Created Sun May, 26 2019 at 01:06AM

Basics

Dump everything coming into the interface

tcpdump -i eth0

Filter ICMP traffic showing MAC addresses

This is useful when testing static routing, for example when you set a route through a firewall and want to confirm that the packets are really being forwarded to the right next hop; the -e flag prints the link-layer (MAC) addresses so you can see which device the packets actually went to.

sudo tcpdump icmp -e -v

Filter by MAC Address

sudo tcpdump ether dst ff:ee:b4:71:cb:33 -e -v

Filter by IP

tcpdump host 1.2.3.4

Filter by Source / Destination IP

tcpdump src 1.1.1.1 
tcpdump dst 1.0.0.1

Filtering by entire network

tcpdump net 1.2.3.0/24

Packet Contents / Hex Dump

tcpdump -c 1 -X icmp

Filter by port

tcpdump port 3389 
tcpdump src port 1025

Filter by protocol

tcpdump icmp

Filter only IPv6 Traffic

tcpdump ip6

Filter by packet size

tcpdump less 32
tcpdump greater 64
tcpdump 'len <= 128'
# less and greater are inclusive (len <= n / len >= n). Quote expressions containing <, > or & so the shell does not treat them as redirections.

Reading / Writing (Pcap) Packet Captures to file

tcpdump port 80 -w capture_file.pcap
# Note that you can use all the regular commands within tcpdump while reading in a file; you’re only limited by the fact that you can’t capture and process what doesn’t exist in the file already.
tcpdump -r capture_file.pcap

Here are some additional tcpdump options.

Flag     Function
-X       Show the packet's contents in both hex and ASCII.
-XX      Same as -X, but also shows the Ethernet header.
-D       Show the list of available interfaces.
-l       Line-buffered output (for viewing as you save, or piping to other commands).
-q       Be less verbose (more quiet) with your output.
-t       Give human-readable timestamp output.
-tttt    Give maximally human-readable timestamp output.
-i eth0  Listen on the eth0 interface.
-vv      Verbose output (more v's gives more output).
-c       Only get x number of packets and then stop.
-s       Define the snaplength (size) of the capture in bytes. Use -s0 to get everything, unless you are inte
-S       Print absolute sequence numbers.
-e       Get the Ethernet header as well.
-q       Show less protocol information.
-E       Decrypt IPsec traffic by providing an encryption key.

Advanced

All traffic from 10.0.0.1 going to any host on port 3389

tcpdump -nnvvS src 10.0.0.1 and dst port 3389

From one network to another

tcpdump -nvX 'src net 192.168.0.0/16 and (dst net 10.0.0.0/8 or dst net 172.16.0.0/16)'
# "and" binds tighter than "or", so without the parentheses the filter would also match anything to or from 172.16.0.0/16 regardless of source.

All non-icmp traffic

tcpdump 'dst 192.168.0.2 and src net SRC_NET/PREFIX and not icmp'
# Replace SRC_NET/PREFIX with the source network (the placeholder is not a real value); "src net" requires an argument.
sudo tcpdump host 172.21.50.3 -i eth1 -vv

DNS traffic

tcpdump -vvAs0 port 53

FTP traffic

tcpdump -vvAs0 port ftp or ftp-data

NTP traffic

tcpdump -vvAs0 port 123

"Evil bit" traffic

There’s a bit in the IP header that never gets set by legitimate applications, which we call the “Evil Bit”. Here’s a fun filter to find packets where it’s been toggled.

tcpdump 'ip[6] & 128 != 0'
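To see what that byte-offset filter actually indexes, here is an added example (not part of the original notes) that builds a constructed Ethernet/IPv4 frame and applies the same `ip[6] & 128 != 0` test in Python; it assumes a normal Ethernet capture (14-byte link header before the IP header) and reuses the MAC address from the filter above as a constructed destination. It also shows that the page's `less`/`greater` size filters compare inclusively.

```python
import socket
import struct

ETH_HDR_LEN = 14       # ip[n] in a tcpdump filter counts from the byte after the Ethernet header
FLAG_RESERVED = 0x80   # top bit of ip[6]: the reserved "evil bit" (RFC 3514)
FLAG_DF = 0x40         # Don't Fragment
FLAG_MF = 0x20         # More Fragments


def ipv4_checksum(header: bytes) -> int:
    """RFC 1071 one's-complement sum over the 20-byte IPv4 header."""
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_frame(src: str, dst: str, flag_byte: int = 0, payload: bytes = b"") -> bytes:
    """Constructed Ethernet + IPv4 frame (protocol 1 = ICMP); flag_byte lands in ip[6]."""
    eth = bytes.fromhex("ffeeb471cb33") + bytes.fromhex("020000000001") + b"\x08\x00"
    # ver/IHL, DSCP, total length, ID, flags+fragment offset, TTL, proto, checksum, src, dst
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0x1234,
                      flag_byte << 8, 64, 1, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    hdr = hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]
    return eth + hdr + payload


def ip_byte(frame: bytes, offset: int) -> int:
    """Equivalent of tcpdump's ip[offset] for a frame captured on an Ethernet interface."""
    return frame[ETH_HDR_LEN + offset]


def evil_bit_set(frame: bytes) -> bool:
    """The same test the filter 'ip[6] & 128 != 0' performs."""
    return ip_byte(frame, 6) & 128 != 0


def matches_len(frame: bytes, keyword: str, n: int) -> bool:
    """tcpdump's 'less n' and 'greater n' compare the captured frame length, inclusively."""
    return len(frame) <= n if keyword == "less" else len(frame) >= n


if __name__ == "__main__":
    evil = build_frame("10.0.0.1", "10.0.0.2", FLAG_RESERVED)   # would match the evil-bit filter
    normal = build_frame("10.0.0.1", "10.0.0.2", FLAG_DF, b"\x08\x00" + b"\x00" * 6)
    print("evil bit set:", evil_bit_set(evil), evil_bit_set(normal))
    print("frame lengths:", len(evil), len(normal))
```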

Find cleartext credentials

tcpdump port http or port ftp or port smtp or port imap or port pop3 or port telnet -lA | egrep -i -B5 'pass=|pwd=|log=|login=|user=|username=|pw=|passw=|passwd= |password=|pass:|user:|username:|password:|login:|pass |user '
