tcpdump is a well known command line packet analyzer tool. Using tcpdump command we can capture the live TCP\/IP packets and these packets can also be saved to a file. Later on these captured packets can be analyzed via tcpdump command. tcpdump command becomes very handy when it comes to troubleshooting on network level.<\/p>\n
tcpdump is available in most of the Linux distributions, for Debian based Linux, it be can be installed using apt command,<\/p>\n
# apt install tcpdump -y<\/p>\n
On RPM based Linux OS, tcpdump can be installed using below yum command<\/p>\n
# yum install tcpdump -y<\/p>\n
When we run the tcpdump command without any options then it will capture packets of all the interfaces. So to stop or cancel the tcpdump command, type \u201cctrl+c\u201d . In this tutorial we will discuss how to capture and analyze packets using different practical examples,<\/p>\n
When we run the tcpdump command without any options, it will capture packets on the all interfaces, so to capture the packets from a specific interface use the option \u2018-i\u2018 followed by the interface name.<\/p>\n
Syntax :<\/p>\n
# tcpdump -i<\/p>\n
Let\u2019s assume, i want to capture packets from interface \u201cenp0s3\u201d<\/p>\n
[[email protected]<\/a> ~]# tcpdump -i enp0s3<\/p>\n Output would be something like below,<\/p>\n tcpdump: verbose output suppressed, use -v or -vv for full protocol decode Let\u2019s assume we want to capture 12 packets from the specific interface like \u201cenp0s3\u201d, this can be easily achieved using the options \u201c-c -i \u201d<\/p>\n [email protected]<\/a> ~]# tcpdump -c 12 -i enp0s3<\/p>\n Use \u2018-D\u2018 option to display all the available interfaces for tcpdump command,<\/p>\n [[email protected]<\/a> ~]# tcpdump -D I am running the tcpdump command on one of my openstack compute node, that\u2019s why in the output you have seen number interfaces, tab interface, bridges and vxlan interface.<\/p>\n By default in tcpdump command output, there is no proper human readable timestamp, if you want to associate human readable timestamp to each captured packet then use \u2018-tttt\u2018 option, example is shown below,<\/p>\n [[email protected]<\/a> ~]# tcpdump -c 8 -tttt -i enp0s3 Use \u201c-w\u201d option in tcpdump command to save the capture TCP\/IP packet to a file, so that we can analyze those packets in the future for further analysis.<\/p>\n Syntax :<\/p>\n # tcpdump -w file_name.pcap -i<\/p>\n Note: Extension of file must be .pcap<\/p>\n Let\u2019s assume i want to save the captured packets of interface \u201cenp0s3\u201d to a file name enp0s3-26082018.pcap<\/p>\n [[email protected]<\/a> ~]# tcpdump -w enp0s3-26082018.pcap -i enp0s3<\/p>\n Above command will generate the output something like below,<\/p>\n [[email protected]<\/a> ~]# tcpdump -w enp0s3-26082018.pcap -i enp0s3 Capturing and Saving the packets whose size greater than N bytes<\/p>\n [[email protected]<\/a> ~]# tcpdump -w enp0s3-26082018-2.pcap greater 1024<\/p>\n Capturing and Saving the packets whose size less than N bytes<\/p>\n [[email protected]<\/a> ~]# tcpdump -w enp0s3-26082018-3.pcap less 1024<\/p>\n In the above example we have saved the captured packets to a file, we can read those packets from the file using the option \u2018-r\u2018, example is shown below,<\/p>\n [[email protected]<\/a> ~]# tcpdump -r enp0s3-26082018.pcap<\/p>\n Reading the packets with human readable timestamp,<\/p>\n [[email protected]<\/a> ~]# tcpdump -tttt -r enp0s3-26082018.pcap Read More on : How to Install and Use Wireshark on Debian 9 \/ Ubuntu 16.04<\/a><\/p>\n Using -n option in tcpdum command we can capture only IP address packets on specific interface, example is shown below,<\/p>\n [[email protected]<\/a> ~]# tcpdump -n -i enp0s3<\/p>\n Output of above command would be something like below,<\/p>\n tcpdump: verbose output suppressed, use -v or -vv for full protocol decode You can also capture N number of IP address packets using -c and -n option in tcpdump command,<\/p>\n [[email protected]<\/a> ~]# tcpdump -c 25 -n -i enp0s3<\/p>\n In tcpdump command we can capture only tcp packets using the \u2018tcp\u2018 option,<\/p>\n [[email protected]<\/a> ~]# tcpdump -i enp0s3 tcp Using tcpdump command we can capture packet from a specific port (e.g 22) on a specific interface enp0s3<\/p>\n Syntax :<\/p>\n # tcpdump -i port<\/p>\n [[email protected]<\/a> ~]# tcpdump -i enp0s3 port 22 Using \u201csrc\u201d keyword followed by \u201cip address\u201d in tcpdump command we can capture the packets from a specific Source IP,<\/p>\n syntax :<\/p>\n # tcpdump -n -i src<\/p>\n Example is shown below,<\/p>\n [[email protected]<\/a> ~]# tcpdump -n -i enp0s3 src 169.144.0.10 Syntax :<\/p>\n # tcpdump -n -i dst<\/p>\n [[email protected]<\/a> ~]# tcpdump -n -i enp0s3 dst 169.144.0.1 Let\u2019s assume i want to capture tcp packets between two hosts 169.144.0.1 & 169.144.0.20, example is shown below,<\/p>\n [[email protected]<\/a> ~]# tcpdump -w two-host-tcp-comm.pcap -i enp0s3 tcp and (host 169.144.0.1 or host 169.144.0.20)<\/p>\n Capturing only SSH packet flow between two hosts using tcpdump command,<\/p>\n [[email protected]<\/a> ~]# tcpdump -w ssh-comm-two-hosts.pcap -i enp0s3 src 169.144.0.1 and port 22 and dst 169.144.0.20 and port 22<\/p>\n Syntax :<\/p>\n # tcpdump -w -s -i udp and (host and host )<\/p>\n [[email protected]<\/a> ~]# tcpdump -w two-host-comm.pcap -s 1000 -i enp0s3 udp and (host 169.144.0.10 and host 169.144.0.20)<\/p>\n Using tcpdump command, we can capture tcp\/ip packet in ASCII and HEX format,<\/p>\n To capture the packets in ASCII format use -A option, example is shown below,<\/p>\n [[email protected]<\/a> ~]# tcpdump -c 10 -A -i enp0s3 To Capture the packets both in HEX and ASCII format use -XX option<\/p>\n [[email protected]<\/a> ~]# tcpdump -c 10 -XX -i enp0s3 That\u2019s all from this article, i hope you got an idea how to capture and analyze tcp\/ip packets using tcpdump command. Please do share your feedback and comments.<\/p>\n
\nlistening on enp0s3, link-type EN10MB (Ethernet), capture size 262144 bytes
\n06:43:22.905890 IP compute-0-1.example.com.ssh > 169.144.0.1.39374: Flags [P.], seq 21952160:21952540, ack 13537, win 291, options [nop,nop,TS val 26164373 ecr 6580205], length 380
\n06:43:22.906045 IP compute-0-1.example.com.ssh > 169.144.0.1.39374: Flags [P.], seq 21952540:21952760, ack 13537, win 291, options [nop,nop,TS val 26164373 ecr 6580205], length 220
\n06:43:22.906150 IP compute-0-1.example.com.ssh > 169.144.0.1.39374: Flags [P.], seq 21952760:21952980, ack 13537, win 291, options [nop,nop,TS val 26164373 ecr 6580205], length 220
\n06:43:22.906291 IP 169.144.0.1.39374 > compute-0-1.example.com.ssh: Flags [.], ack 21952980, win 13094, options [nop,nop,TS val 6580205 ecr 26164373], length 0
\n06:43:22.906303 IP 169.144.0.1.39374 > compute-0-1.example.com.ssh: Flags [P.], seq 13537:13609, ack 21952980, win 13094, options [nop,nop,TS val 6580205 ecr 26164373], length 72
\n06:43:22.906322 IP compute-0-1.example.com.ssh > 169.144.0.1.39374: Flags [P.], seq 21952980:21953200, ack 13537, win 291, options [nop,nop,TS val 26164373 ecr 6580205], length 220
\n^C
\n109930 packets captured
\n110065 packets received by filter
\n133 packets dropped by kernel
\n[[email protected]<\/a> ~]#<\/p>\nExample:2) Capturing specific number number of packet from a specific interface<\/h4>\n
Example:3) Display all the available Interfaces for tcpdump<\/h4>\n
\n1.enp0s3
\n2.enp0s8
\n3.ovs-system
\n4.br-int
\n5.br-tun
\n6.nflog (Linux netfilter log (NFLOG) interface)
\n7.nfqueue (Linux netfilter queue (NFQUEUE) interface)
\n8.usbmon1 (USB bus number 1)
\n9.usbmon2 (USB bus number 2)
\n10.qbra692e993-28
\n11.qvoa692e993-28
\n12.qvba692e993-28
\n13.tapa692e993-28
\n14.vxlan_sys_4789
\n15.any (Pseudo-device that captures on all interfaces)
\n16.lo [Loopback]
\n[[email protected]<\/a> ~]#<\/p>\nExample:4) Capturing packets with human readable timestamp (-tttt option)<\/h4>\n
\ntcpdump: verbose output suppressed, use -v or -vv for full protocol decode
\nlistening on enp0s3, link-type EN10MB (Ethernet), capture size 262144 bytes
\n2018-08-25 23:23:36.954883 IP compute-0-1.example.com.ssh > 169.144.0.1.39406: Flags [P.], seq 1449206247:1449206435, ack 3062020950, win 291, options [nop,nop,TS val 86178422 ecr 21583714], length 188
\n2018-08-25 23:23:36.955046 IP 169.144.0.1.39406 > compute-0-1.example.com.ssh: Flags [.], ack 188, win 13585, options [nop,nop,TS val 21583717 ecr 86178422], length 0
\n2018-08-25 23:23:37.140097 IP controller0.example.com.amqp > compute-0-1.example.com.57818: Flags [P.], seq 814607956:814607964, ack 2387094506, win 252, options [nop,nop,TS val 86172228 ecr 86176695], length 8
\n2018-08-25 23:23:37.140175 IP compute-0-1.example.com.57818 > controller0.example.com.amqp: Flags [.], ack 8, win 237, options [nop,nop,TS val 86178607 ecr 86172228], length 0
\n2018-08-25 23:23:37.355238 IP compute-0-1.example.com.57836 > controller0.example.com.amqp: Flags [P.], seq 1080415080:1080417400, ack 1690909362, win 237, options [nop,nop,TS val 86178822 ecr 86163054], length 2320
\n2018-08-25 23:23:37.357119 IP controller0.example.com.amqp > compute-0-1.example.com.57836: Flags [.], ack 2320, win 1432, options [nop,nop,TS val 86172448 ecr 86178822], length 0
\n2018-08-25 23:23:37.357545 IP controller0.example.com.amqp > compute-0-1.example.com.57836: Flags [P.], seq 1:22, ack 2320, win 1432, options [nop,nop,TS val 86172449 ecr 86178822], length 21
\n2018-08-25 23:23:37.357572 IP compute-0-1.example.com.57836 > controller0.example.com.amqp: Flags [.], ack 22, win 237, options [nop,nop,TS val 86178825 ecr 86172449], length 0
\n8 packets captured
\n134 packets received by filter
\n69 packets dropped by kernel
\n[[email protected]<\/a> ~]#<\/p>\nExample:5) Capturing and saving packets to a file (-w option)<\/h4>\n
\ntcpdump: listening on enp0s3, link-type EN10MB (Ethernet), capture size 262144 bytes
\n^C841 packets captured
\n845 packets received by filter
\n0 packets dropped by kernel
\n[[email protected]<\/a> ~]# ls
\nanaconda-ks.cfg enp0s3-26082018.pcap
\n[[email protected]<\/a> ~]#<\/p>\nExample:6) Reading packets from the saved file ( -r option)<\/h4>\n
\nreading from file enp0s3-26082018.pcap, link-type EN10MB (Ethernet)
\n2018-08-25 22:03:17.249648 IP compute-0-1.example.com.ssh > 169.144.0.1.39406: Flags [P.], seq 1426167803:1426167927, ack 3061962134, win 291, options
\n[nop,nop,TS val 81358717 ecr 20378789], length 124
\n2018-08-25 22:03:17.249840 IP 169.144.0.1.39406 > compute-0-1.example.com.ssh: Flags [.], ack 124, win 564, options [nop,nop,TS val 20378791 ecr 81358
\n717], length 0
\n2018-08-25 22:03:17.454559 IP controller0.example.com.amqp > compute-0-1.example.com.57836: Flags [.], ack 1079416895, win 1432, options [nop,nop,TS v
\nal 81352560 ecr 81353913], length 0
\n2018-08-25 22:03:17.454642 IP compute-0-1.example.com.57836 > controller0.example.com.amqp: Flags [.], ack 1, win 237, options [nop,nop,TS val 8135892
\n2 ecr 81317504], length 0
\n2018-08-25 22:03:17.646945 IP compute-0-1.example.com.57788 > controller0.example.com.amqp: Flags [.], seq 106760587:106762035, ack 688390730, win 237
\n, options [nop,nop,TS val 81359114 ecr 81350901], length 1448
\n2018-08-25 22:03:17.647043 IP compute-0-1.example.com.57788 > controller0.example.com.amqp: Flags [P.], seq 1448:1956, ack 1, win 237, options [nop,no
\np,TS val 81359114 ecr 81350901], length 508
\n2018-08-25 22:03:17.647502 IP controller0.example.com.amqp > compute-0-1.example.com.57788: Flags [.], ack 1956, win 1432, options [nop,nop,TS val 813
\n52753 ecr 81359114], length 0
\n………………………………………………………………………………………………………….<\/p>\nExample:7) Capturing only IP address packets on a specific Interface (-n option)<\/h4>\n
\nlistening on enp0s3, link-type EN10MB (Ethernet), capture size 262144 bytes
\n22:22:28.537904 IP 169.144.0.20.ssh > 169.144.0.1.39406: Flags [P.], seq 1433301395:1433301583, ack 3061976250, win 291, options [nop,nop,TS val 82510005 ecr 20666610], length 188
\n22:22:28.538173 IP 169.144.0.1.39406 > 169.144.0.20.ssh: Flags [.], ack 188, win 9086, options [nop,nop,TS val 20666613 ecr 82510005], length 0
\n22:22:28.538573 IP 169.144.0.20.ssh > 169.144.0.1.39406: Flags [P.], seq 188:552, ack 1, win 291, options [nop,nop,TS val 82510006 ecr 20666613], length 364
\n22:22:28.538736 IP 169.144.0.1.39406 > 169.144.0.20.ssh: Flags [.], ack 552, win 9086, options [nop,nop,TS val 20666613 ecr 82510006], length 0
\n22:22:28.538874 IP 169.144.0.20.ssh > 169.144.0.1.39406: Flags [P.], seq 552:892, ack 1, win 291, options [nop,nop,TS val 82510006 ecr 20666613], length 340
\n22:22:28.539042 IP 169.144.0.1.39406 > 169.144.0.20.ssh: Flags [.], ack 892, win 9086, options [nop,nop,TS val 20666613 ecr 82510006], length 0
\n22:22:28.539178 IP 169.144.0.20.ssh > 169.144.0.1.39406: Flags [P.], seq 892:1232, ack 1, win 291, options [nop,nop,TS val 82510006 ecr 20666613], length 340
\n22:22:28.539282 IP 169.144.0.1.39406 > 169.144.0.20.ssh: Flags [.], ack 1232, win 9086, options [nop,nop,TS val 20666614 ecr 82510006], length 0
\n22:22:28.539479 IP 169.144.0.20.ssh > 169.144.0.1.39406: Flags [P.], seq 1232:1572, ack 1, win 291, options [nop,nop,TS val 82510006 ecr 20666614], length 340
\n22:22:28.539595 IP 169.144.0.1.39406 > 169.144.0.20.ssh: Flags [.], ack 1572, win 9086, options [nop,nop,TS val 20666614 ecr 82510006], length 0
\n22:22:28.539760 IP 169.144.0.20.ssh > 169.144.0.1.39406: Flags [P.], seq 1572:1912, ack 1, win 291, options [nop,nop,TS val 82510007 ecr 20666614], length 340
\n……………………………………………………………….<\/p>\nExample:8) Capturing only TCP packets on a specific interface<\/h4>\n
\ntcpdump: verbose output suppressed, use -v or -vv for full protocol decode
\nlistening on enp0s3, link-type EN10MB (Ethernet), capture size 262144 bytes
\n22:36:54.521053 IP 169.144.0.20.ssh > 169.144.0.1.39406: Flags [P.], seq 1433336467:1433336655, ack 3061986618, win 291, options [nop,nop,TS val 83375988 ecr 20883106], length 188
\n22:36:54.521474 IP 169.144.0.1.39406 > 169.144.0.20.ssh: Flags [.], ack 188, win 9086, options [nop,nop,TS val 20883109 ecr 83375988], length 0
\n22:36:54.522214 IP 169.144.0.20.ssh > 169.144.0.1.39406: Flags [P.], seq 188:552, ack 1, win 291, options [nop,nop,TS val 83375989 ecr 20883109], length 364
\n22:36:54.522508 IP 169.144.0.1.39406 > 169.144.0.20.ssh: Flags [.], ack 552, win 9086, options [nop,nop,TS val 20883109 ecr 83375989], length 0
\n22:36:54.522867 IP 169.144.0.20.ssh > 169.144.0.1.39406: Flags [P.], seq 552:892, ack 1, win 291, options [nop,nop,TS val 83375990 ecr 20883109], length 340
\n22:36:54.523006 IP 169.144.0.1.39406 > 169.144.0.20.ssh: Flags [.], ack 892, win 9086, options [nop,nop,TS val 20883109 ecr 83375990], length 0
\n22:36:54.523304 IP 169.144.0.20.ssh > 169.144.0.1.39406: Flags [P.], seq 892:1232, ack 1, win 291, options [nop,nop,TS val 83375990 ecr 20883109], length 340
\n22:36:54.523461 IP 169.144.0.1.39406 > 169.144.0.20.ssh: Flags [.], ack 1232, win 9086, options [nop,nop,TS val 20883110 ecr 83375990], length 0
\n22:36:54.523604 IP 169.144.0.20.ssh > 169.144.0.1.39406: Flags [P.], seq 1232:1572, ack 1, win 291, options [nop,nop,TS val 83375991 ecr 20883110], length 340
\n…………………………………………………………………………………………………………………………………<\/p>\nExample:9) Capturing packets from a specific port on a specific interface<\/h4>\n
\ntcpdump: verbose output suppressed, use -v or -vv for full protocol decode
\nlistening on enp0s3, link-type EN10MB (Ethernet), capture size 262144 bytes
\n22:54:45.032412 IP compute-0-1.example.com.ssh > 169.144.0.1.39406: Flags [P.], seq 1435010787:1435010975, ack 3061993834, win 291, options [nop,nop,TS val 84446499 ecr 21150734], length 188
\n22:54:45.032631 IP 169.144.0.1.39406 > compute-0-1.example.com.ssh: Flags [.], ack 188, win 9131, options [nop,nop,TS val 21150737 ecr 84446499], length 0
\n22:54:55.037926 IP compute-0-1.example.com.ssh > 169.144.0.1.39406: Flags [P.], seq 188:576, ack 1, win 291, options [nop,nop,TS val 84456505 ecr 21150737], length 388
\n22:54:55.038106 IP 169.144.0.1.39406 > compute-0-1.example.com.ssh: Flags [.], ack 576, win 9154, options [nop,nop,TS val 21153238 ecr 84456505], length 0
\n22:54:55.038286 IP compute-0-1.example.com.ssh > 169.144.0.1.39406: Flags [P.], seq 576:940, ack 1, win 291, options [nop,nop,TS val 84456505 ecr 21153238], length 364
\n22:54:55.038564 IP 169.144.0.1.39406 > compute-0-1.example.com.ssh: Flags [.], ack 940, win 9177, options [nop,nop,TS val 21153238 ecr 84456505], length 0
\n22:54:55.038708 IP compute-0-1.example.com.ssh > 169.144.0.1.39406: Flags [P.], seq 940:1304, ack 1, win 291, options [nop,nop,TS val 84456506 ecr 21153238], length 364
\n…………………………………………………………………………………………………………….
\n[[email protected]<\/a> ~]#<\/p>\nExample:10) Capturing the packets from a Specific Source IP on a Specific Interface<\/h4>\n
\ntcpdump: verbose output suppressed, use -v or -vv for full protocol decode
\nlistening on enp0s3, link-type EN10MB (Ethernet), capture size 262144 bytes
\n23:03:45.912733 IP 169.144.0.10.amqp > 169.144.0.20.57800: Flags [.], ack 526623844, win 243, options [nop,nop,TS val 84981008 ecr 84982372], length 0
\n23:03:46.136757 IP 169.144.0.10.amqp > 169.144.0.20.57796: Flags [.], ack 2535995970, win 252, options [nop,nop,TS val 84981232 ecr 84982596], length 0
\n23:03:46.153398 IP 169.144.0.10.amqp > 169.144.0.20.57798: Flags [.], ack 3623063621, win 243, options [nop,nop,TS val 84981248 ecr 84982612], length 0
\n23:03:46.361160 IP 169.144.0.10.amqp > 169.144.0.20.57802: Flags [.], ack 2140263945, win 252, options [nop,nop,TS val 84981456 ecr 84982821], length 0
\n23:03:46.376926 IP 169.144.0.10.amqp > 169.144.0.20.57808: Flags [.], ack 175946224, win 252, options [nop,nop,TS val 84981472 ecr 84982836], length 0
\n23:03:46.505242 IP 169.144.0.10.amqp > 169.144.0.20.57810: Flags [.], ack 1016089556, win 252, options [nop,nop,TS val 84981600 ecr 84982965], length 0
\n23:03:46.616994 IP 169.144.0.10.amqp > 169.144.0.20.57812: Flags [.], ack 832263835, win 252, options [nop,nop,TS val 84981712 ecr 84983076], length 0
\n23:03:46.809344 IP 169.144.0.10.amqp > 169.144.0.20.57814: Flags [.], ack 2781799939, win 252, options [nop,nop,TS val 84981904 ecr 84983268], length 0
\n23:03:46.809485 IP 169.144.0.10.amqp > 169.144.0.20.57816: Flags [.], ack 1662816815, win 252, options [nop,nop,TS val 84981904 ecr 84983268], length 0
\n23:03:47.033301 IP 169.144.0.10.amqp > 169.144.0.20.57818: Flags [.], ack 2387094362, win 252, options [nop,nop,TS val 84982128 ecr 84983492], length 0
\n^C
\n10 packets captured
\n12 packets received by filter
\n0 packets dropped by kernel
\n[[email protected]<\/a> ~]#<\/p>\nExample:11) Capturing packets from a specific destination IP on a specific Interface<\/h4>\n
\ntcpdump: verbose output suppressed, use -v or -vv for full protocol decode
\nlistening on enp0s3, link-type EN10MB (Ethernet), capture size 262144 bytes
\n23:10:43.520967 IP 169.144.0.20.ssh > 169.144.0.1.39406: Flags [P.], seq 1439564171:1439564359, ack 3062005550, win 291, options [nop,nop,TS val 85404988 ecr 21390356], length 188
\n23:10:43.521441 IP 169.144.0.20.ssh > 169.144.0.1.39406: Flags [P.], seq 188:408, ack 1, win 291, options [nop,nop,TS val 85404988 ecr 21390359], length 220
\n23:10:43.521719 IP 169.144.0.20.ssh > 169.144.0.1.39406: Flags [P.], seq 408:604, ack 1, win 291, options [nop,nop,TS val 85404989 ecr 21390359], length 196
\n23:10:43.521993 IP 169.144.0.20.ssh > 169.144.0.1.39406: Flags [P.], seq 604:800, ack 1, win 291, options [nop,nop,TS val 85404989 ecr 21390359], length 196
\n23:10:43.522157 IP 169.144.0.20.ssh > 169.144.0.1.39406: Flags [P.], seq 800:996, ack 1, win 291, options [nop,nop,TS val 85404989 ecr 21390359], length 196
\n23:10:43.522346 IP 169.144.0.20.ssh > 169.144.0.1.39406: Flags [P.], seq 996:1192, ack 1, win 291, options [nop,nop,TS val 85404989 ecr 21390359], length 196
\n……………………………………………………………………………..<\/p>\nExample:12) Capturing TCP packet communication between two Hosts<\/h4>\n
Example:13) Capturing the udp network packets (to & fro) between two hosts<\/h4>\n
Example:14) Capturing packets in HEX and ASCII Format<\/h4>\n
\ntcpdump: verbose output suppressed, use -v or -vv for full protocol decode
\nlistening on enp0s3, link-type EN10MB (Ethernet), capture size 262144 bytes
\n00:37:10.520060 IP compute-0-1.example.com.ssh > 169.144.0.1.39406: Flags [P.], seq 1452637331:1452637519, ack 3062125586, win 333, options [nop,nop,TS val 90591987 ecr 22687106], length 188
\nE…[[email protected]<\/a>@……………V.|…T….MT……
\n.fR..Z-….b.:..Z5…{.’p….].”}…Z..9.?…….”[email protected]<\/a><…..V..C…..{,…OKP.2.*…`..-sS..1S………..:.O[…..O..6j.d…..
\n.Z-..fR.
\n00:37:11.687543 IP controller0.example.com.amqp > compute-0-1.example.com.57800: Flags [.], ack 526624548, win 243, options [nop,nop,TS val 90586768 ecr 90588146], length 0
\n[email protected]<\/a>@.!L…
\n…..(..g….c.$………..
\n.f>..fC.
\n00:37:11.687612 IP compute-0-1.example.com.57800 > controller0.example.com.amqp: Flags [.], ack 1, win 237, options [nop,nop,TS val 90593155 ecr 90551716], length 0
\n[email protected]<\/a>@……….
\n…(.c.$g…….Se…..
\n.fW..e..
\n………………………………………………………………………………………………………………………………..<\/p>\n
\ntcpdump: verbose output suppressed, use -v or -vv for full protocol decode
\nlistening on enp0s3, link-type EN10MB (Ethernet), capture size 262144 bytes
\n00:39:15.124363 IP compute-0-1.example.com.ssh > 169.144.0.1.39406: Flags [P.], seq 1452640859:1452641047, ack 3062126346, win 333, options [nop,nop,TS val 90716591 ecr 22718257], length 188
\n0x0000: 0a00 2700 0000 0800 27f4 f935 0800 4510 ..’…..’..5..E.
\n0x0010: 00f0 5bc6 4000 4006 8afc a990 0014 a990 ..[[email protected]<\/a>@………
\n0x0020: 0001 0016 99ee 5695 8a5b b684 570a 8018 ……V..[..W…
\n0x0030: 014d 5418 0000 0101 080a 0568 39af 015a .MT……..h9..Z
\n0x0040: a731 adb7 58b6 1a0f 2006 df67 c9b6 4479 .1..X……g..Dy
\n0x0050: 19fd 2c3d 2042 3313 35b9 a160 fa87 d42c ..,=.B3.5..`…,
\n0x0060: 89a9 3d7d dfbf 980d 2596 4f2a 99ba c92a ..=}….%.O*…*
\n0x0070: 3e1e 7bf7 3af2 a5cc ee4f 10bc 7dfc 630d >.{.:….O..}.c.
\n0x0080: 898a 0e16 6825 56c7 b683 1de4 3526 ff04 ….h%V…..5&..
\n0x0090: 68d1 4f7d babd 27ba 84ae c5d3 750b 01bd h.O}..’…..u…
\n0x00a0: 9c43 e10a 33a6 8df2 a9f0 c052 c7ed 2ff5 .C..3……R..\/.
\n0x00b0: bfb1 ce84 edfc c141 6dad fa19 0702 62a7 …….Am…..b.
\n0x00c0: 306c db6b 2eea 824e eea5 acd7 f92e 6de3 0l.k…N……m.
\n0x00d0: 85d0 222d f8bf 9051 2c37 93c8 506d 5cb5 ..”-…Q,7..Pm.
\n0x00e0: 3b4a 2a80 d027 49f2 c996 d2d9 a9eb c1c4 ;J*..’I………
\n0x00f0: 7719 c615 8486 d84c e42d 0ba3 698c w……L.-..i.
\n00:39:15.124648 IP 169.144.0.1.39406 > compute-0-1.example.com.ssh: Flags [.], ack 188, win 13971, options [nop,nop,TS val 22718260 ecr 90716591], length 0
\n0x0000: 0800 27f4 f935 0a00 2700 0000 0800 4510 ..’..5..’…..E.
\n0x0010: 0034 6b70 4000 4006 7c0e a990 0001 a990 [email protected]<\/a>@.|…….
\n0x0020: 0014 99ee 0016 b684 570a 5695 8b17 8010 ……..W.V…..
\n0x0030: 3693 7c0e 0000 0101 080a 015a a734 0568 6.|……..Z.4.h
\n0x0040: 39af
\n……………………………………………………………..<\/p>\n