FreeBSD - tcpdump - filtration of certain udp port [closed] - unix

Closed. This question does not meet Stack Overflow guidelines. It is not currently accepting answers.
This question does not appear to be about a specific programming problem, a software algorithm, or software tools primarily used by programmers. If you believe the question would be on-topic on another Stack Exchange site, you can leave a comment to explain where the question may be able to be answered.
Closed 2 years ago.
I'm using FreeBSD 10.4.
What argument can I use in tcpdump to match only a certain UDP port?
Is it the -i parameter?
This is what I already reviewed: https://www.freebsd.org/cgi/man.cgi?tcpdump(1)#end

The option -i is for the interface; from the man page:
-i interface
--interface=interface
Listen on interface. If unspecified, tcpdump searches the system interface list for the lowest numbered, configured up interface (excluding loopback), which may turn out to be, for example, ``eth0''.
In the same man page you have some examples like:
To print all IPv4 HTTP packets to and from port 80, i.e. print only
packets that contain data, not, for example, SYN and FIN packets and
ACK-only packets. (IPv6 is left as an exercise for the reader.)
tcpdump 'tcp port 80 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)'
Probably it is not the simplest one, but it can give you an idea of how to achieve what you are looking for.
Let's say you want to capture DNS requests, UDP port 53, on your main interface em0; this could be a starting point:
tcpdump -i em0 'udp port 53'
Now, if you want to go further, you could use Wireshark over ssh. Give this a try:
wireshark -k -i <(ssh user@host sudo tcpdump -i em0 -U -w - not tcp port 22)
or, in another way (in this case using the PF interface pflog):
ssh user@server sudo tcpdump -i pflog0 -U -w - | wireshark -k -i -
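To make the man page's header-offset expression less opaque, here is an added example (not part of the answer above, and not tcpdump's own code) that evaluates the same two filters, 'udp port 53' and the "TCP port 80 with data" expression, on raw IPv4 packets in pure Python. The packets are constructed inline without checksums (the filters never read them); the IP addresses, ports and function names are the example's own assumptions. The parser also returns no ports for ICMP, which has no port fields, a point that comes up again in the iptables question further down the page.

```python
"""Added example: evaluate tcpdump-style header filters on raw IPv4 packets."""
import struct

IPPROTO_ICMP, IPPROTO_TCP, IPPROTO_UDP = 1, 6, 17


def ip_header_len(pkt):
    # ip[0]&0xf is the IHL field (32-bit words); <<2 converts it to bytes.
    return (pkt[0] & 0x0F) << 2


def ip_total_len(pkt):
    # ip[2:2] is the 16-bit Total Length field.
    return struct.unpack_from("!H", pkt, 2)[0]


def l4_ports(pkt):
    """Return (protocol, sport, dport). Ports are None for ICMP, which is a
    layer-3 protocol and carries no port fields at all."""
    proto = pkt[9]
    off = ip_header_len(pkt)
    if proto in (IPPROTO_TCP, IPPROTO_UDP):
        sport, dport = struct.unpack_from("!HH", pkt, off)
        return proto, sport, dport
    return proto, None, None


def tcp_payload_len(pkt):
    """(ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2): total length minus
    the IP header minus the TCP header (high nibble of tcp[12] is the data
    offset in 32-bit words; >>2 turns it into bytes)."""
    off = ip_header_len(pkt)
    tcp_hdr_len = (pkt[off + 12] & 0xF0) >> 2
    return ip_total_len(pkt) - off - tcp_hdr_len


def matches_udp_port(pkt, port):
    """Equivalent of the filter 'udp port <port>'."""
    proto, sport, dport = l4_ports(pkt)
    return proto == IPPROTO_UDP and port in (sport, dport)


def matches_tcp80_with_data(pkt):
    """Equivalent of the man page's 'tcp port 80 and (... != 0)' filter."""
    proto, sport, dport = l4_ports(pkt)
    return proto == IPPROTO_TCP and 80 in (sport, dport) and tcp_payload_len(pkt) != 0


# --- constructed sample packets (hypothetical addresses, no checksums) ---
def build_ipv4(proto, payload, src=b"\x0a\x00\x00\x01", dst=b"\x0a\x00\x00\x02"):
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0, src, dst)
    return hdr + payload


def build_tcp(sport, dport, flags, data=b""):
    # data offset 5 words (20 bytes), no options
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 65535, 0, 0) + data


def build_udp(sport, dport, data=b""):
    return struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data


SAMPLES = {
    "tcp_syn_to_80": build_ipv4(IPPROTO_TCP, build_tcp(40000, 80, 0x02)),
    "tcp_get_to_80": build_ipv4(IPPROTO_TCP, build_tcp(40000, 80, 0x18, b"GET / HTTP/1.0\r\n\r\n")),
    "tcp_ack_from_80": build_ipv4(IPPROTO_TCP, build_tcp(80, 40000, 0x10)),
    "udp_dns_query": build_ipv4(IPPROTO_UDP, build_udp(53123, 53, b"\x12\x34\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00")),
    "udp_ntp": build_ipv4(IPPROTO_UDP, build_udp(123, 123, b"\x23" + b"\x00" * 47)),
    "icmp_echo": build_ipv4(IPPROTO_ICMP, b"\x08\x00\x00\x00\x00\x01\x00\x01"),
}


def apply_filter(pred, packets=SAMPLES):
    """Names of the sample packets the predicate matches, in dictionary order."""
    return [name for name, pkt in packets.items() if pred(pkt)]


if __name__ == "__main__":
    print("udp port 53    ->", apply_filter(lambda p: matches_udp_port(p, 53)))
    print("tcp 80 w/ data ->", apply_filter(matches_tcp80_with_data))
```

The SYN and the bare ACK to port 80 are rejected only because their computed payload length is 0, which is exactly what the man page's arithmetic on ip[2:2], ip[0] and tcp[12] does in the kernel's BPF interpreter; the script just makes each term visible.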

Related

does an ip address have multiple ports? [closed]

Closed 7 years ago.
I have read somewhere that "if you are the remote user connecting to a web server, then your web browser would pick a random TCP port from a certain range of port numbers, and attempt to connect to port 80 on the IP address of the web server". Does that mean that a particular ip address at client side have multiple ports?
Every system which implements TCP/IP has multiple "ports". The IP address refers to the entire system; if that's all we had, it would be pretty boring. One program on a system could talk to one program on another system.
Hence the idea of "ports". Ports are just a 16-bit number which "completes" the address. So, your program on system 1.2.3.4 wants to talk to the webserver running on 2.3.4.5. The webserver "binds" itself to port 80. This is an example of a "well known port". But how is the webserver to get data back to you? Your program needs a "port" of its own. But it can be any old number; it doesn't need to be well known, so it just tells the OS "I need a port", the OS finds one not in use, and your program is "bound" to that port. Say it is port 3456.
So now we have all we need: 1.2.3.4:3456 can talk to 2.3.4.5:80,
and when the packets of data for port 80 arrive at 2.3.4.5, the OS delivers them to the webserver. And when the packets of data for port 3456 arrive back at your computer (1.2.3.4), your OS delivers them to your web browser.
Wherever you read that, it's wrong. The TCP implementation picks a random local port. Not the browser. There are 65535 TCP ports per IP address, and another 65535 UDP ports.
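The two answers above describe the OS handing out a local port and the (address, port) pairs that distinguish connections. As an added example that is not part of either answer, the script below does this for real on the loopback interface: the server binds to port 0 so the OS picks its port, two clients connect without ever calling bind(), and the endpoints are read back with getsockname(). All addresses and function names are the example's own.

```python
"""Added example: let the OS choose the ports and inspect the resulting
(address, port) pairs of two connections to one listening socket."""
import socket


def connect_two_clients():
    """Listen on an OS-chosen port, connect two clients that never call
    bind(), and return the endpoints of each resulting connection."""
    server = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    server.bind(("127.0.0.1", 0))        # port 0 = "give me any free port"
    server.listen(2)
    server_addr = server.getsockname()    # ('127.0.0.1', <port the OS picked>)

    clients, accepted = [], []
    try:
        for _ in range(2):
            c = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
            c.connect(server_addr)        # no bind(): the TCP stack picks the local port
            clients.append(c)
            conn, peer = server.accept()  # peer is the client's (addr, port)
            accepted.append((conn, peer))
        return [
            {
                "client": c.getsockname(),      # what the client thinks it is
                "server": server_addr,          # same for both connections
                "peer_seen_by_server": peer,    # must equal the client's view
            }
            for c, (_, peer) in zip(clients, accepted)
        ]
    finally:
        for conn, _ in accepted:
            conn.close()
        for c in clients:
            c.close()
        server.close()


if __name__ == "__main__":
    for entry in connect_two_clients():
        print("%s:%d -> %s:%d" % (entry["client"] + entry["server"]))
```

Both connections share the server's single port; they are told apart only by the client port the OS allocated, which is why a web server on port 80 can serve many clients at once.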

IPTables - block a port on a specific condition [closed]

Closed 8 years ago.
New to using iptables as I am, I have a question which I am hoping Stack Overflow can help with before I take the iptables man page and do something I regret...
I have an iptables rule which blocks incoming requests when a specific connection limit is reached:
iptables -A INPUT -p tcp --syn --dport 7000 -m connlimit --connlimit-above 3500 --connlimit-mask 0 -j REJECT
My question is, would it be possible to block ICMP (ping) responses when connections on port 7000 reach a certain limit?
Thanks in advance.
The answer is no. If you want to block ICMP, please use -p icmp instead of -p tcp.
There is one more thing to clarify: ICMP is a layer 3 protocol, but port numbers are defined at layer 4. So you will never find the concept of a port number with ICMP.
(You can check the ICMP packet format here: RFC 792)

How to determine the software used by the port 80 in windows? [closed]

Closed. This question is off-topic. It is not currently accepting answers.
Closed 10 years ago.
How do I find the software using port 80 in Windows?
If you are looking for something as simple as knowing whether a program is using a particular port on your computer, you can use the command netstat -b -a on Windows. If netstat is not enough, use TCPView.
You may need some network analysis tools. It is fairly common to use a tool (or combination of tools) that performs port scanning as well as packet sniffing. By analyzing the packets, you can determine what is being communicated.
EDIT: Possible duplicates:
How can you find out which process is listening on a port on Windows?
What port is a given program using?

iptables rules work only for me [closed]

Closed 8 years ago.
I need to block this IP, 188.43.64.80:
iptables -A OUTPUT -p ALL -d 188.43.64.80 -j DROP
This rule works for my local computer - I can't ping this IP.
But it's not working for the computers connected to me
- they can ping this IP.
How can I make this rule work in my network?
My network setup: Internet from eth0.
Network from wlan0.
It's in the OUTPUT chain, which only affects packets that this machine is outputting. You want to add a similar rule to the FORWARD chain which affects packets this machine is forwarding.

How to retrieve both TCP and UDP ports with Nmap? [closed]

Closed 9 years ago.
I need to retrieve both TCP and UDP ports in the same scan with Nmap, in the fastest way possible. I'll try to explain it better. If I use the most common command:
nmap 192.168.1.1
It retrieves ONLY TCP ports and it is really fast.
If I use the following command:
nmap -sU 192.168.1.1
It retrieves ONLY UDP ports and it is quite fast (well, not so fast, but still).
My question: is there a combination of the two commands? I tried:
nmap -sU -sS 192.168.1.1
nmap -sU -sT 192.168.1.1
But they are TERRIBLY slow.
I am using Nmap 5.51; any suggestion?
As you've seen, UDP scanning is slow, as open/filtered ports typically don't respond, so nmap has to time out and then retransmit, whilst closed ports send an ICMP port unreachable error, which systems typically rate limit.
You can add the -T switch to increase the speed of the scan, though this may reduce accuracy and make it easier to detect.
-T<0-5>: Set timing template (higher is faster)
-PN will turn off the ping scan element
You could also scan more hosts in parallel,
or reduce the number of ports you're scanning with the -p switch or --top-ports, which will scan the highest-ratio ports found in the nmap-services file.
If you were scanning multiple hosts, you could use --host-timeout to skip slow hosts.
Regarding TCP, -sS should be quicker than -sT.
HTH!
You didn't say how slow your scans get, but I think you would benefit from playing with the --min-parallelism option, which adjusts the minimum number of outstanding probes.
I'm seeing 70% reductions in scan time (compared with bare -sT -sU scans) like this. Note that it is possible to set --min-parallelism too high, such that the host (or network) cannot buffer this many queries simultaneously.
[mpenning@Hotcoffee]$ sudo nmap --min-parallelism 100 -sT -sU localhost
Starting Nmap 5.00 ( http://nmap.org ) at 2012-05-10 01:07 CDT
Interesting ports on localhost (127.0.0.1):
Not shown: 1978 closed ports
PORT STATE SERVICE
22/tcp open ssh
25/tcp open smtp
49/tcp open tacacs
53/tcp open domain
80/tcp open http
111/tcp open rpcbind
631/tcp open ipp
2003/tcp open finger
2004/tcp open mailbox
3389/tcp open ms-term-serv
5901/tcp open vnc-1
5910/tcp open unknown
6001/tcp open X11:1
7002/tcp open afs3-prserver
53/udp open|filtered domain
69/udp open|filtered tftp
111/udp open|filtered rpcbind
123/udp open|filtered ntp
161/udp open|filtered snmp
631/udp open|filtered ipp
1812/udp open|filtered radius
1813/udp open|filtered radacct
Nmap done: 1 IP address (1 host up) scanned in 1.54 seconds
[mpenning@Hotcoffee]$
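The listing above is Nmap's normal output, and the UDP rows it shows as open|filtered are precisely the "no response, wait for the timeout, retransmit" cases the first answer blames for the slowness. As an added example that is not part of either answer and not Nmap's own code, the script below parses that listing into records, counts the results per protocol, checks that shown plus not-shown ports add up to what was probed, and lists the unresolved UDP ports so a follow-up scan can be limited to them. The sample input is the listing from the answer above with the prompt lines omitted; the function names are the example's own.

```python
"""Added example: parse Nmap normal output and triage the unresolved UDP ports."""
import re
from collections import Counter

# Sample input: the scan listing from the answer above (prompt lines omitted).
NMAP_OUTPUT = """\
Starting Nmap 5.00 ( http://nmap.org ) at 2012-05-10 01:07 CDT
Interesting ports on localhost (127.0.0.1):
Not shown: 1978 closed ports
PORT STATE SERVICE
22/tcp open ssh
25/tcp open smtp
49/tcp open tacacs
53/tcp open domain
80/tcp open http
111/tcp open rpcbind
631/tcp open ipp
2003/tcp open finger
2004/tcp open mailbox
3389/tcp open ms-term-serv
5901/tcp open vnc-1
5910/tcp open unknown
6001/tcp open X11:1
7002/tcp open afs3-prserver
53/udp open|filtered domain
69/udp open|filtered tftp
111/udp open|filtered rpcbind
123/udp open|filtered ntp
161/udp open|filtered snmp
631/udp open|filtered ipp
1812/udp open|filtered radius
1813/udp open|filtered radacct
Nmap done: 1 IP address (1 host up) scanned in 1.54 seconds
"""

PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)$")
NOT_SHOWN_RE = re.compile(r"^Not shown: (\d+) (\S+) ports$")
DONE_RE = re.compile(r"\((\d+) hosts? up\) scanned in ([\d.]+) seconds")


def parse_nmap(text):
    """Turn one host's normal-output listing into a dictionary of records."""
    parsed = {"ports": [], "not_shown": 0, "not_shown_state": None,
              "hosts_up": 0, "seconds": None}
    for line in text.splitlines():
        line = line.strip()
        m = PORT_RE.match(line)
        if m:
            parsed["ports"].append({"port": int(m.group(1)), "proto": m.group(2),
                                    "state": m.group(3), "service": m.group(4)})
            continue
        m = NOT_SHOWN_RE.match(line)
        if m:
            parsed["not_shown"], parsed["not_shown_state"] = int(m.group(1)), m.group(2)
            continue
        m = DONE_RE.search(line)
        if m:
            parsed["hosts_up"], parsed["seconds"] = int(m.group(1)), float(m.group(2))
    return parsed


def summarize(parsed):
    """Per-protocol counts plus the total number of ports the scan probed
    (rows shown + the 'Not shown' count)."""
    by_state = Counter((p["proto"], p["state"]) for p in parsed["ports"])
    return {
        "tcp_open": by_state[("tcp", "open")],
        "udp_open_filtered": by_state[("udp", "open|filtered")],
        "ports_probed": len(parsed["ports"]) + parsed["not_shown"],
        "seconds": parsed["seconds"],
    }


def unresolved_udp(parsed):
    """UDP ports Nmap could not classify because nothing answered within the
    timeout: these are the rows that cost the scan its time, and the natural
    candidates for a narrower follow-up scan restricted to just these ports."""
    return sorted(p["port"] for p in parsed["ports"]
                  if p["proto"] == "udp" and p["state"] == "open|filtered")


if __name__ == "__main__":
    result = parse_nmap(NMAP_OUTPUT)
    print(summarize(result))
    print("unresolved UDP:", unresolved_udp(result))
```

On this listing the 22 rows plus the 1978 "Not shown" ports come to 2000, i.e. Nmap's default 1000 ports for each of TCP and UDP, which is a useful sanity check that the parser saw every row.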
