Linux Command: tcpdump
Revision as of 08:56, 9 October 2018
Options
-i any : Listen on all interfaces, useful to confirm that you are seeing any traffic at all.
-i eth0 : Listen on the eth0 interface.
-D : Show the list of available interfaces.
-l : Line-buffered output (for viewing while you save, or for piping to other commands).
-A : Print each packet's payload in ASCII.
-n : Don't resolve hostnames (on current tcpdump this also covers port names).
-nn : Don't resolve hostnames or port names.
-q : Quick (quiet) output: print less protocol information so each line is shorter.
-t : Don't print a timestamp on each line.
-tttt : Print the timestamp as a full date and time (maximally human-readable).
-X : Show the packet's contents in both hex and ASCII.
-XX : Same as -X, but also shows the Ethernet header.
-v, -vv, -vvv : Increase the amount of packet information you get back.
-c N : Capture only N packets and then stop.
-s N : Set the snaplength (bytes captured per packet). Use -s 0 to capture whole packets unless you are intentionally capturing less; older versions truncated at 68 or 96 bytes by default.
-S : Print absolute TCP sequence numbers instead of relative ones.
-e : Print the link-level (Ethernet) header as well.
-E : Decrypt IPsec ESP traffic by providing the SPI and key (spi@ipaddr algo:secret). The key is visible in the process list, so prefer a file via -E "file name".
1500-byte snaplen capture excluding port 22
tcpdump -i eth1 -s 1500 port not 22
"port not 22" and "not port 22" are equivalent. -s 1500 covers a standard Ethernet MTU but truncates jumbo frames and loopback traffic; use -s 0 when you need whole packets.
Skip several ports
tcpdump -i eth1 -s 1500 port not 22 and port not 53
Filter by IP address or hostname
tcpdump -i eth1 port not 22 and host 1.2.3.4
A hostname given to "host" is resolved once, when the filter is compiled, so the filter matches the addresses returned at that moment, not addresses the name resolves to later.
Raw output view
tcpdump -ttttnnvvS
Full date/time timestamps, no name resolution, very verbose, absolute TCP sequence numbers; add -i and a filter expression as needed.
Hex output
tcpdump -nnvXSs 0 -c1 icmp
Captures a single ICMP packet at full snaplen and prints it in hex and ASCII.
Filter by source or destination
tcpdump src 2.3.4.5
tcpdump dst 3.4.5.6
Filter by net
tcpdump net 1.2.3.0/24
Filter by port
tcpdump port 3389
tcpdump src port 3389
Filter by protocol
tcpdump icmp
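Putting the filter examples above together (an added example, not part of the original wiki page): a small POSIX sh script that builds a pcap-filter expression from lists of ports and hosts, compiles it with "tcpdump -d" against a header-only pcap file so the syntax is checked without root and without touching a live interface, and prints the capture command line with the flags a practitioner usually wants (-nn, -s 0, -Z, -w). The interface eth1, the ports and the 1.2.3.x addresses are placeholders taken from the page; the function names, the "nobody" user and the /tmp output path are assumptions.

```shell
#!/bin/sh
# Added example, not from the original wiki page. Builds a pcap-filter
# expression, checks that tcpdump accepts it, and prints a capture command.
# Interface, ports, addresses, user and paths below are placeholders.

# build_filter "EXCLUDE_PORTS" "HOSTS" "NET"
#   EXCLUDE_PORTS: ports to drop, e.g. "22 53" (each becomes "not port N")
#   HOSTS: hosts OR'ed together inside one parenthesised group
#   NET: optional CIDR, e.g. "1.2.3.0/24"
# Any argument may be empty. Terms are AND'ed. The host group is
# parenthesised because pcap-filter gives "and" and "or" equal precedence,
# left to right: "not port 22 and host A or host B" would be parsed as
# "(not port 22 and host A) or host B" and let all of host B through.
build_filter() {
    filt=""
    for p in $1; do
        filt="${filt:+$filt and }not port $p"
    done
    if [ -n "$2" ]; then
        group=""
        for h in $2; do
            group="${group:+$group or }host $h"
        done
        filt="${filt:+$filt and }($group)"
    fi
    if [ -n "$3" ]; then
        filt="${filt:+$filt and }net $3"
    fi
    printf '%s\n' "$filt"
}

# check_filter "EXPR": compile EXPR with "tcpdump -d" against a pcap file
# that holds only the 24-byte global header (link type 1 = Ethernet), so no
# root and no interface are needed. Exit status: 0 accepted, 1 rejected,
# 2 tcpdump not installed.
check_filter() {
    command -v tcpdump >/dev/null 2>&1 || return 2
    tmp=$(mktemp) || return 2
    # pcap header: magic a1b2c3d4 (little-endian on disk), version 2.4,
    # thiszone 0, sigfigs 0, snaplen 65535, network 1 (EN10MB); no packets.
    printf '\324\303\262\241\002\000\004\000\000\000\000\000\000\000\000\000\377\377\000\000\001\000\000\000' > "$tmp"
    if tcpdump -r "$tmp" -d "$1" >/dev/null 2>&1; then rc=0; else rc=1; fi
    rm -f "$tmp"
    return "$rc"
}

# capture_cmd IFACE OUTFILE "EXPR": print the capture command the page's
# examples lead up to: no name resolution (-nn, avoids DNS lookups during
# a capture), whole packets (-s 0), privileges dropped after the interface
# is opened (-Z), raw pcap written to disk (-w) for later analysis.
capture_cmd() {
    printf 'tcpdump -i %s -nn -s 0 -Z nobody -w %s %s\n' "$1" "$2" "'$3'"
}

# Usage with the page's placeholder values.
f=$(build_filter "22 53" "1.2.3.4 2.3.4.5" "")
echo "filter: $f"
rc=0
check_filter "$f" || rc=$?
case $rc in
    0) echo "filter compiles" ;;
    1) echo "filter rejected by tcpdump" ;;
    *) echo "tcpdump not installed; filter not checked" ;;
esac
capture_cmd eth1 /tmp/cap.pcap "$f"
```

Running it prints the composed filter ("not port 22 and not port 53 and (host 1.2.3.4 or host 2.3.4.5)"), whether tcpdump accepted it, and the capture command. Compiling with -d before a long unattended capture catches a typo in the expression immediately instead of after an empty capture file; the same header-only file trick works for any link type by changing the last four bytes of the header.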