Oct 26 2016
Wireshark and tcpdump are extremely powerful network troubleshooting tools. Here are some command examples that may be useful.
Wireshark Display Filters
Show all ARP:
arp
Show ARP from a specific MAC:
arp.src.hw_mac == 00:16:D3:4A:CE:7D
Show all traffic to a specific IP:
ip.src == 10.14.1.16
Show all traffic to/from a specific IP:
ip.addr == 10.14.1.16
Show only SYN packets:
tcp.flags.syn
Show all web traffic:
tcp.port == 80
Show agent-specific traffic:
udp.port == 11168 or udp.port == 11168 or udp.port == 11688 or tcp.port == 11698
Wireshark Capture Filters
Capture just audit traffic:
tcp port 11698
Capture only from a single MAC:
ether host 00:16:D3:4A:CE:7D
Capture agent-specific traffic:
udp port 11168 or udp port 11168 or udp port 11688 or tcp port 11698
Capture only traffic to/from 1.2.3.4:
host 1.2.3.4
Capture only web traffic to/from 1.2.3.4:
host 1.2.3.4 and tcp port 80
tcpdump Capture Filters
See all SSH traffic not from designated host:
tcpdump -n port 22 and not host 216.58.41.139
See all audit traffic for one endpoint:
tcpdump -n -i any port 11698 and host 156.99.137.37
Capture 4096 bytes of HTTP traffic to/from 10.100.0.1, decode it as much as possible, and save it to /tmp/http.cap:
tcpdump -X -vv -s 4096 -w /tmp/http.cap host 10.100.0.1 and port 80
Look for reporter traffic:
/usr/sbin/tcpdump -n udp port 11688
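The display-filter and capture-filter sections above express the same intents in two different syntaxes (tcp.port == 80 versus tcp port 80, ip.addr == X versus host X). The following is an added example, not part of the original post, that translates the simple display-filter forms used on this page into the equivalent BPF capture-filter syntax accepted by tcpdump and by Wireshark's capture filter; the field table and the approximation used for arp.src.hw_mac are my own assumptions.

```python
"""Translate the simple Wireshark display filters above into tcpdump/BPF
capture-filter syntax. Only the field forms seen on this page are
supported; anything else raises ValueError rather than guessing."""
import re

# Display-filter field (with "== value") -> BPF primitive; {v} is the value.
FIELD_MAP = {
    # Assumption: the ARP sender hardware address normally equals the
    # frame's source MAC, so "arp and ether src" is a close approximation.
    "arp.src.hw_mac": "arp and ether src {v}",
    "ip.src": "src host {v}",
    "ip.dst": "dst host {v}",
    "ip.addr": "host {v}",
    "tcp.port": "tcp port {v}",
    "udp.port": "udp port {v}",
    "eth.addr": "ether host {v}",
}
# Bare boolean fields (no "== value" part).
BARE_MAP = {
    "arp": "arp",
    "tcp.flags.syn": "tcp[tcpflags] & tcp-syn != 0",
}
_TERM = re.compile(r"^([a-z._]+)(?:\s*==\s*(\S+))?$")
# Capturing group keeps the operators in the split result.
_SPLIT = re.compile(r"\s+(or|and|\|\||&&)\s+")
_OPS = {"||": "or", "&&": "and"}


def _translate_term(term: str) -> str:
    m = _TERM.match(term.strip())
    if not m:
        raise ValueError(f"unsupported display-filter term: {term!r}")
    field, value = m.groups()
    if value is None and field in BARE_MAP:
        return BARE_MAP[field]
    if value is not None and field in FIELD_MAP:
        return FIELD_MAP[field].format(v=value)
    raise ValueError(f"no capture-filter equivalent known for {term!r}")


def display_to_capture(expr: str) -> str:
    """Return the BPF capture filter for a flat or/and display filter."""
    tokens = _SPLIT.split(expr.strip())  # term, op, term, op, ...
    return " ".join(_OPS.get(t, t) if i % 2 else _translate_term(t)
                    for i, t in enumerate(tokens))


def is_translatable(expr: str) -> bool:
    """True if every term in expr has a known capture-filter form."""
    try:
        display_to_capture(expr)
        return True
    except ValueError:
        return False
```

Fields such as http.request have no capture-filter equivalent, because BPF filters at the packet layer and cannot dissect application protocols; the translator refuses those instead of producing a misleading filter.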