Basic communication // see the basics without many options: no name resolution (-n), absolute TCP sequence numbers (-S)
# tcpdump -nS

Basic communication (very verbose) // see a good amount of traffic, with verbosity (-vv) and no name resolution
# tcpdump -nnvvS

A deeper look at the traffic // adds -X for payload (hex and ASCII) but doesn’t grab any more of the packet
# tcpdump -nnvvXS

Heavy packet viewing // the final “s” sets the snaplength; 1514 bytes grabs a whole Ethernet frame
# tcpdump -nnvvXSs 1514

Recipes

host // look for traffic based on IP address (also works with hostname if you’re not using -n)
# tcpdump host 1.2.3.4

src, dst // find traffic from only a source or destination (eliminates one side of a host conversation)
# tcpdump src 2.3.4.5
# tcpdump dst 3.4.5.6

net // capture an entire network using CIDR notation
# tcpdump net 1.2.3.0/24

proto // works for tcp, udp, and icmp. Note that you don’t have to type proto
# tcpdump icmp

port // see only traffic to or from a certain port
# tcpdump port 3389

src, dst port // filter based on the source or destination port
# tcpdump src port 1025
# tcpdump dst port 3389
TCP traffic from 10.5.2.3 destined for port 3389:
# tcpdump tcp and src 10.5.2.3 and dst port 3389
Traffic originating from the 192.168 network headed for the 10 or 172.16 networks (and binds tighter than or, so the two destinations must be grouped; the quotes keep the parentheses away from the shell):
# tcpdump 'src net 192.168.0.0/16 and (dst net 10.0.0.0/8 or dst net 172.16.0.0/16)'
Non-ICMP traffic destined for 192.168.0.2 from the 172.16 network:
# tcpdump dst 192.168.0.2 and src net 172.16.0.0/16 and not icmp
Traffic originating from Mars or Pluto that isn’t to the SSH port (again, group the hosts so the port condition applies to both):
# tcpdump -vv '(src mars or src pluto) and not dst port 22'
Traffic that’s from 10.0.2.4 AND destined for ports 3389 or 22 (inside single quotes the parentheses need no backslashes):
# tcpdump 'src 10.0.2.4 and (dst port 3389 or 22)'
Show me all URG packets (tcp[13] is the TCP flags byte; each recipe below masks one flag bit):
# tcpdump 'tcp[13] & 32 != 0'
Show me all ACK packets:
# tcpdump 'tcp[13] & 16 != 0'
Show me all PSH packets:
# tcpdump 'tcp[13] & 8 != 0'
Show me all RST packets:
# tcpdump 'tcp[13] & 4 != 0'
Show me all SYN packets:
# tcpdump 'tcp[13] & 2 != 0'
Show me all FIN packets:
# tcpdump 'tcp[13] & 1 != 0'
Show me all SYN-ACK packets (exact match on the flags byte: SYN + ACK = 2 + 16 = 18 and no other flag set):
# tcpdump 'tcp[13] = 18'
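The bit arithmetic behind the tcp[13] recipes, as an added shell example that is not part of the original cheat sheet (the function names are my own). It generalizes the recipes to any combination of flags and shows the difference between the exact match the SYN-ACK recipe uses and a mask match that tolerates extra bits such as ECE/CWR.

```shell
#!/bin/sh
# Added example, not part of the original cheat sheet: the arithmetic behind the
# tcp[13] recipes above. Byte 13 of the TCP header is the flags byte; each flag
# is one bit (URG 32, ACK 16, PSH 8, RST 4, SYN 2, FIN 1), which is why
# 'tcp[13] & 2 != 0' matches SYN and 'tcp[13] = 18' matches SYN+ACK (16+2).

# tcp_flags_decode N: print the names of the flags set in flag-byte value N.
tcp_flags_decode() {
    n=$1
    out=""
    for pair in "1 FIN" "2 SYN" "4 RST" "8 PSH" "16 ACK" "32 URG"; do
        set -- $pair                        # $1 = bit value, $2 = flag name
        if [ $(( n & $1 )) -ne 0 ]; then
            out="${out:+$out }$2"
        fi
    done
    printf '%s\n' "$out"
}

# tcp_flags_filter MODE FLAG...: build the pcap filter expression for a set of
# flag names. MODE is one of:
#   any   - at least one of the flags is set      (tcp[13] & mask != 0)
#   exact - exactly these flags and nothing else  (tcp[13] = mask), the form the
#           SYN-ACK recipe uses; it misses SYN-ACKs that also carry ECE or CWR
#   all   - all of these flags, others don't care (tcp[13] & mask = mask)
tcp_flags_filter() {
    mode=$1
    shift
    mask=0
    for f in "$@"; do
        case $f in
            URG) bit=32 ;;  ACK) bit=16 ;;  PSH) bit=8 ;;
            RST) bit=4 ;;   SYN) bit=2 ;;   FIN) bit=1 ;;
            *) echo "unknown TCP flag: $f" >&2; return 1 ;;
        esac
        mask=$(( mask | bit ))
    done
    case $mode in
        any)   printf 'tcp[13] & %d != 0\n' "$mask" ;;
        exact) printf 'tcp[13] = %d\n' "$mask" ;;
        all)   printf 'tcp[13] & %d = %d\n' "$mask" "$mask" ;;
        *)     echo "mode must be any, exact or all" >&2; return 1 ;;
    esac
}

# Usage: hand the expression to tcpdump as one quoted argument, e.g.
#   tcpdump -nn "$(tcp_flags_filter all SYN ACK)"
tcp_flags_decode 18            # SYN ACK
tcp_flags_filter all SYN ACK   # tcp[13] & 18 = 18
```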
Display all IPv6 Traffic:
# tcpdump ip6