How to Use tcpdump on CentOS / RHEL

tcpdump is a very powerful tool for capturing or sniffing packets. It is very useful for troubleshooting any problem related to the network or to connectivity towards a destination host.

How to install tcpdump on CentOS/RHEL:

[root]yum install -y tcpdump

192.168.1.1 – LAN interface
192.168.8.144 – WAN interface

View the available capture interfaces:

sudo tcpdump -D

[root@server ~]# tcpdump -D
1.enp0s3
2.enp0s8
3.nflog (Linux netfilter log (NFLOG) interface)
4.nfqueue (Linux netfilter queue (NFQUEUE) interface)
5.usbmon1 (USB bus number 1)
6.any (Pseudo-device that captures on all interfaces)
7.lo [Loopback]

View live traffic on interface enp0s3:

tcpdump -ni enp0s3

[root@server ~]# tcpdump -ni enp0s3
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on enp0s3, link-type EN10MB (Ethernet), capture size 262144 bytes
06:01:41.352027 IP 192.168.8.144.ssh > 192.168.8.143.58829: Flags [P.], seq 495246365:495246541, ack 1431358566, win 291, length 176
06:01:41.352310 IP 192.168.8.143.58829 > 192.168.8.144.ssh: Flags [.], ack 176, win 8207, length 0
06:01:41.352764 IP 192.168.8.144.ssh > 192.168.8.143.58829: Flags [P.], seq 176:368, ack 1, win 291, length 192

Live traffic to destination 8.8.8.8 (ping from host 192.168.1.2):

tcpdump -ni enp0s3 host 8.8.8.8

[root@server ~]# tcpdump -ni enp0s8 host 8.8.8.8
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on enp0s8, link-type EN10MB (Ethernet), capture size 262144 bytes
07:32:22.209437 IP 192.168.1.2 > 8.8.8.8: ICMP echo request, id 2, seq 0, length 80
07:32:22.244924 IP 8.8.8.8 > 192.168.1.2: ICMP echo reply, id 2, seq 0, length 76
07:32:22.255870 IP 192.168.1.2 > 8.8.8.8: ICMP echo request, id 2, seq 1, length 80
07:32:22.293688 IP 8.8.8.8 > 192.168.1.2: ICMP echo reply, id 2, seq 1, length 7

Live traffic to destination 8.8.8.8 on port 53 (telnet to port 53 from 192.168.1.2):

tcpdump -ni enp0s3 host 8.8.8.8 and port 53

[root@server ~]# tcpdump -ni enp0s8 host 8.8.8.8 and port 53
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on enp0s8, link-type EN10MB (Ethernet), capture size 262144 bytes
07:37:07.927531 IP 192.168.1.2.22577 > 8.8.8.8.domain: Flags [S], seq 3391776112, win 4128, options [mss 536], length 0
07:37:07.968653 IP 8.8.8.8.domain > 192.168.1.2.22577: Flags [S.], seq 2583730500, ack 3391776113, win 65535, options [mss 1360], length 0
07:37:07.974027 IP 192.168.1.2.22577 > 8.8.8.8.domain: Flags [.], ack 1, win 4128, length 0
07:37:07.974130 IP 192.168.1.2.22577 > 8.8.8.8.domain: Flags [.], ack 1, win 4128, length 0

Capturing traffic in pcap format for analysis in Wireshark (to be continued)…
