
Thursday, October 31, 2024

pktcap-uw and tcpdump-uw

List the vSwitch instances with their uplinks and the VM ports connected to them:

netdbg vswitch instance list

Capture DHCP traffic (UDP ports 67 and 68) on the vmnic1 uplink and pipe it to tcpdump-uw, which applies the DHCP filter. The capture points UplinkRcvKernel and UplinkSndKernel give both directions on the uplink; -o - makes pktcap-uw write pcap to stdout and -r - makes tcpdump-uw read it from stdin.

pktcap-uw --uplink vmnic1 --capture UplinkRcvKernel,UplinkSndKernel -o - | tcpdump-uw -r - udp port 67 or udp port 68

14:45:46.375602 IP 0.0.0.0.bootpc > 255.255.255.255.bootps: BOOTP/DHCP, Request from 00:50:56:99:fe:6a (oui Unknown), length 300
14:45:46.376233 IP 192.168.4.5.bootps > 192.168.4.178.bootpc: BOOTP/DHCP, Reply, length 307


Filter TCP Connection Attempts (SYN)

This is the tcpdump command to display attempts to open TCP connections (TCP SYN without ACK) from IP address 192.168.123.22:

pktcap-uw --uplink vmnic4 --capture UplinkRcvKernel,UplinkSndKernel -o - | tcpdump-uw -n -r - 'src host 192.168.123.22 and tcp[tcpflags] & tcp-syn != 0 and tcp[tcpflags] & tcp-ack == 0'

Explanation:

  • -n → Do not resolve hostnames or port names (no DNS lookups from the host, and 192.168.123.22 is printed as typed).
  • There is no -i <interface> here: on ESXi the interface is chosen by pktcap-uw (--uplink vmnic4, capturing both directions with UplinkRcvKernel and UplinkSndKernel), and -r - makes tcpdump-uw read the pcap stream that pktcap-uw writes to stdout with -o -.
  • 'src host 192.168.123.22' → Filter packets from the source IP 192.168.123.22.
  • 'tcp[tcpflags] & tcp-syn != 0' → Match packets where the SYN flag is set. tcp[tcpflags] is byte 13 of the TCP header.
  • 'tcp[tcpflags] & tcp-ack == 0' → Ensure the ACK flag is not set (to exclude SYN-ACK responses, which belong to connections opened toward the host, not by it).

The bitwise form is preferable to the shorter 'tcp[tcpflags] == tcp-syn', which would miss SYNs that also carry the ECN bits (CWR/ECE) set during ECN negotiation.
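To make clear which header bytes the two filters above (the DHCP filter and the SYN-without-ACK filter) actually test, here is an added example, not code from the original post, that decodes raw Ethernet/IPv4 frames and applies the same conditions in Python. The frames, MAC addresses and ports it uses are constructed for the demo, not captured data.

```python
"""Byte-level equivalent of the two tcpdump-uw filters used above.

Added example (not part of the original post). It parses raw Ethernet II /
IPv4 frames and applies the same tests that the BPF expressions
  'udp port 67 or udp port 68'
  'src host X and tcp[tcpflags] & tcp-syn != 0 and tcp[tcpflags] & tcp-ack == 0'
perform. All frames below are constructed here for the demo, not captured.
"""
import socket
import struct
from typing import Optional

ETH_IPV4 = 0x0800
TCP_SYN = 0x02   # tcp-syn in tcpdump's tcp[tcpflags] notation
TCP_ACK = 0x10   # tcp-ack


def parse_frame(frame: bytes) -> Optional[dict]:
    """Decode Ethernet II + IPv4 + (TCP|UDP) headers; None for non-IPv4 or truncated frames."""
    if len(frame) < 14 + 20:
        return None
    if struct.unpack("!H", frame[12:14])[0] != ETH_IPV4:
        return None
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4            # header length in bytes (options included)
    proto = ip[9]
    pkt = {"src": socket.inet_ntoa(ip[12:16]), "dst": socket.inet_ntoa(ip[16:20]),
           "proto": proto}
    l4 = ip[ihl:]
    if proto == 6 and len(l4) >= 14:    # TCP: ports at 0..3, flags at byte 13
        pkt["sport"], pkt["dport"] = struct.unpack("!HH", l4[0:4])
        pkt["tcpflags"] = l4[13]        # this is what tcp[tcpflags] reads
    elif proto == 17 and len(l4) >= 8:  # UDP: ports at 0..3
        pkt["sport"], pkt["dport"] = struct.unpack("!HH", l4[0:4])
    return pkt


def is_dhcp(pkt: dict) -> bool:
    """'udp port 67 or udp port 68': either port is bootps (67) or bootpc (68)."""
    return pkt["proto"] == 17 and bool({pkt["sport"], pkt["dport"]} & {67, 68})


def is_syn_from(pkt: dict, host: str) -> bool:
    """'src host H and tcp[tcpflags] & tcp-syn != 0 and tcp[tcpflags] & tcp-ack == 0'."""
    return (pkt["proto"] == 6 and pkt["src"] == host
            and pkt["tcpflags"] & TCP_SYN != 0
            and pkt["tcpflags"] & TCP_ACK == 0)


def build_frame(src: str, dst: str, proto: int, sport: int, dport: int, flags: int = 0) -> bytes:
    """Build a minimal Ethernet/IPv4/TCP-or-UDP frame (checksums left zero; the filters ignore them)."""
    if proto == 6:   # 20-byte TCP header: ports, seq, ack, data offset 5, flags, window, csum, urg
        l4 = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 65535, 0, 0)
    else:            # 8-byte UDP header, no payload
        l4 = struct.pack("!HHHH", sport, dport, 8, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64, proto, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    eth = bytes.fromhex("005056 99fe6a 005056 990001".replace(" ", "")) + struct.pack("!H", ETH_IPV4)
    return eth + ip + l4


# Constructed sample traffic: a DHCP discover, a SYN from the host of interest,
# the SYN-ACK reply, the final ACK of the handshake, and a SYN from another host.
SAMPLE_FRAMES = [
    build_frame("0.0.0.0", "255.255.255.255", 17, 68, 67),
    build_frame("192.168.123.22", "192.168.4.5", 6, 51000, 443, TCP_SYN),
    build_frame("192.168.4.5", "192.168.123.22", 6, 443, 51000, TCP_SYN | TCP_ACK),
    build_frame("192.168.123.22", "192.168.4.5", 6, 51000, 443, TCP_ACK),
    build_frame("192.168.123.23", "192.168.4.5", 6, 51001, 22, TCP_SYN),
]


def apply_filters(frames=SAMPLE_FRAMES, host="192.168.123.22"):
    """Return (dhcp_matches, syn_matches) as 'src:sport > dst:dport' strings, like tcpdump -n."""
    dhcp, syns = [], []
    for frame in frames:
        p = parse_frame(frame)
        if p is None or "sport" not in p:
            continue
        line = f"{p['src']}:{p['sport']} > {p['dst']}:{p['dport']}"
        if is_dhcp(p):
            dhcp.append(line)
        if is_syn_from(p, host):
            syns.append(line)
    return dhcp, syns


if __name__ == "__main__":
    dhcp, syns = apply_filters()
    print("DHCP:", dhcp)
    print("SYN from 192.168.123.22:", syns)
```

Only the first frame matches the DHCP filter and only the second matches the SYN filter: the SYN-ACK is dropped by the src host test, the bare ACK by the SYN test, and the SYN from 192.168.123.23 by the source address, which is exactly what the two tcpdump-uw filters do on the live capture.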
