Open stephane-klein opened 2 years ago
root@triton:~# tcpdump -i eno1 udp > output.txt
18:05:06.187445 IP 51.159.34.10.55321 > 51.159.34.255.34196: UDP, length 3
18:05:06.420967 IP 51.159.34.149.52218 > 51.159.34.255.32412: UDP, length 21
18:05:06.591281 IP 51.159.34.136.44090 > 51.159.34.255.32412: UDP, length 21
18:05:06.937114 IP 51.159.34.254.4446 > 230.0.0.1.4446: UDP, length 339
18:05:08.045178 IP 51.159.34.254.4446 > 230.0.0.1.4446: UDP, length 119
18:05:08.187554 IP 51.159.34.10.55321 > 51.159.34.255.34196: UDP, length 3
18:05:08.410555 IP 51.159.34.106.51719 > 51.159.34.255.32412: UDP, length 21
18:05:09.278494 IP 51.159.34.136.54820 > 51.159.34.255.32414: UDP, length 21
18:05:09.341043 IP 51.159.34.167.64512 > 51.159.34.255.64512: UDP, length 64
18:05:09.622273 IP 51.159.34.149.42771 > 51.159.34.255.32414: UDP, length 21
18:05:09.768855 IP 51.159.34.63.mdns > 224.0.0.251.mdns: 0 [2q] PTR (QM)? _ipp._tcp.local. PTR (QM)? _ipps._tcp.local. (45)
18:05:10.121047 IP 51.159.34.106.59858 > 51.159.34.255.32414: UDP, length 21
18:05:10.187583 IP 51.159.34.10.55321 > 51.159.34.255.34196: UDP, length 3
18:05:10.276016 IP 51.159.34.254.4446 > 230.0.0.1.4446: UDP, length 171
18:05:10.733202 IP 51.159.34.218.33685 > 51.159.34.255.32412: UDP, length 21
18:05:10.846473 IP 51.159.34.218.43066 > 51.159.34.255.32414: UDP, length 21
18:05:11.295882 IP 212.129.11.47.netbios-dgm > 212.129.11.63.netbios-dgm: UDP, length 201
18:05:11.421206 IP 51.159.34.149.52218 > 51.159.34.255.32412: UDP, length 21
18:05:11.591972 IP 51.159.34.136.44090 > 51.159.34.255.32412: UDP, length 21
18:05:11.937368 IP 51.159.34.254.4446 > 230.0.0.1.4446: UDP, length 339
18:05:12.187557 IP 51.159.34.10.55321 > 51.159.34.255.34196: UDP, length 3
18:05:13.045391 IP 51.159.34.254.4446 > 230.0.0.1.4446: UDP, length 119
18:05:13.410857 IP 51.159.34.106.51719 > 51.159.34.255.32412: UDP, length 21
18:05:14.023879 IP 51.159.34.218.57892 > 239.255.255.250.1900: UDP, length 101
18:05:14.187477 IP 51.159.34.10.55321 > 51.159.34.255.34196: UDP, length 3
18:05:14.279279 IP 51.159.34.136.54820 > 51.159.34.255.32414: UDP, length 21
18:05:14.622520 IP 51.159.34.149.42771 > 51.159.34.255.32414: UDP, length 21
18:05:14.725038 IP6 fe80::ec4:7aff:fe74:47e3.dhcpv6-client > ff02::1:2.dhcpv6-server: dhcp6 solicit
18:05:15.120995 IP6 fe80::ec4:7aff:fe74:4812.dhcpv6-client > ff02::1:2.dhcpv6-server: dhcp6 solicit
18:05:15.121340 IP 51.159.34.106.59858 > 51.159.34.255.32414: UDP, length 21
18:05:15.276233 IP 51.159.34.254.4446 > 230.0.0.1.4446: UDP, length 171
18:05:15.733827 IP 51.159.34.218.33685 > 51.159.34.255.32412: UDP, length 21
18:05:15.847074 IP 51.159.34.218.43066 > 51.159.34.255.32414: UDP, length 21
18:05:16.187464 IP 51.159.34.10.55321 > 51.159.34.255.34196: UDP, length 3
18:05:16.421440 IP 51.159.34.149.52218 > 51.159.34.255.32412: UDP, length 21
18:05:16.592610 IP 51.159.34.136.44090 > 51.159.34.255.32412: UDP, length 21
18:05:16.937611 IP 51.159.34.254.4446 > 230.0.0.1.4446: UDP, length 339
51.159.34.10.55321 > 51.159.34.255.34196
raw explanation:
UDP format is illustrated by this rwho packet:
actinide.who > broadcast.who: udp 84
This says that port who on host actinide sent a udp datagram to port who on host broadcast, the Internet broadcast address. The packet contained 84 bytes of user data.
Some useful network tools: https://github.com/caesar0301/awesome-pcaptools
man pcap-filter
Dump network traffic, excluding my SSH public IP:
tcpdump -i eno1 not host 176.151.229.120
This is iftop output:
51-159-34-254.rev.poneytelecom.eu => 230.0.0.1 796b 730b 1.11Kb
<= 0b 0b 0b
51-159-34-255.rev.poneytelecom.eu => 51-159-34-106.rev.poneytelecom.eu 0b 0b 0b
<= 0b 157b 157b
51-159-34-255.rev.poneytelecom.eu => 51-159-34-149.rev.poneytelecom.eu 0b 0b 0b
<= 196b 157b 157b
51-159-34-255.rev.poneytelecom.eu => 51-159-34-218.rev.poneytelecom.eu 0b 0b 0b
<= 392b 157b 157b
51-159-34-255.rev.poneytelecom.eu => 51-159-34-10.rev.poneytelecom.eu 0b 0b 0b
<= 124b 124b 124b
51-159-34-255.rev.poneytelecom.eu => 51-159-34-136.rev.poneytelecom.eu 0b 0b 0b
<= 196b 118b 157b
51-159-34-255.rev.poneytelecom.eu => boron.progval.net 0b 0b 0b
<= 0b 74b 37b
51-159-34-231.rev.poneytelecom.eu => 54.223.161.222.adsl-pool.jlccptt.net.cn 0b 32b 8b
<= 0b 32b 8b
51-159-34-231.rev.poneytelecom.eu => nscache-2.online.net 0b 0b 80b
<= 0b 0b 111b
51-159-34-231.rev.poneytelecom.eu => nscache-1.online.net 0b 0b 32b
<= 0b 0b 32b
51-159-34-231.rev.poneytelecom.eu => 116.204.171.205 0b 0b 29b
<= 0b 0b 23b
51-159-34-231.rev.poneytelecom.eu => 176.113.115.104 0b 0b 8b
<= 0b 0b 16b
51-159-34-231.rev.poneytelecom.eu => 162.62.191.220 0b 0b 8b
<= 0b 0b 10b
51-159-34-231.rev.poneytelecom.eu => scanner-03.ch1.censys-scanner.com 0b 0b 8b
<= 0b 0b 9b
What are all these input hosts?
116.204.171.205
176.113.115.104
162.62.191.220
scanner-03.ch1.censys-scanner.com
54.223.161.222.adsl-pool.jlccptt.net.cn
boron.progval.net
230.0.0.1 => multicast
scanner-13.ch1.censys-scanner.com
nscache-2.online.net => is the internal online DNS server.
Export with tcpdump udp network traffic from Scaleway Dedibox server.
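As an added example (my code, not the issue author's), a small Python parser for the tcpdump UDP summary lines above: it splits each `host.port` endpoint on the last dot as the man page excerpt describes, buckets every destination as multicast, broadcast, local or external, and flags source addresses that do not belong to the server's subnet. It assumes the capture host sits in 51.159.34.0/24; the sample lines are copied from the capture above, not constructed.

```python
import ipaddress
import re
from collections import Counter

# One tcpdump UDP summary line; host and port are joined by the last '.',
# exactly as the man page's "actinide.who > broadcast.who: udp 84" describes.
LINE_RE = re.compile(r"^(\S+) (IP6?) (\S+) > (\S+): (.*)$")
LEN_RE = re.compile(r"length (\d+)|\((\d+)\)$")  # "UDP, length N" or mDNS "(N)"

# Lines copied from the capture above (not constructed), reduced to a sample.
SAMPLE = """\
18:05:06.187445 IP 51.159.34.10.55321 > 51.159.34.255.34196: UDP, length 3
18:05:06.420967 IP 51.159.34.149.52218 > 51.159.34.255.32412: UDP, length 21
18:05:06.937114 IP 51.159.34.254.4446 > 230.0.0.1.4446: UDP, length 339
18:05:09.768855 IP 51.159.34.63.mdns > 224.0.0.251.mdns: 0 [2q] PTR (QM)? _ipp._tcp.local. PTR (QM)? _ipps._tcp.local. (45)
18:05:11.295882 IP 212.129.11.47.netbios-dgm > 212.129.11.63.netbios-dgm: UDP, length 201
18:05:14.023879 IP 51.159.34.218.57892 > 239.255.255.250.1900: UDP, length 101
18:05:14.725038 IP6 fe80::ec4:7aff:fe74:47e3.dhcpv6-client > ff02::1:2.dhcpv6-server: dhcp6 solicit
""".splitlines()

def split_endpoint(ep):
    """'host.port' -> (host, port); rpartition keeps IPv6 colons intact."""
    host, _, port = ep.rpartition(".")
    return host, port

def classify_dst(dst, local_net):
    """Bucket a destination as multicast / broadcast / local / external.
    Assumes the capture host sits in local_net (the page's 51.159.34.0/24),
    so 'broadcast' means that subnet's directed broadcast address (.255)."""
    addr = ipaddress.ip_address(dst)
    if addr.is_multicast:
        return "multicast"
    if addr.version == local_net.version and addr == local_net.broadcast_address:
        return "broadcast"
    return "local" if addr in local_net else "external"

def summarize(lines, local_cidr="51.159.34.0/24"):
    local_net = ipaddress.ip_network(local_cidr)
    flows, payload, by_class, foreign_src = Counter(), Counter(), Counter(), set()
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue                        # not a tcpdump summary line
        src, _ = split_endpoint(m.group(3))
        dst, dport = split_endpoint(m.group(4))
        cls = classify_dst(dst, local_net)
        key = (src, dst, dport, cls)
        flows[key] += 1
        by_class[cls] += 1
        lm = LEN_RE.search(m.group(5))
        payload[key] += int(lm.group(1) or lm.group(2)) if lm else 0
        saddr = ipaddress.ip_address(src)
        if saddr.version == 4 and saddr not in local_net:
            foreign_src.add(src)            # another subnet's chatter seen on this wire
    return {"parsed": sum(flows.values()), "flows": flows, "payload": payload,
            "by_class": by_class, "foreign_src": foreign_src}

if __name__ == "__main__":
    r = summarize(SAMPLE)
    for (src, dst, port, cls), n in r["flows"].most_common():
        print(f"{cls:9} {src:>24} -> {dst}:{port}  pkts={n} bytes={r['payload'][(src, dst, port, cls)]}")
    print("foreign sources:", sorted(r["foreign_src"]))
```

Run it on the full `output.txt` instead of `SAMPLE` to see which hosts only talk to the subnet broadcast or to multicast groups, and which packets (like the netbios-dgm line from 212.129.11.47) come from outside the server's own /24.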