TCP Dump command for capturing only from 2 specific interfaces - tcpdump

Are there any commands or possibilities to use the tcpdump command to listen on only 2 specific interfaces simultaneously, something like the following (instead of using the "any" option)?
tcpdump -i wlan0 AND -i eth0
or
tcpdump -i wlan0 eth0

How to use wireshark to capture mysql query sql clearly

Because we develop against a remote MySQL server, we cannot check the query SQL easily; with a local server you can tail -f general_log_file to see which SQL is executed when some HTTP interface is called. So I installed Wireshark to capture the query SQL sent from local. At first I used a local MySQL to verify it.
The capture filter is
then I executed two query sql in mysql terminal
select version();
select now();
but, very disappointingly, I cannot find these two SQL packets in Wireshark.
I only found these four packets.
But from a post I learned:
To filter out the MySQL packets you just use the filter 'mysql' or 'mysql.query != ""' when you only want packets that request a query. After that you can add a custom column with the field name 'mysql.query' to have a list of queries that were executed.
and the effect is like this
It's convenient to capture only the query SQL and have it displayed very clearly. So how could I use Wireshark to do this?
Hi @Jeff S.
I tried your command, please see below
#terminal 1
tshark -i lo0 -Y "mysql.command==3"
Capturing on 'Loopback'
# terminal 2
mysql -h127.0.0.1 -u root -p
select version();
#result: nothing is output in terminal 1
and tshark -i lo0 -Y "mysql.command==3" -T fields -e mysql.query behaves the same as tshark -i lo -Y "mysql.command==3": also no output. But if I only use tshark -i lo0, it has output
Capturing on 'Loopback'
1 0.000000 127.0.0.1 -> 127.0.0.1 TCP 68 57881 → 3306 [SYN] Seq=0 Win=65535 Len=0 MSS=16344 WS=32 TSval=1064967501 TSecr=0 SACK_PERM=1
2 0.000062 127.0.0.1 -> 127.0.0.1 TCP 68 3306 → 57881 [SYN, ACK] Seq=0 Ack=1 Win=65535 Len=0 MSS=16344 WS=32 TSval=1064967501 TSecr=1064967501 SACK_PERM=1
3 0.000072 127.0.0.1 -> 127.0.0.1 TCP 56 57881 → 3306 [ACK] Seq=1 Ack=1 Win=408288 Len=0 TSval=1064967501 TSecr=1064967501
4 0.000080 127.0.0.1 -> 127.0.0.1 TCP 56 [TCP Window Update] 3306 → 57881 [ACK] Seq=1 Ack=1 Win=408288 Len=0 TSval=1064967501 TSecr=1064967501
...
You can use tshark and save to a pcap or just export the fields you're interested in.
To save to a pcap (if you want to use wireshark to view later):
tshark -i lo -Y "mysql.command==3" -w outputfile.pcap
tshark -i lo -R "mysql.command==3" -w outputfile.pcap
-R is deprecated for single pass filters, but it will depend on your version
-i is interface so replace that with whatever interface you are using (e.g -i eth0)
To save to a text file:
tshark -i lo -Y "mysql.command==3" -T fields -e mysql.query > output.txt
You can also use BPF filters with tcpdump (and Wireshark capture filters). They are more complex, but less taxing on your system if you're capturing a lot of traffic.
sudo tcpdump -i lo "dst port 3306 and tcp[(((tcp[12:1]&0xf0)>>2)+4):1]=0x03" -w outputfile.pcap
NOTE:
*This looks for 03 (similar to mysql.command==3) within the TCP payload.
**Since this is a pretty loose filter, I also added 3306 to restrict to only traffic destined for that port.
***The filter is based on your screenshot. I cannot validate it right now, so let me know if it doesn't work.
Example Output:
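As an added illustration of the two filters in this answer (not code from the original thread or from Jeff S.), here is a small Python script that reproduces what the BPF byte test and tshark's mysql.query extraction actually look at, on TCP segments constructed inline (no capture file is needed). The port and sequence numbers are made up; the MySQL framing (3-byte little-endian length, 1-byte sequence id, then the command byte) and COM_QUERY = 0x03 are the protocol's own. It also shows the false positive the "pretty loose filter" note refers to: a server row packet whose first byte happens to be 0x03, which only the dst port 3306 clause keeps out.

```python
import struct

# MySQL command-phase packet types used here (protocol constants).
COM_QUERY = 0x03
COM_PING = 0x0E
MYSQL_PORT = 3306


def tcp_data_offset(segment: bytes) -> int:
    """Byte offset of the TCP payload: the BPF sub-expression (tcp[12:1]&0xf0)>>2."""
    return (segment[12] & 0xF0) >> 2


def bpf_command_byte(segment: bytes):
    """Replicate tcp[(((tcp[12:1]&0xf0)>>2)+4):1] from the tcpdump filter.

    MySQL frames every packet as 3-byte little-endian length, 1-byte sequence id,
    then the payload, so payload offset +4 is the first payload byte: the command.
    Returns None when the segment has no such byte (pure ACK, short segment).
    """
    idx = tcp_data_offset(segment) + 4
    return segment[idx] if idx < len(segment) else None


def matches_tcpdump_filter(segment: bytes) -> bool:
    """Python equivalent of: dst port 3306 and tcp[(((tcp[12:1]&0xf0)>>2)+4):1]=0x03."""
    dport = struct.unpack("!H", segment[2:4])[0]
    return dport == MYSQL_PORT and bpf_command_byte(segment) == COM_QUERY


def parse_mysql_packets(payload: bytes):
    """Split a TCP payload into MySQL packets: list of (sequence_id, first_byte, rest).

    For a client command packet first_byte is the command code; for a server
    packet it is whatever the server sent (OK header, row length, ...).
    """
    packets, off = [], 0
    while off + 4 <= len(payload):
        length = int.from_bytes(payload[off:off + 3], "little")
        seq = payload[off + 3]
        body = payload[off + 4:off + 4 + length]
        if len(body) < length:
            break  # packet continues in the next segment; would need TCP reassembly
        packets.append((seq, body[0] if body else None, body[1:]))
        off += 4 + length
    return packets


def extract_queries(segment: bytes):
    """Query text of each COM_QUERY packet in one client->server segment (what -e mysql.query prints).

    Direction matters: a server packet can start with 0x03 too, so only segments
    addressed to the MySQL port are decoded as commands (Wireshark needs the same
    hint, which is what "Decode As ... 3306 -> MySQL" supplies).
    """
    if struct.unpack("!H", segment[2:4])[0] != MYSQL_PORT:
        return []
    payload = segment[tcp_data_offset(segment):]
    return [rest.decode("utf-8", "replace")
            for _, first, rest in parse_mysql_packets(payload) if first == COM_QUERY]


# --- constructed test traffic (not captured data) ---------------------------

def build_mysql_packet(seq: int, first_byte: int, rest: bytes = b"") -> bytes:
    body = bytes([first_byte]) + rest
    return len(body).to_bytes(3, "little") + bytes([seq]) + body


def build_tcp_segment(payload: bytes, sport: int, dport: int, options: bytes = b"") -> bytes:
    """Minimal TCP header (checksum left zero) with optional 4-byte-aligned options."""
    assert len(options) % 4 == 0
    data_offset_words = 5 + len(options) // 4
    header = struct.pack("!HHIIBBHHH", sport, dport, 1, 1,
                         data_offset_words << 4, 0x18, 65535, 0, 0)
    return header + options + payload


# A client COM_QUERY with a bare 20-byte header, and one with 12 bytes of options
# (NOP, NOP, timestamps) to show the data-offset arithmetic is what keeps the filter
# correct. A COM_PING and a server-side result row are the negative cases.
QUERY_SEGMENT = build_tcp_segment(
    build_mysql_packet(0, COM_QUERY, b"select version()"), 57881, MYSQL_PORT)
QUERY_SEGMENT_WITH_OPTIONS = build_tcp_segment(
    build_mysql_packet(0, COM_QUERY, b"select now()"), 57881, MYSQL_PORT,
    options=b"\x01\x01\x08\x0a" + b"\x00" * 8)
PING_SEGMENT = build_tcp_segment(build_mysql_packet(0, COM_PING), 57881, MYSQL_PORT)
# Server text-protocol row whose first column is the 3-byte string "foo": its first
# payload byte is the length-encoded 0x03, which the byte test alone would match.
ROW_SEGMENT = build_tcp_segment(build_mysql_packet(4, 0x03, b"foo"), MYSQL_PORT, 57881)
```

Both filters assume the MySQL packet starts at the beginning of the TCP payload and that the client is speaking in cleartext; with SSL enabled (as another answer in this thread points out) the command byte is encrypted and neither the BPF test nor mysql.command==3 will ever match.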
Useful answers here:
https://serverfault.com/questions/358978/how-to-capture-the-queries-run-on-mysql-server
In particular: SoMoSparky's answer of:
tshark -T fields -R mysql.query -e mysql.query
and user1038090's answer of:
tcpdump -i any -s 0 -l -vvv -w - dst port 3306 | strings | perl -e '
while(<>) {
    chomp;
    next if /^[^ ]+[ ]*$/;
    if(/^(SELECT|UPDATE|DELETE|INSERT|SET|COMMIT|ROLLBACK|CREATE|DROP|ALTER)/i) {
        if (defined $q) { print "$q\n"; }
        $q=$_;
    } else {
        $_ =~ s/^[ \t]+//; $q.=" $_";
    }
}'
I had a similar "problem".
Try checking your MySQL SSL.
Probably SSL was turned on, hence the traffic was encrypted.
You can refer to this post to check the ssl: https://dba.stackexchange.com/questions/36776/how-can-i-verify-im-using-ssl-to-connect-to-mysql
I tried another tshark command from this post, and it could capture the query SQL from local to the remote MySQL server.
tshark -i en0 -d tcp.port==3306,mysql -T fields -e mysql.query 'port 3306'
Capturing on 'Wi-Fi'
select version()
select now()
select rand()
but it also outputs some blank lines between these SQL statements. I tried the command below, wanting to remove the blank lines, but it failed
tshark -i en0 -d tcp.port==6006,mysql -Y "frame.len>10" -T fields -e mysql.query 'port 6006'
And unfortunately this command cannot capture query SQL to the local MySQL (5.7.12).
tshark -i lo -d tcp.port==3306,mysql -T fields -e mysql.query 'port 3306'
Capturing on 'Loopback'
Nothing is output except blank lines.
The Wireshark tool supports the MySQL protocol:
https://www.wireshark.org/docs/dfref/m/mysql.html
Then configure Wireshark:
a. menu Analyze --> Decode As --> add "field=tcp_port value=3306 current=MySQL"
b. filter 'mysql' or 'mysql.query != ""'

tcpdump doesn't captures properly on specific port

I'm on a network and I want to capture FTP packets from another server on the network, but I have a problem with tcpdump.
I've used this command:
tcpdump -i eth0 dst X.X.X.X -A and port 21
But it doesn't show anything! (I tested and am sure that the FTP port is 21.)
But if I use this on my server it works properly.
tcpdump -i eth0 -A and port 21
I have this problem when I enter "port" in the command, but if I enter a command without a specific port it works and captures properly.
What is the problem?
Thanks.
I don't have enough reputation to ask a question, so this is part question and part insight.
Is the IP you're filtering on the client or the server for the FTP connection?
For the first command, try using src x.x.x.x or just host x.x.x.x and port 21.
For the second command, the "and" is not necessary with the -A flag. This should look more like this:
tcpdump -A -i eth0 port 21
tcpdump -Ai eth0 port 21
Another thing I've seen is that if there are VLAN tags, normal filtering won't work without adding "vlan and " to your filter. For example:
tcpdump -A -i eth0 "vlan and host x.x.x.x and port 21"
Also keep in mind that FTP uses a control and data connection. The control is over port 21, but the data can vary depending on whether you're using active or passive FTP.

How can I keep Google Chromium from making unrequested outgoing connections?

I'm using the Chromium browser as the display for an embedded openSUSE-based project. Everything's going well, but I just now found out that Chromium is making dozens of connections to various *.ie100.net domains. I know this is Google's safe browsing system kicking in, but in my case this is useless because Chromium is just showing my own embedded server. I also know it isn't nefarious, and won't cause explicit harm, but I'm worried customers will see the traffic and get worried.
I've tried turning off safe browsing by editing .config/chromium/Default/Preferences...
"safebrowsing": {
"enabled": false
},
... but to no avail. I'm also worried that there are other Chromium features that may kick in and send backdoor traffic.
So, how can I tell Chromium to stop making unrequested outgoing connections? Do I need to block it at the system level?
My best solution has been to use iptables to block all outgoing requests to ports 80 or 443. Yes, this prevents other browsers from being used in my product, but this isn't a problem for an embedded system.
Here's the script which cleans up any previous rules and then sets up blocking rules:
# Chrome has a nasty habit of connecting to various *.ie100.net domains, probably for
# safe browsing but who knows. Concern is that our customers will see these
# connections and wonder what the heck's going on. So, we block them.
# Kill any previous KILL_CHROME chain. First, get rid of all referencing rules.
# Delete the highest-numbered rule first (numeric sort) so the remaining numbers don't shift.
RULES=$(sudo iptables -L OUTPUT --line-numbers | grep KILL_CHROME | cut -d' ' -f1 | sort -rn )
for rule in $RULES; do
sudo iptables -D OUTPUT $rule
done
# Clean out chain
sudo iptables --flush KILL_CHROME
# Remove chain
sudo iptables -X KILL_CHROME
# Now, build new rules. Add new iptables chain KILL_CHROME
sudo iptables -N KILL_CHROME
# Any newly-created outgoing tcp connections on eth0 to port 80 are routed to KILL_CHROME
sudo iptables -A OUTPUT -o eth0 -m conntrack --ctstate NEW -p tcp --dport 80 -j KILL_CHROME
# Any newly-created outgoing tcp connections on eth0 to port 443 are routed to KILL_CHROME
sudo iptables -A OUTPUT -o eth0 -m conntrack --ctstate NEW -p tcp --dport 443 -j KILL_CHROME
# Log every connection in KILL_CHROME
sudo iptables -A KILL_CHROME -j LOG --log-prefix "New Dropped: "
# And drop it like a hot potato.
sudo iptables -A KILL_CHROME -j DROP
'Twould be good for Chromium to support some sort of flag to prevent this behavior, but since there doesn't seem to be one this is the best I can do.
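To see what the LOG rule in the script above actually records, here is an added Python snippet (not part of the original answer) that parses the kernel log lines the "New Dropped: " prefix produces and totals them per destination and port, which is the quickest way to find out what the browser was trying to reach. The log lines in it are constructed samples using RFC 5737 addresses, not real output. One caveat worth noting about the rules themselves: they only cover TCP to 80 and 443 on eth0, so UDP 443 (QUIC) and DNS lookups still leave the box.

```python
import re
from collections import Counter

LOG_PREFIX = "New Dropped: "
# iptables LOG fields are KEY=VALUE tokens; bare flags such as DF and SYN have
# no '=' and are skipped by this pattern on purpose.
KV = re.compile(r"([A-Z]+)=(\S*)")


def parse_log_line(line: str):
    """Return the key fields of one LOG-target line, or None if the line is not ours."""
    if LOG_PREFIX not in line:
        return None
    fields = dict(KV.findall(line.split(LOG_PREFIX, 1)[1]))
    return {
        "out": fields.get("OUT", ""),
        "src": fields.get("SRC"),
        "dst": fields.get("DST"),
        "proto": fields.get("PROTO"),
        "dport": int(fields["DPT"]) if "DPT" in fields else None,
    }


def summarize_drops(lines):
    """Count dropped NEW connections per (destination address, destination port)."""
    counts = Counter()
    for line in lines:
        rec = parse_log_line(line)
        if rec and rec["dst"] and rec["dport"] is not None:
            counts[(rec["dst"], rec["dport"])] += 1
    return counts


# Constructed sample kernel log lines (RFC 5737 addresses); not a real capture.
SAMPLE_LOG = [
    "Mar  3 10:15:01 kiosk kernel: New Dropped: IN= OUT=eth0 SRC=192.0.2.10 DST=203.0.113.5 "
    "LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=4711 DF PROTO=TCP SPT=41234 DPT=443 WINDOW=64240 RES=0x00 SYN URGP=0",
    "Mar  3 10:15:02 kiosk kernel: eth0: Link is Up - 1Gbps/Full",
    "Mar  3 10:15:03 kiosk kernel: New Dropped: IN= OUT=eth0 SRC=192.0.2.10 DST=203.0.113.9 "
    "LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=4712 DF PROTO=TCP SPT=41235 DPT=80 WINDOW=64240 RES=0x00 SYN URGP=0",
    "Mar  3 10:15:09 kiosk kernel: New Dropped: IN= OUT=eth0 SRC=192.0.2.10 DST=203.0.113.5 "
    "LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=4713 DF PROTO=TCP SPT=41236 DPT=443 WINDOW=64240 RES=0x00 SYN URGP=0",
]

if __name__ == "__main__":
    for (dst, dport), n in summarize_drops(SAMPLE_LOG).most_common():
        print(f"{dst}:{dport}\t{n}")
```

Feed it real lines with something like journalctl -k | grep 'New Dropped' (or dmesg), and consider adding --log-uid to the LOG rule so the record shows which user's process made the connection attempt.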

Capture LLDP packets using tcpdump

What is the format to capture LLDP packets on an interface using tcpdump?
I tried the following format but it didn't work:
tcpdump -w test.pcap -i eth0 lldp -vv
tcpdump -w test.pcap -i eth0 ether proto 0x88cc
The Ethernet type for LLDP is 0x88cc, so the filter to see only LLDP packets is ether proto 0x88cc.
-v is useful when used with -w to print a short count of packets matched, like this: Got 11.
-w means "write the raw packets to the file, and don't print anything"; -v means "print verbosely", so ostensibly the arguments don't make sense together but with -w, the -v option provides some utility.
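The "vlan and" caveat from the FTP answer above and the ether proto 0x88cc filter here come down to the same thing: libpcap tests the EtherType at fixed offset 12 unless the vlan keyword tells it to step over the 4-byte 802.1Q tag. Here is an added Python example (not from either thread) that builds an untagged and a VLAN-tagged LLDP frame inline, shows the fixed-offset test missing the tagged one, and decodes the Chassis ID, Port ID and TTL TLVs. The switch MAC, port name and VLAN ID are made up; the EtherTypes, the LLDP multicast address and the TLV layout are from the standards.

```python
ETH_P_8021Q = 0x8100   # 802.1Q VLAN tag
ETH_P_8021AD = 0x88A8  # 802.1ad (QinQ) outer tag
ETH_P_LLDP = 0x88CC
LLDP_MULTICAST = bytes.fromhex("0180c200000e")  # nearest-bridge group address


def ethertype_at_fixed_offset(frame: bytes) -> int:
    """What `ether proto X` tests without the `vlan` keyword: the two bytes at offset 12."""
    return int.from_bytes(frame[12:14], "big")


def parse_ethernet(frame: bytes) -> dict:
    """Walk past any 802.1Q/802.1ad tags and return the real EtherType and payload."""
    ethertype = ethertype_at_fixed_offset(frame)
    off, vlans = 14, []
    while ethertype in (ETH_P_8021Q, ETH_P_8021AD):
        tci = int.from_bytes(frame[off:off + 2], "big")
        vlans.append(tci & 0x0FFF)  # low 12 bits of the TCI are the VLAN ID
        ethertype = int.from_bytes(frame[off + 2:off + 4], "big")
        off += 4
    return {"dst": frame[0:6], "src": frame[6:12], "vlans": vlans,
            "ethertype": ethertype, "payload": frame[off:]}


def is_lldp(frame: bytes) -> bool:
    return parse_ethernet(frame)["ethertype"] == ETH_P_LLDP


def parse_lldp_tlvs(payload: bytes):
    """LLDP TLVs: 7-bit type, 9-bit length, value. Stops at End-of-LLDPDU (type 0)."""
    tlvs, off = [], 0
    while off + 2 <= len(payload):
        header = int.from_bytes(payload[off:off + 2], "big")
        tlv_type, length = header >> 9, header & 0x1FF
        value = payload[off + 2:off + 2 + length]
        off += 2 + length
        if tlv_type == 0:
            break
        tlvs.append((tlv_type, value))
    return tlvs


def lldp_summary(frame: bytes) -> dict:
    """Chassis ID (type 1), Port ID (type 2) and TTL (type 3) from an LLDP frame."""
    out = {}
    for tlv_type, value in parse_lldp_tlvs(parse_ethernet(frame)["payload"]):
        if tlv_type == 1 and value[0] == 4:        # chassis subtype 4: MAC address
            out["chassis_id"] = value[1:].hex(":")
        elif tlv_type == 2 and value[0] == 5:      # port subtype 5: interface name
            out["port_id"] = value[1:].decode("ascii", "replace")
        elif tlv_type == 3:
            out["ttl"] = int.from_bytes(value, "big")
    return out


# --- constructed frames (not a capture) ------------------------------------

def _tlv(tlv_type: int, value: bytes) -> bytes:
    return ((tlv_type << 9) | len(value)).to_bytes(2, "big") + value


def build_lldp_frame(src_mac: bytes, port_name: str, ttl: int, vlan: int = None) -> bytes:
    """LLDP advertisement from src_mac; vlan=None gives an untagged frame."""
    lldpdu = (_tlv(1, b"\x04" + src_mac)               # Chassis ID, subtype 4 (MAC)
              + _tlv(2, b"\x05" + port_name.encode())  # Port ID, subtype 5 (ifname)
              + _tlv(3, ttl.to_bytes(2, "big"))        # TTL in seconds
              + _tlv(0, b""))                          # End of LLDPDU
    tag = b"" if vlan is None else ETH_P_8021Q.to_bytes(2, "big") + vlan.to_bytes(2, "big")
    return LLDP_MULTICAST + src_mac + tag + ETH_P_LLDP.to_bytes(2, "big") + lldpdu


SWITCH_MAC = bytes.fromhex("001122334455")  # made-up chassis address
UNTAGGED = build_lldp_frame(SWITCH_MAC, "eth0", 120)
TAGGED = build_lldp_frame(SWITCH_MAC, "eth0", 120, vlan=100)
```

One practical caveat in the other direction: many NICs strip the 802.1Q tag on receive (rx-vlan-offload, visible with ethtool -k), in which case tcpdump already sees untagged frames and adding vlan to the filter makes it miss them instead. When a port or ether proto filter behaves oddly, capture once with no filter and look at offset 12 of a few frames before deciding which form to use.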

how to configure eth0 as a sender udp port in tcl

I have multiple network interfaces on my PC. I want to configure only eth0 as a UDP sender for sending packets to another PC. How can I specify the interface name to be configured as the UDP sender? I have installed libudp-tcl, but I am not able to find the way to do it. Can anybody tell me the exact way to do that?
The udp package can't do what you want. As kostix mentioned, you can always modify the udp package at the C level to expose the binding interface to Tcl.
But there is an alternative workaround.
On Linux you can use iptables to restrict packets for specific ports to only go through specific interfaces. So, just open a UDP port of your choice (for example 9999) and then only allow packets from that port to go out through eth0 and drop them on other interfaces.
For example, say your application uses UDP port 9999, then set up the following iptables rules:
# Accept udp packets from port 9999 for eth0
# (outgoing interface is selected with -o in the OUTPUT chain; -i is only valid for incoming chains)
iptables -A OUTPUT -o eth0 -p udp --source-port 9999 -j ACCEPT
# Drop udp packets from port 9999 for all other interfaces
iptables -A OUTPUT -p udp --source-port 9999 -j DROP
Or you can do it in Tcl using exec:
# Warning! Need to be root to do this:
set myPort 9999
exec /sbin/iptables -A OUTPUT -o eth0 -p udp --source-port $myPort -j ACCEPT
exec /sbin/iptables -A OUTPUT -p udp --source-port $myPort -j DROP
But always remember to delete your added rules before your program exits:
# Clean up iptables rules
exec /sbin/iptables -D OUTPUT -o eth0 -p udp --source-port $myPort -j ACCEPT
exec /sbin/iptables -D OUTPUT -p udp --source-port $myPort -j DROP
From what I gather, to do what you want, you need to bind(2) to a specific IP address (one of those available on eth0) first, but the udp package does not appear to support anything like this.
So it looks like you need to patch the package yourself. Tcl has excellent C API so it's not really hard if you're familiar with C.
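To make kostix's point concrete, here is an added Python example (not Tcl, and not part of either answer) of the bind(2) step the udp package is missing: the sender binds to one of eth0's addresses before sending, so the kernel sources the datagrams from that address, and it can optionally pin the socket to the interface by name with SO_BINDTODEVICE (Linux only, needs CAP_NET_RAW). The loopback round trip at the bottom uses 127.0.0.1 so it runs anywhere; substitute eth0's address for real use.

```python
import socket

# Linux value of SO_BINDTODEVICE; older Python builds do not export the constant.
SO_BINDTODEVICE = getattr(socket, "SO_BINDTODEVICE", 25)


def open_udp_sender(source_ip: str, ifname: str = None) -> socket.socket:
    """UDP socket whose datagrams leave from source_ip (bind(2) before any sendto).

    Binding to one of eth0's addresses fixes the source address and, by normal
    routing, the interface. On Linux, ifname additionally pins the socket to that
    interface via SO_BINDTODEVICE; that option needs CAP_NET_RAW, so it is optional.
    """
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    if ifname is not None:
        sock.setsockopt(socket.SOL_SOCKET, SO_BINDTODEVICE, ifname.encode() + b"\0")
    sock.bind((source_ip, 0))  # port 0: let the kernel pick an ephemeral port
    return sock


def loopback_roundtrip(payload: bytes, source_ip: str = "127.0.0.1"):
    """Send payload over loopback and report the source address the receiver saw."""
    receiver = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    receiver.bind((source_ip, 0))
    receiver.settimeout(2.0)
    sender = open_udp_sender(source_ip)
    try:
        sender.sendto(payload, receiver.getsockname())
        data, peer = receiver.recvfrom(65535)
        return data, peer, sender.getsockname()
    finally:
        sender.close()
        receiver.close()


if __name__ == "__main__":
    data, peer, bound = loopback_roundtrip(b"hello from a pinned source")
    print(data, "received from", peer, "; sender was bound to", bound)
```

Compared with the iptables workaround, binding is done by the program itself, leaves no rules to clean up on exit, and fails loudly (EADDRNOTAVAIL) if the address is not configured on this host instead of silently dropping datagrams.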