICMPv4/6, IGMP as well as raw packets.

Install

sudo apt install ngrep
sudo yum install ngrep
sudo dnf install ngrep


Examples

sudo ngrep -q '.' 'icmp' #match all ping requests on the default working interface


# terminal 1: ngrep watching ICMP on the default interface
piotr@ubuntu:~/git$ sudo ngrep -q '.' 'icmp'
interface: ens33 (192.168.30.0/255.255.255.0)
filter: (ip or ip6) and ( icmp )
match: .

I 192.168.30.136 -> 212.77.98.9 8:0
  ......w[....`....................... !"#$%&'()*+,-./01234567

I 212.77.98.9 -> 192.168.30.136 0:0
  ......w[....`....................... !"#$%&'()*+,-./01234567

I 192.168.30.136 -> 212.77.98.9 8:0
  ......w[............................ !"#$%&'()*+,-./01234567

I 212.77.98.9 -> 192.168.30.136 0:0
  ......w[............................ !"#$%&'()*+,-./01234567

# terminal 2: the ping that produced the traffic above (8:0 = echo request, 0:0 = echo reply)
piotr@ubuntu:~/git$ ping wp.pl -c 2
PING wp.pl (212.77.98.9) 56(84) bytes of data.
64 bytes from www.wp.pl (212.77.98.9): icmp_seq=1 ttl=128 time=73.4 ms
64 bytes from www.wp.pl (212.77.98.9): icmp_seq=2 ttl=128 time=88.7 ms

--- wp.pl ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1002ms
rtt min/avg/max/mdev = 73.417/81.107/88.798/7.695 ms
piotr@ubuntu:~/git$ 


sudo ngrep -q '.' 'host google.com' # match only traffic going to a particular destination site
sudo ngrep -q '^GET .* HTTP/1.[01]' #monitor which files your browser is requesting
sudo ngrep port 25 #source or destination port 25 (plain "port" matches either direction)
sudo ngrep -d any 'error' port 514 #monitor any network-based syslog traffic for the occurrence of the word “error”
sudo ngrep port 80 #match all traffic on port 80, in either direction
sudo ngrep -W byline port 80 #same, but print payload line breaks as line breaks - much easier to read for text protocols such as HTTP
sudo ngrep -t -W byline port 80 #additionally print a timestamp for every matched packet
# -p don't put the interface into promiscuous mode
# -N show sub-protocol number along with single-character identifier (useful when observing raw or unknown protocols)
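The ICMP lines in the capture above follow ngrep's fixed header layout: a protocol letter (I/T/U), src -> dst, then type:code for ICMP or [flags] for TCP, with the printable payload on the indented line below. The parser below is an added example for this page, not code from the wiki or from ngrep; the two ICMP headers are taken from the capture, while the TCP and UDP lines and the host names and ports they carry are constructed.

```python
import re
from collections import Counter

# Sample ngrep -q output (constructed for this example; the ICMP lines
# are the ones shown in the ping capture, the TCP/UDP lines are made up).
SAMPLE = """\
I 192.168.30.136 -> 212.77.98.9 8:0
  ......w[....`....................... !"#$%&'()*+,-./01234567
I 212.77.98.9 -> 192.168.30.136 0:0
  ......w[....`....................... !"#$%&'()*+,-./01234567
T 192.168.30.136:41234 -> 93.184.216.34:80 [AP]
  GET /index.html HTTP/1.1..Host: example.com....
U 192.168.30.136:53412 -> 192.168.30.1:53
  .....www.example.com.....
"""

# Header line: protocol letter, endpoints, then either "type:code" (ICMP)
# or "[flags]" (TCP); UDP headers carry nothing after the destination.
HEADER = re.compile(
    r'^(?P<proto>[ITU]) (?P<src>\S+) -> (?P<dst>\S+)'
    r'(?: (?P<icmp>\d+:\d+)| \[(?P<flags>[A-Z]*)\])?$')

def parse_ngrep(text):
    """Turn ngrep -q output into a list of packet records.

    Each record holds proto, src, dst, an icmp (type, code) tuple or the
    TCP flags when present, and the printable payload that follows.
    """
    records, current = [], None
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            current = {"proto": m["proto"], "src": m["src"],
                       "dst": m["dst"], "payload": ""}
            if m["icmp"]:
                t, c = m["icmp"].split(":")
                current["icmp"] = (int(t), int(c))
            if m["flags"] is not None:
                current["flags"] = m["flags"]
            records.append(current)
        elif current is not None and line.startswith("  "):
            current["payload"] += line.strip()   # payload continuation
    return records

def icmp_echo_summary(records):
    """Count echo requests (type 8) and replies (type 0) per remote peer,
    the request/reply pairing visible in the ping capture."""
    counts = Counter()
    for r in records:
        if r["proto"] == "I" and r.get("icmp") in ((8, 0), (0, 0)):
            kind = "request" if r["icmp"][0] == 8 else "reply"
            peer = r["dst"] if kind == "request" else r["src"]
            counts[(peer, kind)] += 1
    return counts
```

A host that shows many requests to a peer with no matching replies, or replies with no requests, stands out immediately in the summary; the same parser works on `-t` output once the leading timestamp is stripped.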

BCC Linux-ish DTrace

BCC is a toolkit for creating efficient kernel tracing and manipulation programs, and includes several useful tools and examples. It makes use of extended BPF (Berkeley Packet Filters), formally known as eBPF, a new feature that was first added to Linux 3.15. Much of what BCC uses requires Linux 4.1 and above.

Install

# Amazon Linux 2
sudo amazon-linux-extras enable BCC
sudo yum install kernel-devel-$(uname -r)
sudo yum install bcc

# Tools listing
https://github.com/iovisor/bcc/tree/master/tools