Introduction:
A packet sniffer is commonly used to diagnose network-related problems. The following are the parameters commonly used with the packet sniffer on the appliance (the filter expressions use tcpdump's pcap-filter syntax):
1. Logical operators: and = "&&" ; or = "||" ; not = "!"
2. Protocol keywords: tcp, udp, arp, icmp
3. Options:
-i <interface>
Listen on the given interface (by default the sniffer listens on all interfaces).
-l
Put the interface in "monitor mode". Note that in stock tcpdump, -l only makes the output line-buffered and -I (capital i) selects monitor mode; check the appliance's own help output before relying on -l for this.
-v
Produce verbose output.
-n
Do not convert host addresses to names (this avoids reverse DNS lookups, which slow the capture down and generate extra traffic).
TCP flags shown in the output: S (SYN) ; P (PSH) ; R (RST) ; F (FIN)
Based on the parameters above, the following are example commands:
1. Sniff ICMP packets on 192.168.1.0/24, excluding 192.168.1.26:
icmp and net 192.168.1.0/24 and ! host 192.168.1.26
2. Sniff all IPsec traffic (ESP is IP protocol 50, AH is IP protocol 51, IKE uses UDP port 500 and NAT-T uses UDP port 4500):
proto 50 or proto 51 or port 500 or port 4500
3. Sniff 10.10.10.1's traffic on port 1 (interface eth0), excluding ICMP and SSH:
-i eth0 host 10.10.10.1 and not icmp and not port 22
4. Sniff by source IP 192.168.1.26, or by source subnet 192.168.1.0/24 (two separate filters):
src 192.168.1.26 ; src net 192.168.1.0/24
5. Sniff by source port 21, or by destination port 80 (two separate filters):
src port 21 ; dst port 80
For NATed networks, filter on the destination IP when you need to examine the full path of a packet flow: NAT rewrites the source address, so a filter on the internal source IP only matches packets on the internal side, whereas the destination address is the same on both sides of the translation. For example, to capture ping packets destined for 168.95.1.1 in a NATed network, any of the following filters can be used:
net 168.95.1.1 (a dotted quad with no mask is treated as a /32),
net 168.95.1.1/32,
host 168.95.1.1
Based on the previous case, the following is the command to capture packets using the source IP 192.168.1.26 as the parameter (this matches the internal, pre-translation side of the flow):
net 192.168.1.26 -lvn
The following command captures ping packets from 192.168.1.26:
net 192.168.1.26 and icmp -lvn
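To see how the filter expressions above combine, and why the NAT case behaves as described, here is a small Python evaluator for the subset of tcpdump's pcap-filter syntax used on this page (the and/or/not operators, the host/net/port/proto primitives, src/dst qualifiers and parentheses), run over a handful of constructed packets. This is an added example, not the appliance's sniffer or libpcap; the packet addresses, the PACKETS list and the select() helper are assumptions made for the demonstration.

```python
import ipaddress
import re

PROTO_NUMBERS = {"icmp": 1, "tcp": 6, "udp": 17, "esp": 50, "ah": 51}
TOKEN_RE = re.compile(r"\(|\)|&&|\|\||!|[^\s()!&|]+")

class Parser:
    """Recursive-descent parser for a pcap-filter subset; precedence is not > and > or,
    as in tcpdump. Nodes: ("and"|"or", l, r), ("not", x) or (primitive, direction, arg)."""
    def __init__(self, expr):
        self.toks, self.pos = TOKEN_RE.findall(expr), 0
    def peek(self):
        return self.toks[self.pos] if self.pos < len(self.toks) else None
    def take(self):
        tok = self.peek()
        self.pos += 1
        return tok
    def parse(self):
        node = self.parse_or()
        if self.peek() is not None:
            raise ValueError("trailing tokens: %r" % self.toks[self.pos:])
        return node
    def parse_or(self):
        left = self.parse_and()
        while self.peek() in ("or", "||"):
            self.take()
            left = ("or", left, self.parse_and())
        return left
    def parse_and(self):
        left = self.parse_not()
        while self.peek() in ("and", "&&"):
            self.take()
            left = ("and", left, self.parse_not())
        return left
    def parse_not(self):
        if self.peek() in ("not", "!"):
            self.take()
            return ("not", self.parse_not())
        return self.parse_primary()
    def parse_primary(self):
        tok = self.take()
        if tok == "(":
            node = self.parse_or()
            if self.take() != ")":
                raise ValueError("expected ')'")
            return node
        direction = None
        if tok in ("src", "dst"):  # optional direction qualifier
            direction, tok = tok, self.take()
        if tok in ("host", "net", "port", "proto"):
            return (tok, direction, self.take())
        if tok in PROTO_NUMBERS or tok == "arp":  # bare protocol keyword
            return ("proto", None, tok)
        # Bare address such as "! 192.168.1.26": libpcap reuses the most recent
        # qualifier; a dotted quad under "net" means a /32, so "net" fits here.
        try:
            ipaddress.ip_network(tok, strict=False)
        except ValueError:
            raise ValueError("unknown token %r" % tok) from None
        return ("net", direction, tok)

def matches(node, pkt):
    """Evaluate a parsed filter tree against one packet dict."""
    op = node[0]
    if op == "and":
        return matches(node[1], pkt) and matches(node[2], pkt)
    if op == "or":
        return matches(node[1], pkt) or matches(node[2], pkt)
    if op == "not":
        return not matches(node[1], pkt)
    _, direction, arg = node
    if op == "proto":
        return pkt["proto"] == PROTO_NUMBERS.get(arg, int(arg) if arg.isdigit() else arg)
    sides = {"src": ["src"], "dst": ["dst"]}.get(direction, ["src", "dst"])
    if op == "port":  # non-TCP/UDP packets carry no port fields, so they never match
        return any(pkt.get(s + "_port") == int(arg) for s in sides)
    if op == "host":
        return any(ipaddress.ip_address(pkt[s]) == ipaddress.ip_address(arg) for s in sides)
    net = ipaddress.ip_network(arg, strict=False)  # op == "net"
    return any(ipaddress.ip_address(pkt[s]) in net for s in sides)

# Constructed sample packets (addresses are illustrative): one ping from an internal
# host as seen before and after source NAT, plus traffic the page's filters exclude.
PACKETS = [
    {"name": "ping-pre-nat", "proto": 1, "src": "192.168.1.26", "dst": "168.95.1.1"},
    {"name": "ping-post-nat", "proto": 1, "src": "203.0.113.7", "dst": "168.95.1.1"},
    {"name": "ping-lan", "proto": 1, "src": "192.168.1.40", "dst": "192.168.1.1"},
    {"name": "ssh", "proto": 6, "src": "10.10.10.1", "dst": "10.10.10.9", "src_port": 51234, "dst_port": 22},
    {"name": "http", "proto": 6, "src": "10.10.10.1", "dst": "10.10.10.9", "src_port": 51235, "dst_port": 80},
    {"name": "ike", "proto": 17, "src": "203.0.113.7", "dst": "198.51.100.2", "src_port": 500, "dst_port": 500},
    {"name": "esp", "proto": 50, "src": "203.0.113.7", "dst": "198.51.100.2"},
]

def select(expr, packets=PACKETS):
    """Names of the sample packets that a filter expression matches, in capture order."""
    tree = Parser(expr).parse()
    return [p["name"] for p in packets if matches(tree, p)]
```

With these packets, select("src host 192.168.1.26 and icmp") returns only "ping-pre-nat", because the post-NAT copy carries the translated source address, while select("host 168.95.1.1 and icmp") returns both "ping-pre-nat" and "ping-post-nat", which is the point of filtering on the destination in a NATed network. The page's own example filters (the ICMP exclusion, the IPsec set and the 10.10.10.1 filter) can be passed to select() unchanged.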