Network analysis tool

tcptrack

Overview

tcptrack is a sniffer that shows information about the TCP connections it sees on a given interface.

Simple usage

# tcptrack -i <networkInterface>            // track all TCP connections on the interface
# tcptrack -i eth0 port 22                  // restrict to port 22 with a pcap filter expression

tcpdump

Overview

Tcpdump is the premier network analysis tool for information security professionals.

Basic options

-i any : Listen on all interfaces, useful to check whether you are seeing any traffic at all.
-i eth0 : Listen on the eth0 interface.
-D : Show the list of available interfaces.
-n : Don’t resolve hostnames.
-nn : Don’t resolve hostnames or port names.
-q : Be less verbose (quieter) output, showing less protocol information.
-X : Show the packet’s contents in both hex and ASCII.
-XX : Same as -X, but also shows the ethernet header.
-v, -vv, -vvv : Increase the amount of packet information you get back.
-c <count> : Only capture <count> packets and then stop.
icmp : Not an option but a filter expression; only capture ICMP packets.
-s <bytes> : Define the snaplength (size) of the capture in bytes. Use -s0 to get everything, unless you are intentionally capturing less.
-S : Print absolute sequence numbers.
-e : Get the ethernet header as well.
-E : Decrypt IPsec traffic by providing an encryption key.

Simple usage

  1. Basic communication // see the basics without many options
    # tcpdump -nS

  2. Basic communication (very verbose) // see a good amount of traffic, with verbosity and no name help
    # tcpdump -nnvvS

  3. A deeper look at the traffic // adds -X for payload but doesn’t grab any more of the packet
    # tcpdump -nnvvXS

  4. Heavy packet viewing // the final “s” increases the snaplength, grabbing the whole packet
    # tcpdump -nnvvXSs 1514
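The usage lines above produce the standard tcpdump text format (timestamp, IP, src.port > dst.port, Flags, seq/ack). The following is an added example, not part of the original notes: a small Python parser for that -nnS output that reconstructs the TCP three-way handshake per connection and reports sources that leave many connections half-open (SYN sent, no SYN-ACK seen). The lines in SAMPLE are constructed to look like tcpdump -nnS output; the addresses and ports in them are made up.

```python
"""Parse 'tcpdump -nnS' text output and summarise TCP handshake state.

Added example, not the tcpdump project's own code. SAMPLE is constructed
to mimic tcpdump -nnS output (documentation addresses, made-up ports).
"""
import re
from collections import defaultdict

# One 'tcpdump -nnS' line: timestamp, "IP", src.port > dst.port: Flags [..], optional "seq N" or "seq N:M".
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) IP (?P<src>[\d.]+)\.(?P<sport>\d+) > "
    r"(?P<dst>[\d.]+)\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]*)\]"
    r"(?:, seq (?P<seq>\d+)(?::\d+)?)?"
)

# Constructed sample: one full handshake from 192.0.2.10, then three bare SYNs from 203.0.113.7.
SAMPLE = """\
10:15:01.000001 IP 192.0.2.10.51000 > 198.51.100.5.22: Flags [S], seq 1000000, win 64240, options [mss 1460], length 0
10:15:01.000400 IP 198.51.100.5.22 > 192.0.2.10.51000: Flags [S.], seq 2000000, ack 1000001, win 65160, options [mss 1460], length 0
10:15:01.000700 IP 192.0.2.10.51000 > 198.51.100.5.22: Flags [.], ack 2000001, win 502, length 0
10:15:02.000001 IP 203.0.113.7.40001 > 198.51.100.5.22: Flags [S], seq 3000000, win 1024, length 0
10:15:02.000002 IP 203.0.113.7.40002 > 198.51.100.5.22: Flags [S], seq 3000001, win 1024, length 0
10:15:02.000003 IP 203.0.113.7.40003 > 198.51.100.5.22: Flags [S], seq 3000002, win 1024, length 0
"""


def parse_line(line):
    """Return a dict with ts, src, sport, dst, dport, flags, seq for a tcpdump -nnS TCP line, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    d["sport"] = int(d["sport"])
    d["dport"] = int(d["dport"])
    d["seq"] = int(d["seq"]) if d["seq"] is not None else None
    return d


def handshake_summary(text):
    """Map (client, server, client_port, server_port) -> 'half-open', 'syn-ack' or 'established'."""
    state = {}
    for line in text.splitlines():
        p = parse_line(line)
        if p is None:
            continue  # non-TCP or unparseable line (e.g. ARP, truncated output)
        fwd = (p["src"], p["dst"], p["sport"], p["dport"])
        rev = (p["dst"], p["src"], p["dport"], p["sport"])
        if p["flags"] == "S":                       # client SYN
            state.setdefault(fwd, "half-open")
        elif p["flags"] == "S." and rev in state:   # server SYN-ACK answers the client's SYN
            state[rev] = "syn-ack"
        elif p["flags"] == "." and state.get(fwd) == "syn-ack":  # client's final ACK
            state[fwd] = "established"
    return state


def half_open_by_source(text):
    """Count connections per client address that never got past the SYN (a SYN-flood / scan indicator)."""
    counts = defaultdict(int)
    for (client, _server, _cport, _sport), st in handshake_summary(text).items():
        if st == "half-open":
            counts[client] += 1
    return dict(counts)


if __name__ == "__main__":
    for key, st in handshake_summary(SAMPLE).items():
        print(key, st)
    print("half-open per source:", half_open_by_source(SAMPLE))
```

Feed it real output with something like `tcpdump -nnS -i eth0 port 22 | python3 this_script.py` after replacing SAMPLE with `sys.stdin.read()`; the parser only needs the fields that -nn and -S guarantee are printed numerically, which is why those flags matter for any post-processing.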



Author: Shi Shougang

Created: 2016-01-27 Wed 22:34

Emacs 24.3.1 (Org mode 8.2.10)
