IP header length = 5*4 = 20 bytes. In the hex dump each line holds 16 bytes and the offsets are counted from 0, so the IP data starts from 0035, right after the 20-byte header.
The TCP header follows the IP header inside the IP packet, so if the first byte is 0x45 (IPv4, header length 5*4 = 20 bytes), the TCP header is counted from byte 20 of the IP packet.
tcpdump -s 0: -s 0 (snaplen zero) captures the entire Ethernet header and IP packet.
tcpdump -xX: -x shows the IP packet data, including link layers, in hex;
-X shows the IP data in hex and ASCII;
so if you want to see the data in hex and ASCII, -X alone is enough.
-n: don't convert addresses (host addresses, port numbers, etc.) to names.
-r: read packets from a file (created with the -w option). Standard input is used if the file is "-".
tcpdump filter syntax expression: proto[offset:length] <relation> <value>
if no length is given it means 1 byte, i.e. [9:1] = [9];
<value> is decimal, so normally the original hex has to be converted to decimal first; to use hex directly, write it as 0x0f;
ip[9]=6: embedded protocol is TCP
tcp[2:2]=80: destination port is 80
udp[6:2]!=0: UDP checksum is not zero
icmp[0]=8: echo packet
to test whether a particular bit of a byte at some offset is set, use ip[offset]&128=128, which means 128 (dec) = 10000000 & ? = 10000000.
The symbol & means AND, which works like this:
0 and 0 = 0
0 and 1 = 0
1 and 0 = 0
1 and 1 = 1
just like multiplication.
So by ANDing a byte with 1111 (0xf) we can pick out exactly the bits we want, e.g. ip[0]&0xf=0x5 (header length 5, as in 0x45), or ip[0]&0xf!=5.
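Added example (not part of the original notes): a small Python evaluator that applies the proto[offset:length]&mask relation value syntax described above to a constructed IPv4+TCP packet, computing the TCP offset from the IHL nibble exactly as the header discussion explains. The packet bytes and the expression list are constructed for the demo, not captured traffic.

```python
import re
import struct

# Constructed sample packet: a 20-byte IPv4 header (proto 6, DF set) followed by
# a 20-byte TCP header (SYN to destination port 80). Built inline, not captured.
IP_HDR = struct.pack("!BBHHHBBH4s4s",
                     0x45, 0, 40, 0x1234, 0x4000, 64, 6, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
TCP_HDR = struct.pack("!HHIIBBHHH", 40000, 80, 1, 0, 5 << 4, 0x02, 65535, 0, 0)
PACKET = IP_HDR + TCP_HDR

# proto[offset:len] op value; len and the "&mask" part are optional, and value or
# mask may be decimal or 0x-prefixed hex, as tcpdump accepts them.
EXPR = re.compile(r"^(ip|tcp|udp|icmp)\[(\d+)(?::(\d+))?\](?:&(\w+))?(=|!=|>|<)(\w+)$")


def proto_start(packet, proto):
    """Byte offset at which the named header begins, mirroring tcpdump's view."""
    if proto == "ip":
        return 0
    ihl = (packet[0] & 0x0F) * 4      # IHL nibble * 4 bytes: 0x45 -> 20
    return ihl                        # tcp/udp/icmp all start right after the IP header


def match(packet, expr):
    """Evaluate one tcpdump-style byte expression against the raw packet bytes."""
    m = EXPR.match(expr.replace(" ", ""))
    if not m:
        raise ValueError(f"unsupported expression: {expr}")
    proto, off, length, mask, op, value = m.groups()
    off, length = int(off), int(length or 1)       # no length given -> one byte
    start = proto_start(packet, proto) + off
    field = int.from_bytes(packet[start:start + length], "big")
    if mask:
        field &= int(mask, 0)         # int(x, 0) understands "0xf" as well as "15"
    value = int(value, 0)
    return {"=": field == value, "!=": field != value,
            ">": field > value, "<": field < value}[op]


if __name__ == "__main__":
    for e in ["ip[9]=6", "tcp[2:2]=80", "ip[0]&0xf=5", "ip[6]&0x40=0x40", "tcp[13]&2=2"]:
        print(f"{e:18} -> {match(PACKET, e)}")
```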
TCPDUMP on F5
tcpdump -ni /Orange/Vlan_207 -f "ip host 10.240.8.8"
tcpdump -ni /Orange/Vlan_215 -f "port 8905"
config # openssl verify -purpose sslclient -CAfile /config/filestore/files_d/Orange_d/certificate_d/:\:Orange\:Self_BSAPartnerSolutionOrder.crt_1 /tmp/Self_BSAPartnerSolutionOrder.cer
Capture on ACE
- Create an ACL matching the traffic of interest: access-list lulu line 8 extended permit tcp host 10.240.13.134 any
access-list lulu line 16 extended permit tcp host 10.240.13.135 any
- Bind the capture to the ACL: capture test interface vlan 264 access-list lulu bufsize 5000
- Start the capture: capture test start