Tcpdump – how to Dump network traffic

DESCRIPTION

Tcpdump prints out a description of the contents of packets on a network interface that match the boolean expression. It can also be run with the -w flag, which causes it to save the packet data to a file for later analysis, and/or with the -r flag, which causes it to read from a saved packet file rather than to read packets from a network interface. In all cases, only packets that match expression will be processed by tcpdump.

- We connected two machines back-to-back (B2B) and will use ICMP as a test protocol.
- We will ping from (malaa-NOOR.local) to (debian-test2-3.local) and run tcpdump on (debian-test2-3.local).

root@malaa-NOOR:~# ping 192.168.0.227 -c 2
PING 192.168.0.227 (192.168.0.227) 56(84) bytes of data.
64 bytes from 192.168.0.227: icmp_req=1 ttl=64 time=0.421 ms
64 bytes from 192.168.0.227: icmp_req=2 ttl=64 time=0.385 ms

--- 192.168.0.227 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 999ms
rtt min/avg/max/mdev = 0.385/0.403/0.421/0.018 ms
root@malaa-NOOR:~#  

-i    Listen on interface. If unspecified, tcpdump searches the system interface list for the lowest numbered, configured up interface (excluding loopback).

 

 

root@debian-test2:~# tcpdump icmp
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
16:59:50.828717 IP malaa-NOOR.local > debian-test2-3.local: ICMP echo request, id 7558, seq 1, length 64
16:59:50.828749 IP debian-test2-3.local > malaa-NOOR.local: ICMP echo reply, id 7558, seq 1, length 64
16:59:51.828315 IP malaa-NOOR.local > debian-test2-3.local: ICMP echo request, id 7558, seq 2, length 64
16:59:51.828344 IP debian-test2-3.local > malaa-NOOR.local: ICMP echo reply, id 7558, seq 2, length 64
^C
4 packets captured
6 packets received by filter
0 packets dropped by kernel
root@debian-test2:~#

root@debian-test2:~# tcpdump icmp -i eth0
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
16:24:58.714197 IP malaa-NOOR.local > debian-test2-3.local: ICMP echo request, id 7392, seq 1, length 64
16:24:58.714223 IP debian-test2-3.local > malaa-NOOR.local: ICMP echo reply, id 7392, seq 1, length 64
16:24:59.713493 IP malaa-NOOR.local > debian-test2-3.local: ICMP echo request, id 7392, seq 2, length 64
16:24:59.713517 IP debian-test2-3.local > malaa-NOOR.local: ICMP echo reply, id 7392, seq 2, length 64
^C
4 packets captured
4 packets received by filter
0 packets dropped by kernel
root@debian-test2:~#


-n   
Don't convert addresses (i.e., host addresses, port numbers, etc.) to names.

 

root@debian-test2:~# tcpdump -n icmp -i eth0
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
16:26:46.171804 IP 192.168.0.198 > 192.168.0.227: ICMP echo request, id 7404, seq 1, length 64
16:26:46.171846 IP 192.168.0.227 > 192.168.0.198: ICMP echo reply, id 7404, seq 1, length 64
16:26:47.171981 IP 192.168.0.198 > 192.168.0.227: ICMP echo request, id 7404, seq 2, length 64
16:26:47.172009 IP 192.168.0.227 > 192.168.0.198: ICMP echo reply, id 7404, seq 2, length 64
^C
4 packets captured
4 packets received by filter
0 packets dropped by kernel
root@debian-test2:~#


-v   
When parsing and printing, produce (slightly more) verbose output. For example, the time to live, identification, total length and options in an IP packet are printed. Also enables additional packet integrity checks such as verifying the IP and ICMP header checksum.

 

root@debian-test2:~# tcpdump -n -v icmp -i eth0
tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
16:31:50.043213 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto ICMP (1), length 84)
    192.168.0.198 > 192.168.0.227: ICMP echo request, id 7430, seq 1, length 64
16:31:50.043242 IP (tos 0x0, ttl 64, id 60673, offset 0, flags [none], proto ICMP (1), length 84)
    192.168.0.227 > 192.168.0.198: ICMP echo reply, id 7430, seq 1, length 64
16:31:51.043532 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto ICMP (1), length 84)
    192.168.0.198 > 192.168.0.227: ICMP echo request, id 7430, seq 2, length 64
16:31:51.043561 IP (tos 0x0, ttl 64, id 60674, offset 0, flags [none], proto ICMP (1), length 84)
    192.168.0.227 > 192.168.0.198: ICMP echo reply, id 7430, seq 2, length 64
^C
4 packets captured
4 packets received by filter
0 packets dropped by kernel
root@debian-test2:~#


-vv   
Even more verbose output. For example, additional fields are printed from NFS reply packets, and SMB packets are fully decoded.

-vvv    Even more verbose output. For example, telnet SB ... SE options are printed in full. With -X Telnet options are printed in hex as well.

root@debian-test2:~# tcpdump -n -vv icmp -i eth0
tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
16:34:11.322908 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto ICMP (1), length 84)
    192.168.0.198 > 192.168.0.227: ICMP echo request, id 7439, seq 1, length 64
16:34:11.322941 IP (tos 0x0, ttl 64, id 60677, offset 0, flags [none], proto ICMP (1), length 84)
    192.168.0.227 > 192.168.0.198: ICMP echo reply, id 7439, seq 1, length 64
16:34:12.322131 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto ICMP (1), length 84)
    192.168.0.198 > 192.168.0.227: ICMP echo request, id 7439, seq 2, length 64
16:34:12.322164 IP (tos 0x0, ttl 64, id 60678, offset 0, flags [none], proto ICMP (1), length 84)
    192.168.0.227 > 192.168.0.198: ICMP echo reply, id 7439, seq 2, length 64
^C
4 packets captured
4 packets received by filter
0 packets dropped by kernel
root@debian-test2:~#

-e    Print the link-level header on each dump line.

 

root@debian-test2:~# tcpdump -n -vv -e icmp -i eth0
tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
16:35:49.567369 44:37:e6:6d:0d:f0 > 08:00:27:66:75:b7, ethertype IPv4 (0x0800), length 98: (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto ICMP (1), length 84)
    192.168.0.198 > 192.168.0.227: ICMP echo request, id 7455, seq 1, length 64
16:35:49.567404 08:00:27:66:75:b7 > 44:37:e6:6d:0d:f0, ethertype IPv4 (0x0800), length 98: (tos 0x0, ttl 64, id 60679, offset 0, flags [none], proto ICMP (1), length 84)
    192.168.0.227 > 192.168.0.198: ICMP echo reply, id 7455, seq 1, length 64
16:35:50.566665 44:37:e6:6d:0d:f0 > 08:00:27:66:75:b7, ethertype IPv4 (0x0800), length 98: (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto ICMP (1), length 84)
    192.168.0.198 > 192.168.0.227: ICMP echo request, id 7455, seq 2, length 64
16:35:50.566696 08:00:27:66:75:b7 > 44:37:e6:6d:0d:f0, ethertype IPv4 (0x0800), length 98: (tos 0x0, ttl 64, id 60680, offset 0, flags [none], proto ICMP (1), length 84)
    192.168.0.227 > 192.168.0.198: ICMP echo reply, id 7455, seq 2, length 64
^C
4 packets captured
4 packets received by filter
0 packets dropped by kernel
root@debian-test2:~#


-c   
Exit after receiving count packets.

 

root@debian-test2:~# tcpdump -vv -n icmp -i eth0 -c 2
tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
16:23:12.175875 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto ICMP (1), length 84)
    192.168.0.198 > 192.168.0.227: ICMP echo request, id 7387, seq 1, length 64
16:23:12.175920 IP (tos 0x0, ttl 64, id 60664, offset 0, flags [none], proto ICMP (1), length 84)
    192.168.0.227 > 192.168.0.198: ICMP echo reply, id 7387, seq 1, length 64
2 packets captured
2 packets received by filter
0 packets dropped by kernel
root@debian-test2:~#


-w   
Write the raw packets to file rather than parsing and printing them out. They can later be printed with the -r option. Standard output is used if file is ``-''.

 

root@debian-test2:~# tcpdump -vv -n icmp -i eth0 -w malaa.cap
tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
^C8 packets captured
9 packets received by filter
0 packets dropped by kernel
root@debian-test2:~#


- You can find below the output file.

 

root@debian-test2:~# ls -l | grep malaa
-rw-r--r-- 1 root root  936 Aug 28 15:39 malaa.cap
root@debian-test2:~#


-C   
Before writing a raw packet to a savefile, check whether the file is currently larger than file_size and, if so, close the current savefile and open a new one. Savefiles after the first savefile will have the name specified with the -w flag, with a number after it, starting at 1 and continuing upward. The units of file_size are millions of bytes (1,000,000 bytes, not 1,048,576 bytes).

 

root@debian-test2:~# tcpdump -vv -n icmp -i eth0 -w malaa.cap -C 20
tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
^C4 packets captured
4 packets received by filter
0 packets dropped by kernel
root@debian-test2:~#


-F   
Use file as input for the filter expression. An additional expression given on the command line is ignored.

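- We created the file below using nano and added the exact MAC addresses we need to sniff or monitor. Because -F takes the filter from the file, the icmp expression on the tcpdump command line further down is ignored and only the MAC filter applies.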

 

------------------------------------------------------------------------------------------------------
  GNU nano 2.2.4                                    File: MAC-Filter.txt                 Modified 

# you can add as many "or ether host MAC-ADDRESS" as needed

ether host 44:37:e6:6d:0d:f0 or ether host 08:00:27:66:75:b7
------------------------------------------------------------------------------------------------------

root@debian-test2:~# cat MAC-Filter.txt
# you can add as many "or ether host MAC-ADDRESS" as needed

ether host 44:37:e6:6d:0d:f0 or ether host 08:00:27:66:75:b7
root@debian-test2:~#

root@debian-test2:~# tcpdump -vv -n icmp -i eth0 -w malaa.cap -F MAC-Filter.txt
tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
^C29 packets captured
29 packets received by filter
0 packets dropped by kernel
root@debian-test2:~#


-r   
Read packets from file (which was created with the -w option). Standard input is used if file is ``-''.

 

root@debian-test2:~# tcpdump -r malaa.cap
reading from file malaa.cap, link-type EN10MB (Ethernet)
16:56:33.129501 IP malaa-NOOR.local > debian-test2-3.local: ICMP echo request, id 7545, seq 1, length 64
16:56:33.129547 IP debian-test2-3.local > malaa-NOOR.local: ICMP echo reply, id 7545, seq 1, length 64
16:56:34.128615 IP malaa-NOOR.local > debian-test2-3.local: ICMP echo request, id 7545, seq 2, length 64
16:56:34.128650 IP debian-test2-3.local > malaa-NOOR.local: ICMP echo reply, id 7545, seq 2, length 64
root@debian-test2:~#

root@debian-test2:~# tcpdump -n -r malaa.cap
reading from file malaa.cap, link-type EN10MB (Ethernet)
16:56:33.129501 IP 192.168.0.198 > 192.168.0.227: ICMP echo request, id 7545, seq 1, length 64
16:56:33.129547 IP 192.168.0.227 > 192.168.0.198: ICMP echo reply, id 7545, seq 1, length 64
16:56:34.128615 IP 192.168.0.198 > 192.168.0.227: ICMP echo request, id 7545, seq 2, length 64
16:56:34.128650 IP 192.168.0.227 > 192.168.0.198: ICMP echo reply, id 7545, seq 2, length 64
root@debian-test2:~#

root@debian-test2:~# tcpdump -e -r malaa.cap
reading from file malaa.cap, link-type EN10MB (Ethernet)
15:38:59.054832 44:37:e6:6d:0d:f0 (oui Unknown) > 08:00:27:66:75:b7 (oui Unknown), ethertype IPv4 (0x0800), length 98: malaa-NOOR.local > debian-test2-3.local: ICMP echo request, id 7174, seq 1, length 64
15:38:59.054872 08:00:27:66:75:b7 (oui Unknown) > 44:37:e6:6d:0d:f0 (oui Unknown), ethertype IPv4 (0x0800), length 98: debian-test2-3.local > malaa-NOOR.local: ICMP echo reply, id 7174, seq 1, length 64
15:39:00.053514 44:37:e6:6d:0d:f0 (oui Unknown) > 08:00:27:66:75:b7 (oui Unknown), ethertype IPv4 (0x0800), length 98: malaa-NOOR.local > debian-test2-3.local: ICMP echo request, id 7174, seq 2, length 64
15:39:00.053538 08:00:27:66:75:b7 (oui Unknown) > 44:37:e6:6d:0d:f0 (oui Unknown), ethertype IPv4 (0x0800), length 98: debian-test2-3.local > malaa-NOOR.local: ICMP echo reply, id 7174, seq 2, length 64
root@debian-test2:~#

root@debian-test2:~# tcpdump -n -e -r malaa.cap
reading from file malaa.cap, link-type EN10MB (Ethernet)
15:38:59.054832 44:37:e6:6d:0d:f0 > 08:00:27:66:75:b7, ethertype IPv4 (0x0800), length 98: 192.168.0.198 > 192.168.0.227: ICMP echo request, id 7174, seq 1, length 64
15:38:59.054872 08:00:27:66:75:b7 > 44:37:e6:6d:0d:f0, ethertype IPv4 (0x0800), length 98: 192.168.0.227 > 192.168.0.198: ICMP echo reply, id 7174, seq 1, length 64
15:39:00.053514 44:37:e6:6d:0d:f0 > 08:00:27:66:75:b7, ethertype IPv4 (0x0800), length 98: 192.168.0.198 > 192.168.0.227: ICMP echo request, id 7174, seq 2, length 64
15:39:00.053538 08:00:27:66:75:b7 > 44:37:e6:6d:0d:f0, ethertype IPv4 (0x0800), length 98: 192.168.0.227 > 192.168.0.198: ICMP echo reply, id 7174, seq 2, length 64
root@debian-test2:~#

root@debian-test2:~# tcpdump -e -n ether host 44:37:e6:6d:0d:f0 -r malaa.cap
reading from file malaa.cap, link-type EN10MB (Ethernet)
15:38:59.054832 44:37:e6:6d:0d:f0 > 08:00:27:66:75:b7, ethertype IPv4 (0x0800), length 98: 192.168.0.198 > 192.168.0.227: ICMP echo request, id 7174, seq 1, length 64
15:38:59.054872 08:00:27:66:75:b7 > 44:37:e6:6d:0d:f0, ethertype IPv4 (0x0800), length 98: 192.168.0.227 > 192.168.0.198: ICMP echo reply, id 7174, seq 1, length 64
15:39:00.053514 44:37:e6:6d:0d:f0 > 08:00:27:66:75:b7, ethertype IPv4 (0x0800), length 98: 192.168.0.198 > 192.168.0.227: ICMP echo request, id 7174, seq 2, length 64
15:39:00.053538 08:00:27:66:75:b7 > 44:37:e6:6d:0d:f0, ethertype IPv4 (0x0800), length 98: 192.168.0.227 > 192.168.0.198: ICMP echo reply, id 7174, seq 2, length 64
root@debian-test2:~#


#############################################################################################

######## Sniffing PPPoE layer 2 packets like LCP frames ########

EtherType is a two-octet field in an Ethernet frame. It indicates which protocol is encapsulated in the payload of the frame. This field was first defined by the Ethernet II framing standard and later adapted for the IEEE 802.3 Ethernet standard.
EtherType numbering generally starts from 0x0800. In modern implementations of Ethernet, the same field can also be used to represent the size of the payload of the Ethernet frame.

0x8863 PPPoE Discovery Stage
0x8864 PPPoE Session Stage

If you want to watch the PPPoE packets, use the following tcpdump commands:

> tcpdump -i eth0 -n ether proto 0x8863 '||' ether proto 0x8864

We will run tcpdump on eth0 to look at PADI, PADO, PADR, PADS and PADT, and should see the result below.

 

root@debian-test2:~# tcpdump -i eth0 -n ether proto 0x8863 '||' ether proto 0x8864
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
12:47:25.173507 PPPoE PADI [Service-Name] [Host-Uniq 0xCF0A0000]
12:47:25.173609 PPPoE PADO [AC-Name "nzhmlbld06l"] [Service-Name] [AC-Cookie 0x18F0FDB21859639108D61444C8A611F4D2080000] [Host-Uniq 0xCF0A0000]
12:47:25.173661 PPPoE PADO [AC-Name "isp"] [Service-Name] [AC-Cookie 0xF07AE7E13B3BDFACCCE03C14A0A60C7D49090000] [Host-Uniq 0xCF0A0000]
12:47:25.173777 PPPoE PADR [Service-Name] [Host-Uniq 0xCF0A0000] [AC-Cookie 0x18F0FDB21859639108D61444C8A611F4D2080000]
12:47:25.174239 PPPoE PADS [ses 0xa] [Service-Name] [Host-Uniq 0xCF0A0000]
12:47:25.174929 PPPoE  [ses 0xa] LCP, Conf-Request (0x01), id 1, length 21
12:47:26.180431 PPPoE  [ses 0xa] LCP, Conf-Request (0x01), id 1, length 16
12:47:26.180676 PPPoE  [ses 0xa] LCP, Conf-Ack (0x02), id 1, length 16
12:47:28.177393 PPPoE  [ses 0xa] LCP, Conf-Request (0x01), id 1, length 21
12:47:28.179020 PPPoE  [ses 0xa] LCP, Conf-Reject (0x04), id 1, length 11
12:47:28.179295 PPPoE  [ses 0xa] LCP, Conf-Request (0x01), id 2, length 16
12:47:28.181036 PPPoE  [ses 0xa] LCP, Conf-Ack (0x02), id 2, length 16
12:47:28.181045 PPPoE  [ses 0xa] LCP, Echo-Request (0x09), id 0, length 10
12:47:28.181464 PPPoE  [ses 0xa] LCP, Echo-Request (0x09), id 0, length 10
12:47:28.181638 PPPoE  [ses 0xa] LCP, Term-Request (0x05), id 3, length 34
12:47:28.182984 PPPoE  [ses 0xa] LCP, Echo-Reply (0x0a), id 0, length 10
12:47:28.182992 PPPoE  [ses 0xa] LCP, Term-Ack (0x06), id 3, length 6
12:47:31.217784 PPPoE PADT [ses 0xa] [Generic-Error "RP-PPPoE: Child pppd process terminated"]

> tcpdump -i eth0 ether[0x0c:2] == 0x8863 or ether[0x0c:2] == 0x8864

will show you PPPoE packets. 8863 is the EtherType for Active Discovery and 8864 is the EtherType for PPPoE sessions.

 

root@malaa-NOOR:~# tcpdump -i eth0 ether[0x0c:2] == 0x8863 or ether[0x0c:2] == 0x8864
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
^C
0 packets captured
0 packets received by filter
0 packets dropped by kernel
root@malaa-NOOR:~#

root@debian-test2:~#  tcpdump pppoes -i eth0
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
PPPoE  [ses 0xd5f] LCP, Conf-Request (0x01), id 1, length 16
PPPoE  [ses 0xd5f] LCP, Conf-Request (0x01), id 233, length 21
PPPoE  [ses 0xd5f] LCP, Conf-Ack (0x02), id 1, length 16
PPPoE  [ses 0xd5f] LCP, Conf-Ack (0x02), id 233, length 21
PPPoE  [ses 0xd5f] LCP, Echo-Request (0x09), id 0, length 10
PPPoE  [ses 0xd5f] CHAP, Challenge (0x01), id 1, Value 596b047f0ae432c659d3fa87664b9876, Name a919-arb01
PPPoE  [ses 0xd5f] CHAP, Response (0x02), id 1, Value c9cf76a0089b655f54fd5433ad34420b, Name EXAMPLE@example
PPPoE  [ses 0xd5f] LCP, Echo-Reply (0x0a), id 0, length 10
PPPoE  [ses 0xd5f] CHAP, Success (0x03), id 1, Msg CHAP authentication success, unit 8020
PPPoE  [ses 0xd5f] IPCP, Conf-Request (0x01), id 29, length 12
PPPoE  [ses 0xd5f] IPCP, Conf-Request (0x01), id 1, length 12
PPPoE  [ses 0xd5f] IPCP, Conf-Ack (0x02), id 29, length 12
PPPoE  [ses 0xd5f] IPCP, Conf-Nack (0x03), id 1, length 12
PPPoE  [ses 0xd5f] IPCP, Conf-Request (0x01), id 2, length 12
PPPoE  [ses 0xd5f] IPCP, Conf-Ack (0x02), id 2, length 12
PPPoE  [ses 0xd5f] LCP, Echo-Request (0x09), id 0, length 10
PPPoE  [ses 0xd5f] LCP, Echo-Reply (0x0a), id 0, length 10

root@malaa-NOOR:~# tcpdump -vv -n -e pppoes -i eth0
tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
^C
0 packets captured
0 packets received by filter
0 packets dropped by kernel
root@malaa-NOOR:~#


#############################################################################################

Filter on encapsulated content (ICMP within PPPoE)

Capturing packets from a PPPoE session: for example, we mirror a link that connects an xDSL modem and a home PC or router. Mirrored packets are Ethernet frames with PPPoE/IP packets encapsulated. In the following example, we are looking for ICMP packets in PPPoE frames. A simple command like

# tcpdump -v -n icmp

will not produce the expected results, because the packets we monitor are encapsulated in PPPoE frames, so tcpdump can't locate IP protocol == ICMP at the normal offset in an Ethernet frame. We must therefore take into account the additional headers: 14 bytes for Ethernet and 8 bytes for PPPoE. The IP protocol field is located at offset 9 in the IP header, which gives us offset 31 in the mirrored Ethernet frame. Therefore, ICMP packets (protocol 1) are captured with

# tcpdump -v -n ether[31] = 1

root@debian-test2:~# tcpdump -v -n ether[31] = 1
tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
12:42:33.751713 unknown STP version, length 67
12:42:36.884914 ARP, Ethernet (len 6), IPv4 (len 4), Reply 192.168.0.1 is-at 00:21:55d:29:e0, length 46
12:42:46.607865 unknown STP version, length 67
12:42:59.864181 unknown STP version, length 67
12:43:12.570469 unknown STP version, length 67
^C
5 packets captured
6 packets received by filter
0 packets dropped by kernel
root@debian-test2:~#

root@malaa-NOOR:~# tcpdump -vv -e -n ether[31] = 1
tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
23:33:57.782950 00:21:55d:29:e0 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: Ethernet (len 6), IPv4 (len 4), Request who-has 192.168.0.69 tell 192.168.0.1, length 46
23:33:59.621120 00:21:55d:29:e0 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: Ethernet (len 6), IPv4 (len 4), Request who-has 192.168.0.174 tell 192.168.0.1, length 46
23:34:00.995243 00:21:55d:29:e0 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: Ethernet (len 6), IPv4 (len 4), Request who-has 192.168.0.210 tell 192.168.0.1, length 46
23:34:01.788132 2c:41:383:3d:14 > 01:80:c2:00:00:21, 802.3, length 84: LLC, dsap STP (0x42) Individual, ssap STP (0x42) Command, ctrl 0x03: unknown STP version, length 67
23:34:02.782481 00:21:55d:29:e0 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: Ethernet (len 6), IPv4 (len 4), Request who-has 192.168.0.69 tell 192.168.0.1, length 46
^C
5 packets captured
5 packets received by filter
0 packets dropped by kernel
root@malaa-NOOR:~#
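
The two captures above ran on a link without PPPoE traffic, yet ether[31] = 1 still matched ARP frames: in an ARP packet, byte 31 is the last octet of the sender IP, which is 1 for 192.168.0.1. The following added example (not part of the original page) builds constructed frames and compares the page's offset test with a stricter variant that also checks the EtherType (0x8864) and the PPP protocol field (0x0021 for IPv4); the stricter expression, the gateway MAC and the sample frames are assumptions made for illustration.

```python
import socket
import struct

ETH_IPV4, ETH_ARP, ETH_PPPOE_SESSION = 0x0800, 0x0806, 0x8864
PPP_IPV4 = 0x0021                      # PPP protocol number for IPv4
IPPROTO_ICMP, IPPROTO_TCP = 1, 6

def mac(text):
    return bytes.fromhex(text.replace(":", ""))

def ether(dst, src, ethertype, payload):
    return mac(dst) + mac(src) + struct.pack("!H", ethertype) + payload

def ipv4(proto, src, dst, payload):
    # 20-byte header without options; checksum left at 0, only offsets matter here
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto,
                       0, socket.inet_aton(src), socket.inet_aton(dst)) + payload

def pppoe_session(session_id, ppp_proto, payload):
    # 6-byte PPPoE header (ver/type 0x11, code 0) + 2-byte PPP protocol = 8 bytes
    return struct.pack("!BBHHH", 0x11, 0, session_id,
                       len(payload) + 2, ppp_proto) + payload

def arp_request(sender_mac, sender_ip, target_ip):
    return struct.pack("!HHBBH6s4s6s4s", 1, ETH_IPV4, 6, 4, 1, mac(sender_mac),
                       socket.inet_aton(sender_ip), bytes(6),
                       socket.inet_aton(target_ip))

def naive_filter(frame):
    """Same test as the page's filter: ether[31] = 1"""
    return len(frame) > 31 and frame[31] == 1

def strict_filter(frame):
    """ether proto 0x8864 and ether[20:2] = 0x0021 and ether[31] = 1"""
    if len(frame) <= 31:
        return False
    ethertype, = struct.unpack_from("!H", frame, 12)
    ppp_proto, = struct.unpack_from("!H", frame, 20)
    return (ethertype == ETH_PPPOE_SESSION and ppp_proto == PPP_IPV4
            and frame[31] == IPPROTO_ICMP)

PC, PEER = "44:37:e6:6d:0d:f0", "08:00:27:66:75:b7"    # MACs shown on the page
GW = "02:00:00:00:00:01"                               # constructed gateway MAC
A, B = "192.168.0.198", "192.168.0.227"
ECHO = struct.pack("!BBHHH", 8, 0, 0, 7558, 1)         # ICMP echo request, checksum 0

# Constructed sample frames (not taken from a real capture)
FRAMES = {
    "icmp_in_pppoe": ether(PEER, PC, ETH_PPPOE_SESSION,
                           pppoe_session(0xa, PPP_IPV4, ipv4(IPPROTO_ICMP, A, B, ECHO))),
    "tcp_in_pppoe": ether(PEER, PC, ETH_PPPOE_SESSION,
                          pppoe_session(0xa, PPP_IPV4, ipv4(IPPROTO_TCP, A, B, bytes(20)))),
    "arp_from_192.168.0.1": ether("ff:ff:ff:ff:ff:ff", GW, ETH_ARP,
                                  arp_request(GW, "192.168.0.1", "192.168.0.69")),
    "plain_icmp": ether(PEER, PC, ETH_IPV4, ipv4(IPPROTO_ICMP, A, B, ECHO)),
}

def evaluate(frames=FRAMES):
    """Return {name: (naive_match, strict_match)} for each frame."""
    return {name: (naive_filter(f), strict_filter(f)) for name, f in frames.items()}

if __name__ == "__main__":
    for name, (naive, strict) in evaluate().items():
        print(f"{name:22} ether[31]=1: {naive!s:5}  strict: {strict}")
```

Only the ICMP-in-PPPoE frame passes both tests; the ARP frame passes the bare offset test alone, which is the false positive seen in the captures above.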