tcpdump

Posted on Edited on In Views: Symbols count in article: 2.2k Reading time ≈ 2 mins.
some common tcpdump usages

some common tcpdump cli

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
# Reading / Writing Captures to a File 
tcpdump port 80 -w capture_file 

# read PCAP files by using the -r switch 
tcpdump -r capture_file 

# port 2000 of any nic  
tcpdump -i any port 2000 –nn 

# Everything on an interface 
tcpdump -i eth0 

# Find Traffic by IP 
# One of the most common queries, using host, you can see traffic that’s going to or from 1.1.1.1. 
tcpdump host 1.1.1.1 

# Filtering by Source and/or Destination 
tcpdump src 1.1.1.1  
tcpdump dst 1.0.0.1 

# Finding Packets by Network 
tcpdump net 1.2.3.0/24 

# Get Packet Contents with Hex Output 
tcpdump -c 1 -X icmp 

# Show Traffic Related to a Specific Port 
tcpdump port 3389  
tcpdump src port 1025 

# Show Traffic of One Protocol 
tcpdump icmp 

# Show only IP6 Traffic 
tcpdump ip6 

# Find Traffic Using Port Ranges 
tcpdump portrange 21-23 

# Find Traffic Based on Packet Size 
tcpdump less 32  
tcpdump greater 64  
tcpdump <= 128 

# ==================================

# It’s All About the Combinations 

# ========= AND =========
# and or && 

# ========= OR ========= 
# or or || 

# ========= EXCEPT =========
# not or ! 

# From specific IP and destined for a specific Port 
# Let’s find all traffic from 10.5.2.3 going to any host on port 3389. 
tcpdump -nnvvS src 10.5.2.3 and dst port 3389 

# From One Network to Another 
# Let’s look for all traffic coming from 192.168.x.x and going to the 10.x or 172.16.x.x networks
# and we’re showing hex output with no hostname resolution and one level of extra verbosity. 
tcpdump -nvX src net 192.168.0.0/16 and dst net 10.0.0.0/8 or 172.16.0.0/16 

# Non ICMP Traffic Going to a Specific IP 
# This will show us all traffic going to 192.168.0.2 that is not ICMP. 
tcpdump dst 192.168.0.2 && src ! icmp 
tcpdump dst 192.168.0.2 and src not icmp

# catch packages from(to) eth0 or eth1
tcpdump -vi eth0 || eth1 -w tmp.pcap

Advanced

match MAC address & VLAN

  • ether host - capture packets sent from and to
  • ether src - capture packets sent from
  • ether dst - capture packets sent to
  • vlan - match

match protocol

Match protocols in L3 header:

  • ip proto - PROTO: icmp, icmp6, igmp, igrp, pim, ah, esp, vrrp, udp, or tcp

Follow are abbreviations:

  • icmp = proto icmp
  • tcp = proto tcp
  • udp = proto udp

Match protocols in L2 header:

  • ether proto - PROTO: ip, ip6, arp, rarp, atalk, aarp, decnet, sca, lat, mopdl, moprc, iso, stp, ipx, or netbeui

Follow are abbreviations:

  • ip = ether proto ip
  • ip6 = ether proto ip6
  • arp = ether proto arp
  • rarp = ether proto rarp
1
2
tcpdump -i eth0 arp
tcpdump -i eth0 icmp