List interfaces that tcpdump can listen on

tcpdump -D

Turn on verbose output (-v) in tcpdump to see IP and TCP header details

tcpdump -vi eth0

Turn off hostname and port lookup in tcpdump (-nn) so addresses and ports are printed numerically

tcpdump -vnni eth0

tcpdump filter for ICMP traffic only

tcpdump -nni eth0 icmp

tcpdump command to filter on ICMP type - capture only ICMP echo requests (type 8); quote the expression so the shell does not interpret the brackets

# tcpdump -nni vlan111 -e 'icmp[icmptype] == 8'

tcpdump command to filter on ICMP type - capture only ICMP echo replies (type 0)

# tcpdump -nni vlan111 -e 'icmp[icmptype] == 0'
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on vlan111, link-type EN10MB (Ethernet), capture size 65535 bytes
12:40:52.569668 00:10:db:ff:10:02 > 00:07:e9:a5:9b:fa, ethertype IPv4 (0x0800), length 98: 10.0.0.4 > 10.1.111.10: ICMP echo reply, id 24907, seq 414, length 64
12:40:53.570530 00:10:db:ff:10:02 > 00:07:e9:a5:9b:fa, ethertype IPv4 (0x0800), length 98: 10.0.0.4 > 10.1.111.10: ICMP echo reply, id 24907, seq 415, length 64

tcpdump filter for packets with a specific IP identification value; ip[4:2] reads the 2-byte id field at offset 4 of the IP header

# tcpdump -nr /tmp/tcpdump.pcap -v 'ip[4:2] == 24332'
reading from file /tmp/tcpdump.pcap, link-type EN10MB (Ethernet)
capability mode sandbox enabled
23:58:50.090759 IP (tos 0x10, ttl 128, id 24332, offset 0, flags [DF], proto TCP (6), length 204)
    10.1.1.1.22 > 192.168.0.109.53989: Flags [P.], seq 3661036793:3661036957, ack 2364476704, win 4106, length 164
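As an added illustration that is not part of the original post: the filters icmp[icmptype] == 8, icmp[icmptype] == 0 and ip[4:2] == 24332 above are byte-offset comparisons against the start of the named protocol header (icmptype is tcpdump's built-in name for offset 0 of the ICMP header). The Python below, written for this page with constructed sample frames rather than captured traffic, evaluates such expressions against raw Ethernet frames the way the BPF filter does, so it is clear which bytes each filter compares and why a TCP segment can never match an icmp[...] test. It also accepts tcp[offset:size], which goes slightly beyond the post. The names build_frame, header_offset, matches and count_matches are this example's own.

```python
import re
import socket
import struct

ETHERTYPE_IPV4 = 0x0800
PROTO_ICMP, PROTO_TCP = 1, 6
ETH_LEN = 14  # link-type EN10MB (Ethernet): the IP header starts at byte 14

# tcpdump's named ICMP offsets: icmptype is byte 0, icmpcode byte 1 of the ICMP header
NAMED_OFFSETS = {"icmptype": 0, "icmpcode": 1}
# accepted shape: proto[offset] or proto[offset:size], compared with == to a decimal value
EXPR_RE = re.compile(r"^(ip|icmp|tcp)\[(\w+)(?::(\d+))?\]\s*==\s*(\d+)$")


def build_frame(proto, ip_id, l4_header, src="10.1.111.10", dst="10.0.0.4"):
    """Constructed Ethernet + IPv4 frame for the example (checksums left as zero)."""
    eth = bytes.fromhex("000000000001") + bytes.fromhex("000000000002") + struct.pack("!H", ETHERTYPE_IPV4)
    total_len = 20 + len(l4_header)
    # version/IHL, TOS, total length, identification, flags+fragment offset (DF), TTL, protocol, checksum, src, dst
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, ip_id, 0x4000, 64, proto, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    return eth + ip + l4_header


def icmp_header(icmp_type, ident=24907, seq=414):
    """ICMP echo header: type, code, checksum, identifier, sequence."""
    return struct.pack("!BBHHH", icmp_type, 0, 0, ident, seq)


def tcp_header(sport=22, dport=53989):
    """Minimal 20-byte TCP header: ports, seq, ack, data offset 5, flags PSH|ACK, window 4106."""
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 4106, 0, 0)


def header_offset(frame, proto_name):
    """Start of the named protocol header inside the frame, or None if the frame is not that protocol."""
    if len(frame) < ETH_LEN + 20 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV4:
        return None
    if proto_name == "ip":
        return ETH_LEN
    ihl = (frame[ETH_LEN] & 0x0F) * 4          # IP header length in bytes
    wanted = {"icmp": PROTO_ICMP, "tcp": PROTO_TCP}[proto_name]
    if frame[ETH_LEN + 9] != wanted:           # IP protocol field at offset 9
        return None
    return ETH_LEN + ihl


def matches(frame, expr):
    """Evaluate a 'proto[offset:size] == value' expression the way the tcpdump filters do."""
    m = EXPR_RE.match(expr.strip())
    if not m:
        raise ValueError(f"unsupported expression: {expr}")
    proto_name, off, size, value = m.groups()
    offset = NAMED_OFFSETS.get(off)
    if offset is None:
        offset = int(off)
    size = int(size) if size else 1
    base = header_offset(frame, proto_name)
    if base is None:
        return False                           # wrong protocol: the filter simply does not match
    field = frame[base + offset:base + offset + size]
    if len(field) != size:
        return False                           # truncated frame: nothing to compare
    return int.from_bytes(field, "big") == int(value)


def count_matches(frames, expr):
    return sum(1 for f in frames if matches(f, expr))


# Constructed sample "capture": three ICMP frames and one TCP segment
SAMPLE_FRAMES = [
    build_frame(PROTO_ICMP, 100, icmp_header(8)),     # echo request
    build_frame(PROTO_ICMP, 24332, icmp_header(0)),   # echo reply, IP id 24332
    build_frame(PROTO_ICMP, 101, icmp_header(0)),     # echo reply
    build_frame(PROTO_TCP, 24332, tcp_header()),      # TCP segment, IP id 24332
]

if __name__ == "__main__":
    for expr in ("icmp[icmptype] == 8", "icmp[icmptype] == 0", "ip[4:2] == 24332"):
        print(f"{expr:24} -> {count_matches(SAMPLE_FRAMES, expr)} frame(s)")
```

Two points the code makes explicit: offsets in these expressions are relative to the protocol header, not to the frame, which is why the same filter works on eth0 and on a VLAN sub-interface; and a filter such as icmp[icmptype] == 0 implicitly requires the packet to be ICMP, so the TCP segment carrying id 24332 is matched by ip[4:2] == 24332 but never by the ICMP test.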

For more details see https://forum.ivorde.com/tcpdump-how-to-to-capture-only-icmp-ping-echo-requests-t15191.html . Thanks.


Blog: 經驗交流分享與備忘 (Experience exchange, sharing and notes)

Posted by Frank on PIXNET