tcpdump is a command-line packet analyzer: it captures traffic on a network interface (or reads it back from a saved capture file) and prints a one-line summary, or the full contents, of each packet. It comes in handy when you need to analyse traffic from a terminal, for example on a server without a GUI, and it covers most of what Wireshark does for capturing and filtering. Both tools use the same BPF capture-filter syntax, and a file written with tcpdump -w is a pcap file that Wireshark can open for deeper analysis.

Capturing live traffic requires root (or the CAP_NET_RAW and CAP_NET_ADMIN capabilities); reading a saved capture file does not.

Installation Commands

CentOS and Red Hat
    sudo yum install tcpdump

Fedora
    sudo dnf install tcpdump

Ubuntu, Debian and Linux Mint
    sudo apt-get install tcpdump

Packet Capturing Options

tcpdump -i any
    Capture on all interfaces. On Linux "any" is a pseudo-interface that delivers packets in cooked mode, so link-level (Ethernet) headers are not available.

tcpdump -i eth0
    Capture on a specific interface (here eth0).

tcpdump -i eth0 -c 10
    Capture the first 10 packets and exit.

tcpdump -D
    List the interfaces tcpdump can capture on.

tcpdump -i eth0 -A
    Print each packet's contents in ASCII (useful for cleartext protocols such as HTTP).

tcpdump -i eth0 -w capture.pcap
    Write the raw packets to a file. The file is binary pcap, not text; read it back with tcpdump -r or open it in Wireshark.

tcpdump -r capture.pcap
    Read and analyze a saved capture file. A filter expression can be applied on read, e.g. tcpdump -r capture.pcap 'port 80'.

tcpdump -n -i eth0
    Do not resolve IP addresses to host names (no DNS lookups during capture).

tcpdump -nn -i eth0
    Do not resolve addresses or port numbers to names; on older versions -n alone still printed service names for ports.

tcpdump -i eth0 -c 10 -w capture.pcap tcp
    Capture 10 TCP packets only and save them to a file.

tcpdump -i eth0 port 80
    Capture traffic to or from a given port only.

tcpdump host 192.168.1.100
    Capture packets to or from a specific host.

tcpdump net 10.1.1.0/24
    Capture packets to or from a subnet. The host bits must be zero: tcpdump rejects an expression such as net 10.1.1.0/16 with "non-network bits set".

tcpdump src 10.1.1.100
    Capture packets from a specific source address.

tcpdump dst 10.1.1.100
    Capture packets to a specific destination address.

tcpdump port http
    Filter on a service name. The name is looked up in /etc/services, so port http is the same as port 80.

tcpdump port 80
    Filter on a port number.

tcpdump portrange 21-125
    Filter on a port range.

tcpdump -s 0 port http
    Capture whole packets (snaplen 0 means no limit). Modern tcpdump defaults to 262144 bytes, but older versions truncated packets at 68 or 96 bytes, which cuts off payloads.

tcpdump ip6
    Show only IPv6 packets.

tcpdump -d 'port 80'
    Dump the compiled BPF program for a filter expression in human-readable form, without capturing. Useful to check what a complex filter actually matches (-dd prints it as a C fragment, -ddd as decimal numbers).

tcpdump -F filter.txt
    Read the filter expression from a file; any expression on the command line is ignored.

tcpdump -I -i wlan0
    Put the (802.11) interface into monitor mode.

tcpdump -L -i eth0
    List the data link types the interface supports.

tcpdump -N -r capture.pcap
    Print only the host part of names, without the domain qualification (e.g. nic instead of nic.ddn.mil).

tcpdump -K -r capture.pcap
    Do not verify IP, TCP or UDP checksums. Handy when checksum offloading makes locally sent packets show up with "bad cksum" in the capture.

tcpdump -p -i eth0
    Do not put the interface into promiscuous mode.

Logical Operators

Quote the expression when it contains characters the shell would interpret (&&, ||, !, parentheses, < or >).

less
    tcpdump 'less 32'
    Show packets whose length is less than or equal to 32 bytes (same as 'len <= 32').

greater
    tcpdump 'greater 32'
    Show packets whose length is greater than or equal to 32 bytes (same as 'len >= 32').

and, &&
    tcpdump -n src 192.168.1.1 and dst port 21
    Both conditions must match.

not, !
    tcpdump dst 10.1.1.1 and not icmp
    Negate a condition.

or, ||
    tcpdump 'dst 10.1.1.1 or icmp'
    Either condition can match.

Display Options

-q
    Quiet mode: print less protocol detail per line.
-t
    Do not print a timestamp on each line.
-v
    Slightly verbose output (e.g. TTL, IP ID, total length, checksums).
-vv
    More verbose output.
-vvv
    Most verbose output.
-x
    Print each packet (minus its link-level header) in hex.
-xx
    Print each packet including its link-level header in hex.
-X
    Print each packet in hex and ASCII side by side, excluding the link-level header.
-XX
    Print each packet in hex and ASCII side by side, including the link-level header.
-e
    Print the link-level (Ethernet) header, i.e. source and destination MAC addresses, on each line.
-S
    Print absolute rather than relative TCP sequence numbers.

Examples

The examples below use 172.31.7.188 as the local host's address and combine -vv (verbose), -nn (no name resolution) and -S (absolute sequence numbers).

Track all UDP traffic initiated by the host (useful when checking whether a host is being abused as a reflector in a DNS amplification attack):
    tcpdump -i any 'udp && src host 172.31.7.188' -vvnnS

Track DNS traffic arriving at the host:
    tcpdump -i any '(udp && port 53 && dst host 172.31.7.188)' -vvnnS

Track TCP SYN packets sent by the host, i.e. the host trying to initiate TCP connections to external systems:
    tcpdump -i any '((tcp[tcpflags] == tcp-syn) && src 172.31.7.188)' -vvnnS

Track TCP SYN-ACK packets sent to the host, i.e. external systems acknowledging a connection request. 18 is SYN (2) plus ACK (16) in the flags byte tcp[13]; the same test can be written as tcp[tcpflags] == (tcp-syn|tcp-ack):
    tcpdump -i any '(tcp[13] = 18 and dst host 172.31.7.188)' -vvnnS

Track traffic into Redis and write all packets to a pcap file (the file can then be opened in Wireshark for analysis):
    tcpdump -i any 'dst port 6379' -vvnnS -w redis.pcap

Track all outbound UDP traffic except DNS:
    tcpdump -i any '(udp and not dst port 53 and src host 172.31.7.188)' -vvnnS

Track all traffic to and from a particular host and write it to a pcap file (the file can then be opened in Wireshark for analysis):
    tcpdump -i any 'host 172.31.7.188' -vvnnS -w host-172-31-7-188.pcap

Track all traffic on the host except SSH, HTTPS, DNS, RabbitMQ and ARP:
    tcpdump -i eth0 'not (port 22 or 443 or 53 or 5672) and not arp' -nnvvS

The HTTP examples below rely on -A (print payload as ASCII), -l (line-buffered output, so grep sees lines as they are captured instead of waiting for the buffer to fill) and -s0 (capture full packets so payloads are not truncated). They only work for cleartext HTTP; HTTPS payloads are encrypted.

Find HTTP User-Agents:
    tcpdump -vvAls0 | grep 'User-Agent:'

Find cleartext GET requests:
    tcpdump -vvAls0 | grep 'GET'

Find HTTP Host headers:
    tcpdump -vvAls0 | grep 'Host:'

Find HTTP cookies (the alternation needs grep -E, or the | characters are matched literally):
    tcpdump -vvAls0 | grep -E 'Set-Cookie|Host:|Cookie:'

Find SSH connections. This works regardless of the port the connection comes in on, because it matches the protocol banner rather than a port number: tcp[12]>>2 is the TCP header length, so the expression compares the first four payload bytes with 0x5353482D, which is the string "SSH-". Note that only the packet carrying the version banner matches, not the rest of the session.
    tcpdump 'tcp[(tcp[12]>>2):4] = 0x5353482D'

Find DNS traffic:
    tcpdump -vvAs0 port 53

Find FTP traffic (control and data channels; service names come from /etc/services):
    tcpdump -vvAs0 'port ftp or ftp-data'

Find NTP traffic:
    tcpdump -vvAs0 port 123
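The byte-offset filters in the examples above (tcp[13] = 18, tcp[tcpflags] == tcp-syn and the SSH banner match tcp[(tcp[12]>>2):4] = 0x5353482D) are easier to trust once you have seen exactly which bytes they index. The following Python script is an added example, not part of the original cheat sheet or of tcpdump itself: it builds constructed TCP segments in memory and evaluates the same byte tests that tcpdump's BPF filter would apply, so the arithmetic can be checked offline without root or a live capture. All ports, payloads and option bytes in it are made up for the demonstration.

```python
import struct

# Bit values of the flags byte tcp[13]; tcpdump's tcp-fin, tcp-syn, ... names stand for the same numbers.
TCP_FIN, TCP_SYN, TCP_RST, TCP_PSH, TCP_ACK, TCP_URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20

# "SSH-" read as a big-endian 32-bit integer: the constant in the filter
# tcp[(tcp[12]>>2):4] = 0x5353482D
SSH_BANNER_MAGIC = 0x5353482D


def build_tcp_segment(sport, dport, flags, payload=b"", options=b""):
    """Return a constructed TCP segment (header + options + payload), no IP layer.

    Header layout per RFC 793: byte 12's high nibble is the data offset in
    32-bit words, byte 13 holds the flag bits. Options must already be padded
    to a multiple of 4 bytes. Sequence number, window etc. are arbitrary.
    """
    if len(options) % 4:
        raise ValueError("TCP options must be padded to a multiple of 4 bytes")
    data_offset_words = 5 + len(options) // 4   # 5 words == 20-byte base header
    byte12 = data_offset_words << 4              # low nibble (reserved bits) stays zero
    header = struct.pack("!HHIIBBHHH",
                         sport, dport,
                         0x1000, 0,              # seq, ack: arbitrary
                         byte12, flags,
                         65535, 0, 0)            # window, checksum (unset), urgent pointer
    return header + options + payload


def tcp_flags(seg):
    """tcp[13]: the flags byte."""
    return seg[13]


def tcp_header_len(seg):
    """tcp[12]>>2: with the reserved bits zero, (words << 4) >> 2 == words * 4,
    i.e. the header length in bytes, which is where the payload starts."""
    return seg[12] >> 2


def is_syn(seg):
    """tcp[tcpflags] == tcp-syn : SYN set and nothing else (a connection attempt)."""
    return tcp_flags(seg) == TCP_SYN


def is_syn_ack(seg):
    """tcp[13] = 18 : exactly SYN (2) + ACK (16), the second step of the handshake."""
    return tcp_flags(seg) == TCP_SYN | TCP_ACK


def is_ssh_banner(seg):
    """tcp[(tcp[12]>>2):4] = 0x5353482D : the 4 payload bytes right after the header are 'SSH-'.

    Only the segment carrying the version string matches; later packets of the same
    session do not, so the filter identifies connections, not all SSH traffic.
    """
    start = tcp_header_len(seg)
    word = seg[start:start + 4]
    if len(word) < 4:            # fewer than 4 payload bytes: BPF would not match either
        return False
    return struct.unpack("!I", word)[0] == SSH_BANNER_MAGIC


def tcpdump_flag_string(seg):
    """Render the flags the way tcpdump prints them: 'S' for SYN, 'S.' for SYN-ACK, 'P.' for PSH-ACK."""
    f = tcp_flags(seg)
    order = [(TCP_FIN, "F"), (TCP_SYN, "S"), (TCP_RST, "R"),
             (TCP_PSH, "P"), (TCP_ACK, "."), (TCP_URG, "U")]
    return "".join(ch for bit, ch in order if f & bit)


# Constructed sample segments (no real traffic involved). Options: MSS 1460, NOP, NOP,
# timestamp with zeroed values; 16 bytes, so the header length becomes 36.
SAMPLE_OPTS = b"\x02\x04\x05\xb4" + b"\x01\x01\x08\x0a" + b"\x00" * 8
SYN = build_tcp_segment(40001, 2222, TCP_SYN, options=SAMPLE_OPTS)
SYNACK = build_tcp_segment(2222, 40001, TCP_SYN | TCP_ACK, options=SAMPLE_OPTS)
SSH_BANNER = build_tcp_segment(2222, 40001, TCP_PSH | TCP_ACK, b"SSH-2.0-OpenSSH_9.6\r\n")
HTTP_RESPONSE = build_tcp_segment(80, 40002, TCP_PSH | TCP_ACK, b"HTTP/1.1 200 OK\r\n")
BARE_ACK = build_tcp_segment(40001, 2222, TCP_ACK)

if __name__ == "__main__":
    for name, seg in [("SYN", SYN), ("SYNACK", SYNACK), ("SSH_BANNER", SSH_BANNER),
                      ("HTTP_RESPONSE", HTTP_RESPONSE), ("BARE_ACK", BARE_ACK)]:
        print(f"{name:14s} Flags [{tcpdump_flag_string(seg):2s}] tcp[13]={tcp_flags(seg):2d} "
              f"hdrlen={tcp_header_len(seg):2d} syn={is_syn(seg)} "
              f"synack={is_syn_ack(seg)} ssh_banner={is_ssh_banner(seg)}")
```

Only the SYN sample satisfies the tcp-syn test and only the SYN-ACK sample has tcp[13] equal to 18, even though both carry the same options; the SSH banner test is true for the PSH-ACK segment whose payload begins with "SSH-" on port 2222 and false for the HTTP response and for the empty ACK, which shows why the port-independent filter catches non-standard SSH ports but only one packet per connection.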