(13) tcpdumps: (no -s 65535 needed on recent tcpdumps)
(a) find dns requests (adjusted for being on hosts in terremark):
sudo tcpdump -i eth1 -c3000 -l -n dst port 53 | grep api
(thepoint@tm22-s00311)
sudo tcpdump -i eth0 -c3000 -l -n port 3133
(b) capture all data:
sudo tcpdump -i eth0 -w /tmp/1.pcap
(c) capture all data except port 22 (SSH):
sudo tcpdump -i eth0 -w /tmp/1.pcap port not 22
(d) capture just dns:
sudo tcpdump -i eth0 -w /tmp/1.pcap port 53
(e) find nfs requests
sudo tcpdump -n -i any -c10000 dst port nfs | grep --line-buffered '"' | cut '-d"' -f2
(f) print HTTP GET requests
sudo tcpdump -A -i eth0 -vvv -s 500 'tcp port 80 and ip[2:2] > 40 and tcp[tcpflags] & tcp-push != 0 and dst port 80' -f
(g) debugging ganglia's gmetad
sudo tcpdump -w /tmp/gmetad.pcap -s 0 -vxli lo src host localhost and dst host localhost and dst portrange 8660-8777
(h) capturing traffic for a particular source subnet
sudo tcpdump -i eth0 -w /tmp/1.pcap src net 50.115.209.0/24
(i) capturing traffic for a particular host with a particular port
sudo tcpdump -i eth0 -w /tmp/1.pcap host 10.20.43.21 and port 22
(j) capture multicast or broadcast
sudo tcpdump -i eth0 -w /tmp/1.pcap -n "multicast or broadcast"
(k) show outbound TCP traffic that is not SSH
sudo tcpdump -i eth0 tcp and src host `ip address show dev eth0 primary | sed -n 's,^ *inet ,,p' | sed 's,/.*$,,'` and port not 22
```
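A worked variant of (c) and (k), added here as an example and not part of the gist: filtering out all of port 22 as in (c) also hides SSH brute-force or lateral-movement traffic an investigator usually wants to keep, so this script excludes only the administrator's own SSH session (local address plus the client address from SSH_CONNECTION) and rotates the pcap files hourly with tcpdump's -G/-W options. The address parser reads `ip -4 address show` output from stdin so it can be checked on constructed text; it tolerates the leading indentation real `ip` output has. The function names (parse_primary_ipv4, build_filter, run_capture) and the /tmp/cap-* paths are this example's own choices, not the gist's.

```shell
#!/bin/sh
# Added example, not from the original gist.
# Capture everything on an interface except our own SSH session, rotating files.

# Extract the first IPv4 address from `ip -4 address show` output read on stdin.
# Real output is indented ("    inet 10.0.0.5/24 ..."), so match any leading blanks.
parse_primary_ipv4() {
    sed -n 's,^[[:space:]]*inet \([0-9.]*\)/.*$,\1,p' | head -n 1
}

# Primary IPv4 address of the given interface (requires the `ip` tool).
primary_ipv4() {
    ip -4 address show dev "$1" primary | parse_primary_ipv4
}

# Client address of the current SSH session. SSH_CONNECTION is
# "client_ip client_port server_ip server_port"; an explicit argument
# overrides it so the function can be tested without a live session.
ssh_client_ip() {
    printf '%s\n' "${1:-$SSH_CONNECTION}" | cut -d' ' -f1
}

# Build the BPF filter: drop only the packets of our own SSH session
# (both hosts and port 22); if the client address is unknown, fall back to
# dropping port 22 traffic to/from this host only. An optional extra filter
# (e.g. "port 53") is AND-ed on.
build_filter() {
    my_ip="$1"; client_ip="$2"; extra="$3"
    if [ -n "$client_ip" ]; then
        f="not (host $my_ip and host $client_ip and port 22)"
    else
        f="not (host $my_ip and port 22)"
    fi
    if [ -n "$extra" ]; then
        f="$f and ($extra)"
    fi
    printf '%s\n' "$f"
}

# Start the capture: hourly rotation (-G 3600), at most 24 files (-W 24),
# strftime-expanded file names, numeric output (-n). Not invoked at load time.
run_capture() {
    iface="$1"; extra="$2"
    me=$(primary_ipv4 "$iface")
    peer=$(ssh_client_ip)
    filt=$(build_filter "$me" "$peer" "$extra")
    sudo tcpdump -i "$iface" -n -w "/tmp/cap-$iface-%Y%m%d-%H%M%S.pcap" \
        -G 3600 -W 24 "$filt"
}

# Usage (from an SSH session on the host): run_capture eth0 "port 53"
```

The filter still contains `host <me> and host <client>`, so if another operator opens a second SSH session from a different address, that session is captured, which is usually what an incident responder wants.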
Created October 4, 2018 03:05