Created Sun May 26, 2019 at 01:06AM
tcpdump -i eth0
This is useful when testing static routing, for example when you have set a route through a firewall and want to confirm that the traffic is really being sent to the right next hop.
sudo tcpdump icmp -e -v
sudo tcpdump ether dst ff:ee:b4:71:cb:33 -e -v
tcpdump host 1.2.3.4
tcpdump src 1.1.1.1
tcpdump dst 1.0.0.1
tcpdump net 1.2.3.0/24
tcpdump -c 1 -X icmp
tcpdump port 3389
tcpdump src port 1025
tcpdump icmp
tcpdump ip6
tcpdump less 32
tcpdump greater 64
tcpdump 'len <= 128'
tcpdump -w capture_file.pcap port 80
# Note that you can use all the regular filters while reading from a file; you're only limited by the fact that you can't capture and process packets that aren't already in the file.
tcpdump -r capture_file.pcap
Here are some additional tcpdump options.
| Flag | Function |
|---|---|
| -X | Show the packet's contents in both hex and ASCII. |
| -XX | Same as -X, but also shows the Ethernet header. |
| -D | Show the list of available interfaces. |
| -l | Line-buffered output (for viewing as you save, or piping to other commands). |
| -q | Be less verbose (quiet): show less protocol information. |
| -t | Give human-readable timestamp output. |
| -tttt | Give maximally human-readable timestamp output. |
| -i eth0 | Listen on the eth0 interface. |
| -vv | Verbose output (more v's gives more output). |
| -c N | Capture only N packets and then stop. |
| -s | Define the snaplength (size) of the capture in bytes. Use -s0 to get everything, unless you are inte |
| -S | Print absolute sequence numbers. |
| -e | Get the Ethernet header as well. |
| -E | Decrypt IPsec traffic by providing an encryption key. |
tcpdump -nnvvS src 10.0.0.1 and dst port 3389
tcpdump -nvX 'src net 192.168.0.0/16 and (dst net 10.0.0.0/8 or 172.16.0.0/16)'
tcpdump 'dst 192.168.0.2 and src net 10.0.0.0/8 and not icmp'
sudo tcpdump host 172.21.50.3 -i eth1 -vv
tcpdump -vvAs0 port 53
tcpdump -vvAs0 port ftp or ftp-data
tcpdump -vvAs0 port 123
There's a bit in the IP header that legitimate applications never set, which we call the "Evil Bit". Here's a fun filter to find packets where it has been toggled.
tcpdump 'ip[6] & 128 != 0'
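As an added example that is not part of the original cheat sheet, the Python below shows what a byte-offset filter such as `ip[6] & 128 != 0` actually tests: `ip[6]` is byte 6 of the IPv4 header (the byte holding the three flag bits, the reserved "evil" bit being the top one), counted from the start of that header rather than from the start of the frame. It generalises to `tcp[N]` by reading the header length from `ip[0] & 0xf`; every frame is constructed inline, and the MAC addresses, IPs and ports are made-up sample values (the destination MAC is the one from the `ether dst` line above).

```python
import struct

ETHERTYPE_IPV4 = 0x0800
ETH_HLEN = 14  # Ethernet header length; tcpdump's ip[N] counts from the byte after it


def ipv4_header(flags, proto=6, payload_len=20):
    """Constructed minimal IPv4 header (IHL=5, no options). 'flags' is the 3-bit
    flags field: reserved/'evil' bit = 0b100, DF = 0b010, MF = 0b001."""
    ver_ihl = (4 << 4) | 5
    flags_frag = flags << 13  # fragment offset 0
    return struct.pack("!BBHHHBBH4s4s", ver_ihl, 0, 20 + payload_len, 0x1234,
                       flags_frag, 64, proto, 0,
                       bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))


def tcp_header(flags):
    """Constructed minimal TCP header (20 bytes); 'flags' is the byte tcpdump sees as tcp[13]."""
    return struct.pack("!HHIIBBHHH", 1025, 3389, 1, 0, 5 << 4, flags, 65535, 0, 0)


def ethernet_frame(payload, ethertype=ETHERTYPE_IPV4):
    """Constructed frame; the destination MAC is the one from the page's 'ether dst' example."""
    dst = bytes.fromhex("ffeeb471cb33")
    src = bytes.fromhex("020000000001")  # constructed locally administered MAC
    return dst + src + struct.pack("!H", ethertype) + payload


def header_byte(frame, proto, offset):
    """Mirror tcpdump's proto[offset]: the byte at 'offset' counted from the start of
    that protocol's header, or None when the frame does not carry that protocol."""
    if len(frame) < ETH_HLEN + 20 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV4:
        return None
    start = ETH_HLEN
    if proto == "tcp":
        if frame[ETH_HLEN + 9] != 6:  # ip[9] is the protocol field; 6 = TCP
            return None
        start += (frame[ETH_HLEN] & 0x0F) * 4  # ip[0] & 0xf = header length in 32-bit words
    elif proto != "ip":
        raise ValueError("unsupported protocol qualifier: " + proto)
    idx = start + offset
    return frame[idx] if idx < len(frame) else None


def evil_bit_set(frame):
    """The page's filter 'ip[6] & 128 != 0': the top bit of the IP flags byte."""
    b = header_byte(frame, "ip", 6)
    return b is not None and (b & 128) != 0
```

A frame with only DF set has `ip[6] == 0x40`, so it does not match, while a frame with the reserved bit set has `ip[6] == 0x80` and does.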
tcpdump -lA port http or port ftp or port smtp or port imap or port pop3 or port telnet | grep -Ei -B5 'pass=|pwd=|log=|login=|user=|username=|pw=|passw=|passwd= |password=|pass:|user:|username:|password:|login:|pass |user '