Wednesday, August 19, 2015

Easy TCP/IP packet capture with tcpdump

Get list of interfaces that tcpdump can listen on:

tcpdump -D

Listen on interface eth0 (live capture needs root or the CAP_NET_RAW capability):

tcpdump -i eth0

Listen on interface eth0 and record the capture to a .pcap file (the file is written in binary pcap format, so nothing is decoded on screen):

tcpdump -w capture.pcap -i eth0

Display packet content of capture file capture.pcap (reading a file needs no special privileges; prefer doing it as an unprivileged user, since the dissectors then parse untrusted input):

tcpdump -r capture.pcap

Limit the capture to 100 packets:

tcpdump -c 100 -i eth0

Display IP addresses and port numbers instead of host and service names when capturing packets. Besides being faster, this avoids the reverse DNS lookups tcpdump would otherwise send from the capture host for every address it prints. Some versions of tcpdump require -nn to suppress port and protocol name resolution as well:

tcpdump -n -i eth0

Capture any packets where the destination host is 192.168.1.1. Display IP addresses and port numbers:

tcpdump -n dst host 192.168.1.1

Capture any packets where the source host is 192.168.1.1. Display IP addresses and port numbers:

tcpdump -n src host 192.168.1.1

Capture any packets where the source OR destination host is 192.168.1.1. Display IP addresses and port numbers:

tcpdump -n host 192.168.1.1

Capture any packets where the source or destination network is 192.168.1.0/24. Display IP addresses and port numbers:

tcpdump -n net 192.168.1.0/24

Capture any packets where the destination port is 23. Display IP addresses and port numbers:

tcpdump -n dst port 23

Capture any packets where the destination port is between 1 and 1023 inclusive. Display IP addresses and port numbers:

tcpdump -n dst portrange 1-1023

Capture ONLY TCP packets where the destination port is between 1 and 1023 inclusive. Display IP addresses and port numbers:

tcpdump -n tcp dst portrange 1-1023

Capture ONLY UDP packets where the destination port is between 1 and 1023 inclusive. Display IP addresses and port numbers:

tcpdump -n udp dst portrange 1-1023

Capture any packets with destination IP 192.168.1.1 and destination port 23. Display IP addresses and port numbers:

tcpdump -n "dst host 192.168.1.1 and dst port 23"

Capture any packets with destination IP 192.168.1.1 and destination port 80 or 443. Display IP addresses and port numbers (the parentheses are needed because "and" binds tighter than "or" in filter expressions, and the whole expression is quoted so the shell does not interpret them):

tcpdump -n "dst host 192.168.1.1 and (dst port 80 or dst port 443)"

Capture any ICMP packets, with verbose (-v) decoding:

tcpdump -v icmp

Capture any ARP packets:

tcpdump -v arp

Capture either ICMP or ARP packets:

tcpdump -v "icmp or arp"

Capture any packets that are broadcast or multicast:

tcpdump -n "broadcast or multicast"

Capture 500 bytes of data for each packet rather than the default snapshot length. Old tcpdump releases default to 68 bytes, which is enough for the headers but cuts off payload; since tcpdump 4.0 the default is 262144 bytes, which in practice is the whole packet:

tcpdump -s 500

Capture all bytes of data within the packet (on current releases this is the same as the default). Remember that a full capture of a cleartext protocol such as telnet on port 23 contains the credentials that went over the wire, so treat the .pcap file as sensitive:

tcpdump -s 0
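The following is an added example, not part of the original post, that ties the -w/-r, filter and -s sections together. It writes a legacy little-endian pcap file of the kind `tcpdump -w` produces, reads it back, and applies Python predicates that mirror the `dst host`, `src host`, `host`, `net`, `dst port`, `portrange` and combined expressions above, so the effect of each filter can be checked against known traffic. All six frames are constructed inline (made-up locally administered MAC addresses, zero TCP/UDP checksums), and the snaplen handling shows what `-s 68` does to a packet longer than 68 bytes. The file it writes can be inspected with `tcpdump -nr example.pcap`.

```python
"""Minimal pcap writer/reader plus tcpdump-style filter predicates.
Added example, not from the original post; every frame is constructed
here so it runs offline.  Afterwards: tcpdump -nr example.pcap"""
import ipaddress
import struct

PCAP_MAGIC = 0xA1B2C3D4      # little-endian, microsecond timestamps
LINKTYPE_ETHERNET = 1
ETHERTYPE_IPV4 = 0x0800
TCP, UDP = 6, 17


def ipv4_checksum(header):
    """Ones-complement sum of the 16-bit words of an IPv4 header."""
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_frame(src, dst, proto, sport, dport, payload=b""):
    """Ethernet/IPv4 frame carrying a TCP SYN or a UDP datagram.
    MACs are made up; L4 checksums stay 0 (tcpdump -vv would flag them)."""
    if proto == TCP:
        l4 = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x02, 65535, 0, 0)
    else:
        l4 = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0)
    l4 += payload
    ip = bytearray(struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0x4000,
                               64, proto, 0, ipaddress.IPv4Address(src).packed,
                               ipaddress.IPv4Address(dst).packed))
    struct.pack_into("!H", ip, 10, ipv4_checksum(ip))
    eth = bytes.fromhex("020000000002" "020000000001") + struct.pack("!H", ETHERTYPE_IPV4)
    return eth + bytes(ip) + l4


def encode_pcap(frames, snaplen=262144, t0=1439942400):
    """Serialize frames as a pcap file.  Each record is cut at snaplen the
    way `tcpdump -s` cuts it; the original length is kept in the record."""
    out = [struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, snaplen, LINKTYPE_ETHERNET)]
    for i, frame in enumerate(frames):
        data = frame[:snaplen]
        out.append(struct.pack("<IIII", t0 + i, 0, len(data), len(frame)) + data)
    return b"".join(out)


def parse_pcap(blob):
    """Yield one dict per record with addresses, ports, protocol and lengths.
    Only Ethernet/IPv4 with TCP or UDP is decoded; other records keep None."""
    magic, _, _, _, _, _, link = struct.unpack_from("<IHHiIII", blob, 0)
    if magic != PCAP_MAGIC or link != LINKTYPE_ETHERNET:
        raise ValueError("unsupported pcap header")
    off = 24
    while off + 16 <= len(blob):
        _, _, incl, orig = struct.unpack_from("<IIII", blob, off)
        off += 16
        data = blob[off:off + incl]
        off += incl
        rec = {"caplen": incl, "len": orig, "src": None, "dst": None,
               "proto": None, "sport": None, "dport": None}
        if len(data) >= 34 and struct.unpack_from("!H", data, 12)[0] == ETHERTYPE_IPV4:
            ihl = (data[14] & 0x0F) * 4
            rec["proto"] = data[23]
            rec["src"] = str(ipaddress.IPv4Address(data[26:30]))
            rec["dst"] = str(ipaddress.IPv4Address(data[30:34]))
            l4 = 14 + ihl
            if ihl >= 20 and rec["proto"] in (TCP, UDP) and len(data) >= l4 + 4:
                rec["sport"], rec["dport"] = struct.unpack_from("!HH", data, l4)
        yield rec


# Predicates mirroring the tcpdump filter primitives used in the post.
def dst_host(ip): return lambda p: p["dst"] == ip
def src_host(ip): return lambda p: p["src"] == ip
def host(ip): return lambda p: ip in (p["src"], p["dst"])
def net(cidr):
    n = ipaddress.ip_network(cidr)
    return lambda p: any(a and ipaddress.IPv4Address(a) in n for a in (p["src"], p["dst"]))
def dst_port(port, proto=None):
    return lambda p: p["dport"] == port and (proto is None or p["proto"] == proto)
def dst_portrange(lo, hi, proto=None):
    return lambda p: (p["dport"] is not None and lo <= p["dport"] <= hi
                      and (proto is None or p["proto"] == proto))
def both(*fs): return lambda p: all(f(p) for f in fs)      # "and"
def either(*fs): return lambda p: any(f(p) for f in fs)    # "or"


def count(blob, predicate):
    """Number of records in the pcap blob that the predicate accepts."""
    return sum(1 for rec in parse_pcap(blob) if predicate(rec))


SAMPLE_FRAMES = [  # constructed traffic, not a real capture
    build_frame("192.168.1.50", "192.168.1.1", TCP, 40000, 23),
    build_frame("192.168.1.50", "192.168.1.1", TCP, 40001, 80),
    build_frame("192.168.1.50", "192.168.1.1", TCP, 40002, 443),
    build_frame("192.168.1.1", "192.168.1.50", TCP, 80, 40001),
    build_frame("10.0.0.5", "192.168.1.1", UDP, 5353, 53),
    build_frame("192.168.1.50", "8.8.8.8", UDP, 51000, 53, b"x" * 40),  # 82 bytes
]


def demo(path="example.pcap"):
    """Write the sample capture and return the match count of each filter."""
    full = encode_pcap(SAMPLE_FRAMES)
    with open(path, "wb") as fh:
        fh.write(full)
    results = {
        "dst host 192.168.1.1": count(full, dst_host("192.168.1.1")),
        "host 192.168.1.1": count(full, host("192.168.1.1")),
        "tcp dst portrange 1-1023": count(full, dst_portrange(1, 1023, TCP)),
        "dst host 192.168.1.1 and (dst port 80 or dst port 443)":
            count(full, both(dst_host("192.168.1.1"), either(dst_port(80), dst_port(443)))),
    }
    # -s 68: the 82-byte UDP frame is cut to 68 bytes; its real length survives
    results["records truncated at -s 68"] = sum(
        1 for r in parse_pcap(encode_pcap(SAMPLE_FRAMES, snaplen=68)) if r["caplen"] < r["len"])
    return results


if __name__ == "__main__":
    for expr, n in demo().items():
        print("%-55s %d" % (expr, n))
```

Running it prints four matches for `dst host 192.168.1.1`, five for `host 192.168.1.1`, three for `tcp dst portrange 1-1023`, two for the combined expression, and one record truncated at snaplen 68; running `tcpdump -n -r example.pcap 'dst host 192.168.1.1 and (dst port 80 or dst port 443)'` against the written file should list the same two packets. The generator is also a convenient way to produce known-answer files for testing filters before pointing tcpdump at production traffic.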
