2,306
edits
Changes
Jump to navigation
Jump to search
Line 20:
Line 20: + − You can skip additional ports too:+ + + + + + + + + + + + + + + − + + + + + + + + + + + + + + + + + + − You can also use ip or hostname:+ + + + + + + + + + + + + − tcpdump -i eth1 port not 22 and host 1.2.3.4+ +
→non icmp traffic going to a specific ip
-E : Decrypt IPSEC traffic by providing an encryption key.</nowiki>
-E : Decrypt IPSEC traffic by providing an encryption key.</nowiki>
=== 1500 bytes capture excluding port 22 ===
tcpdump -i eth1 -s 1500 port not 22
tcpdump -i eth1 -s 1500 port not 22
=== Skip ports ===
tcpdump -i eth1 -s 1500 port not 22 and port not 53
=== Filter ip or hostname ===
tcpdump -i eth1 port not 22 and host 1.2.3.4
=== Raw output view ===
tcpdump -ttttnnvvS
=== Hex output ===
tcpdump -nnvXSs 0 -c1 icmp
=== Filter by source or destination
tcpdump src 2.3.4.5
tcpdump dst 3.4.5.6
tcpdump -i eth1 -s 1500 port not 22 and port not 53
=== Filter by net ===
tcpdump net 1.2.3.0/24
=== Filter by port ===
tcpdump port 3389
tcpdump src port 3389
=== Filter by protocol ===
tcpdump icmp
=== Filter by packet size ===
tcpdump less 32
tcpdump greater 64
tcpdump <= 128
=== Read/Write File ===
==== Write ====
tcpdump port 80 -w capture_file
==== Read ====
tcpdump -r capture_file
== Combinations ==
* AND
and or &&
* OR
or or ||
* EXCEPT
not or !
=== traffic from 10.5.2.3 going to any host on port 3389 ===
tcpdump -nnvvS src 10.5.2.3 and dst port 3389
=== Traffic from one network to another ===
tcpdump -nvX src net 192.168.0.0/16 and dst net 10.0.0.0/8 or 172.16.0.0/16
=== non icmp traffic going to a specific ip ===
tcpdump dst 192.168.0.2 and src net and not icmp
== More At ==
https://danielmiessler.com/study/tcpdump/#dns