🖥️tcpdump

➡️This is a command-line reference manual for commands and command combinations that you don’t use often enough to remember them. This cheatsheet explains the tcpdump command with its important options and switches, using examples.

▁ ▂ ▃ ▄ ꧁ 🔴☠ COMMANDLINE-KUNGFU WITH CHEATSHEETS ☠🔴꧂▅ ▃ ▂ ▁

#    ████████╗ ██████╗██████╗ ██████╗ ██╗   ██╗███╗   ███╗██████╗ 
#    ╚══██╔══╝██╔════╝██╔══██╗██╔══██╗██║   ██║████╗ ████║██╔══██╗
#       ██║   ██║     ██████╔╝██║  ██║██║   ██║██╔████╔██║██████╔╝
#       ██║   ██║     ██╔═══╝ ██║  ██║██║   ██║██║╚██╔╝██║██╔═══╝ 
#       ██║   ╚██████╗██║     ██████╔╝╚██████╔╝██║ ╚═╝ ██║██║     
#       ╚═╝    ╚═════╝╚═╝     ╚═════╝  ╚═════╝ ╚═╝     ╚═╝╚═╝     
                

###############
# Basic Usage #
###############

#Capture packets on a particular interface (eth0)
#Note that tcpdump (without the '-i eth0') is also valid if you are only using one interface
tcpdump -i eth0

#Capture packets with more detailed output
tcpdump -i eth0 -nnvvS

#Display captured packets in both HEX and ASCII format
tcpdump -XX -i eth0

#Write captured packets into a file (can be read by tools such as Wireshark, Snort, etc)
tcpdump -w yourfilename.pcap -i eth0

#Read packets from a saved packet capture file
tcpdump -tttt -r yoursavedfile.pcap

#Display IP addresses instead of hostnames when capturing packets
tcpdump -n -i eth0

#Capture packets from a particular source/destination IP address
tcpdump src 192.168.1.1
tcpdump dst 192.168.1.1

#Capture packets from a particular source/destination port number
tcpdump src port 53
tcpdump dst port 21

#Capture an entire network's traffic using CIDR notation
tcpdump net 192.168.1.0/24

#Capture traffic to or from a port
tcpdump port 3389

#Display captured packets above or below a certain size (in bytes)
tcpdump less 64
tcpdump greater 256

##################
# Advanced Usage #
##################

#More complex statements can be formed with the use of logical operators: and(&&), or(||), not(!)
#Examples:

#Capture all traffic from 192.168.1.10 with destination port 80 (with verbose output)
tcpdump -nnvvS src 192.168.1.10 and dst port 80

#Capture traffic originating from the 172.16.0.0/16 network with destination network 192.168.1.0/24 or 10.0.0.0/8
#('and' binds tighter than 'or', so the parentheses are required; quote the expression so the shell leaves them alone)
tcpdump 'src net 172.16.0.0/16 and (dst net 192.168.1.0/24 or 10.0.0.0/8)'

#Capture all traffic originating from host H1 that isn't going to port 53
tcpdump src H1 and not dst port 53

#With some complex queries you have to use single quotes so the shell does not interpret special characters, namely parentheses
#Capture traffic from 192.168.1.1 that is destined for ports 80 and 21
tcpdump 'src 192.168.1.1 and (dst port 80 or 21)'

                                                                            
# TCPDump is a packet analyzer. It allows the user to intercept and display TCP/IP
# and other packets being transmitted or received over a network. (cf Wikipedia).
# Note: 173.194.40.120 => google.com

# Intercepts all packets on eth0
tcpdump -i eth0

# Intercepts all packets from/to 173.194.40.120
tcpdump host 173.194.40.120

# Intercepts all packets on all interfaces from / to 173.194.40.120 port 80
# -nn => Disables name resolution for IP addresses and port numbers.
tcpdump -nn -i any host 173.194.40.120 and port 80

# Make a grep on tcpdump output (ASCII)
#    -A  => Print the packet payload in ASCII.
#    -s0 => Capture whole packets (by default, tcpdump only captures 68 bytes).
tcpdump -A -s0 -i any host 173.194.40.120 and port 80 | grep 'User-Agent'

# With ngrep (optional switches):
#    -d eth0   => force eth0 (otherwise ngrep works on all interfaces)
#    -s0       => force ngrep to look at the entire packet (default snaplen: 65536 bytes)
ngrep 'User-Agent' host 173.194.40.120 and port 80

# Intercepts all packets on all interfaces from / to 8.8.8.8 or 173.194.40.127 on port 80
tcpdump -i any 'host (8.8.8.8 or 173.194.40.127) and port 80'

# Intercepts the SYN and FIN packets of each TCP session.
tcpdump 'tcp[tcpflags] & (tcp-syn|tcp-fin) != 0'

# To display SYN and FIN packets of each TCP session to a host that is not on our network
tcpdump 'tcp[tcpflags] & (tcp-syn|tcp-fin) != 0 and not src and dst net local_addr'

# To display all IPv4 HTTP packets to and from port 80 that carry data (i.e. not SYN and FIN packets or ACK-only packets)
tcpdump 'tcp port 80 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)'

# Saving captured data
tcpdump -w file.cap

# Reading from capture file
tcpdump -r file.cap
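# Added example (not from this cheatsheet): the byte-offset filters above ('tcp[tcpflags] & (tcp-syn|tcp-fin) != 0' and the payload-length expression) evaluated in pure Python over a constructed capture in the classic libpcap format that -w writes and -r reads. Addresses, ports and frame contents are constructed test data; the pcap builder and reader are minimal and handle Ethernet captures only.

```python
import struct

# tcpdump's tcp-fin, tcp-syn, tcp-push, tcp-ack keywords are these bits of tcp[13] (tcp[tcpflags])
TCP_FIN, TCP_SYN, TCP_PSH, TCP_ACK = 0x01, 0x02, 0x08, 0x10
ETH_HDR = 14  # ip[n] in a tcpdump filter is indexed from the end of the 14-byte Ethernet header


def build_frame(src, dst, sport, dport, flags, payload=b""):
    """Constructed Ethernet/IPv4/TCP frame for testing; checksums are left as zero."""
    # TCP header: ports, seq, ack, data offset (5 words -> 0x50), flags, window, csum, urg
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, flags, 65535, 0, 0)
    # IPv4 header: ver/IHL 0x45, TOS, total length, id, DF flag, TTL, proto 6, csum, addresses
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp) + len(payload), 0, 0x4000,
                     64, 6, 0, bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    # Ethernet: zero MACs (constructed) and EtherType 0x0800 = IPv4
    return b"\x00" * 12 + b"\x08\x00" + ip + tcp + payload


def build_pcap(frames):
    """Serialise frames as classic libpcap (what tcpdump -w writes): magic, v2.4, snaplen, linktype 1."""
    blob = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, frame in enumerate(frames):
        # per-record header: ts_sec, ts_usec, captured length, original length
        blob += struct.pack("<IIII", 1_700_000_000 + i, 0, len(frame), len(frame)) + frame
    return blob


def read_pcap(blob):
    """Yield raw frames from a classic pcap blob, as tcpdump -r would read them."""
    magic, = struct.unpack_from("<I", blob, 0)
    if magic == 0xA1B2C3D4:
        endian = "<"
    elif magic == 0xD4C3B2A1:          # written on a big-endian host
        endian = ">"
    else:
        raise ValueError("not a classic pcap file (pcapng is not handled here)")
    linktype = struct.unpack_from(endian + "HHiIII", blob, 4)[5]
    if linktype != 1:
        raise ValueError("example only handles Ethernet (EN10MB) captures")
    pos = 24
    while pos + 16 <= len(blob):
        incl_len = struct.unpack_from(endian + "IIII", blob, pos)[2]
        pos += 16
        yield blob[pos:pos + incl_len]
        pos += incl_len


def tcp_layer(frame):
    """Return (ip, tcp) slices the way tcpdump's ip[...] and tcp[...] index them, or None."""
    if frame[12:14] != b"\x08\x00":          # not IPv4
        return None
    ip = frame[ETH_HDR:]
    if ip[9] != 6:                           # ip[9] is the protocol field; 6 = TCP
        return None
    ihl = (ip[0] & 0x0F) << 2                # IHL in 32-bit words -> header bytes
    return ip, ip[ihl:]


def syn_or_fin(frame):
    """'tcp[tcpflags] & (tcp-syn|tcp-fin) != 0'"""
    layers = tcp_layer(frame)
    return layers is not None and (layers[1][13] & (TCP_SYN | TCP_FIN)) != 0


def http_with_data(frame):
    """'tcp port 80 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)'"""
    layers = tcp_layer(frame)
    if layers is None:
        return False
    ip, tcp = layers
    if 80 not in struct.unpack_from("!HH", tcp, 0):      # 'tcp port 80': either direction
        return False
    total_len = struct.unpack_from("!H", ip, 2)[0]        # ip[2:2]
    ip_hdr_len = (ip[0] & 0x0F) << 2                      # (ip[0]&0xf)<<2
    tcp_hdr_len = (tcp[12] & 0xF0) >> 2                   # (tcp[12]&0xf0)>>2
    return total_len - ip_hdr_len - tcp_hdr_len != 0      # payload bytes remain


def matching_records(blob, predicate):
    """Indexes of the pcap records that the filter accepts."""
    return [i for i, frame in enumerate(read_pcap(blob)) if predicate(frame)]


# Constructed capture: SYN to :80, request carrying data, bare ACK from :80, FIN|ACK on :22
SAMPLE_PCAP = build_pcap([
    build_frame("192.168.0.2", "50.116.66.139", 59896, 80, TCP_SYN),
    build_frame("192.168.0.2", "50.116.66.139", 59896, 80, TCP_PSH | TCP_ACK, b"GET / HTTP/1.0\r\n\r\n"),
    build_frame("50.116.66.139", "192.168.0.2", 80, 59896, TCP_ACK),
    build_frame("192.168.0.2", "192.168.0.1", 22, 51000, TCP_FIN | TCP_ACK),
])

if __name__ == "__main__":
    print("SYN/FIN records:", matching_records(SAMPLE_PCAP, syn_or_fin))        # [0, 3]
    print("HTTP data records:", matching_records(SAMPLE_PCAP, http_with_data))  # [1]
```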

# Show content in hex
# Change -x to -xx => also show the link-level (Ethernet) header.
tcpdump -x

# Show content in hex and ASCII
# Change -X to -XX => also show the link-level (Ethernet) header.
tcpdump -X

# Note on packet matching:
# Port matching:
# 	- portrange 22-23
# 	- not port 22
# 	- port ssh
# 	- dst port 22
# 	- src port 22
#
# Host matching:
# 	- dst host 8.8.8.8
# 	- not dst host 8.8.8.8
# 	- src net 67.207.148.0 mask 255.255.255.0
# 	- src net 67.207.148.0/24

#==============================##==============================#
# CMD tcpdump traceanon tracediff tracemerge tracereplay       #
#==============================##==============================#

#####################################

# 12 Tcpdump Commands – A Network Sniffer Tool
#===============================================

# In our previous article, we looked at 20 Netstat commands to monitor or manage a Linux network. This is another entry in our ongoing series, on the packet sniffer tool tcpdump. Here we show how to install tcpdump, then discuss some useful commands with practical examples.

# tcpdump is a powerful and widely used command-line packet sniffer (packet analyzer) used to capture or filter TCP/IP packets received or transmitted over a network on a specific interface. It is available on most Linux/Unix based operating systems. tcpdump can also save captured packets to a file for later analysis. It saves the file in pcap format, which can be read back with the tcpdump command or with the open source GUI tool Wireshark (Network Protocol Analyzer).

# 1. Capture Packets from Specific Interface
#--------------------------------------------
# The output scrolls until you interrupt it. When executed without options, tcpdump captures from all interfaces; with the -i switch it captures only from the desired interface.

tcpdump -i eth0
    tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
    listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
    11:33:31.976358 IP 172.16.25.126.ssh > 172.16.25.125.apwi-rxspooler: Flags [P.], seq 3500440357:3500440553, ack 3652628334, win 18760, length 196
    11:33:31.976603 IP 172.16.25.125.apwi-rxspooler > 172.16.25.126.ssh: Flags [.], ack 196, win 64487, length 0
    11:33:31.977243 ARP, Request who-has tecmint.com tell 172.16.25.126, length 28
    11:33:31.977359 ARP, Reply tecmint.com is-at 00:14:5e:67:26:1d (oui Unknown), length 46
    11:33:31.977367 IP 172.16.25.126.54807 > tecmint.com: 4240+ PTR? 125.25.16.172.in-addr.arpa. (44)
    11:33:31.977599 IP tecmint.com > 172.16.25.126.54807: 4240 NXDomain 0/1/0 (121)
    11:33:31.977742 IP 172.16.25.126.44519 > tecmint.com: 40988+ PTR? 126.25.16.172.in-addr.arpa. (44)
    11:33:32.028747 IP 172.16.20.33.netbios-ns > 172.16.31.255.netbios-ns: NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST
    11:33:32.112045 IP 172.16.21.153.netbios-ns > 172.16.31.255.netbios-ns: NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST
    11:33:32.115606 IP 172.16.21.144.netbios-ns > 172.16.31.255.netbios-ns: NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST
    11:33:32.156576 ARP, Request who-has 172.16.16.37 tell old-oraclehp1.midcorp.mid-day.com, length 46
    11:33:32.348738 IP tecmint.com > 172.16.25.126.44519: 40988 NXDomain 0/1/0 (121)

# 2. Capture Only N Number of Packets
#-----------------------------------
# When you run tcpdump, it captures all packets on the specified interface until you interrupt it. With the -c option you can capture a specified number of packets. The example below captures only 6 packets.

tcpdump -c 5 -i eth0
    tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
    listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
    11:40:20.281355 IP 172.16.25.126.ssh > 172.16.25.125.apwi-rxspooler: Flags [P.], seq 3500447285:3500447481, ack 3652629474, win 18760, length 196
    11:40:20.281586 IP 172.16.25.125.apwi-rxspooler > 172.16.25.126.ssh: Flags [.], ack 196, win 65235, length 0
    11:40:20.282244 ARP, Request who-has tecmint.com tell 172.16.25.126, length 28
    11:40:20.282360 ARP, Reply tecmint.com is-at 00:14:5e:67:26:1d (oui Unknown), length 46
    11:40:20.282369 IP 172.16.25.126.53216 > tecmint.com.domain: 49504+ PTR? 125.25.16.172.in-addr.arpa. (44)
    11:40:20.332494 IP tecmint.com.netbios-ssn > 172.16.26.17.nimaux: Flags [P.], seq 3058424861:3058424914, ack 693912021, win 64190, length 53 NBT Session Packet: Session Message
    6 packets captured
    23 packets received by filter
    0 packets dropped by kernel

# 3. Print Captured Packets in ASCII
#----------------------------------
# The tcpdump command below with option -A displays the packets in ASCII, a character-encoding format.

tcpdump -A -i eth0
    tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
    listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
    09:31:31.347508 IP 192.168.0.2.ssh > 192.168.0.1.nokia-ann-ch1: Flags [P.], seq 3329372346:3329372542, ack 4193416789, win 17688, length 196
    M.r0...vUP.E.X.......~.%..>N..oFk.........KQ..)Eq.d.,....r^l......m\.[email protected]_..J....i.*.....2f.mQH...Q.c...6....9.v.gb........;..4.).UiCY]..9..x.)..Z.XF....|..E......M..u.5.......ul
    09:31:31.347760 IP 192.168.0.1.nokia-ann-ch1 > 192.168.0.2.ssh: Flags [.], ack 196, win 64351, length 0
    M....vU.r1~P.._..........
    ^C09:31:31.349560 IP 192.168.0.2.46393 > b.resolvers.Level3.net.domain: 11148+ PTR? 1.0.168.192.in-addr.arpa. (42)
    E..F..@[email protected]+............1.0.168.192.in-addr.arpa.....
    3 packets captured
    11 packets received by filter
    0 packets dropped by kernel

# 4. Display Available Interfaces
#--------------------------------
# To list the interfaces available for capture on the system, run the following command with the -D option.

tcpdump -D
    1.eth0
    2.eth1
    3.usbmon1 (USB bus number 1)
    4.usbmon2 (USB bus number 2)
    5.usbmon3 (USB bus number 3)
    6.usbmon4 (USB bus number 4)
    7.usbmon5 (USB bus number 5)
    8.any (Pseudo-device that captures on all interfaces)
    9.lo

# 5. Display Captured Packets in HEX and ASCII
#-----------------------------------------------
# The following command with option -XX captures the data of each packet, including its link-level header, in HEX and ASCII format.

tcpdump -XX -i eth0
    11:51:18.974360 IP 172.16.25.126.ssh > 172.16.25.125.apwi-rxspooler: Flags [P.], seq 3509235537:3509235733, ack 3652638190, win 18760, length 196
    0x0000:  b8ac 6f2e 57b3 0001 6c99 1468 0800 4510  ..o.W...l..h..E.
    0x0010:  00ec 8783 4000 4006 275d ac10 197e ac10  ....@.@.]...~..
    0x0020:  197d 0016 1129 d12a af51 d9b6 d5ee 5018  .}...).*.Q....P.
    0x0030:  4948 8bfa 0000 0e12 ea4d 22d1 67c0 f123  IH.......M.g..#
    0x0040:  9013 8f68 aa70 29f3 2efc c512 5660 4fe8  ...h.p).....VO.
    0x0050:  590a d631 f939 dd06 e36a 69ed cac2 95b6  Y..1.9...ji.....
    0x0060:  f8ba b42a 344b 8e56 a5c4 b3a2 ed82 c3a1  ...*4K.V........
    0x0070:  80c8 7980 11ac 9bd7 5b01 18d5 8180 4536  ..y.....[.....E6
    0x0080:  30fd 4f6d 4190 f66f 2e24 e877 ed23 8eb0  0.OmA..o.$.w.#..
    0x0090:  5a1d f3ec 4be4 e0fb 8553 7c85 17d9 866f  Z...K....S|....o
    0x00a0:  c279 0d9c 8f9d 445b 7b01 81eb 1b63 7f12  .y....D[{....c..
    0x00b0:  71b3 1357 52c7 cf00 95c6 c9f6 63b1 ca51  q..WR.......c..Q
    0x00c0:  0ac6 456e 0620 38e6 10cb 6139 fb2a a756  ..En..8...a9.*.V
    0x00d0:  37d6 c5f3 f5f3 d8e8 3316 d14f d7ab fd93  7.......3..O....
    0x00e0:  1137 61c1 6a5c b4d1 ddda 380a f782 d983  .7a.j\....8.....
    0x00f0:  62ff a5a9 bb39 4f80 668a                 b....9O.f.
    11:51:18.974759 IP 172.16.25.126.60952 > mddc-01.midcorp.mid-day.com.domain: 14620+ PTR? 125.25.16.172.in-addr.arpa. (44)
    0x0000:  0014 5e67 261d 0001 6c99 1468 0800 4500  ..^g&...l..h..E.
    0x0010:  0048 5a83 4000 4011 5e25 ac10 197e ac10  .HZ.@.@.^%...~..
    0x0020:  105e ee18 0035 0034 8242 391c 0100 0001  .^...5.4.B9.....
    0x0030:  0000 0000 0000 0331 3235 0232 3502 3136  .......125.25.16
    0x0040:  0331 3732 0769 6e2d 6164 6472 0461 7270  .172.in-addr.arp
    0x0050:  6100 000c 0001                           a.....

# 6. Capture and Save Packets in a File
#----------------------------------------
# As we said, tcpdump can capture and save packets to a file in .pcap format; to do this, run the command with the -w option.

tcpdump -w 0001.pcap -i eth0
    tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
    4 packets captured
    4 packets received by filter
    0 packets dropped by kernel

# 7. Read Captured Packets File
#--------------------------------
# To read and analyze captured packet 0001.pcap file use the command with -r option, as shown below.

tcpdump -r 0001.pcap
    reading from file 0001.pcap, link-type EN10MB (Ethernet)
    09:59:34.839117 IP 192.168.0.2.ssh > 192.168.0.1.nokia-ann-ch1: Flags [P.], seq 3353041614:3353041746, ack 4193563273, win 18760, length 132
    09:59:34.963022 IP 192.168.0.1.nokia-ann-ch1 > 192.168.0.2.ssh: Flags [.], ack 132, win 65351, length 0
    09:59:36.935309 IP 192.168.0.1.netbios-dgm > 192.168.0.255.netbios-dgm: NBT UDP PACKET(138)
    09:59:37.528731 IP 192.168.0.1.nokia-ann-ch1 > 192.168.0.2.ssh: Flags [P.], seq 1:53, ack 132, win 65351, length 5

# 8. Capture IP address Packets
#-------------------------------
# To print numeric IP addresses instead of resolving hostnames in the capture, run the following command with option -n.

tcpdump -n -i eth0
    tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
    listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
    12:07:03.952358 IP 172.16.25.126.ssh > 172.16.25.125.apwi-rxspooler: Flags [P.], seq 3509512873:3509513069, ack 3652639034, win 18760, length 196
    12:07:03.952602 IP 172.16.25.125.apwi-rxspooler > 172.16.25.126.ssh: Flags [.], ack 196, win 64171, length 0
    12:07:03.953311 IP 172.16.25.126.ssh > 172.16.25.125.apwi-rxspooler: Flags [P.], seq 196:504, ack 1, win 18760, length 308
    12:07:03.954288 IP 172.16.25.126.ssh > 172.16.25.125.apwi-rxspooler: Flags [P.], seq 504:668, ack 1, win 18760, length 164
    12:07:03.954502 IP 172.16.25.125.apwi-rxspooler > 172.16.25.126.ssh: Flags [.], ack 668, win 65535, length 0
    12:07:03.955298 IP 172.16.25.126.ssh > 172.16.25.125.apwi-rxspooler: Flags [P.], seq 668:944, ack 1, win 18760, length 276
    12:07:03.955425 IP 172.16.23.16.netbios-ns > 172.16.31.255.netbios-ns: NBT UDP PACKET(137): REGISTRATION; REQUEST; BROADCAST
    12:07:03.956299 IP 172.16.25.126.ssh > 172.16.25.125.apwi-rxspooler: Flags [P.], seq 944:1236, ack 1, win 18760, length 292
    12:07:03.956535 IP 172.16.25.125.apwi-rxspooler > 172.16.25.126.ssh: Flags [.], ack 1236, win 64967, length 0

# 9. Capture only TCP Packets
#-----------------------------
# To capture only TCP packets, run the following command with the filter keyword tcp.

tcpdump -i eth0 tcp
    tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
    listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
    12:10:36.216358 IP 172.16.25.126.ssh > 172.16.25.125.apwi-rxspooler: Flags [P.], seq 3509646029:3509646225, ack 3652640142, win 18760, length 196
    12:10:36.216592 IP 172.16.25.125.apwi-rxspooler > 172.16.25.126.ssh: Flags [.], ack 196, win 64687, length 0
    12:10:36.219069 IP 172.16.25.126.ssh > 172.16.25.125.apwi-rxspooler: Flags [P.], seq 196:504, ack 1, win 18760, length 308
    12:10:36.220039 IP 172.16.25.126.ssh > 172.16.25.125.apwi-rxspooler: Flags [P.], seq 504:668, ack 1, win 18760, length 164
    12:10:36.220260 IP 172.16.25.125.apwi-rxspooler > 172.16.25.126.ssh: Flags [.], ack 668, win 64215, length 0
    12:10:36.222045 IP 172.16.25.126.ssh > 172.16.25.125.apwi-rxspooler: Flags [P.], seq 668:944, ack 1, win 18760, length 276
    12:10:36.223036 IP 172.16.25.126.ssh > 172.16.25.125.apwi-rxspooler: Flags [P.], seq 944:1108, ack 1, win 18760, length 164
    12:10:36.223252 IP 172.16.25.125.apwi-rxspooler > 172.16.25.126.ssh: Flags [.], ack 1108, win 65535, length 0
    ^C12:10:36.223461 IP mid-pay.midcorp.mid-day.com.netbios-ssn > 172.16.22.183.recipe: Flags [.], seq 283256512:283256513, ack 550465221, win 65531, length 1[|SMB]

# 10. Capture Packet from Specific Port
#-----------------------------------------
# Let’s say you want to capture packets on port 22; execute the command below, specifying port number 22 as shown.

tcpdump -i eth0 port 22
    tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
    listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
    10:37:49.056927 IP 192.168.0.2.ssh > 192.168.0.1.nokia-ann-ch1: Flags [P.], seq 3364204694:3364204890, ack 4193655445, win 20904, length 196
    10:37:49.196436 IP 192.168.0.2.ssh > 192.168.0.1.nokia-ann-ch1: Flags [P.], seq 4294967244:196, ack 1, win 20904, length 248
    10:37:49.196615 IP 192.168.0.1.nokia-ann-ch1 > 192.168.0.2.ssh: Flags [.], ack 196, win 64491, length 0
    10:37:49.379298 IP 192.168.0.2.ssh > 192.168.0.1.nokia-ann-ch1: Flags [P.], seq 196:616, ack 1, win 20904, length 420
    10:37:49.381080 IP 192.168.0.2.ssh > 192.168.0.1.nokia-ann-ch1: Flags [P.], seq 616:780, ack 1, win 20904, length 164
    10:37:49.381322 IP 192.168.0.1.nokia-ann-ch1 > 192.168.0.2.ssh: Flags [.], ack 780, win 65535, length 0

# 11. Capture Packets from source IP
#-------------------------------------
# To capture packets from a specific source IP, say 192.168.0.2, use the command as follows.

tcpdump -i eth0 src 192.168.0.2
    tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
    listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
    10:49:15.746474 IP 192.168.0.2.ssh > 192.168.0.1.nokia-ann-ch1: Flags [P.], seq 3364578842:3364579038, ack 4193668445, win 20904, length 196
    10:49:15.748554 IP 192.168.0.2.56200 > b.resolvers.Level3.net.domain: 11289+ PTR? 1.0.168.192.in-addr.arpa. (42)
    10:49:15.912165 IP 192.168.0.2.56234 > b.resolvers.Level3.net.domain: 53106+ PTR? 2.0.168.192.in-addr.arpa. (42)
    10:49:16.074720 IP 192.168.0.2.33961 > b.resolvers.Level3.net.domain: 38447+ PTR? 2.2.2.4.in-addr.arpa. (38)

# 12. Capture Packets from destination IP
#-------------------------------------------
# To capture packets sent to a specific destination IP, say 50.116.66.139, use the command as follows.

tcpdump -i eth0 dst 50.116.66.139
    tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
    listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
    10:55:01.798591 IP 192.168.0.2.59896 > 50.116.66.139.http: Flags [.], ack 2480401451, win 318, options [nop,nop,TS val 7955710 ecr 804759402], length 0
    10:55:05.527476 IP 192.168.0.2.59894 > 50.116.66.139.http: Flags [F.], seq 2521556029, ack 2164168606, win 245, options [nop,nop,TS val 7959439 ecr 804759284], length 0
    10:55:05.626027 IP 192.168.0.2.59894 > 50.116.66.139.http: Flags [.], ack 2, win 245, options [nop,nop,TS val 7959537 ecr 804759787], length 0
    
    

######################################

##Collect a particular interface's traffic
# Perhaps the most common usage of the tcpdump command is to listen to network traffic on a network interface. To do this we use the -i option followed by the interface name. Use the keyword any and tcpdump will listen to network traffic on all interfaces.
tcpdump -i ens33

##Omit name resolution for host-names and port numbers
# The default behavior of tcpdump is to resolve hostnames and port numbers, as is evident from the output of the previous example. To save the time spent resolving hostnames, use the -n option to instruct tcpdump to print strictly numeric output: IP addresses and port numbers only.
tcpdump -n -i ens33

##Capture only X number of packets.
# The tcpdump command continues to capture packets and report them until we cancel it. Use the -c option to limit the number of packets it captures. In the example below we capture only five packets on the network interface ens33.
tcpdump -c 5 -i ens33

##List available interfaces
# To list the network interfaces on the system available for use by tcpdump, use the -D option. Notice that USB ports are also included in the output because tcpdump can listen for USB protocol from USB interfaces and other special Kernel devices.
tcpdump -D

##Display captured packets in ASCII
# ASCII is a character encoding format. To display packets captured by tcpdump in ASCII encoding use the -A option with the tcpdump command.
tcpdump -A -c 5 -i ens33

##Captured Packets in HEX and ASCII
# In case you would like to analyze captured packets in HEX and ASCII format, use the -XX option. When this option is set, tcpdump displays data of each packet, including its link level header in HEX and ASCII format.

tcpdump -XX -c 2 -i ens33

##Be more verbose
# To increase the verbosity of the tcpdump output, use the -vvv option. This also reports the TTL, total length and options of the IP packets.
tcpdump -vvv -c 2 -i ens33

##Traffic on a particular port
# Filter and capture traffic on a single port by specifying the keyword port along with the port number. The command below captures traffic on tcp port 22 only.

tcpdump -c 5 -i ens33 port 22
		tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
		listening on ens33, link-type EN10MB (Ethernet), capture size 262144 bytes
		.............
		5 packets captured
		15 packets received by filter
		4 packets dropped by kernel

##Capture packets aimed at a destination address
# Capture and filter packets being transmitted to a particular destination address, as shown in the example below.

tcpdump dst 192.168.87.144
		19 packets captured
		40 packets received by filter
		15 packets dropped by kernel
# The example above captured all traffic directed to IP address 192.168.87.144.

##Packets originating from a source IP address
# Capture and filter packets originating from a particular source address, as shown in the example below.
tcpdump src 192.168.87.144

##Collect particular hostname dump
# We can use tcpdump command to capture communication with a particular host whether it is the source or destination of the communication. The below example captures all communication related to the hostname google.com
tcpdump host google.com

##Output to a file
# Store the output of the tcpdump command in a file and retrieve it later for further analysis. To write captured packets to a file we use the -w option followed by the name of the file to write to.
tcpdump -c 5 port 22 -w ssh_traffic.pcap

##Read from a file
# To read a packet capture from a file we use the -r option. In the example below we read from the file we wrote earlier.
tcpdump -r ssh_traffic.pcap

##Setting up custom filters
# Use logical and, or and not to create custom filters for the tcpdump command. For example, run tcpdump to capture traffic directed at host 192.168.87.144 on ports 22 and 80 only.
tcpdump dst host 192.168.87.144 and "(dst port 22 or dst port 80)"

tcpdump -i eth0 dst net 127.0.0.0/8
# It's a pretty weird day when you find yourself running a command like this to diagnose a problem.

tcpdump -l icmp[icmptype]=icmp-echo | awk '{if (!arr[$3]){print $3;arr[$3]++}}'
# Show new pingers. -l makes tcpdump line-buffered.

tcpdump -n -i $if

traceanon [options] $sourceuri $desturi

tracediff [ -m $maxdiff ] $firsturi $seconduri

tracemerge [ options ] $outputuri $inputuri ...

tracereplay [ options ] $inputuri $outputuri

tcpdump -c 50 -s 0 -i eth1 -A host 192.168.1.1 and tcp port http
# tcpdump to sniff HTTP traffic from a specific host - Linux command to dump HTTP packets
#    The parameter breakdown:
#	-c 50: Capture 50 packets then exit.
#	-s 0: Print all payload data, no limit.
#	-i eth1: Capture packets on interface eth1.
#	-A: Print packets in ASCII.
#	host 192.168.1.1: Only capture packets coming to or from 192.168.1.1.
#	and tcp port http: Only capture TCP HTTP packets.

tcpdump -nn -v -i eth0 -s 1500 -c 1 'ether[20:2] == 0x2000' 
# Dump information from a CDP frame received on eth0

# Get packets from all interfaces -> To get the network packets from all network interfaces, run the following command,
tcpdump -i any

 

# Get packets from a single interfaces -> To get the network packets from a single interface, use
tcpdump -i eth0

 

# Writing captured packets to file -> To write all the captured packets to a file, use the ‘-w’ option,
tcpdump -i eth1 -w packets_file

 

# Reading an old tcpdump file -> To read an already created, old tcpdump file, use the following command,
tcpdump -r packets_file

 

# Getting more packets information with readable timestamps -> To get more information regarding the packets along with readable timestamp, use
tcpdump -ttttnnvvS

 

# Check packets of whole network -> To get the packets for whole network, execute the following command from terminal
tcpdump net 192.168.1.0/24

 

# Check packets based on IP address -> Get all the packets based on the IP address, whether source or destination or both, using the following command,
tcpdump host 192.168.1.100

# To get packets based on source or destination of an IP address, use
tcpdump src 192.168.1.100
tcpdump dst 192.168.1.100

 

# Check packets for a protocol or port number -> To check all the packets used based on the protocol, run the following command
tcpdump ssh

# To get packets for a single port or for a range of ports:
#		-> We can also use ‘src’ & ‘dst’ to get packets for ports based on source & destination.
#		-> We can also combine two conditions with AND (and, &&), OR (or, ||) & EXCEPT (not, !). This helps when we have to analyze network packets based on some conditions.
tcpdump port 22
tcpdump portrange 22-125

 

# Using AND -> We can use ‘and’ or the symbol ‘&&’ to combine two or more conditions with tcpdump. Quote the expression so the shell does not treat && as a command separator. An example would be,
tcpdump -w ssh_packets 'src 192.168.1.100 && port 22'

 

# Using OR -> OR will check the packet against any one of the mentioned conditions in the command, like
tcpdump -w ssh_packets '(src 192.168.1.100 or dst 192.168.1.50) && port 22'
tcpdump -w http_packets 'port 443 or 80'

 

# Using EXCEPT -> EXCEPT is used when we want to exclude packets that match a condition. -> This will monitor all the traffic on eth0 but will not capture source port 22.
tcpdump -i eth0 src port not 22

# tcpdump in NL, rotating into 100 MB files (-C 100); -K skips checksum verification, -n disables name resolution
tcpdump -i eth0 -w /root/bin/pk_traces -C 100 -K -n

# See entire packet payload using tcpdump.
tcpdump -nnvvXSs 1514 -i <device> <filters>

# Check if loopback network interface is working
tcpdump -i lo -nv ip

tcpdump -nn -l port 25 | grep -i 'MAIL FROM\|RCPT TO'
# Capture SMTP / POP3 Email

tcpdump -s 0 -A -n -l | egrep -i "POST /|pwd=|passwd=|password=|Host:"
# Extract HTTP Passwords in POST Requests

tcpdump -nn -v port ftp or ftp-data
# Capture FTP credentials and commands

tcpdump port http or port ftp or port smtp or port imap or port pop3 or port telnet -l -A | egrep -i -B5 'pass=|pwd=|log=|login=|user=|username=|pw=|passw=|passwd=|password=|pass:|user:|username:|password:|login:|pass |user '
# Capture all plaintext passwords

# Dump network traffic with tcpdump to file with time-stamp in its filename
date +"%Y-%m-%d_%H-%M-%Z" | xargs -I {} bash -c "sudo tcpdump -nq -s 0 -i eth0 -w ./dump-{}.pcap"
# Explanation: this dumps the traffic into a file with a time-stamp in its name. Example filename:
# dump-2013-05-17_15-46-UTC.pcap

# Using tcpdump with port ranges and file count/size
#   -C 500 -W 100  => start a new file every 500 MB, keeping at most 100 files (ring buffer)
#   -Z <user_name> => drop privileges to this user once the capture device is open
#   (tcpdump's -f takes no argument, so the filter expression is given on its own)
tcpdump -i any -s 0 -n -Z <user_name> -C 500 -W 100 -w /home/<user_name>/$(hostname).pcap '(port (# or # or # or # or # or # or ...) or portrange <start>-<end>)' &>/dev/null

░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░

  █║▌│║█║▌★ KALI ★ PARROT ★ DEBIAN 🔴 PENTESTING ★ HACKING ★ █║▌│║█║▌

              ██╗ ██╗ ██████╗  ██████╗ ██╗  ██╗███████╗██████╗
             ████████╗██╔══██╗██╔═══██╗╚██╗██╔╝██╔════╝██╔══██╗
             ╚██╔═██╔╝██║  ██║██║   ██║ ╚███╔╝ █████╗  ██║  ██║
             ████████╗██║  ██║██║   ██║ ██╔██╗ ██╔══╝  ██║  ██║
             ╚██╔═██╔╝██████╔╝╚██████╔╝██╔╝ ██╗███████╗██████╔╝
              ╚═╝ ╚═╝ ╚═════╝  ╚═════╝ ╚═╝  ╚═╝╚══════╝╚═════╝

               █║▌│║█║▌ WITH COMMANDLINE-KUNGFU POWER █║▌│║█║▌

░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░