tcpdump Filter
tcpdump -n -i $IFACE icmp6 and ip6[40] == XX
- unreachable: 1
- too-big: 2
- time-exceeded: 3
- echo-request: 128
- echo-reply: 129
- router-solicitation: 133
- router-advertisement: 134
- neighbor-solicitation: 135
- neighbor-advertisement: 136
batman
tcpdump -n -i ffh ether proto 0x4305 and ether[14] == 0xXX
d = [
    ['ogm', '0x00'],
    ['broadcast', '0x01'],
    ['networkcoding', '0x02'],
    ['ogmv2', '0x03'],
    ['unicast', '0x40'],
    ['unicast_frag', '0x41']
]
# Emit one labelled capture filter per packet type and direction
for e, f in d:
    print(f'type="batman",type="{e}",dir="inbound":ether proto 0x4305 and ether[14] = {f} and inbound')
    print(f'type="batman",type="{e}",dir="outbound":ether proto 0x4305 and ether[14] = {f} and outbound')
batman translation table
source of tt responses
tshark -r foo.pcap -Y "(batadv.tvlv.tt.flags.type == 0x4)" \
-e "batadv.unicast_tvlv.src" -Tfields | sort | uniq -c | sort -n
destination of tt responses
tshark -r foo.pcap -Y "(batadv.tvlv.tt.flags.type == 0x4)" \
-e "batadv.unicast_tvlv.dst" -Tfields | sort | uniq -c | sort -n
source of tt responses with "isolation" flag (this flag should be unused in gluon)
tshark -r foo.pcap -Y "(batadv.tvlv.tt.flags.type == 0x4) \
&& (batadv.tvlv.tt.change.flags.isolate == 1)" \
-e "batadv.unicast_tvlv.src" -Tfields | sort | uniq -c | sort -n
destination of tt responses from supernodes with "isolation" flag (this flag should be unused in gluon)
tshark -r foo.pcap -Y "(batadv.tvlv.tt.flags.type == 0x4) \
&& (batadv.tvlv.tt.change.flags.isolate == 1) \
&& (batadv.unicast_tvlv.src[0:3] == 88:e6:40)" \
-e "batadv.unicast_tvlv.dst" -Tfields | sort | uniq -c | sort -n
destination of tt responses with "isolation" flag (this flag should be unused in gluon)
tshark -r foo.pcap -Y "(batadv.tvlv.tt.flags.type == 0x4) \
&& (batadv.tvlv.tt.change.flags.isolate == 1)" \
-e "batadv.unicast_tvlv.dst" -Tfields | sort | uniq -c | sort -n
When you have a dump from e.g. "sn05", it is a good idea to filter on the eth.dst of sn05, so that only incoming responses are shown.
tshark -r foo.pcap -Y "(batadv.tvlv.tt.flags.type == 0x4) \
&& (batadv.tvlv.tt.change.flags.isolate == 1) \
&& (eth.dst == 88:e6:40:20:50:01)" \
-e "eth.src" -Tfields | sort | uniq -c | sort -n
Roaming
tshark -i mesh_fastd -Y "(batadv.tvlv.tt.flags.type == 0x4) && (batadv.tvlv.tt.change.flags.roam == 1)" -w foo.pcap
Roaming addr
batadv.tvlv.tt.change.addr == 60:d9:c7:0a:c4:2e
View all roaming live:
tshark -i mesh_fastd -Y "batadv.tvlv.tt.change.flags.roam == 1" -T fields -e batadv.tvlv.tt.change.addr
Overview (show all packets with all fields)
tshark … -V
Show MAC addresses
tshark -i eth0 -nn -e ip.src -e eth.src -Tfields
Show outgoing MAC addresses
tcpdump -e -n -i ens2f0 outbound and not \(ether host 00:9c:02:3c:26:26 and vlan\)
DHCP
Under the (incorrect) assumption that option 53 comes first, DISCOVER, OFFER, REQUEST and ACK can be filtered with this:
(port 67 or port 68) and udp[247:4] = 0x63350103
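The fixed-offset filter above only matches when option 53 directly follows the magic cookie, and with the value 0x63350103 only when the type byte is 3 (REQUEST). As an added example (not part of the original notes), this Python sketch walks the option list and finds the message type at any position; the payloads and function names are constructed for illustration.

```python
import struct

MAGIC = b"\x63\x82\x53\x63"   # DHCP magic cookie, directly after the 236-byte BOOTP header
TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 4: "DECLINE",
         5: "ACK", 6: "NAK", 7: "RELEASE", 8: "INFORM"}

def fixed_offset_match(udp: bytes, value: int = 0x63350103) -> bool:
    """Same test as the capture filter udp[247:4] = value."""
    return len(udp) >= 251 and struct.unpack("!I", udp[247:251])[0] == value

def dhcp_message_type(udp: bytes):
    """Walk the option TLVs and return the name for option 53, wherever it sits."""
    if len(udp) < 248 or udp[244:248] != MAGIC:
        return None                       # truncated, or BOOTP without DHCP options
    i = 248                               # 8 bytes UDP header + 236 BOOTP + 4 cookie
    while i < len(udp):
        code = udp[i]
        if code == 0:                     # pad option: single byte, no length field
            i += 1
            continue
        if code == 255 or i + 1 >= len(udp):   # end option, or TLV cut off
            break
        length = udp[i + 1]
        value = udp[i + 2:i + 2 + length]
        if len(value) < length:           # option body runs past the packet
            break
        if code == 53 and length == 1:
            return TYPES.get(value[0], f"unknown({value[0]})")
        i += 2 + length
    return None

def build_udp(options: bytes) -> bytes:
    """Constructed sample: zeroed UDP and BOOTP headers, then cookie, options, end marker."""
    return bytes(8) + bytes(236) + MAGIC + options + b"\xff"

# Constructed payloads: the same REQUEST with option 53 first, and with
# option 61 (client identifier) placed in front of it.
first = build_udp(b"\x35\x01\x03" + b"\x32\x04\xc0\x00\x02\x0a")
later = build_udp(b"\x3d\x07\x01\x02\x00\x00\x00\x00\x01" + b"\x35\x01\x03")

if __name__ == "__main__":
    for name, pkt in (("option 53 first", first), ("option 53 later", later)):
        print(name, fixed_offset_match(pkt), dhcp_message_type(pkt))
```

The second payload is a valid REQUEST that the fixed-offset filter misses, so counts based on that filter are a lower bound.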