There are much more detailed guides out there, but here are the basics.
TCPDUMP
True packet capture, capable of generating a PCAP file for Wireshark:
tcpdump host {a.b.c.d} -i eth1 -w (unknown).pcap
A few examples:
# show all traffic from an IP
tcpdump src a.b.c.d
# show all traffic to an IP
tcpdump dst a.b.c.d
# look at traffic to and from the a.b.c.0/24 network
tcpdump net a.b.c.0/24
# single port (NTP example)
tcpdump port 123
# specify the protocol combined with a DNS filter
tcpdump udp and dst port 53
# all traffic within a range of ports
tcpdump portrange 1000-1100
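Once `tcpdump -w` has written a capture, the next step is usually to triage it before opening Wireshark. The following is an added example (not part of the original post) that parses the classic pcap layout tcpdump writes and counts UDP flows by destination port, the offline equivalent of the `udp and dst port 53` filter above. The capture, addresses and ports are constructed inline for illustration.

```python
import struct
from collections import Counter

def ip_bytes(addr):
    return bytes(int(o) for o in addr.split("."))

def build_frame(src_ip, dst_ip, sport, dport, payload=b""):
    """Constructed Ethernet/IPv4/UDP frame; checksums are left zero (irrelevant for parsing)."""
    eth = b"\x00" * 12 + b"\x08\x00"                      # zero MACs, EtherType IPv4
    udp_len = 8 + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + udp_len, 0, 0, 64, 17, 0,
                     ip_bytes(src_ip), ip_bytes(dst_ip))  # IHL 5, proto 17 = UDP
    udp = struct.pack("!HHHH", sport, dport, udp_len, 0)
    return eth + ip + udp + payload

def build_pcap(frames):
    """Wrap frames in the classic pcap layout tcpdump -w writes (little-endian, linktype 1)."""
    header = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    records = b"".join(struct.pack("<IIII", i, 0, len(f), len(f)) + f
                       for i, f in enumerate(frames))
    return header + records

def udp_flows(pcap, dport=None):
    """Count (src, dst, dport) tuples for UDP packets, mirroring 'udp and dst port N'."""
    magic, = struct.unpack_from("<I", pcap, 0)
    endian = "<" if magic == 0xA1B2C3D4 else ">"        # byte order follows the writer
    linktype, = struct.unpack_from(endian + "I", pcap, 20)
    if linktype != 1:
        raise ValueError("only Ethernet (linktype 1) captures are handled")
    counts, off = Counter(), 24
    while off + 16 <= len(pcap):
        _, _, incl_len, _ = struct.unpack_from(endian + "IIII", pcap, off)
        frame = pcap[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":
            continue                                      # not IPv4
        ihl = (frame[14] & 0x0F) * 4
        if frame[23] != 17 or len(frame) < 14 + ihl + 8:
            continue                                      # not UDP, or truncated header
        src = ".".join(str(b) for b in frame[26:30])
        dst = ".".join(str(b) for b in frame[30:34])
        _, dst_port = struct.unpack_from("!HH", frame, 14 + ihl)
        if dport is None or dst_port == dport:
            counts[(src, dst, dst_port)] += 1
    return counts

# Constructed sample capture: two DNS queries from one host, one from another, one NTP packet.
SAMPLE = build_pcap([
    build_frame("10.0.0.5", "10.0.0.53", 40000, 53, b"q1"),
    build_frame("10.0.0.5", "10.0.0.53", 40001, 53, b"q2"),
    build_frame("10.0.0.6", "10.0.0.53", 40002, 53, b"q3"),
    build_frame("10.0.0.6", "10.0.0.123", 123, 123),
])

if __name__ == "__main__":
    for (src, dst, port), n in udp_flows(SAMPLE, dport=53).most_common():
        print(f"{src} -> {dst}:{port}  {n} packets")
```

Point `udp_flows` at `open("file.pcap", "rb").read()` to run it against a real capture; pcapng files (what newer Wireshark saves by default) are not handled here.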
FW MONITOR
Not as verbose or low-level as tcpdump, but good enough for a quick snapshot.
# packets with IP a.b.c.d as SRC or DST
fw monitor -e "accept host(a.b.c.d);"
# all packets between a pair of src and dst IPs
fw monitor -e "accept src=a.b.c.d and dst=w.x.y.z;"
# UDP traffic from or to DNS
fw monitor -e "accept udp and (sport=53 or dport=53);"