tcpdump

http://www.thegeekstuff.com/2010/08/tcpdump-command-examples/
https://www.cyberciti.biz/faq/tcpdump-capture-record-protocols-port/
https://sites.google.com/site/chrelad/notes-1/packetcaptureofallsmtptrafficusingtcpdump
http://www.lafn.org/faq/debug/capture.html
http://www.commandlinefu.com/commands/using/tcpdump
http://www.pc-freak.net/blog/how-to-track-catch-mail-server-traffic-abusers-with-tcpdump/
https://aws.amazon.com/blogs/ses/debugging-smtp-conversations-part-3-analyzing-tcp-packets/
http://blog.serverbuddies.com/tcpdump-command-to-monitor-the-smtp-activity-from-a-ip-or-range-of-ip/ - done reading
http://blog.jasonantman.com/2011/04/using-wireshark-to-capture-packets-from-a-remote-host/

The tcpdump is simple command that dump traffic on a network.

How can we capture traffic from a particular source and write it to file?

tcpdump -i em1 -w MailCapture.pcap -n src 34.194.231.104

How can we capture smtp traffic?

tcpdump -i em1 -w MailCapture.pcap -n tcp and port 25

How can we display DNS traffic?

tcpdump -i eth1 'udp port 53'

How can we display all IPv4 HTTP packets to and from port 80, i.e. print only packets that contain data, not, for example, SYN and FIN packets and ACK-only packets?

tcpdump 'tcp port 80 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)'

How can we display all FTP session to a particular IP?

tcpdump -i eth1 'dst 202.54.1.5 and (port 21 or 20'

How can we display all HTTP session to a particular IP?

tcpdump -ni eth0 'dst 192.168.1.5 and tcp and port http'

How can we capture to a file (and use wireshark to display the captured traffic)?

tcpdump -n -i eth1 -s 0 -w output.txt src or dst port 80

How can we capture and display MySQL traffic?

tcpdump -c 1000000 -s 1000 -A -n -p port 3306 | grep SELECT | sed 's/\/\*.*\*\///g' | sed 's/.*\(SELECT.*\)/\1/gI' | sort | uniq -c | sort -r -n -k 1,1 | head -5
Unless otherwise stated, the content of this page is licensed under Creative Commons Attribution-ShareAlike 3.0 License