{"id":705,"date":"2016-11-14T16:55:06","date_gmt":"2016-11-15T01:55:06","guid":{"rendered":"\/blog\/?p=705"},"modified":"2023-09-21T09:37:54","modified_gmt":"2023-09-21T00:37:54","slug":"tcpdump","status":"publish","type":"post","link":"https:\/\/hasu0707.duckdns.org\/blog\/?p=705","title":{"rendered":"tcpdump"},"content":{"rendered":"\n\u25a0 \uc0ac\uc6a9 \uc608\uc81c<\/strong>

# 10.10.10.46\uc5d0\uc11c 10.10.10.1\ub85c \ud5a5\ud558\ub294 25(SMTP)\ubc88 \ud3ec\ud2b8\uc5d0 \ub300\ud55c \ud2b8\ub798\ud53d\uc744 \ub0b4\uc6a9\uae4c\uc9c0 \uc0c1\uc138\ud788 \ucd9c\ub825\ud55c\ub2e4.
tcpdump -i eth0 -n -q -X \"src host 10.10.10.46 and dst host 10.10.10.1 and port 25\"

# gateway 10.10.10.17\uc744 \uac70\uce58\ub294 ftp\uc5d0 \uad00\ub828\ub41c \ud328\ud0b7\ub4e4\uc744 \ucd9c\ub825
tcpdump 'gateway 10.10.10.17 and ( port ftp or ftp-data )'

# multicast \ud328\ud0b7\ub4e4\uc744 \ucd9c\ub825\ud55c\ub2e4.
tcpdump 'ehter[0] & 1 = 0 and ip[16] >= 224'

# Echo request\/reply\uac00 \uc544\ub2cc ICMP \ud328\ud0b7\ub4e4\uc744 \ubaa8\ub450 \ucd9c\ub825\ud55c\ub2e4.
tcpdump 'icmp[0] != 8 and icmp[0] != 0'

# \ucd9c\ubc1c\uc9c0 \uc8fc\uc18c\uac00 10.10.10.17\uc774\uace0 tcp port 80\uc778 \ud328\ud0b7
tcpdump -i ens33 src 10.10.10.17 and tcp port 22

# \ubaa9\uc801\uc9c0 \uc8fc\uc18c\uac00 10.10.10.40\uc774\uace0 \ubaa9\uc801\uc9c0 \ud3ec\ud2b8\uac00 22
tcpdump dst 10.10.10.40 and dst port 22

# \ucd9c\ubc1c\uc9c0 \uc8fc\uc18c\uac00 10.10.10.1\uc774\uace0 \ubaa9\uc801\uc9c0 \ud3ec\ud2b8\uac00 22 \ub610\ub294 3389\uac00 \uc544\ub2cc \uac83
tcpdump 'src 10.10.10.1 and (not dst port 22 or 3389)'

# SMTP \/ POP3 Email
tcpdump -nn -l port 25 | grep -i 'MAIL FROM\\|RCPT TO'

# Troubleshooting NTP Query and Response
tcpdump dst port 123

# FTP Credentials and Commands
tcpdump -nn -v port ftp or ftp-data

# Extract HTTP User Agents
tcpdump -nn -A -s1500 -l | grep \"User-Agent:\"

# HTTP Get
tcpdump -s 0 -A -vv 'tcp[((tcp[12:1] & 0xf0) >> 2):4] = 0x47455420'

# HTTP Post
tcpdump -s 0 -A -vv 'tcp[((tcp[12:1] & 0xf0) >> 2):4] = 0x504f5354'

# Extract HTTP Request URL's
tcpdump -s 0 -v -n -l | egrep -i \"POST \/|GET \/|Host:\"

# Cookies from Server and from Client
tcpdump -nn -A -s0 -l | egrep -i 'Set-Cookie|Host:|Cookie:'


\u25a0 tcpdump options<\/strong>

-a : Network & Broadcast \uc8fc\uc18c\ub4e4\uc744 \uc774\ub984\ub4e4\ub85c \ubc14\uafbc\ub2e4.

-c Number : \uc81c\uc2dc\ub41c \uc218\uc758 \ud328\ud0b7\uc744 \ubc1b\uc740 \ud6c4 \uc885\ub8cc\ud55c\ub2e4.

-d : comile\ub41c packet-matching code\ub97c \uc0ac\ub78c\uc774 \uc77d\uc744 \uc218 \uc788\ub3c4\ub85d \ubc14\uafb8\uc5b4 \ud45c\uc900 \ucd9c\ub825\uc73c\ub85c \ucd9c\ub825\ud558\uace0, \uc885\ub8cc\ud55c\ub2e4.

-dd : packet-matching code\ub97c C program\uc758 \uc77c\ubd80\ub85c \ucd9c\ub825\ud55c\ub2e4.

-ddd : packet-matching code\ub97c \uc22b\uc790\ub85c \ucd9c\ub825\ud55c\ub2e4.

-e : \ucd9c\ub825\ub418\ub294 \uac01\uac01\uc758 \ud589\uc5d0 \ub300\ud574\uc11c link-level \ud5e4\ub354\ub97c \ucd9c\ub825\ud55c\ub2e4.

-f : \uc678\ubd80\uc758 internet address\ub97c \uac00\uae09\uc801 \uc2ec\ubcfc\ub85c \ucd9c\ub825\ud55c\ub2e4. (Sun\uc758 yp server\uc640\uc758 \uc0ac\uc6a9\uc740 \uac00\uae09\uc801 \ud53c\ud558\uc790)

-F file : filter \ud45c\ud604\uc758 \uc785\ub825\uc73c\ub85c \ud30c\uc77c\uc744 \ubc1b\uc544\ub4e4\uc778\ub2e4. \ucee4\ub9e8\ub4dc\ub77c\uc778\uc5d0 \uc8fc\uc5b4\uc9c4 \ucd94\uac00\uc758 \ud45c\ud604\ub4e4\uc740 \ubaa8\ub450 \ubb34\uc2dc\ub41c\ub2e4.

-i device : \uc5b4\ub290 \uc778\ud130\ud398\uc774\uc2a4\ub97c \uacbd\uc720\ud558\ub294 \ud328\ud0b7\ub4e4\uc744 \uc7a1\uc744\uc9c0 \uc9c0\uc815\ud55c\ub2e4. \uc9c0\uc800\ub418\uc9c0 \uc54a\uc73c\uba74 \uc2dc\uc2a4\ud15c\uc758 \uc778\ud130\ud398\uc774\uc2a4 \ub9ac\uc2a4\ud2b8\ub97c \ub4a4\uc838\uc11c \uac00\uc7a5 \ub0ae\uc740 \ubc88\ud638\ub97c \uac00\uc9c4 \uc778\ud130\ud398\uc774\uc2a4\ub97c \uc120\ud0dd\ud55c\ub2e4. (\uc774 \ub54c loopback\uc740 \uc81c\uc678\ub41c\ub2e4).

-l : \ud45c\uc900 \ucd9c\ub825\uc73c\ub85c \ub098\uac00\ub294 \ub370\uc774\ud130\ub4e4\uc744 line buffering\ud55c\ub2e4. \ub2e4\ub978 \ud504\ub85c\uadf8\ub7a8\uc5d0\uc11c tcpdump\ub85c\ubd80\ud130 \ub370\uc774\ud130\ub97c \ubc1b\uace0\uc790 \ud560 \ub54c, \uc720\uc6a9\ud558\ub2e4.

-n : \ubaa8\ub4e0 \uc8fc\uc18c\ub4e4\uc744 \ubc88\uc5ed\ud558\uc9c0 \uc54a\ub294\ub2e4(port,host address \ub4f1\ub4f1)

-N : \ud638\uc2a4\ud2b8 \uc774\ub984\uc744 \ucd9c\ub825\ud560 \ub54c, \ub3c4\uba54\uc778\uc744 \ucc0d\uc9c0 \uc54a\ub294\ub2e4.

-O : packet-matching code optimizer\ub97c \uc2e4\ud589\ud558\uc9c0 \uc54a\ub294\ub2e4. \uc774 \uc635\uc158\uc740 optimizer\uc5d0 \uc788\ub294 \ubc84\uadf8\ub97c \ucc3e\uc744 \ub54c\ub098 \uc4f0\uc778\ub2e4.

-p : \uc778\ud130\ud398\uc774\uc2a4\ub97c promiscuous mode\ub85c \ub450\uc9c0 \uc54a\ub294\ub2e4.

-q : \ud504\ub85c\ud1a0\ucf5c\uc5d0 \ub300\ud55c \uc815\ubcf4\ub97c \ub35c \ucd9c\ub825\ud55c\ub2e4. \ub530\ub77c\uc11c \ucd9c\ub825\ub418\ub294 \ub77c\uc778\uc774 \uc880 \ub354 \uc9e7\uc544\uc9c4\ub2e4.

-r file : \ud328\ud0b7\ub4e4\uc744 '-w'\uc635\uc158\uc73c\ub85c \ub9cc\ub4e4\uc5b4\uc9c4 \ud30c\uc77c\ub85c \ubd80\ud130 \uc77d\uc5b4 \ub4e4\uc778\ub2e4. \ud30c\uc77c\uc5d0 \"-\" \uac00 \uc0ac\uc6a9\ub418\uba74 \ud45c\uc900 \uc785\ub825\uc744 \ud1b5\ud574\uc11c \ubc1b\uc544\ub4e4\uc778\ub2e4.

-s length: \ud328\ud0b7\ub4e4\ub85c\ubd80\ud130 \ucd94\ucd9c\ud558\ub294 \uc0d8\ud50c\uc744 default\uac12\uc778 68Byte\uc678\uc758 \uac12\uc73c\ub85c \uc124\uc815\ud560 \ub54c \uc0ac\uc6a9\ud55c\ub2e4(SunOS\uc758 NIT\uc5d0\uc11c\ub294 \ucd5c\uc18c\uac00 96Byte\uc774\ub2e4). 68Byte\ub294 IP,ICMP, TCP, UDP\ub4f1\uc5d0 \uc801\uc808\ud55c \uac12\uc774\uc9c0\ub9cc Name Server\ub098 NFS \ud328\ud0b7\ub4e4\uc758 \uacbd\uc6b0\uc5d0\ub294 \ud504\ub85c\ud1a0\ucf5c\uc758 \uc815\ubcf4\ub4e4\uc744 Truncation\ud560 \uc6b0\ub824\uac00 \uc788\ub2e4. \uc774 \uc635\uc158\uc744 \uc218\uc815\ud560 \ub54c\ub294 \uc2e0\uc911\ud574\uc57c\ub9cc \ud55c\ub2e4. \uc774\uc720\ub294 \uc0d8\ud50c \uc0ac\uc774\uc988\ub97c \ud06c\uac8c \uc7a1\uc73c\uba74 \uace7 \ud328\ud0b7 \ud558\ub098\ud558\ub098\ub97c \ucc98\ub9ac\ud558\ub294\ub370 \uc2dc\uac04\uc774 \ub354 \uac78\ub9b4 \ubfd0\ub9cc\uc544\ub2c8\ub77c \ud328\ud0b7 \ubc84\ud37c\uc758 \uc0ac\uc774\uc988\ub3c4 \uc790\uc5f0\ud788 \uc791\uc544\uc9c0\uac8c \ub418\uc5b4 \uc190\uc2e4\ub418\ub294 \ud328\ud0b7\ub4e4\uc774 \ubc1c\uc0dd\ud560 \uc218 \uc788\uae30 \ub54c\ubb38\uc774\ub2e4. \ub610, \uc791\uac8c \uc7a1\uc73c\uba74 \uadf8\ub9cc\ud07c\uc758 \uc815\ubcf4\ub97c \uc783\uac8c\ub418\ub294 \uac83\uc774\ub2e4. \ub530\ub77c\uc11c \uac00\uae09\uc801 \ucea1\ucdb0\ud558\uace0\uc790 \ud558\ub294 \ud504\ub85c\ud1a0\ucf5c\uc758 \ud5e4\ub354 \uc0ac\uc774\uc988\uc5d0 \uac00\uae5d\uac8c \uc7a1\uc544\uc8fc\uc5b4\uc57c \ud55c\ub2e4.

-T type : \uc870\uac74\uc2dd\uc5d0 \uc758\ud574 \uc120\ud0dd\ub41c \ud328\ud0b7\ub4e4\uc744 \uba85\uc2dc\ub41c \ud615\uc2dd\uc73c\ub85c \ud45c\uc2dc\ud55c\ub2e4. type\uc5d0\ub294 \ub2e4\uc74c\uacfc \uac19\uc740 \uac83\ub4e4\uc774 \uc62c \uc218 \uc788\ub2e4. rpc(Remote Procedure Call), rtp(Real-Time Applications protocol), rtcp(Real-Time Application control protocal), vat(Visual Audio Tool), wb(distributed White Board)

-S : TCP sequence\ubc88\ud638\ub97c \uc0c1\ub300\uc801\uc778 \ubc88\ud638\uac00 \uc544\ub2cc \uc808\ub300\uc801\uc778 \ubc88\ud638\ub85c \ucd9c\ub825\ud55c\ub2e4.

-t : \ucd9c\ub825\ub418\ub294 \uac01\uac01\uc758 \ub77c\uc778\uc5d0 \uc2dc\uac04\uc744 \ucd9c\ub825\ud558\uc9c0 \uc54a\ub294\ub2e4.

-tt : \ucd9c\ub825\ub418\ub294 \uac01\uac01\uc758 \ub77c\uc778\uc5d0 \ud615\uc2dd\uc774 \uc5c6\ub294 \uc2dc\uac04\ub4e4\uc744 \ucd9c\ub825\ud55c\ub2e4.

-v : \uc880 \ub354 \ub9ce\uc740 \uc815\ubcf4\ub4e4\uc744 \ucd9c\ub825\ud55c\ub2e4.

-vv : '-v' \ubcf4\ub2e4 \uc880 \ub354 \ub9ce\uc740 \uc815\ubcf4\ub4e4\uc744 \ucd9c\ub825\ud55c\ub2e4.

-w : \ucea1\ucdb0\ud55c \ud328\ud0b7\ub4e4\uc744 \ubd84\uc11d\ud574\uc11c \ucd9c\ub825\ud558\ub294 \ub300\uc2e0\uc5d0 \uadf8\ub300\ub85c \ud30c\uc77c\uc5d0 \uc800\uc7a5\ud55c\ub2e4.

-x : \uac01\uac01\uc758 \ud328\ud0b7\uc744 \ud5e5\uc0ac\ucf54\ub4dc\ub85c \ucd9c\ub825\ud55c\ub2e4.

<\/span>\n","protected":false},"excerpt":{"rendered":"

\u25a0 \uc0ac\uc6a9 \uc608\uc81c # 10.10.10.46\uc5d0\uc11c 10.10.10.1\ub85c \ud5a5\ud558\ub294 25(SMTP)\ubc88 \ud3ec\ud2b8\uc5d0 \ub300\ud55c \ud2b8\ub798\ud53d\uc744 \ub0b4\uc6a9\uae4c\uc9c0 \uc0c1\uc138\ud788 \ucd9c\ub825\ud55c\ub2e4.tcpdump -i eth0 -n -q -X “src host 10.10.10.46 and dst host 10.10.10.1 and port 25” # gateway 10.10.10.17\uc744 \uac70\uce58\ub294 ftp\uc5d0 \uad00\ub828\ub41c \ud328\ud0b7\ub4e4\uc744 \ucd9c\ub825tcpdump ‘gateway 10.10.10.17 and ( port ftp or ftp-data )’ # multicast \ud328\ud0b7\ub4e4\uc744 \ucd9c\ub825\ud55c\ub2e4.tcpdump ‘ehter[0] & 1 = 0 […]<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_import_markdown_pro_load_document_selector":0,"_import_markdown_pro_submit_text_textarea":"","site-sidebar-layout":"default","site-content-layout":"","ast-site-content-layout":"","site-content-style":"default","site-sidebar-style":"default","ast-global-header-display":"","ast-banner-title-visibility":"","ast-main-header-display":"","ast-hfb-above-header-display":"","ast-hfb-below-header-display":"","ast-hfb-mobile-header-display":"","site-post-title":"","ast-breadcrumbs-content":"","ast-featured-img":"","footer-sml-layout":"","theme-transparent-header-meta":"","adv-header-id-meta":"","stick-header-meta":"","header-above-stick-meta":"","header-main-stick-meta":"","header-below-stick-meta":"","astra-migrate-meta-layouts":"default","ast-page-background-enabled":"default","ast-page-background-meta":{"desktop":{"background-color":"","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"tablet":{"background-color":"","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"mobile":{"background-color":"","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""}},"ast-content-background-meta":{"desktop":{"background-color":"var(--ast-global-color-5)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"tablet":{"background-color":"var(--ast-global-color-5)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"mobile":{"background-color":"var(--ast-global-color-5)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""}},"footnotes":""},"categories":[11],"tags":[],"class_list":["post-705","post","type-post","status-publish","format-standard","hentry","category-computing_network"],"_links":{"self":[{"href":"https:\/\/hasu0707.duckdns.org\/blog\/index.php?rest_route=\/wp\/v2\/posts\/705","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/hasu0707.duckdns.org\/blog\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/hasu0707.duckdns.org\/blog\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/hasu0707.duckdns.org\/blog\/index.php?rest_route=\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/hasu0707.duckdns.org\/blog\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=705"}],"version-history":[{"count":0,"href":"https:\/\/hasu0707.duckdns.org\/blog\/index.php?rest_route=\/wp\/v2\/posts\/705\/revisions"}],"wp:attachment":[{"href":"https:\/\/hasu0707.duckdns.org\/blog\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=705"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/hasu0707.duckdns.org\/blog\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=705"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/hasu0707.duckdns.org\/blog\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=705"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}