- +1 902 791 1110
- contact@bobbitt.ca
Wireshark and tcpdump are extremely powerful network troubleshooting tools. Here are some command examples that may be useful.
Show all ARP:
arp
Show ARP from a specific MAC:
arp.src.hw_mac == 00:16:D3:4A:CE:7D
Show all traffic to a specific IP:
ip.src == 10.14.1.16
Show all traffic to/from a specific IP:
ip.addr == 10.14.1.16
Show only SYN packets:
tcp.flags.syn
Show all web traffic:
tcp.port == 80
Capture agent specific traffic
udp.port == 11168 or udp.port == 11168 or udp.port == 11688 or tcp.port == 11698
Capture just audit traffic
tcp port 11698
Capture only from a single MAC
ether host 00:16:D3:4A:CE:7D
Capture agent specific traffic
udp port 11168 or udp port 11168 or udp port 11688 or tcp port 11698
Capture only traffic to/from 1.2.3.4
host 1.2.3.4
Capture only web traffic to/from 1.2.3.4
host 1.2.3.4 and tcp port 80
See all SSH traffic not from designated host:
tcpdump -n port 22 and not host 216.58.41.139
See all audit traffic for one endpoint:
tcpdump -n -i any port 11698 and host 156.99.137.37
Capture 4096 bytes of HTTP traffic to/from 10.100.0.1, decode it as much as possible, and save it to /tmp/http.cap
tcpdump -X -vv -s 4096 -w /tmp/http.cap host 10.100.0.1 and port 80
Look for reporter traffic
/usr/sbin/tcpdump -n udp port 11688
Included below are some commands that I have found, created or tweaked to help make life easier along the way.
Getting SELinux working can be tough. Here are some commands I found useful.
Is SELinux enabled?
Deactivate all inactive users in the last year:
Yes, some distros still use rpm.
Extract files from an RPM:
Get into the correct directory:
cd /etc/pki/tls/certs