tcpdump - dump traffic on a network

tcpdump

Tcpdump prints out a description of the contents of packets on a network interface that match the given boolean filter expression.
Usage: tcpdump [-aAbdDefhHIJKlLnNOpqRStuUvxX#] [ -B size ] [ -c count ]
		[ -C file_size ] [ -E algo:secret ] [ -F file ] [ -G seconds ]
		[ -i interface ] [ -j tstamptype ] [ -M secret ] [ --number ]
		[ -Q in|out|inout ]
		[ -r file ] [ -s snaplen ] [ --time-stamp-precision precision ]
		[ --immediate-mode ] [ -T type ] [ --version ] [ -V file ]
		[ -w file ] [ -W filecount ] [ -y datalinktype ] [ -z command ]
		[ -Z user ] [ expression ]

    -i any : Listen on all interfaces just to see if you’re seeing any traffic.
    -i eth0 : Listen on the eth0 interface.
    -D : Show the list of available interfaces
    -n : Don’t resolve hostnames.
    -nn : Don’t resolve hostnames or port names.
    -q : Be less verbose (more quiet) with your output.
    -X : Show the packet’s contents in both hex and ASCII.
    -XX : Same as -X, but also shows the ethernet header.
    -v, -vv, -vvv : Increase the amount of packet information you get back.
    -c count : Capture only count packets and then stop.
    icmp : Only get ICMP packets (this is a filter expression, not an option).
    -s snaplen : Define the snapshot length (bytes captured per packet). Use -s0 to get everything, unless you are intentionally capturing less.
    -S : Print absolute sequence numbers.
    -e : Get the ethernet header as well.
    -E algo:secret : Decrypt IPsec ESP traffic by providing the algorithm and key.

Examples

tcpdump -nnvvS
tcpdump -nnvvXSs 1514
tcpdump -D

tcpdump -v icmp
tcpdump -i eth0 not broadcast

tcpdump -vv -n host 192.168.1.1
tcpdump -vv src 192.168.1.1
tcpdump -vv dst 192.168.1.1
tcpdump net 192.168.1.0/24

tcpdump port 3389
tcpdump portrange 21-23
tcpdump src port 1025 and tcp

tcpdump -vv -i eth0 'port 22'
tcpdump -l -i eth0 'port 514' | awk '{print $3}'
tcpdump -n -i eth0 not tcp port 443 and not tcp port 22

tcpdump -i eth0 -n  ip | awk '{ print gensub(/(.*)\..*/,"\\1","g",$3), $4, gensub(/(.*)\..*/,"\\1","g",$5) }'
tcpdump -n -i eth0 | egrep -v "21.34.141|62.2.21"
tcpdump -n -i eth0 not tcp port 443 and not tcp port 22 and not icmp and not udp port 53
tcpdump -nvX 'src net 192.168.0.0/16 and (dst net 10.0.0.0/8 or 172.16.0.0/16)'   # quoted and parenthesised: "and" binds tighter than "or"
tcpdump 'src 10.0.2.4 and (dst port 3389 or 22)'   # quote the expression so the shell does not interpret the parentheses


tcpdump -n -i eth0 -A -x dst port 443 and greater 100
tcpdump -s 1514 -evvv    # 1514 bytes - Ethernet header = 1500 bytes

tcpdump portrange 21-23
tcpdump less 32
tcpdump greater 128

tcpdump -s 1514 -w capture_file port 80   # options first, filter expression last
tcpdump -r capture_file

More examples

All URGENT (URG) packets…

# tcpdump 'tcp[13] & 32!=0'

All ACKNOWLEDGE (ACK) packets…

# tcpdump 'tcp[13] & 16!=0'

All PUSH (PSH) packets…

# tcpdump 'tcp[13] & 8!=0'

All RESET (RST) packets…

# tcpdump 'tcp[13] & 4!=0'

All SYNCHRONIZE (SYN) packets…

# tcpdump 'tcp[13] & 2!=0'

All FINISH (FIN) packets…

# tcpdump 'tcp[13] & 1!=0'

All SYNCHRONIZE/ACKNOWLEDGE (SYNACK) packets…

# tcpdump 'tcp[13]=18'

IPv6 traffic

# tcpdump ip6

Packets with both the RST and SYN flags set (why?)

# tcpdump 'tcp[13] = 6'

Traffic with the ‘Evil Bit’ Set

# tcpdump 'ip[6] & 128 != 0'
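The filters above all index a single byte of the header by offset: tcp[13] is the TCP flags byte (FIN=1, SYN=2, RST=4, PSH=8, ACK=16, URG=32, so SYN/ACK is 2+16=18 and RST+SYN is 4+2=6), and ip[6] is the byte holding the reserved IP flag bit. The following Python script is an added example, not part of the original cheat sheet or of tcpdump itself: it builds constructed IPv4+TCP packets with struct, resolves tcp[N] relative to the IP header length the way tcpdump does, and evaluates the page's byte-offset expressions with a small regex-based mimic (matches) of that syntax. The function names, the packet field values and the regular expression are assumptions made for the example; the real BPF compiler accepts far more than this.

```python
import re
import struct

# TCP flag bits as they appear in the flags byte, tcp[13], lowest bit first.
TCP_FLAGS = {"FIN": 1, "SYN": 2, "RST": 4, "PSH": 8, "ACK": 16, "URG": 32}


def build_packet(tcp_flags: int, evil_bit: bool = False) -> bytes:
    """Return a constructed (not captured) IPv4 + TCP packet with the given flags byte."""
    # ip[6] is the high byte of the IP flags/fragment-offset field; its top bit
    # is the reserved bit that RFC 3514 jokingly calls the "evil bit".
    flags_frag = 0x8000 if evil_bit else 0x0000
    ip_hdr = struct.pack(
        "!BBHHHBBH4s4s",
        0x45,                      # version 4, IHL 5 (20-byte header, no options)
        0,                         # TOS
        40,                        # total length: 20-byte IP header + 20-byte TCP header
        0x1234,                    # identification (constructed)
        flags_frag,                # flags + fragment offset
        64,                        # TTL
        6,                         # protocol: TCP
        0,                         # checksum left zero; offset filters never look at it
        bytes([10, 0, 2, 4]),      # src 10.0.2.4 (constructed)
        bytes([192, 168, 1, 1]),   # dst 192.168.1.1 (constructed)
    )
    tcp_hdr = struct.pack(
        "!HHIIBBHHH",
        1025, 3389,    # src port, dst port
        1, 0,          # seq, ack
        0x50,          # data offset 5 words (20 bytes), reserved bits zero
        tcp_flags,     # tcp[13]: the flags byte the page's filters test
        8192, 0, 0,    # window, checksum, urgent pointer
    )
    return ip_hdr + tcp_hdr


def ip_byte(pkt: bytes, off: int) -> int:
    """ip[off]: the byte at offset off from the start of the IPv4 header."""
    return pkt[off]


def tcp_byte(pkt: bytes, off: int) -> int:
    """tcp[off]: the byte at offset off from the start of the TCP header.

    tcpdump skips the IP header using its IHL field, so IP options do not
    shift the index; this helper does the same.
    """
    ihl = (pkt[0] & 0x0F) * 4
    return pkt[ihl + off]


# Accepts the filter shapes used on the page: "tcp[13] & 2 != 0", "tcp[13]=18",
# "ip[6] & 128 != 0". A deliberately small mimic, not tcpdump's BPF compiler.
FILTER_RE = re.compile(
    r"^\s*(ip|tcp)\[(\d+)\]\s*(?:&\s*(\d+))?\s*(!=|==|=)\s*(\d+)\s*$"
)


def matches(pkt: bytes, expr: str) -> bool:
    """Evaluate one byte-offset filter expression against a packet."""
    m = FILTER_RE.match(expr)
    if not m:
        raise ValueError(f"unsupported filter: {expr!r}")
    proto, off, mask, op, value = m.groups()
    value_at = tcp_byte if proto == "tcp" else ip_byte
    v = value_at(pkt, int(off))
    if mask is not None:
        v &= int(mask)          # the "& mask" isolates the flag bit(s) of interest
    return v != int(value) if op == "!=" else v == int(value)


def flag_names(pkt: bytes) -> list:
    """Decode tcp[13] into flag names, lowest bit first."""
    flags = tcp_byte(pkt, 13)
    return [name for name, bit in TCP_FLAGS.items() if flags & bit]


if __name__ == "__main__":
    syn = build_packet(TCP_FLAGS["SYN"])
    synack = build_packet(TCP_FLAGS["SYN"] | TCP_FLAGS["ACK"])
    rstsyn = build_packet(TCP_FLAGS["RST"] | TCP_FLAGS["SYN"])
    for label, pkt in (("SYN", syn), ("SYN/ACK", synack), ("RST+SYN", rstsyn)):
        print(label, flag_names(pkt),
              "'tcp[13] & 2 != 0':", matches(pkt, "tcp[13] & 2 != 0"),
              "'tcp[13]=18':", matches(pkt, "tcp[13]=18"),
              "'tcp[13] = 6':", matches(pkt, "tcp[13] = 6"))
```

Note that "tcp[13] & 2 != 0" matches both the plain SYN and the SYN/ACK, because it only asks whether the SYN bit is set, while "tcp[13]=18" compares the whole byte and therefore matches the SYN/ACK only; the same distinction decides whether a filter catches packets that carry extra flags such as ECE or CWR in the two high bits.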
