tcpdump
Filter Examples
Check out tcpdump - Tutorial for many usage examples!
# Filter port
tcpdump port 80
tcpdump src port 1025
tcpdump dst port 389
tcpdump portrange 21-23
# Filter source or destination IP
tcpdump src 10.0.0.1
tcpdump dst 10.0.0.2
# Filter everything on network
tcpdump net 1.2.3.0/24
# Logical operators (and, or, not)
tcpdump src port 1025 and tcp
# Full hex dump of captured HTTP packets (-s0 disables snaplen truncation)
tcpdump -s0 -x port 80
# Filter on TCP flags (e.g. RST): tcp[13] is the flags byte, bit 0x04 is RST
tcpdump 'tcp[13] & 4!=0'
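The filters above are easiest to understand once you see what tcpdump actually checks in the packet bytes. The following is an added example (not part of the original cheat sheet and not tcpdump's own code): a small Python evaluator that applies `port`, `src`/`dst`, `tcp`/`udp`, `and`/`or` and the byte-offset test `tcp[13] & 4 != 0` to constructed IPv4 packets. All packets, addresses and ports are made up for the demonstration. It also shows the pitfall tcpdump avoids: `tcp[13]` is counted from the start of the TCP header, which tcpdump locates via the IP header length (IHL), so a fixed offset of 20+13 breaks as soon as IP options are present.

```python
"""Evaluate tcpdump-style filters over constructed IPv4 packets (added example)."""
import ipaddress
import struct

PROTO_TCP, PROTO_UDP = 6, 17
TCP_FLAG_RST = 0x04          # bit tested by the filter 'tcp[13] & 4 != 0'


def build_ipv4(src, dst, proto, payload, options=b""):
    """Minimal IPv4 header (checksum left zero) followed by payload.
    Options lengthen the header so IHL > 5, the case that matters for tcp[N]."""
    assert len(options) % 4 == 0
    ihl = 5 + len(options) // 4
    total = 20 + len(options) + len(payload)
    hdr = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0, total, 0, 0, 64, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return hdr + options + payload


def build_tcp(sport, dport, flags):
    """Minimal 20-byte TCP header; the flags byte is at TCP offset 13."""
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 0, 0, 0)


def build_udp(sport, dport, data=b""):
    return struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data


def parse(pkt):
    """Extract what the filters need; l4 starts where IHL says the TCP/UDP header begins."""
    ihl = (pkt[0] & 0x0F) * 4
    l4 = pkt[ihl:]
    sport, dport = struct.unpack("!HH", l4[:4])
    return {"src": str(ipaddress.IPv4Address(pkt[12:16])),
            "dst": str(ipaddress.IPv4Address(pkt[16:20])),
            "proto": pkt[9], "sport": sport, "dport": dport, "l4": l4}


# Predicates mirroring tcpdump primitives; each takes the parsed packet.
def f_port(n):       return lambda p: n in (p["sport"], p["dport"])
def f_src_port(n):   return lambda p: p["sport"] == n
def f_dst_port(n):   return lambda p: p["dport"] == n
def f_src(h):        return lambda p: p["src"] == h
def f_dst(h):        return lambda p: p["dst"] == h
def f_tcp():         return lambda p: p["proto"] == PROTO_TCP
def f_udp():         return lambda p: p["proto"] == PROTO_UDP
def f_and(*fs):      return lambda p: all(f(p) for f in fs)
def f_or(*fs):       return lambda p: any(f(p) for f in fs)
def f_not(f):        return lambda p: not f(p)


def tcp_byte(offset, mask):
    """'tcp[offset] & mask != 0': the offset is relative to the TCP header start."""
    return lambda p: p["proto"] == PROTO_TCP and (p["l4"][offset] & mask) != 0


def apply_filter(pred, packets):
    """Return the indices of packets matching the predicate (like tcpdump's output order)."""
    return [i for i, pkt in enumerate(packets) if pred(parse(pkt))]


def naive_rst(packets):
    """Pitfall: assuming a 20-byte IP header and reading byte 33 misses RSTs on
    packets that carry IP options, because the TCP header starts later."""
    return [i for i, pkt in enumerate(packets)
            if pkt[9] == PROTO_TCP and (pkt[20 + 13] & TCP_FLAG_RST) != 0]


# Constructed sample traffic (not captured data): index 1 carries 8 bytes of NOP
# IP options so its TCP header starts at offset 28 rather than 20.
SAMPLE = [
    build_ipv4("10.0.0.1", "10.0.0.2", PROTO_TCP, build_tcp(1025, 80, 0x02)),       # SYN
    build_ipv4("10.0.0.2", "10.0.0.1", PROTO_TCP, build_tcp(80, 1025, 0x14),
               options=b"\x01" * 8),                                                # RST|ACK
    build_ipv4("10.0.0.3", "255.255.255.255", PROTO_UDP, build_udp(68, 67)),        # DHCP
    build_ipv4("10.0.0.1", "10.0.0.2", PROTO_TCP, build_tcp(2000, 389, 0x10)),      # ACK
]

if __name__ == "__main__":
    print("port 80           ->", apply_filter(f_port(80), SAMPLE))
    print("src port 1025 and tcp ->", apply_filter(f_and(f_src_port(1025), f_tcp()), SAMPLE))
    print("tcp[13] & 4 != 0  ->", apply_filter(tcp_byte(13, TCP_FLAG_RST), SAMPLE))
    print("port 67 or 68     ->", apply_filter(f_or(f_port(67), f_port(68)), SAMPLE))
    print("naive byte-33 RST ->", naive_rst(SAMPLE))
```

Running the script shows the RST filter matching only packet 1 while the fixed-offset version matches nothing, which is exactly why tcpdump's `tcp[13]` is defined relative to the TCP header rather than to the packet start.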
Verbose Trace
Be verbose and print hex dumps of up to 1500 bytes per packet:
tcpdump -i eth0 -nN -vvv -xX -s 1500 port <some port>
Non-promiscuous mode
tcpdump -p ...   # -p keeps the interface out of promiscuous mode (-e would print the link-layer header instead)
Packet sniffing with tcpdump
General options
Task | Option |
---|---|
Write packets to file (1) | -w FILE |
Read from specified interface | -i IFACE |
Don’t resolve addresses to names | -n |
Don’t resolve addresses or port numbers | -nn |
Verbose output | -v , -vv , -vvv |
(1) This saved file (.pcap extension is customary) can then be imported in Wireshark for further study.
Basic usage examples
Task | Command |
---|---|
List available network interfaces | tcpdump -D |
Packets to/from HOST | tcpdump host HOST |
Packets to HOST | tcpdump dst HOST |
Packets from HOST | tcpdump src HOST |
Packets to/from PORT | tcpdump port PORT |
Ping (echo request/reply) | tcpdump icmp |
Only UDP traffic | tcpdump udp |
Advanced usage examples
- Capture traffic on a remote server with tcpdump, pipe to Wireshark:
ssh root@remotesystem 'tcpdump -s0 -c 1000 -nn -w - not port 22' | wireshark -k -i -
- Capture FTP credentials and commands:
sudo tcpdump -nn -v port ftp or ftp-data
- Monitor DHCP request and reply:
sudo tcpdump -v -n port 67 or 68