tcpdump and some default ports of linux

1. Common port number of HTTP proxy server: 80/8080/3128/8081/9098

2. Common port number of SOCKS proxy protocol server: 1080

3.FTP (File Transfer) Protocol Proxy Server Common Port Number: 21

4.Telnet (Remote Login) Protocol Proxy Server Common Port Number: 23

HTTP server, default port number is 80/tcp (Trojan Executor opens this port)

HTTPS (securely transferring web pages) server, default port number 443/tcp 443/udp

Telnet (unsafe text transfer), default port number is 23/tcp (open port of Trojan Tiny Telnet Server)

FTP, the default port number is 21/tcp (ports opened by Trojan Doly Trojan, Fore, Invisible FTP, WebEx, WinCrash and Blade Runner)

TFTP (Trivial File Transfer Protocol), default port number 69/udp

SSH (secure login), SCP (file transfer), port number redirection, the default port number is 22/tcp

SMTP Simple Mail Transfer Protocol (E-mail), default port number is 25/tcp (Trojan Antigen, Email Password Sender, Haebu Coceda, Shtrilitz Stealth, WinPC, WinSpy all open this port)

POP3 Post Office Protocol (E-mail), default port number 110/tcp

Webshpere application, default port number 9080

webshpere management tool, default port number 9090

JBOSS, default port number 8080

TOMCAT, default port number 8080

WIN2003 remote login, default port number 3389

Symantec AV/Filter for MSE, default port number 8081

Oracle database, default port number 1521

ORACLE EMCTL, default port number 1158

Oracle XDB (XML database), default port number 8080

Oracle XDB FTP service, default port number 2100

MS SQL*SERVER database server, default port number 1433/tcp 1433/udp

MS SQL*SERVER database monitor, default port number 1434/tcp 1434/udp

First use ifconfig to view the network card

tcpdump tcp -i eth1 -t -s 0 -c 100 and dst port ! 22 and src net -w./target.cap

(1)tcp: ip icmp arp rarp and tcp, udp, icmp and other options should be placed in the position of the first parameter to filter the type of datagram.
(2)-i eth1: Grab only packets passing through interface eth1
 (3)-t: No timestamp is displayed
 (4)-s 0: The default crawl length is 68 bytes when crawling data packets. Plus - S 0, you can grab the complete package
 (5)-c 100: Grab only 100 packets
 (6) DST port! 22: not grabbing data packets whose target port is 22
 (7)src net the source network address of the packet is
 (8) - W. / target. cap: Save as a cap file for easy analysis with ethereal (wireshark)

tcpdump  -C 1  -w a.cap
 (1)-w a.cap writes the result of grabbing the package into a.cap. The storage path is the current path of the terminal command.
(2)-C 1 If a.cap is larger than 1M, a new file, - C fileSize, in MB

tcpdump -i eth0 -x -s 1024 port 1883
 - x displays a packet
 - s 1024 output message size, if not specified, default display 68 bytes, application layer protocols often can not be displayed

Filter host
- Grab all network data passing through eth1, destination or source address
# tcpdump -i eth1 host
 - Source address
# tcpdump -i eth1 src host
 - Destination address
# tcpdump -i eth1 dst host

Filter Port
- Grab all network data passing through eth1, destination or source port 25
# tcpdump -i eth1 port 25
 - Source Port
# tcpdump -i eth1 src port 25
 - Destination Port
# tcpdump -i eth1 dst port 25

Network filtering
# tcpdump -i eth1 net 192.168
# tcpdump -i eth1 src net 192.168
# tcpdump -i eth1 dst net 192.168

Protocol filtering
# tcpdump -i eth1 arp
# tcpdump -i eth1 ip
# tcpdump -i eth1 tcp
# tcpdump -i eth1 udp
# tcpdump -i eth1 icmp

No:!or "not" (remove double quotation marks)
And: & & or "and"
Or: | | or "or"
- Grab all TCP data passing eth1, destination address or port is 80
# tcpdump -i eth1 '((tcp) and (port 80) and ((dst host or (dst host'
- Grab all ICMP data passing eth1 with the target MAC address of 00:01:02:03:04:05
# tcpdump -i eth1 '((icmp) and ((ether dst host 00:01:02:03:04:05)))'
- The destination network is 192.168, but the destination host is not TCP data.

# tcpdump -i eth1 '((tcp) and ((dst net 192.168) and (not dst host'


- Grab SYN Pack Only
# tcpdump -i eth1 'tcp[tcpflags] = tcp-syn'
- Grasp SYN, ACK
# tcpdump -i eth1 'tcp[tcpflags] & tcp-syn != 0 and tcp[tcpflags] & tcp-ack != 0'
Grasp SMTP Data
# tcpdump -i eth1 '((port 25) and (tcp[(tcp[12]>>2):4] = 0x4d41494c))'
The grabbing data area begins with the package of "MAIL", and the hexadecimal system of "MAIL" is 0x4d41494c.
Grasp HTTP GET Data
# tcpdump -i eth1 'tcp[(tcp[12]>>2):4] = 0x47455420'
The hexadecimal number of "GET" is 47455420
 Grab SSH Back
# tcpdump -i eth1 'tcp[(tcp[12]>>2):4] = 0x5353482D'
The hexadecimal system of "SSH-" is 0x53482D.

# tcpdump -i eth1 '(tcp[(tcp[12]>>2):4] = 0x5353482D) and (tcp[((tcp[12]>>2)+4):2]
= 0x312E)'Grab the old version of SSH return information, such as "SSH-1.99."


- Grasp DNS Request Data
# tcpdump -i eth1 udp dst port 53
- c parameter is also commonly used for operation and maintenance personnel, because the server with larger traffic depends on manual CTRL+C or not.
Too many, so you can use the - c parameter to specify how many packages to grab.
# time tcpdump -nn -i eth0 'tcp[tcpflags] = tcp-syn' -c 10000 > /dev/null
 The above command calculates how long it takes to grab 10,000 SYN packages, and can determine the approximate number of visits.


Real-time grab the GET package of port number 8000 and write it to GET.log

tcpdump -i eth0 '((port 8000) and (tcp[(tcp[12]>>2):4]=0x47455420))' -nnAl -w /tmp/GET.log
Practical tcpdump command
  //Look at the local and mysql operation commands note - i any means to monitor all network interfaces, we also choose network interfaces according to their own circumstances
  #tcpdump -i any -w - dst port 3306 |strings  
  //Look at the commands with mysql on the local 58895. Note - i any means to monitor all network interfaces. We need to select network interfaces according to our own circumstances.
  #tcpdump -i any -w - dst port 3306 and src port 58895 |strings  
  //Similarly, you can also use the above commands to view the commands of kafka,etcd,redis,mc, etc., as long as it is a plaintext protocol.
tcpdump Command format
  #tcpdump option filter
    option Give an example -n, -i any etc.
    filter Is the condition of the filter package, for example: tcp, portrange 1-1000, src port 58895, host,
      filter It can be combined, for example:
        dst port 3306 and src port 58895 
        portrange 1-1000 or src port 58895
        not dst port 3306
                  option                  filter
  //Examples: tcpdump-i any-n portrange 1-3306 or portrange 10000-58895
tcpdump option
  //In en2, if not specified, all network interfaces will be searched and monitored on the smallest number of network ports.
  //That's the smallest number on the left of tcpdump-D.
  #tcpdump -i en2   
  //linux 2.2 and above support - i any
  #Tcpdump-i any can listen on all ports
  -n   Don't put it down ip Convert to machine name
  #tcpdump -n
  // - W - / - w to write content somewhere, - means standard output, that is, output to standard output.
  #Tcpdump - W - | strings This is a super useful command to display package data in characters
  // - w.a.cap writes the result of grabbing package into a.cap
  // - C 1 If a.cap is larger than 1M, a new file, - C fileSize, is opened in MB.
  #tcpdump  -C 1  -w a.cap
    -rw-r--r--   1 root  wheel  1000092 Apr 21 21:05 a.cap    //Over 1MB
    -rw-r--r--   1 root  wheel   849388 Apr 21 21:05 a.cap1
  //- r Reads from a file
  #tcpdump -n -r a.cap  
  #Tcpdump-X prints data in hexadecimal and ASCII formats
  #Tcpdump-x prints not only the header, but also the data in the package (in hexadecimal form)
  #Tcpdump-xx prints header, data content in hexadecimal form
  // - A prints out each package in ASCII form
  #tcpdump -A  host   
  // - c 3 indicates withdrawal after receiving three packet s
  #tcpdump -A -c 3  host
    3 packets captured
    65 packets received by filter
    0 packets dropped by kernel
  //Look at the network interfaces on the current machine
  #tcpdump -D
  //- e Prints out the head of the connection layer
  #tcpdump -e
    21:15:27.665159 *:*:60:dc:d0:d9 (oui Unknown) > *:*:07:10:81:36 (oui Unknown), ethertype IPv4 (0x0800), length 79: zj-db0355dembp.lan.51318 > hiwifi.lan.domain: 20430+ A? (37)
  #Tcpdump-j timestamp type can modify the time format of the output, which seems to be not supported by CentOS 6.5
  #Time format supported by tcpdump-J display
  //- Live stdout bufferd. It's useful when you want to see the results on the screen and output them to a file.
  #tcpdump -l 
  //tee is a command that displays dump content on the screen and outputs it to dump.log  
  #tcpdump -l |tee dump.log       
  #tcpdump -l > dump.log &tail -f dump.log  
  //- q is quiect output, printing as little information as possible
  #tcpdump -q 
  //- S prints real, absolute tcp seq no
  #tcpdump -S
    21:33:06.569478 IP *dembp.lan.54864 > ***: Flags [P.], seq 3980049501:3980049596, ack 3916671858, win 4091, options [nop,nop,TS val 1201572125 ecr 1490447193], length 95
  //The default crawl packet length is 65535.
  #tcpdump         //capture sieze 65535
    listening on em1, link-type EN10MB (Ethernet), capture size 65535 bytes
  //We set this parameter to 256 to reduce the size of the package capture file.
  #tcpdump -s  256    
    listening on pktap, link-type PKTAP (Packet Tap), capture size 256 bytes
  #tcpdump -t Don't Time Stamp
  #Tcpudmp-tt calls timstamp, seconds since 1970-1-1, and microseconds
  #Tcpdump-v prints out detailed results such as ttl
  #Tcpdump-vv prints out more detailed results such as window, checksum, etc.
tcpdump Filter item
  //The - i any option is available in all of the following tests to capture packets on all network interfaces just for testing convenience.
  //Grab the package of the arp protocol, and then host 192.168.199 *. When testing, you need to make an ifconfig instruction in another session.
  //arp can be replaced by tcp,udp, etc.
  #tcpudmp -i any -n arp host 192.168.199  
    22:39:58.991043 ARP, Request who-has tell, length 28
    22:39:58.991059 ARP, Reply is-at a4:5e:60:dc:d0:d9, length 28
  //Grab the package that accesses destination 80 port, and then we do a curl operation.
  #tcpdump -i any -n dst port 80
  22:53:06.041382 IP > Flags [F.], seq 0, ack 1, win 65535, length 0
  //Grab a packet with port 80 on the source
  #tcpdump -i any -n src port 80     
    22:57:48.343422 IP > Flags [.], seq 38478:39918, ack 78, win 193, length 1440
  //Crawl packages with source or target ports of 80
  #tcpdump -i any -n port 80    
    22:58:51.165333 IP > Flags [F.], seq 100439, ack 79, win 193, length 0
    22:58:51.165349 IP > Flags [R], seq 703147494, win 0, length 0
  //Represents data that grabs ports of destination prot between 1 and 80
  #Tcpdump-i any-n DST portrange 1-80 curl and telnet on the other side 
    23:00:13.550006 IP > *.*.248.73.80: Flags [.], ack 71649, win 8012, length 0
    23:01:27.363723 IP > Flags [S], seq 621213649, win 65535, options [mss 1460,nop,wscale 5,nop,nop,TS val 1240986522 ecr 0,sackOK,eol], length 0
  //The port of grab source is 20-80 package
  #tcpdump -i any -n src portrange 20-80  
  //Grab ports are 20-80 packages, regardless of source
  #tcpdump -i any -n portrange 20-80  
  //Grab the package destination for
  #Tcpdump-i any DST, then ping, and accessing in browsers
    22:22:17.445872 IP *0355dembp.lan > ICMP echo request, id 26478, seq 0, length 64
    2:22:50.108236 IP  *0355dembp.lan.62371 > Flags [S], seq 2884215363, win 65535, options [mss 1460,nop,wscale 5,nop,nop,TS val 1238683151 ecr 0,sackOK,eol], length 0
  //Grab the package destination
  #tcpdump -i any dst
    22:26:46.808706 IP zj-db0355dembp.lan > ICMP echo request, id 31854, seq 0, length 64
  //Grab the package whose destination is 192.168.1. [0-255]
  #Tcpdump-i any DST 192.168.1 can specify ranges
  #ifconfig shows that my local ip is
  //Crawl a package with source 192.168. *. * and use - n only to display ip, not host name. 
  #tcpdump -i any -n src 192.168    
    22:30:50.490355 IP > *.*.*.*.341: Flags [.], ack 56, win 8185, options [nop,nop,TS val 1239157627 ecr 1580310986], length 0
  //Grab 192.168 packages (source or destination)
  #tcpdump -i any -n host 192.168     
    22:38:07.580567 IP *.*.*.*.34186 > Flags [P.], seq 787907565:787907668, ack 871423065, win 126, options [nop,nop,TS val 1580748123 ecr 1239593243], length 103
    22:38:08.453788 IP > *.*.*.*.34186: Flags [P.], seq 9481:10147, ack 5769, win 8179, options [nop,nop,TS val 1239594178 ecr 1580748994], length 666
  //Grab packages less than 800 in length
  #tcpudmp -i any -n less 800 
    21:09:17.687673 IP > *.*.*.*.1900: UDP, length 385
  //Grab packages longer than 800
  #tcpdump -i any -n greater 800   
    21:13:21.801351 IP > *.*.*.*.80: Flags [P.], seq 2155:3267, ack 44930, win 8192, length 1112
  //Grab only tcp packets
  #tcpdump -i any -n tcp   
    1:21:18.777815 IP > *.*.*.*.443: Flags [.], ack 75, win 4093, options [nop,nop,TS val 1269008649 ecr 44997038], length 0
  //Grab only udp packages
  #tcpdump -i any -n udp  
    21:22:48.434449 IP > *.*.*.*.1900: UDP, length 385
  //Crawl only icmp packages, internet control packages
  #tcpdump -i any -n icmp   
    21:25:42.550374 IP > ICMP *.*.*.* unreachable - need to frag (mtu 1480), length 556


Keywords: network ssh ftp Oracle

Added by smerny on Wed, 04 Sep 2019 06:30:27 +0300