Created Sun May 26, 2019 at 01:06AM
tcpdump -i eth0
This is useful when testing static routing: for example, when you set a route through a firewall and want to confirm that the traffic is really being sent to the right next hop.
sudo tcpdump icmp -e -v
sudo tcpdump ether dst ff:ee:b4:71:cb:33 -e -v
tcpdump host 126.96.36.199
tcpdump src 188.8.131.52
tcpdump dst 184.108.40.206
tcpdump net 220.127.116.11/24
tcpdump -c 1 -X icmp
tcpdump port 3389
tcpdump src port 1025
tcpdump less 32
tcpdump greater 64
tcpdump 'len <= 128'   # a bare comparison needs the len keyword
tcpdump port 80 -w capture_file.pcap
# Note that you can use all the regular filters while reading in a file; you're only limited by the fact that you can't capture and process what doesn't exist in the file already.
tcpdump -r capture_file.pcap
Here are some additional tcpdump options.
| Option | Description |
|---|---|
| -X | Show the packet's contents in both hex and ASCII. |
| -XX | Same as -X, but also shows the Ethernet header. |
| -D | Show the list of available interfaces. |
| -l | Line-buffered output (for viewing as you save, or sending to other commands). |
| -q | Be less verbose (quiet): show less protocol information. |
| -t | Give human-readable timestamp output. |
| -tttt | Give maximally human-readable timestamp output. |
| -i eth0 | Listen on the eth0 interface. |
| -vv | Verbose output (more v's gives more output). |
| -c | Only get x number of packets and then stop. |
| -s | Define the snaplength (size) of the capture in bytes. Use -s0 to get everything, unless you are inte |
| -S | Print absolute sequence numbers. |
| -e | Get the Ethernet header as well. |
| -E | Decrypt IPsec traffic by providing an encryption key. |
tcpdump -nnvvS src 10.0.0.1 and dst port 3389
tcpdump -nvX 'src net 192.168.0.0/16 and (dst net 10.0.0.0/8 or 172.16.0.0/16)'   # and binds tighter than or, so parenthesise the destination alternatives
tcpdump 'dst 192.168.0.2 and src net 10.0.0.0/8 and not icmp'   # src net needs a network argument; 10.0.0.0/8 is just a placeholder
sudo tcpdump host 172.21.50.3 -i eth1 -vv
tcpdump -vvAs0 port 53
tcpdump -vvAs0 port ftp or ftp-data
tcpdump -vvAs0 port 123
There's a bit in the IP header that never gets set by legitimate applications, which we call the "Evil Bit": the reserved flag bit, the high bit of byte 6 of the IPv4 header. Here's a fun filter to find packets where it's been toggled.
tcpdump 'ip[6] & 128 != 0'
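As an added illustration (not part of the original notes), here is a small Python sketch of how that filter indexes the IPv4 header: it builds constructed sample headers and mirrors `ip[6] & 128 != 0`, along with the DF and MF bits that share the same byte. The function and constant names are my own.

```python
"""Mirror the byte-offset logic behind tcpdump's 'evil bit' filter.

BPF expressions such as `ip[6] & 128 != 0` index the IPv4 header as a byte
array. Byte 6 holds the three flag bits (reserved = 0x80, DF = 0x40,
MF = 0x20) followed by the top five bits of the fragment offset.
All headers here are constructed, not captured.
"""
import ipaddress
import struct

IP_FLAG_RESERVED = 0x80  # the "evil bit"; legitimate stacks leave it 0
IP_FLAG_DF = 0x40        # Don't Fragment
IP_FLAG_MF = 0x20        # More Fragments
_FMT = "!BBHHHBBH4s4s"   # 20-byte IPv4 header without options


def ipv4_checksum(hdr: bytes) -> int:
    """One's-complement sum of the header; returns 0 for a valid complete header."""
    total = sum(struct.unpack("!10H", hdr[:20]))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_header(src: str, dst: str, flags: int = 0, frag_offset: int = 0,
                      proto: int = 1, payload_len: int = 40) -> bytes:
    """Build a header; `flags` uses the same bit values tcpdump sees in ip[6]."""
    flags_frag = (flags << 8) | (frag_offset & 0x1FFF)  # 3 flag bits + 13-bit offset
    fields = [0x45, 0, 20 + payload_len, 0x1234, flags_frag, 64, proto, 0,
              ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed]
    fields[7] = ipv4_checksum(struct.pack(_FMT, *fields))  # checksum over zeroed field
    return struct.pack(_FMT, *fields)


def byte_filter(pkt: bytes, offset: int, mask: int) -> bool:
    """Equivalent of the BPF primitive `ip[offset] & mask != 0`."""
    return (pkt[offset] & mask) != 0


def evil_bit_set(pkt: bytes) -> bool:
    """tcpdump 'ip[6] & 128 != 0' expressed in Python."""
    return byte_filter(pkt, 6, IP_FLAG_RESERVED)


def ip_flags(pkt: bytes) -> list:
    """Name every flag set in byte 6, e.g. ['DF'] for an ordinary TCP packet."""
    names = [("RESERVED", IP_FLAG_RESERVED), ("DF", IP_FLAG_DF), ("MF", IP_FLAG_MF)]
    return [name for name, bit in names if byte_filter(pkt, 6, bit)]


if __name__ == "__main__":
    normal = build_ipv4_header("10.0.0.1", "192.168.0.2", flags=IP_FLAG_DF)
    evil = build_ipv4_header("10.0.0.1", "192.168.0.2",
                             flags=IP_FLAG_RESERVED | IP_FLAG_MF, frag_offset=3)
    for label, pkt in (("normal", normal), ("evil", evil)):
        print(label, ip_flags(pkt), "byte6=0x%02x" % pkt[6], "evil:", evil_bit_set(pkt))
```

The same `byte_filter` pattern is how any offset-based tcpdump expression works, so `ip[6] & 64 != 0` would pick out DF-set packets in exactly the same way.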
tcpdump port http or port ftp or port smtp or port imap or port pop3 or port telnet -lA | grep -E -i -B5 'pass=|pwd=|log=|login=|user=|username=|pw=|passw=|passwd=|password=|pass:|user:|username:|password:|login:|pass |user '