Tcpdump patterns: Difference between revisions
From TykWiki
Revision as of 12:27, 2 August 2009
On http://danielmiessler.com/study/tcpdump_recipes/ I found this nice list:
Show me all URG packets:
<pre>
# tcpdump 'tcp[13] & 32 != 0'
</pre>
Show me all ACK packets:
<pre>
# tcpdump 'tcp[13] & 16 != 0'
</pre>
Show me all PSH packets:
<pre>
# tcpdump 'tcp[13] & 8 != 0'
</pre>
Show me all RST packets:
<pre>
# tcpdump 'tcp[13] & 4 != 0'
</pre>
Show me all SYN packets:
<pre>
# tcpdump 'tcp[13] & 2 != 0'
</pre>
Show me all FIN packets:
<pre>
# tcpdump 'tcp[13] & 1 != 0'
</pre>
Show me all SYN-ACK packets:
<pre>
# tcpdump 'tcp[13] = 18'
</pre>
== Matching DNS Traffic ==
To show incoming nsupdate queries run the following:
<pre>
tcpdump port 53 and 'udp[10] = 0x28'
</pre>
To show servfail replies run the following:
<pre>
tcpdump port 53 and 'udp[11] & 2 = 2'
</pre>
Also see [http://acs.lbl.gov/~jason/tcpdump_advanced_filters.txt this page] for much more on bit matching with tcpdump.
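The following Python script is an added example, not part of the wiki page: it builds small TCP and DNS headers (constructed sample data) and applies the same byte-offset tests the filters above use, so you can see exactly which bits `tcp[13]`, `udp[10]` and `udp[11]` select. It goes one step beyond the page by showing that `udp[11] & 2 = 2` also matches replies with other RCODEs whose bit 1 is set (NXDOMAIN, for instance), whereas masking the low nibble with `0x0f` isolates SERVFAIL; all function names are the example's own.

```python
"""Added example (not from the wiki): evaluate the byte-offset tests used by
the tcpdump filters above against constructed TCP and DNS headers."""
import struct

# tcp[13] is the TCP flags byte; the wiki's filters test these bit values.
TCP_FLAGS = {"URG": 32, "ACK": 16, "PSH": 8, "RST": 4, "SYN": 2, "FIN": 1}

def tcp_header(flags: int) -> bytes:
    """Constructed 20-byte TCP header (no options) with the given flags byte."""
    return struct.pack("!HHIIHHHH", 40000, 80, 0, 0, (5 << 12) | flags, 65535, 0, 0)

def tcp_flag_names(tcp: bytes) -> set:
    """Names of the flags set in tcp[13], i.e. what 'tcp[13] & bit != 0' checks."""
    return {name for name, bit in TCP_FLAGS.items() if tcp[13] & bit}

def dns_header(qr: int, opcode: int, rcode: int, rd: int = 0) -> bytes:
    """Constructed 12-byte DNS header; flags word laid out per RFC 1035 4.1.1."""
    flags = (qr << 15) | (opcode << 11) | (rd << 8) | rcode
    return struct.pack("!HHHHHH", 0x1234, flags, 0, 0, 0, 0)

def udp_datagram(payload: bytes) -> bytes:
    """Constructed UDP header (8 bytes) + payload, so udp[8] starts the DNS header."""
    return struct.pack("!HHHH", 53, 53, 8 + len(payload), 0) + payload

def byte_test(pkt: bytes, offset: int, mask: int, value: int) -> bool:
    """The tcpdump idiom 'proto[offset] & mask = value' applied to raw bytes."""
    return (pkt[offset] & mask) == value

def is_nsupdate_query(udp: bytes) -> bool:
    # udp[10] = 0x28: QR=0, Opcode=5 (UPDATE), AA=TC=RD=0. This is an exact byte
    # match, so an UPDATE sent with the RD bit set (0x29) would not be selected.
    return byte_test(udp, 10, 0xff, 0x28)

def wiki_servfail_filter(udp: bytes) -> bool:
    # udp[11] & 2 = 2: true for any RCODE with bit 1 set (2, 3, 6, 7, ...)
    return byte_test(udp, 11, 0x02, 0x02)

def strict_servfail_filter(udp: bytes) -> bool:
    # RCODE is the low nibble of udp[11]; 2 = SERVFAIL, so mask with 0x0f
    return byte_test(udp, 11, 0x0f, 0x02)

if __name__ == "__main__":
    print(sorted(tcp_flag_names(tcp_header(18))))
    for name, rcode in (("NOERROR", 0), ("SERVFAIL", 2), ("NXDOMAIN", 3)):
        reply = udp_datagram(dns_header(qr=1, opcode=0, rcode=rcode))
        print(name, wiki_servfail_filter(reply), strict_servfail_filter(reply))
```

The stricter form corresponds to the tcpdump expression `udp[11] & 0x0f = 2`.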