TCP DUMP

Tcpdump is a command-line tool for dumping traffic on a network. It comes in handy when you want to analyse network captures from the command line, and it can do most of what Wireshark does.

 

Installation Commands

CENT OS and REDHAT

$ sudo yum install tcpdump

 

Fedora

$ sudo dnf install tcpdump

 

Ubuntu, Debian and Linux Mint

$ sudo apt-get install tcpdump

 

Packet Capturing Options

tcpdump -i any

Capture from all interfaces

 

tcpdump -i eth0

Capture from a specific interface (e.g. eth0)

 

tcpdump -i eth0 -c 10

Capture first 10 packets and exit

 

tcpdump -D

Show available interfaces

 

tcpdump -i eth0 -A

Print packet contents in ASCII (handy for text protocols)

 

 

tcpdump -i eth0 -w tcpdump.pcap

Save the capture to a file (-w writes binary pcap data, so use a .pcap name rather than .txt)

 

tcpdump -r tcpdump.pcap

Read and analyze a saved capture file

 

tcpdump -n -i eth0

Do not resolve host names (use -nn to also leave port numbers unresolved)

 

tcpdump -i eth0 -c 10 -w tcpdump.pcap tcp

Capture the first 10 TCP packets only and save them to a file

 

tcpdump -i eth0 port 80

Capture traffic on a specific port only

 

tcpdump host 192.168.1.100

Capture packets to or from a specific host

 

tcpdump net 10.1.1.0/24

Capture packets to or from a network subnet (the host bits must be zero, so 10.1.1.0/16 would be rejected by libpcap)

 

tcpdump src 10.1.1.100

Capture packets from a specific source address

 

tcpdump dst 10.1.1.100

Capture packets to a specific destination address

 

 

tcpdump port http

Filter traffic by service name (resolved through /etc/services)

 

tcpdump port 80

Filter traffic by port number

 

tcpdump portrange 21-125

Filter based on port range

 

tcpdump -s 0 port http

Capture the entire packet instead of the default snapshot length

 

tcpdump ip6

Show only IPv6 packets

 

tcpdump -d 'port 80'

Dump the compiled packet-matching code for the filter in human-readable form to standard output and exit (useful for checking what a filter really matches)

 

tcpdump -F filter.txt

Read the filter expression from the given file instead of the command line

 

tcpdump -I -i wlan0

Put the interface into monitor mode (802.11 interfaces only; -I takes no argument)

 

tcpdump -L -i eth0

List the data link types the interface supports

 

tcpdump -N -r tcpdump.pcap

Print host names without their domain qualification

 

 

tcpdump -K -r tcpdump.pcap

Do not verify IP, TCP or UDP checksums

 

tcpdump -p -i eth0

Do not put the interface into promiscuous mode

 

Logical Operators

<, >= (compare against the packet length with len)

tcpdump 'len < 32'

Show packets with a length less than 32 bytes

 

tcpdump 'len >= 32'

Show packets with a length greater than or equal to 32 bytes

 

and, &&

tcpdump -n src 192.168.1.1 and dst port 21

Combine filtering options

 

not, !

tcpdump dst 10.1.1.1 and not icmp

Negation of the condition

 

or, ||

tcpdump 'dst 10.1.1.1 or icmp'

Either condition can match (quote the expression so the shell does not interpret ||, && or !)

 

Display Options

-q           Quiet mode: print less protocol information

-t           Do not print a timestamp on each line

-v           Slightly more verbose output

-vv          Even more verbose output

-vvv         Most verbose output

-x           Print headers and data in hex, excluding the link-level header

-xx          Print headers and data in hex, including the link-level header

-X           Print output in hex and ASCII, excluding the link-level header

-XX          Print output in hex and ASCII, including the link-level header

-e           Print the link-level (Ethernet) header on each line

-S           Print absolute rather than relative TCP sequence numbers

 

Examples

Track all UDP traffic initiated by a host (useful when investigating a DNS amplification attack)

tcpdump -i any 'udp && src host 172.31.7.188' -vvnnS

 

Track DNS traffic arriving at the host

tcpdump -i any '(udp && port 53 && dst host 172.31.7.188)' -vvnnS

 

Track TCP SYN packets from the host: the host is trying to initiate a TCP connection with an external source

tcpdump -i any '((tcp[tcpflags] == tcp-syn) && src 172.31.7.188)' -vvnnS

 

Track TCP SYN-ACK packets to the host: external hosts acknowledging the opening of a TCP connection (tcp[13] = 18 means the SYN and ACK bits, 0x02 and 0x10, are set)

tcpdump -i any '(tcp[13] = 18 and dst host 172.31.7.188)' -vvnnS

 

Track traffic into Redis and write all packets to a pcap file (the file can then be opened in Wireshark for analysis)

tcpdump -i any 'dst port 6379' -vvnnS -w redis.pcap

 

Track all outbound UDP traffic except DNS

tcpdump -i any '(udp and not dst port 53 and src host 172.31.7.188)' -vvnnS

 

Track all traffic with a particular host and write it to a pcap file (the file can then be opened in Wireshark for analysis)

tcpdump -i any 'host 172.31.7.188' -vvnnS -w host-172-31-7-188.pcap

 

Track all traffic on the host except SSH, HTTPS, DNS, RabbitMQ and ARP

tcpdump -i eth0 'not (port 22 or 443 or 53 or 5672) and not arp' -nnvvS

 

Find HTTP User Agents

tcpdump -vvAls0 | grep 'User-Agent:'

 

Cleartext GET Requests

tcpdump -vvAls0 | grep 'GET'

 

Find HTTP Host Headers

tcpdump -vvAls0 | grep 'Host:'

 

Find HTTP Cookies

tcpdump -vvAls0 | grep -E 'Set-Cookie|Host:|Cookie:'

 

Find SSH Connections

This one works regardless of what port the connection comes in on, because it matches the banner response: tcp[12]>>2 is the TCP header length, so the expression reads the first four payload bytes and compares them with 0x5353482D, which is "SSH-" in ASCII.

tcpdump 'tcp[(tcp[12]>>2):4] = 0x5353482D'
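To make the byte-offset filters in the SYN, SYN-ACK and SSH examples above concrete, here is an added Python example (not part of the original cheat sheet) that builds a constructed TCP segment and evaluates the same byte tests pcap-filter applies; the port numbers, sequence numbers and banner string are made up.

```python
import struct

# Flag bits of tcp[13]; pcap-filter spells them tcp-syn and tcp-ack.
TCP_SYN, TCP_ACK = 0x02, 0x10

def build_tcp(flags, payload=b"", options=b""):
    """Build a constructed TCP segment: header, optional options, payload.

    Byte 12 holds the data offset in 32-bit words in its upper nibble,
    which is what the filters read back via tcp[12]>>2.
    """
    if len(options) % 4:
        raise ValueError("TCP options must pad to a multiple of 4 bytes")
    header_len = 20 + len(options)
    offset_byte = (header_len // 4) << 4
    header = struct.pack("!HHIIBBHHH",
                         40000, 22,          # source / destination port (constructed)
                         1, 0,               # sequence / acknowledgement number
                         offset_byte, flags,
                         65535, 0, 0)        # window, checksum (left zero), urgent pointer
    return header + options + payload

def is_syn(seg):
    """'tcp[tcpflags] == tcp-syn': only the SYN bit is set."""
    return seg[13] == TCP_SYN

def is_syn_ack(seg):
    """'tcp[13] = 18': SYN (0x02) and ACK (0x10) set, nothing else."""
    return seg[13] == (TCP_SYN | TCP_ACK)

def is_ssh_banner(seg):
    """'tcp[(tcp[12]>>2):4] = 0x5353482D': first four payload bytes are "SSH-"."""
    # Shifting the whole byte right by 2 multiplies the upper-nibble word count
    # by 4, giving the header length, as long as the reserved low bits are zero.
    payload_start = seg[12] >> 2
    return seg[payload_start:payload_start + 4] == b"SSH-"

def matching_filters(seg):
    """Return the names of the cheat-sheet filters a segment would match."""
    checks = {"syn": is_syn, "syn-ack": is_syn_ack, "ssh-banner": is_ssh_banner}
    return [name for name, check in checks.items() if check(seg)]

if __name__ == "__main__":
    # Constructed samples: a handshake plus a banner carried behind 12 bytes of NOP options.
    samples = {
        "client SYN": build_tcp(TCP_SYN),
        "server SYN-ACK": build_tcp(TCP_SYN | TCP_ACK),
        "SSH banner": build_tcp(TCP_ACK, b"SSH-2.0-OpenSSH\r\n", options=b"\x01" * 12),
        "HTTP reply": build_tcp(TCP_ACK, b"HTTP/1.1 200 OK\r\n"),
    }
    for label, seg in samples.items():
        print(f"{label:15} -> {matching_filters(seg)}")
```

The options case shows why the filter reads the offset instead of assuming a 20-byte header: with options present the banner starts at byte 32, and a fixed tcp[20:4] test would miss it.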

 

Find DNS Traffic

tcpdump -vvAs0 port 53

 

Find FTP Traffic

tcpdump -vvAs0 port ftp or ftp-data

 

Find NTP Traffic

tcpdump -vvAs0 port 123