Technotes

Technotes for future me

tcpdump

Filter Examples

Check out tcpdump - Tutorial for many usage examples!

    # Filter by port
    tcpdump port 80
    tcpdump src port 1025
    tcpdump dst port 389
    tcpdump portrange 21-23

    # Filter by source or destination IP
    tcpdump src 10.0.0.1
    tcpdump dst 10.0.0.2

    # Filter everything to or from a network
    tcpdump net 1.2.3.0/24

    # Logical operators
    tcpdump src port 1025 and tcp

    # Provide a full hex dump of captured HTTP packets (-s0 = no snaplen truncation)
    tcpdump -s0 -x port 80

    # Filter on TCP flags (byte 13 of the TCP header; e.g. RST = bit value 4)
    tcpdump 'tcp[13] & 4 != 0'
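To make the byte-offset filter above less magic, here is an added example (not part of the original notes) that decodes a constructed Ethernet/IPv4/TCP frame and evaluates the same conditions the filters express: src/dst host, net (CIDR), port or portrange, and 'tcp[13] & 4 != 0'. It goes slightly beyond the notes by handling all of these in one function; the frame bytes, addresses and ports are constructed sample values, and build_frame, parse and matches are hypothetical helper names.

```python
"""Decode a constructed Ethernet/IPv4/TCP frame and evaluate conditions
modelled on the tcpdump primitives host, net, port/portrange and tcp[13].
Added example; the packet contents below are constructed, not captured."""
import ipaddress
import struct

TCP_RST = 0x04  # the bit value used in the filter "tcp[13] & 4 != 0"
TCP_SYN = 0x02


def build_frame(src_ip, dst_ip, src_port, dst_port, flags):
    """Construct a minimal Ethernet -> IPv4 -> TCP frame (no options, zero checksums)."""
    eth = bytes(6) + bytes(6) + b"\x08\x00"          # dst MAC, src MAC, EtherType IPv4
    ip = struct.pack("!BBHHHBBH4s4s",
                     0x45, 0, 20 + 20, 0, 0, 64, 6, 0,  # version/IHL, TOS, total len, id, frag, TTL, proto=TCP, csum
                     bytes(map(int, src_ip.split("."))),
                     bytes(map(int, dst_ip.split("."))))
    tcp = struct.pack("!HHIIBBHHH",
                      src_port, dst_port, 0, 0,        # ports, seq, ack
                      5 << 4,                          # data offset = 5 words (20 bytes)
                      flags, 65535, 0, 0)              # flags, window, checksum, urgent ptr
    return eth + ip + tcp


def parse(frame):
    """Return the fields the cheat-sheet filters look at, or None if not IPv4."""
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != 0x0800:
        return None
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4                            # IPv4 header length in bytes
    info = {
        "proto": ip[9],
        "src": ".".join(map(str, ip[12:16])),
        "dst": ".".join(map(str, ip[16:20])),
    }
    if info["proto"] == 6:
        tcp = ip[ihl:]
        info["sport"], info["dport"] = struct.unpack("!HH", tcp[:4])
        # tcpdump's tcp[13] is byte 13 of the TCP header: the flags byte
        info["tcp13"] = tcp[13]
    return info


def matches(info, src=None, dst=None, net=None, port=None, tcp_flag_mask=None):
    """AND together the given conditions, mirroring 'src', 'dst', 'net',
    'port'/'portrange' (either direction) and 'tcp[13] & mask != 0'."""
    if src is not None and info["src"] != src:
        return False
    if dst is not None and info["dst"] != dst:
        return False
    if net is not None:
        n = ipaddress.ip_network(net)
        if not (ipaddress.ip_address(info["src"]) in n
                or ipaddress.ip_address(info["dst"]) in n):
            return False
    if port is not None:
        lo, hi = port if isinstance(port, tuple) else (port, port)
        ports = (info.get("sport"), info.get("dport"))
        if not any(p is not None and lo <= p <= hi for p in ports):
            return False
    if tcp_flag_mask is not None:
        if info["proto"] != 6 or info["tcp13"] & tcp_flag_mask == 0:
            return False
    return True


if __name__ == "__main__":
    # Constructed RST|ACK from 10.0.0.1:80 to 10.0.0.2:1025, as seen after a refused connection
    rst = parse(build_frame("10.0.0.1", "10.0.0.2", 80, 1025, TCP_RST | 0x10))
    print("tcp[13] & 4 != 0:", matches(rst, tcp_flag_mask=TCP_RST))   # True
    print("port 80 and src 10.0.0.1:", matches(rst, src="10.0.0.1", port=80))  # True
```

The point of the example is the offset: tcpdump does no TCP parsing for `tcp[13]`, it simply indexes 13 bytes into the transport header, which is exactly what parse() does with tcp[13]; the same byte holds SYN (2), FIN (1) and the other flag bits, so swapping the mask selects different handshake states.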

Verbose Trace

Be verbose and print hex/ASCII dumps with up to 1500 bytes captured per packet:

tcpdump -i eth0 -nN -vvv -xX -s 1500 port <some port>

Non-promiscuous mode (do not put the interface into promiscuous mode)

tcpdump -p ...

Packet sniffing with tcpdump

General options

Task                                       Option
Write packets to file (1)                  -w FILE
Read from specified interface              -i IFACE
Don't resolve addresses to names           -n
Don't resolve addresses or port numbers    -nn
Verbose output                             -v, -vv, -vvv

(1) The saved file (a .pcap extension is customary) can then be opened in Wireshark for further study.

Basic usage examples

Task                                  Command
List available network interfaces     tcpdump -D
Packets to/from HOST                  tcpdump host HOST
Packets to HOST                       tcpdump dst HOST
Packets from HOST                     tcpdump src HOST
Packets to/from PORT                  tcpdump port PORT
Ping (echo request/reply)             tcpdump icmp
Only UDP traffic                      tcpdump udp

Advanced usage examples

  • Capture traffic on a remote server with tcpdump and pipe it to a local Wireshark (-w - writes to stdout, -i - reads from stdin; the SSH session itself is excluded with not port 22):
    • ssh root@remotesystem 'tcpdump -s0 -c 1000 -nn -w - not port 22' | wireshark -k -i -
  • Capture FTP credentials and commands:
    • sudo tcpdump -nn -v port ftp or ftp-data
  • Monitor DHCP request and reply:
    • sudo tcpdump -v -n port 67 or 68
Last updated on 31 Jan 2021
Published on 25 Dec 2019