Tuesday, July 04, 2006

tcpdump filter

Over these past two weeks I have been playing a lot with network tools. One of them is tcpdump. Usually I tend to ignore any sort of tcpdump filter trick; I just fire up tcpdump with basic options like "-vv -n -s 1515 -x". But that is not a clean set of options for capturing packets. In this situation, what I want to do is avoid any non-TCP traffic, traffic flying out through my NIC, and traffic coming from hosts that are not suspicious. So here is the tcpdump filter [note to myself, \0/].


tcpdump -vv -n -s 1515 -x tcp and 'port !22' and not host 192.168.1.1 and not host 192.168.1.2


Notice here that tcpdump uses BPF-style syntax for its filters. The tcp option captures only TCP traffic; not host is an option to not capture traffic coming from that host. In this example, I avoid capturing traffic from my hosts 192.168.1.1 and 192.168.1.2. The 'port !22' option avoids any traffic coming from port 22 (ssh). Notice that when using '!' you need to put single quotes '' around the expression containing '!'; '!' is just another reserved character in tcpdump (and the shell treats it specially as well). So be careful when using any of tcpdump's reserved characters. Actually, this is a basic tcpdump command; there are a lot of tcpdump tricks and tips out there. The best place to learn more about tcpdump is www.tcpdump.org.
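To make the filter semantics above concrete (port and host matching either end of the connection, negation written as not or as '!', and/or read left to right), here is a small evaluator for that subset of the pcap filter language. It is an added example, not code from the original post or from tcpdump/libpcap: the Packet class, compile_filter and apply_filter are names assumed here, and the sample packets are constructed for the demo.

```python
"""Evaluator for a small subset of the tcpdump/BPF filter language (added example).

Supported: tcp | udp | icmp, [src|dst] host X, [src|dst] port N, not / '!',
and / &&, or / ||, parentheses, and pcap's negated operand form 'port !22'.
Names (Packet, compile_filter, apply_filter) are assumptions for this demo.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    proto: str        # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: int = 0    # 0 when the protocol carries no ports
    dport: int = 0


PROTOS = ("tcp", "udp", "icmp")


def tokenize(expr):
    # '!' may be glued to its operand ("port !22"), so split it off first.
    for ch in ("(", ")", "!"):
        expr = expr.replace(ch, f" {ch} ")
    return expr.split()


def _side(pkt, direction, src_field, dst_field, value):
    """'host X' / 'port N' match either end unless qualified by src or dst."""
    if direction == "src":
        return getattr(pkt, src_field) == value
    if direction == "dst":
        return getattr(pkt, dst_field) == value
    return getattr(pkt, src_field) == value or getattr(pkt, dst_field) == value


class _Parser:
    """Recursive descent; and/or have equal precedence and associate left to right,
    as the pcap-filter man page states."""

    def __init__(self, expr):
        self.toks = tokenize(expr)
        self.pos = 0

    def peek(self):
        return self.toks[self.pos] if self.pos < len(self.toks) else None

    def take(self):
        tok = self.peek()
        if tok is None:
            raise ValueError("unexpected end of filter")
        self.pos += 1
        return tok

    def expr(self):
        left = self.term()
        while self.peek() in ("and", "&&", "or", "||"):
            op, right = self.take(), self.term()
            if op in ("and", "&&"):
                left = (lambda l, r: lambda p: l(p) and r(p))(left, right)
            else:
                left = (lambda l, r: lambda p: l(p) or r(p))(left, right)
        return left

    def term(self):
        tok = self.peek()
        if tok in ("not", "!"):          # unary negation of a whole term
            self.take()
            inner = self.term()
            return lambda p: not inner(p)
        if tok == "(":
            self.take()
            inner = self.expr()
            if self.take() != ")":
                raise ValueError("missing ')'")
            return inner
        return self.primitive()

    def primitive(self):
        tok = self.take()
        if tok in PROTOS:
            return lambda p, proto=tok: p.proto == proto
        direction = None
        if tok in ("src", "dst"):
            direction, tok = tok, self.take()
        if tok == "host":
            return self.operand(lambda v: lambda p: _side(p, direction, "src", "dst", v))
        if tok == "port":
            # 'port N' only applies to protocols that carry ports.
            return self.operand(lambda v: lambda p: p.proto in ("tcp", "udp")
                                and _side(p, direction, "sport", "dport", int(v)))
        raise ValueError(f"unknown primitive {tok!r}")

    def operand(self, make):
        # pcap also allows negation inside the operand: 'port !22' == 'not port 22'
        tok = self.take()
        if tok in ("not", "!"):
            inner = self.operand(make)
            return lambda p: not inner(p)
        return make(tok)


def compile_filter(expr):
    parser = _Parser(expr)
    pred = parser.expr()
    if parser.peek() is not None:
        raise ValueError(f"trailing token {parser.peek()!r}")
    return pred


def apply_filter(expr, packets):
    pred = compile_filter(expr)
    return [p for p in packets if pred(p)]


# Constructed sample traffic: the two hosts from the post plus some others.
SAMPLE = [
    Packet("tcp", "192.168.1.50", "10.0.0.5", 40000, 80),   # kept
    Packet("tcp", "192.168.1.50", "10.0.0.5", 40001, 22),   # dropped: port 22
    Packet("tcp", "192.168.1.1", "10.0.0.5", 40002, 80),    # dropped: excluded host (src)
    Packet("tcp", "10.0.0.5", "192.168.1.2", 80, 40003),    # dropped: excluded host (dst)
    Packet("udp", "192.168.1.50", "10.0.0.5", 5353, 5353),  # dropped: not tcp
    Packet("icmp", "192.168.1.50", "10.0.0.5"),             # dropped: not tcp
]

# The post's filter as tcpdump receives it once the shell has removed the quotes.
FILTER = "tcp and port !22 and not host 192.168.1.1 and not host 192.168.1.2"

if __name__ == "__main__":
    for pkt in apply_filter(FILTER, SAMPLE):
        print(pkt)
```

Note that only the first sample packet survives the post's filter, and that 'port !22' and 'not port 22' compile to the same predicate here, mirroring the behaviour the post relies on. The quoting is a shell matter: without the single quotes, bash would try to expand !22 as a history reference before tcpdump ever sees it.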


On the other hand, the other network tools I played with are scapy, ruby libpcap and rubyforger. Huhh, maybe I'll reserve these tools for the next post. heh. :D
