Monthly Archives: January 2016

Useful tcpdump Commands

Tcpdump is a command-line network debugging tool. It lets the user intercept and display TCP/UDP/IP and other packets being transmitted or received over a network to which the computer is attached (opening an interface for capture requires root or the CAP_NET_RAW capability). Running tcpdump by itself starts recording the traffic seen on the wire and prints the decoded packets to the screen.

I found this list by @r_paranoid on their website Rationally Paranoid. A very, very useful set of tcpdump commands that can assist with troubleshooting and/or when a packet capture is needed.

See the list of interfaces on which tcpdump can listen:

tcpdump -D

Listen on interface eth0:

tcpdump -i eth0

Listen on any available interface (cannot be done in promiscuous mode; requires Linux kernel 2.2 or greater):

tcpdump -i any

Be verbose while capturing packets:

tcpdump -v

Be more verbose while capturing packets:

tcpdump -vv

Be very verbose while capturing packets:

tcpdump -vvv

Be verbose and print the data of each packet in both hex and ASCII, excluding the link level header:

tcpdump -v -X

Be verbose and print the data of each packet in both hex and ASCII, also including the link level header:

tcpdump -v -XX

Be less verbose (than the default) while capturing packets:

tcpdump -q

Limit the capture to 100 packets:

tcpdump -c 100

Record the packet capture to a file called capture.cap:

tcpdump -w capture.cap

Record the packet capture to a file called capture.cap but display on-screen how many packets have been captured in real-time:

tcpdump -v -w capture.cap

Display the packets of a file called capture.cap:

tcpdump -r capture.cap

Display the packets using maximum detail of a file called capture.cap:

tcpdump -vvv -r capture.cap

Display IP addresses and port numbers instead of domain and service names when capturing packets. This also stops tcpdump from doing reverse DNS lookups, which would otherwise generate traffic of their own and slow the capture down (note: on some systems you need to specify -nn to display port numbers):

tcpdump -n

Capture any packets where the destination host is 192.168.1.1. Display IP addresses and port numbers:

tcpdump -n dst host 192.168.1.1

Capture any packets where the source host is 192.168.1.1. Display IP addresses and port numbers:

tcpdump -n src host 192.168.1.1

Capture any packets where the source or destination host is 192.168.1.1. Display IP addresses and port numbers:

tcpdump -n host 192.168.1.1

Capture any packets where the destination network is 192.168.1.0/24. Display IP addresses and port numbers:

tcpdump -n dst net 192.168.1.0/24

Capture any packets where the source network is 192.168.1.0/24. Display IP addresses and port numbers:

tcpdump -n src net 192.168.1.0/24

Capture any packets where the source or destination network is 192.168.1.0/24. Display IP addresses and port numbers:

tcpdump -n net 192.168.1.0/24

Capture any packets where the destination port is 23. Display IP addresses and port numbers:

tcpdump -n dst port 23

Capture any packets where the destination port is between 1 and 1023 inclusive. Display IP addresses and port numbers:

tcpdump -n dst portrange 1-1023

Capture only TCP packets where the destination port is between 1 and 1023 inclusive. Display IP addresses and port numbers:

tcpdump -n tcp dst portrange 1-1023

Capture only UDP packets where the destination port is between 1 and 1023 inclusive. Display IP addresses and port numbers:

tcpdump -n udp dst portrange 1-1023

Capture any packets with destination IP 192.168.1.1 and destination port 23. Display IP addresses and port numbers:

tcpdump -n "dst host 192.168.1.1 and dst port 23"

Capture any packets with destination IP 192.168.1.1 and destination port 80 or 443. Display IP addresses and port numbers:

tcpdump -n "dst host 192.168.1.1 and (dst port 80 or dst port 443)"

Capture any ICMP packets:

tcpdump -v icmp

Capture any ARP packets:

tcpdump -v arp

Capture either ICMP or ARP packets:

tcpdump -v "icmp or arp"

Capture any packets that are broadcast or multicast:

tcpdump -n "broadcast or multicast"

Capture 500 bytes of data for each packet rather than the default snapshot length. Older tcpdump releases default to 68 bytes, which truncates most payloads; tcpdump 4.0 and later default to a snapshot length large enough to capture whole packets, so check `tcpdump --version` before assuming either:

tcpdump -s 500

Capture all bytes of data within the packet:

tcpdump -s 0
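The host, net, port and protocol filters above decide what tcpdump prints; the next job is usually to make sense of the lines it printed. The following is an added example, not part of the original post or of Rationally Paranoid's list: a small Python parser for the default (non-verbose, IPv4-only) `tcpdump -n` line format, run over a constructed sample, that counts packets per (protocol, source, destination, destination port) and lists the hosts that sent a bare SYN to a given port. The sample lines, the protocol guess for non-TCP/non-ICMP lines (treated as UDP) and the regular expression are all assumptions made here; the `-v` and `-X` formats are not handled.

```python
import re
from collections import Counter

# Constructed sample of `tcpdump -n` output (default, non-verbose line
# format, IPv4 only). It is not a capture from the original post.
SAMPLE_TCPDUMP = """\
13:01:05.100001 IP 10.1.0.17.51234 > 192.168.1.1.23: Flags [S], seq 1000, win 64240, length 0
13:01:05.100450 IP 192.168.1.1.23 > 10.1.0.17.51234: Flags [S.], seq 2000, ack 1001, win 65535, length 0
13:01:05.100900 IP 10.1.0.17.51234 > 192.168.1.1.23: Flags [.], ack 1, win 64240, length 0
13:01:06.200000 IP 10.1.0.17.40001 > 192.168.1.1.53: 4321+ A? example.com. (29)
13:01:06.200300 IP 192.168.1.1.53 > 10.1.0.17.40001: 4321 1/0/0 A 192.0.2.10 (45)
13:01:07.000000 IP 10.1.0.17 > 192.168.1.1: ICMP echo request, id 7, seq 1, length 64
13:01:07.000400 IP 192.168.1.1 > 10.1.0.17: ICMP echo reply, id 7, seq 1, length 64
13:01:08.000000 ARP, Request who-has 192.168.1.1 tell 10.1.0.17, length 28
13:01:09.000000 IP 10.1.0.99.51235 > 192.168.1.1.23: Flags [S], seq 3000, win 64240, length 0
"""

# One IPv4 line: timestamp, "IP", src[.sport] > dst[.dport]: rest
LINE_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) IP "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)(?:\.(?P<sport>\d+))? > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)(?:\.(?P<dport>\d+))?: (?P<rest>.*)$"
)
FLAGS_RE = re.compile(r"Flags \[([^\]]*)\]")


def parse_line(line):
    """Parse one tcpdump line into a dict, or None for lines this parser
    does not understand (ARP, IPv6, the `-v` format, etc.)."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    rest = m["rest"]
    flags = None
    fm = FLAGS_RE.search(rest)
    if rest.startswith("ICMP"):
        proto = "icmp"
    elif fm is not None:
        proto = "tcp"
        flags = fm.group(1)
    else:
        proto = "udp"  # assumption: any other ported IPv4 line is UDP (DNS etc.)
    return {
        "ts": m["ts"],
        "proto": proto,
        "src": m["src"],
        "sport": int(m["sport"]) if m["sport"] else None,
        "dst": m["dst"],
        "dport": int(m["dport"]) if m["dport"] else None,
        "flags": flags,
    }


def summarize(text):
    """Packet count per (proto, src, dst, dport): the same things the
    host/port filters above select on, aggregated after the fact."""
    counts = Counter()
    for line in text.splitlines():
        pkt = parse_line(line)
        if pkt is not None:
            counts[(pkt["proto"], pkt["src"], pkt["dst"], pkt["dport"])] += 1
    return counts


def syn_sources(text, port):
    """Hosts that sent a bare SYN (flags exactly 'S') to `port`, i.e. new
    inbound connection attempts, e.g. port 23 for telnet."""
    hosts = set()
    for line in text.splitlines():
        pkt = parse_line(line)
        if pkt and pkt["proto"] == "tcp" and pkt["dport"] == port and pkt["flags"] == "S":
            hosts.add(pkt["src"])
    return sorted(hosts)


if __name__ == "__main__":
    for key, n in summarize(SAMPLE_TCPDUMP).most_common():
        print(n, *key)
    print("telnet SYNs from:", syn_sources(SAMPLE_TCPDUMP, 23))
```

To use it on a live box, pipe `tcpdump -n -l` (line-buffered) into the script, or read a saved capture back with `tcpdump -n -r capture.cap`; because the parser keys on `-n` output, name resolution must stay off or the address regex will not match.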

Additionally, cyberciti.biz has a great man page on tcpdump commands.


Clearing IDLE TTY Sessions in Junos

This is going to be a quick post on how you can forcibly disconnect idle and/or other users by using their PID or TTY session.

This is very useful when you have too many simultaneous connections (normally when you are having some issue), or when one of the dodgy connections you get from time to time times out in the middle of configuring and you have to reconnect, only to be greeted with:

[[email protected] ~]$ ssh 10.1.0.243
Password:
--- JUNOS 14.1X53-D25.2 built 2015-04-01 01:53:36 UTC
{master:0}
[email protected]> edit 
Entering configuration mode
Users currently editing the configuration:
  marquk01 terminal p0 (pid 41263) on since 2015-05-04 11:22:50 UTC, idle 02:01:13
      {master:0}[edit firewall]
  marquk01 terminal p1 (pid 41306) on since 2015-05-04 12:02:30 UTC, idle 01:16:58
      {master:0}[edit]

If you’re like me and find this annoying, there is a simple way of, firstly, showing all the current sessions on the device and then disconnecting them.

To show all the user sessions on the switch, run the command show system users no-resolve:

[email protected]> show system users no-resolve 
fpc0:
--------------------------------------------------------------------------
 1:26PM  up 33 days,  6:56, 3 users, load averages: 0.00, 0.01, 0.00
USER     TTY      FROM                              LOGIN@  IDLE WHAT
marquk01 p0       10.1.0.17                        11:22AM  2:03 -cli (cli)    
marquk01 p1       10.1.0.17                        12:02PM  1:19 -cli (cli)    
marquk01 p2       10.1.0.17                        1:24PM      - -cli (cli)

This command provides information on:

  • Connected Users
  • TTY session
  • IP address each user has connected from
  • Login Times
  • Idle Timer
  • User’s method of remote access

We can see that I have 3 sessions currently but only one is active, as the other 2 connections have idle times.

To clear the two sessions, we can use either the TTY session number shown in the output or the process ID (pid).

To clear by TTY session, I needed to run the command request system logout terminal {TTY session} to disconnect the first idle session.

[email protected]> request system logout terminal p0
{master:0}
[email protected]> show system users no-resolve         
fpc0:
--------------------------------------------------------------------------
 1:27PM  up 33 days,  6:57, 2 users, load averages: 0.23, 0.06, 0.02
USER     TTY      FROM                              LOGIN@  IDLE WHAT
marquk01 p1       10.1.0.17                        12:02PM  1:19 -cli (cli)    
marquk01 p2       10.1.0.17                        1:24PM      - -cli (cli)

The other method is to clear the session by its pid. You can find the pid either in operational mode, by running the command show system processes | match {TTY session} (look for the mgd process attached to that TTY, not the cli or sshd process), or in configuration mode, by running the command status:

[email protected]> show system processes | match p1 
41299  ??  Is     0:00.17 sshd: [email protected] (sshd)
41306  ??  Is     0:00.06 mgd: (mgd) (marquk01)/dev/ttyp1 (mgd)
41307  p1  Ss+    0:00.47 -cli (cli)

{master:0}
[email protected]> edit 
Entering configuration mode

{master:0}[edit]
[email protected]# status 
  marquk01 terminal p1 (pid 41306) on since 2015-05-04 12:02:30 UTC, idle 01:20:58
      {master:0}[edit]

Once I found the pid number, I ran the command request system logout pid {pid number} to disconnect the second idle session.

[email protected]> request system logout pid 41306

{master:0}
[email protected]> show system users no-resolve       
fpc0:
--------------------------------------------------------------------------
 1:32PM  up 33 days,  7:02, 1 user, load averages: 0.00, 0.02, 0.00
USER     TTY      FROM                              LOGIN@  IDLE WHAT
marquk01 p2       10.1.0.17                        1:24PM      - -cli (cli)

And that’s how you clear idle TTY connections in Junos 🙂
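When a box has more than a couple of stale sessions, it helps to let something else read the show system users output and work out which TTYs to log out. Below is an added example, not from the original post: a Python helper that parses the column layout shown above (run against a constructed copy of that output), converts the IDLE column to minutes, and emits the request system logout terminal commands for every session idle past a threshold. The IDLE parsing assumes the BSD w conventions Junos prints ("-" for under a minute, plain minutes, H:MM, and Ndays); the regular expression, threshold and sample text are assumptions made here.

```python
import re

# Constructed copy of `show system users no-resolve` output in the layout
# shown above; it is sample input for this example, not a live device.
SAMPLE_USERS = """\
fpc0:
--------------------------------------------------------------------------
 1:26PM  up 33 days,  6:56, 3 users, load averages: 0.00, 0.01, 0.00
USER     TTY      FROM                              LOGIN@  IDLE WHAT
marquk01 p0       10.1.0.17                        11:22AM  2:03 -cli (cli)
marquk01 p1       10.1.0.17                        12:02PM  1:19 -cli (cli)
marquk01 p2       10.1.0.17                        1:24PM      - -cli (cli)
"""

# One session line: USER TTY FROM LOGIN@ IDLE WHAT (whitespace separated).
SESSION_RE = re.compile(
    r"^(?P<user>\S+)\s+(?P<tty>\S+)\s+(?P<from>\S+)\s+"
    r"(?P<login>\d{1,2}:\d\d[AP]M)\s+(?P<idle>\S+)\s+(?P<what>.*)$"
)
DAYS_RE = re.compile(r"^(\d+)days?$")


def idle_minutes(field):
    """Convert the IDLE column to minutes. Assumed BSD `w` conventions:
    '-' under a minute, 'M' minutes, 'H:MM' hours:minutes, 'Ndays'."""
    if field == "-":
        return 0
    days = DAYS_RE.match(field)
    if days:
        return int(days.group(1)) * 1440
    if ":" in field:
        hours, mins = field.split(":")
        return int(hours) * 60 + int(mins)
    return int(field)


def parse_sessions(text):
    """Return (user, tty, from, idle_minutes) for each session line. The
    fpc/uptime/header lines precede the USER header and are skipped."""
    sessions = []
    seen_header = False
    for line in text.splitlines():
        if line.startswith("USER"):
            seen_header = True
            continue
        m = SESSION_RE.match(line) if seen_header else None
        if m:
            sessions.append((m["user"], m["tty"], m["from"], idle_minutes(m["idle"])))
    return sessions


def stale_ttys(text, threshold_min):
    """TTYs idle for at least threshold_min minutes; the live session
    (IDLE '-') never qualifies, so you do not log yourself out."""
    return [tty for _, tty, _, idle in parse_sessions(text) if idle >= threshold_min]


def logout_commands(text, threshold_min):
    """One `request system logout terminal <tty>` per stale session.
    Review the list before pasting it into the CLI: an idle TTY may belong
    to another operator, and `status` in configuration mode shows who
    still holds edits."""
    return ["request system logout terminal %s" % tty
            for tty in stale_ttys(text, threshold_min)]


if __name__ == "__main__":
    for cmd in logout_commands(SAMPLE_USERS, 60):
        print(cmd)
```

Feed it the real output (for example, saved from `show system users no-resolve | no-more`) and pick a threshold that matches your login idle-timeout policy; the commands are printed rather than executed so the operator stays in the loop.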
