Export with `tcpdump` `udp` network traffic from old Scaleway Dedibox server

[stephane-klein]

Export with tcpdump udp network traffic from Scaleway Dedibox server.

[stephane-klein]

root@triton:~# tcpdump -i eno1 udp > output.txt
18:05:06.187445 IP 51.159.34.10.55321 > 51.159.34.255.34196: UDP, length 3
18:05:06.420967 IP 51.159.34.149.52218 > 51.159.34.255.32412: UDP, length 21
18:05:06.591281 IP 51.159.34.136.44090 > 51.159.34.255.32412: UDP, length 21
18:05:06.937114 IP 51.159.34.254.4446 > 230.0.0.1.4446: UDP, length 339
18:05:08.045178 IP 51.159.34.254.4446 > 230.0.0.1.4446: UDP, length 119
18:05:08.187554 IP 51.159.34.10.55321 > 51.159.34.255.34196: UDP, length 3
18:05:08.410555 IP 51.159.34.106.51719 > 51.159.34.255.32412: UDP, length 21
18:05:09.278494 IP 51.159.34.136.54820 > 51.159.34.255.32414: UDP, length 21
18:05:09.341043 IP 51.159.34.167.64512 > 51.159.34.255.64512: UDP, length 64
18:05:09.622273 IP 51.159.34.149.42771 > 51.159.34.255.32414: UDP, length 21
18:05:09.768855 IP 51.159.34.63.mdns > 224.0.0.251.mdns: 0 [2q] PTR (QM)? _ipp._tcp.local. PTR (QM)? _ipps._tcp.local. (45)
18:05:10.121047 IP 51.159.34.106.59858 > 51.159.34.255.32414: UDP, length 21
18:05:10.187583 IP 51.159.34.10.55321 > 51.159.34.255.34196: UDP, length 3
18:05:10.276016 IP 51.159.34.254.4446 > 230.0.0.1.4446: UDP, length 171
18:05:10.733202 IP 51.159.34.218.33685 > 51.159.34.255.32412: UDP, length 21
18:05:10.846473 IP 51.159.34.218.43066 > 51.159.34.255.32414: UDP, length 21
18:05:11.295882 IP 212.129.11.47.netbios-dgm > 212.129.11.63.netbios-dgm: UDP, length 201
18:05:11.421206 IP 51.159.34.149.52218 > 51.159.34.255.32412: UDP, length 21
18:05:11.591972 IP 51.159.34.136.44090 > 51.159.34.255.32412: UDP, length 21
18:05:11.937368 IP 51.159.34.254.4446 > 230.0.0.1.4446: UDP, length 339
18:05:12.187557 IP 51.159.34.10.55321 > 51.159.34.255.34196: UDP, length 3
18:05:13.045391 IP 51.159.34.254.4446 > 230.0.0.1.4446: UDP, length 119
18:05:13.410857 IP 51.159.34.106.51719 > 51.159.34.255.32412: UDP, length 21
18:05:14.023879 IP 51.159.34.218.57892 > 239.255.255.250.1900: UDP, length 101
18:05:14.187477 IP 51.159.34.10.55321 > 51.159.34.255.34196: UDP, length 3
18:05:14.279279 IP 51.159.34.136.54820 > 51.159.34.255.32414: UDP, length 21
18:05:14.622520 IP 51.159.34.149.42771 > 51.159.34.255.32414: UDP, length 21
18:05:14.725038 IP6 fe80::ec4:7aff:fe74:47e3.dhcpv6-client > ff02::1:2.dhcpv6-server: dhcp6 solicit
18:05:15.120995 IP6 fe80::ec4:7aff:fe74:4812.dhcpv6-client > ff02::1:2.dhcpv6-server: dhcp6 solicit
18:05:15.121340 IP 51.159.34.106.59858 > 51.159.34.255.32414: UDP, length 21
18:05:15.276233 IP 51.159.34.254.4446 > 230.0.0.1.4446: UDP, length 171
18:05:15.733827 IP 51.159.34.218.33685 > 51.159.34.255.32412: UDP, length 21
18:05:15.847074 IP 51.159.34.218.43066 > 51.159.34.255.32414: UDP, length 21
18:05:16.187464 IP 51.159.34.10.55321 > 51.159.34.255.34196: UDP, length 3
18:05:16.421440 IP 51.159.34.149.52218 > 51.159.34.255.32412: UDP, length 21
18:05:16.592610 IP 51.159.34.136.44090 > 51.159.34.255.32412: UDP, length 21
18:05:16.937611 IP 51.159.34.254.4446 > 230.0.0.1.4446: UDP, length 339

51.159.34.10.55321 > 51.159.34.255.34196 raw explanation:

UDP format is illustrated by this rwho packet: actinide.who > broadcast.who: udp 84 This says that port who on host actinide sent a udp datagram to port who on host broadcast, the Internet broadcast address. The packet contained 84 bytes of user data.

[stephane-klein]

Some usefull network tools: https://github.com/caesar0301/awesome-pcaptools

[stephane-klein]

man pcap-filter

[stephane-klein]

Dump network traffic, exclude my ssh public ip:

tcpdump -i eno1 not host 176.151.229.120

[stephane-klein]

This is iftop output:

51-159-34-254.rev.poneytelecom.eu => 230.0.0.1                                                                      796b    730b   1.11Kb
                                                                             <=                                                                                  0b      0b      0b
51-159-34-255.rev.poneytelecom.eu => 51-159-34-106.rev.poneytelecom.eu                                                0b      0b      0b
                                                                             <=                                                                                  0b    157b    157b
51-159-34-255.rev.poneytelecom.eu => 51-159-34-149.rev.poneytelecom.eu                                                0b      0b      0b
                                                                             <=                                                                                196b    157b    157b
51-159-34-255.rev.poneytelecom.eu => 51-159-34-218.rev.poneytelecom.eu                                                0b      0b      0b
                                                                             <=                                                                                392b    157b    157b
51-159-34-255.rev.poneytelecom.eu => 51-159-34-10.rev.poneytelecom.eu                                                 0b      0b      0b
                                                                             <=                                                                                124b    124b    124b
51-159-34-255.rev.poneytelecom.eu => 51-159-34-136.rev.poneytelecom.eu                                                0b      0b      0b
                                                                             <=                                                                                196b    118b    157b
51-159-34-255.rev.poneytelecom.eu => boron.progval.net                                                                0b      0b      0b
                                                                             <=                                                                                  0b     74b     37b
51-159-34-231.rev.poneytelecom.eu => 54.223.161.222.adsl-pool.jlccptt.net.cn                                          0b     32b      8b
                                                                             <=                                                                                  0b     32b      8b
51-159-34-231.rev.poneytelecom.eu => nscache-2.online.net                                                             0b      0b     80b
                                                                             <=                                                                                  0b      0b    111b
51-159-34-231.rev.poneytelecom.eu => nscache-1.online.net                                                             0b      0b     32b
                                                                             <=                                                                                  0b      0b     32b
51-159-34-231.rev.poneytelecom.eu => 116.204.171.205                                                                  0b      0b     29b
                                                                             <=                                                                                  0b      0b     23b
51-159-34-231.rev.poneytelecom.eu => 176.113.115.104                                                                  0b      0b      8b
                                                                             <=                                                                                  0b      0b     16b
51-159-34-231.rev.poneytelecom.eu => 162.62.191.220                                                                   0b      0b      8b
                                                                             <=                                                                                  0b      0b     10b
51-159-34-231.rev.poneytelecom.eu => scanner-03.ch1.censys-scanner.com                                                0b      0b      8b
                                                                             <=                                                                                  0b      0b      9b

What are all this input hosts?

[stephane-klein]

• 116.204.171.205
• 176.113.115.104
• 162.62.191.220
• scanner-03.ch1.censys-scanner.com
• 54.223.161.222.adsl-pool.jlccptt.net.cn
• boron.progval.net
• 230.0.0.1 => multicast
• scanner-13.ch1.censys-scanner.com

[stephane-klein]

nscache-2.online.net is the internal online DNS server.