TCPDUMP Cheatsheet

 

TCPDUMP Usage

tcpdump is by default installed on most of the linux machine, you can run it by "sudo tcpdump"

• Protocol: ether, ip, ip6, arp, rarp, tcp, udp: protocol type
• Type: 
host [host]: Only give me packets to or from that host
net [network]: Only packets for a given network
port [portnum]: Only packets for that port
portrange [start-end]: Only packets in that range of ports

• Direction:
src: Only give me packets from that host or port
dst : Only give me packets to that host

• Use "and" or "or" to combine these together
• Use "not" to negate

-n Host IP addresses and port numbers instead of names
-i interface Sniff on a particular interface (-D lists interfaces)
-v Be verbose (show TTL, IP ID, Total Length, IP options, and so on)
-w Dump packets to a file (use -r to read file later)
-x Print hex
-X Print hex and ASCII
-A Print ASCII

#View the traffic from all interfaces on host 10.10.10.10 or port 443
sudo tcpdump -s 0 -i any host 10.10.10.10 or port 443

#Read packets while saving the data
sudo tcpdump -w - | tee file.pcap | tcpdump -r -

#Show TCP packets against target 10.10.10.10 in ASCII and Hex
tcpdump -nnX tcp and dst 10.10.10.10

#Show all UDP packets from 10.10.10.10
tcpdump -nn udp and src 10.10.10.10

#Show all TCP port 80 packets going to or from host 10.10.10.10
tcpdump -nn tcp and port 80 and host 10.10.10.10

tcpdump -na -i nurx0 -G 20 -W 1 -w cap.pcap

#Capture Everything Except a port or host
tcpdump -i any  port not 22 and host 10.10.10.10 -vv