/* Ajith - Syntax Higlighter - End ----------------------------------------------- */

6.14.2012

TCPDUMP cheat sheet



  1. Listing possible network interfaces on the system

    tcpdump -D

    E.g.
    $ tcpdump -D
    1.eth0
    2.eth1
    3.usbmon1 (USB bus number 1)
    4.eth2

  2. Capture packets from a particular interface

    tcpdump -i interface-name

    E.g. To capture packets from interface eth1 - tcpdump -i eth1

  3. Capture only N number of packets

    tcpdump -c N

    E.g. To capture 10 packets from interface eth1 - tcpdump -i eth1 -c 10

  4. Capture the packets and write into a file

    tcpdump -w file.pcap

    E.g. tcpdump -i eth1 -w tmp.pcap

  5. To capture and store network frames full-length

    tcpdump -s 0

    E.g. tcpdump -i eth1 -w tmp.pcap -s 0

  6. Reading the packets from a saved file

    tcpdump -r file.pcap

    E.g.tcpdump -tttt -r tmp.pcap

  7. Capture packets with proper readable timestamp

    tcpdump -tttt

    E.g. tcpdump -i eth1 -tttt

Filter Options
    Possible qualifiers:

    type: host, net , port and portrange.
    E.g., ‘host foo’, ‘net 128.3’, ‘port 20’, ‘portrange 6000-6008’.

    dir: src, dst, src or dst and src and dst.
    E.g., ‘src foo’, ‘dst net 128.3’, ‘src or dst port ftp-data’. If there is no dir qualifier, src or dst is assumed.

    proto: ether, fddi, tr, wlan, ip, ip6, arp, rarp, decnet, tcp and udp.
    E.g., ‘ether src foo’, ‘arp net 128.3’, ‘tcp port 21’, ‘udp portrange 7000-7009’.
    If there is no proto qualifier, all protocols are assumed.

  1. Read packets longer than N bytes

    tcpdump greater N

    E.g. tcpdump -i eth1 -w tmp.pcap greater 1024

  2. Receive only the packets of a specific protocol type - fddi, tr, wlan, ip, ip6, arp, rarp, decnet, tcp and udp

    E.g tcpdump -i eth1 arp

  3. Receive packets flows on a particular port

    tcpdump port PORT_NO

    E.g. tcpdump -i eth1 port 22

  4. Capture packets for particular destination IP and Port

    tcpdump dst IPADDRESS and port PORT-NO

    E.g. tcpdump -i eth1 dst 10.181.140.216 and port 22

Display options
  1. Display more packet information

    tcpdump -vvv

    E.g. tcpdump -i eth1 -vvv

  2. Display link level header of every packet: -e

    tcpdump -e

    E.g.

    tcpdump -i eth1 -e -t
    listening on eth2, link-type EN10MB (Ethernet), capture size 65535 bytes
    52:54:00:e1:1c:10 (oui Unknown) > 01:80:c2:00:00:00 (oui Unknown), 802.3, length 60: LLC, dsap STP (0x42) Individual, ssap STP (0x42) Command, ctrl 0x03: STP 802.1d, Config, Flags [none], bridge-id 8000.52:54:00:e1:1c:10.8003, length 43
    52:54:00:e1:1c:10 (oui Unknown) > 01:80:c2:00:00:00 (oui Unknown), 802.3, length 60: LLC, dsap STP (0x42) Individual, ssap STP (0x42) Command, ctrl 0x03: STP 802.1d, Config, Flags [none], bridge-id 8000.52:54:00:e1:1c:10.8003, length 43

  3. Don’t print a timestamp on each dump line: -t

    tcpdump -t

    E.g.

    Without using -t option we can see the below output timestamp is dumped (In bold letters).

    tcpdump -i eth2

    listening on eth2, link-type EN10MB (Ethernet), capture size 65535 bytes
    08:44:51.295229 STP 802.1d, Config, Flags [none], bridge-id 8000.52:54:00:e1:1c:10.8003, length 43
    08:44:53.296795 STP 802.1d, Config, Flags [none], bridge-id 8000.52:54:00:e1:1c:10.8003, length 43

    tcpdump -i eth2 -t

    listening on eth2, link-type EN10MB (Ethernet), capture size 65535 bytes
    STP 802.1d, Config, Flags [none], bridge-id 8000.52:54:00:e1:1c:10.8003, length 43
    STP 802.1d, Config, Flags [none], bridge-id 8000.52:54:00:e1:1c:10.8003, length 43

  4. Display packets with IP address instead of DNS names: -n

    Basically tcpdump converts the plain address to DNS names. Using n option we can make tcpdump to display ip address.

    tcpdump -n

    E.g. tcpdump -i eth1 -n

  5. Display Captured Packets in ASCII

    tcpdump -A

    E.g. tcpdump -i eth1 -A

  6. Display Captured Packets in HEX and ASCII

    tcpdump -XX