Options<\/strong><\/p>\nBelow are some tcpdump options (with useful examples) that will help you working with the tool. They\u2019re very easy to forget and\/or confuse with other types of filters, i.e. ethereal, so hopefully this article can serve as a reference for you, as it does me:)<\/p>\n
The first of these is -n, which requests that names are not resolved, resulting in the IPs themselves.
\nThe second is -X, which displays both hex and ascii content within the packet.
\nThe final one is -S, which changes the display of sequence numbers to absolute rather than relative.<\/p>\n
-i any : Listen on all interfaces just to see if you\u2019re seeing any traffic.
\n-n : Don\u2019t resolve hostnames.
\n-nn : Don\u2019t resolve hostnames or port names.
\n-X : Show the packet\u2019s contents in both hex and ASCII.
\n-XX : Same as -X, but also shows the ethernet header.
\n-v, -vv, -vvv : Increase the amount of packet information you get back.
\n-c : Only get x number of packets and then stop.
\n-S : Print absolute sequence numbers.
\n-e : Get the ethernet header as well.
\n-q : Show less protocol information.
\n-E : Decrypt IPSEC traffic by providing an encryption key.
\n-s : Set the snaplength, i.e. the amount of data that is being captured in bytes
\n-c : Only capture x number of packets, e.g. \u2018tcpdump -c 3?<\/p>\n
1. Basic communication<\/strong> \/\/ see the basics without many options<\/p>\n\n
\n\n\n\n1<\/pre>\n<\/td>\n\ntcpdump -nS<\/pre>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/div>\n2. Basic communication (very verbose)<\/strong> \/\/ see a good amount of traffic, with verbosity and no name help<\/p>\n\n \n\n\n\n1<\/pre>\n<\/td>\n\ntcpdump -nnvvS<\/pre>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/div>\n3. A deeper look at the traffic<\/strong> \/\/ adds -X for payload but doesn\u2019t grab any more of the packet<\/p>\n\n \n\n\n\n1<\/pre>\n<\/td>\n\ntcpdump -nnvvXS<\/pre>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/div>\n4. Heavy packet viewing<\/strong> \/\/ the final \u201cs\u201d increases the snaplength, grabbing the whole packet<\/p>\n\n \n\n\n\n1<\/pre>\n<\/td>\n\ntcpdump -nnvvXSs 1514<\/pre>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/div>\n <\/p>\n Expressions<\/strong>
\n* host \/\/ look for traffic based on IP address (also works with hostname if you\u2019re not using -n)<\/p>\n\n \n\n\n\n1<\/pre>\n<\/td>\n\ntcpdump host 192.168.1.1<\/pre>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/div>\n* src, dst \/\/ find traffic from only a source or destination (eliminates one side of a host conversation)<\/p>\n \n \n\n\n\n1\r\n2<\/pre>\n<\/td>\n\ntcpdump src 192.168.1.1\r\ntcpdump dst 10.1.100.3<\/pre>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/div>\n* net \/\/ capture an entire network using CIDR notation<\/p>\n \n \n\n\n\n1<\/pre>\n<\/td>\n\ntcpdump net 1.2.3.0\/24<\/pre>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/div>\n* proto \/\/ works for tcp, udp, and icmp. Note that you don\u2019t have to type proto<\/p>\n \n \n\n\n\n1<\/pre>\n<\/td>\n\ntcpdump icmp<\/pre>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/div>\n* port \/\/ see only traffic to or from a certain port<\/p>\n \n \n\n\n\n1<\/pre>\n<\/td>\n\ntcpdump port 3389<\/pre>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/div>\n* src, dst port \/\/ filter based on the source or destination port<\/p>\n \n \n\n\n\n1\r\n2<\/pre>\n<\/td>\n\ntcpdump src port 1025\r\ntcpdump dst port 389<\/pre>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/div>\n* src\/dst, port, protocol \/\/ combine all three<\/p>\n \n \n\n\n\n1\r\n2<\/pre>\n<\/td>\n\ntcpdump src port 1025 and tcp\r\ntcpdump udp and src port 53<\/pre>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/div>\n* Port Ranges \/\/ see traffic to any port in a range<\/p>\n \n \n\n\n\n1<\/pre>\n<\/td>\n\ntcpdump portrange 21-23<\/pre>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/div>\n* Packet Size Filter \/\/ only see packets below or above a certain size (in bytes)<\/p>\n \n \n\n\n\n1\r\n2<\/pre>\n<\/td>\n\ntcpdump less 32\r\ntcpdump greater 128<\/pre>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/div>\n[ You can use the symbols for less than, greater than, and less than or equal \/ greater than or equal signs as well. ]
\n\/\/ filtering for size using symbols<\/p>\n \n \n\n\n\n1\r\n2<\/pre>\n<\/td>\n\ntcpdump > 32\r\ntcpdump <= 128<\/pre>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/div>\n <\/p>\n Writing to a File<\/strong>
\nCapture all Port 80 traffic to a file:<\/p>\n\n \n\n\n\n1<\/pre>\n<\/td>\n\ntcpdump -i eth1 port 80 -w http_traffic<\/pre>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/div>\nRead Captured Traffic back into tcpdump:<\/p>\n \n \n\n\n\n1<\/pre>\n<\/td>\n\ntcpdump -r http_traffic<\/pre>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/div>\nYou can use it for \u201cscreen\u201d and later for graphical wireshark analyzes.<\/p>\n <\/p>\n Getting Creative<\/strong><\/p>\nExpressions are very nice, but the real magic of tcpdump comes from the ability to combine them in creative ways in order to isolate exactly what you\u2019re looking for. There are three ways to do combination:<\/p>\n 1. AND<\/strong>
\nand or &&
\n2. OR<\/strong>
\nor or ||
\n3. EXCEPT<\/strong>
\nnot or !<\/p>\nTraffic that\u2019s from 192.168.1.1 AND destined for ports 3389 or 22<\/p>\n \n \n\n\n\n1<\/pre>\n<\/td>\n\ntcpdump 'src 192.168.1.1 and (dst port 3389 or 22)'<\/pre>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/div>\nAdvanced<\/strong>
\nShow me all URG packets:<\/p>\n\n \n\n\n\n1<\/pre>\n<\/td>\n\ntcpdump 'tcp[13] & 32 != 0'<\/pre>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/div>\nShow me all ACK packets:<\/p>\n \n \n\n\n\n1<\/pre>\n<\/td>\n\ntcpdump 'tcp[13] & 16 != 0'<\/pre>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/div>\nShow me all PSH packets:<\/p>\n \n \n\n\n\n1<\/pre>\n<\/td>\n\ntcpdump 'tcp[13] & 8 != 0'<\/pre>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/div>\nShow me all RST packets:<\/p>\n \n \n\n\n\n1<\/pre>\n<\/td>\n\ntcpdump 'tcp[13] & 4 != 0'<\/pre>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/div>\nShow me all SYN packets:<\/p>\n \n \n\n\n\n1<\/pre>\n<\/td>\n\ntcpdump 'tcp[13] & 2 != 0'<\/pre>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/div>\nShow me all FIN packets:<\/p>\n \n \n\n\n\n1<\/pre>\n<\/td>\n\ntcpdump 'tcp[13] & 1 != 0'<\/pre>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/div>\nShow me all SYN-ACK packets:<\/p>\n \n \n\n\n\n1<\/pre>\n<\/td>\n\ntcpdump 'tcp[13] = 18'<\/pre>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/div>\nShow all traffic with both SYN and RST flags set: (that should never happen)<\/p>\n \n \n\n\n\n1<\/pre>\n<\/td>\n\ntcpdump 'tcp[13] = 6'<\/pre>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/div>\nShow all traffic with the \u201cevil bit\u201d set:<\/p>\n \n \n\n\n\n1<\/pre>\n<\/td>\n\ntcpdump 'ip[6] & 128 != 0'<\/pre>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/div>\nDisplay all IPv6 Traffic:<\/p>\n \n \n\n\n\n1<\/pre>\n<\/td>\n\ntcpdump ip6<\/pre>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/div>\n<\/div>\n | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | |