tcpdump examples

Tcpdump examples

Note: tcpdump cli commands are case sensitive aware

 

Syntax

tcpdump [-options] [filters]

 

Basic Options

List all network interfaces

tcpdump –D

 

Tcpdump basic options

tcpdump –nn –vvv –X –t

-nn don’t convert address [Ethernet|IP] to names [OUI|hostname]

-v[v[v]]] print more verbose output

-X print frame payload in HEX and ASCII

-t doesn’t print timestamps

 

Run tcpdump in quick output mode

tcpdump –q

 

Capture on all interfaces only 10 packets

tcpdump –i any –c 10

 

Layer-2 filter

Display Layer-2 MAC address in output without resolving OUI

tcpdump –I eth1 –e –n

 

Layer-3 filter

Display traffic on any interface but not port 80

tcpdump –i any not port 80

 

Capture traffic on interface ETH1 from source 192.168.10.1 and destination port 22

tcpdump –i eth1 –nn –vv src host 192.168.10.1 && dst port 22

 

Capture traffic on interface ETH1 from network 192.168.10.1/24 to network 10.0.0.0/8 or 172.16.0.0/16

tcpdump –i eth1 –nnvv net 192.168.10.1 and dst 10.0.0.0/8 or 172.16.0.0/16

 

Capture traffic on interface ETH1 from network 4.4.4.0/20 ICMP or destination port 3389

tcpdump -i eth1 -nnq 'net 4.4.4.0/20 and (icmp or dst port 3389)'

Note: quotes are used to instruct tcpdump to ignore special characters like brackets in this example

 

 

Capture DNS queries which ends with “.co.il”

tcpdump -i eth1 -nnXq  udp port 53 | grep "\.co\.il$"

 

Capture DNS queries which ends with “.co.il”

tcpdump -i eth1 -nnXq  udp port 53 | grep "\.co\.il$"

 

Display HTTP headers

tcpdump -vvvs 1024 -l -A host  google.com

 

Layer-7 filter

Capture HTTP GET only from host 192.168.10.1

tcpdump -i eth1 -nns 1400 -W TEST01.cap host 192.168.10.1 and \( tcp[20:2] = 18245 or tcp[20:2] = 18516 \)

The “tcp[20:2]” tells tcpdump to look at the 20^th byte of the TCP field and get two bytes from there. 18245 => 0×4745 => “GE” as in “GET”. My version of tcpdump only allows for 1,2 or 4 bytes to be compared, so I settled for two. 18516 => 0×4854 = “HT” as in “HTTP”.

 

Filter ICMP

Capture all ICMP packets beside echo-replay and echo-request

tcpdump –i eth1 -nn icmp and 'icmp[0] != 8 and icmp[0] != 0'

Also:

tcpdump –i eth1 -nn icmp and icmp[icmptype] != icmp-echo and icmp[icmptype] != icmp-echoreply

 

Filter TOS byte

Display all IP packets with ToS byte NOT 0 (default)

tcpdump –i eth1 -vvnn ip and ip[1]!=0

 

Display all IP packets with DSCP AF19

tcpdump –i eth1 -vvnn ip and ip[1]=76

 

Filter based TTL

Display 100 packets without name resolution/very very very verbose/full packet length

tcpdump -v ip and 'ip[8]<2'

Means look at the 8 byte in the IP packet (starting from 0) and the value of that byte should be less the 2

 

Filter based on TCP Flags

Display TCP segments with TCP SYN or other  flags

tcpdump -n tcp and port 80 and 'tcp[tcpflags] & tcp-syn == tcp-syn'

 

Display TCP segments with TCP SYN only

tcpdump -n tcp and port 80 and 'tcp[tcpflags] == tcp-syn’

 

Display SIP Invitation

Display SIP invitation to SIP server at UDP port 5060

tcpdump -i eth1 -nnvvs 0 udp dst port 5060 and \(udp[8:4] = 1229870665 \)

UDP[8:4]=1229870665 means look in the 8 byte of the UDP segment, take 4 bytes ahead and search the string 1229870665 which in HEX: 49 4e 56 49 which in ASCII: INVI

 

Capture DNS queries

Capture DNS queries [UDP port 53] and show all queries starting with www. And ends with .co.il

tcpdump -i eth1 -nnA  udp port 53 | grep -E "www\..*\.co\.il"

 

 

Full Packet Capture

Display 100 packets without name resolution/very very very verbose/full packet length

tcpdump –I eth1 –nnvvvSs 0 –c 100

 

Port range filter

Display traffic from/to host 192.168.10.1 on TCP port 80 up to 500

tcpdump –I eth1 –nnvv host 192.168.10.1 and tcp portrange 80-500

 

VLAN filter

Display traffic from VLAN 115

tcpdump –I eth1 –nnvv –e vlan 115

Note:  in order to VLAN filter to work we must configure encapsulation on SPAN destination port

monitor session 1 destination interface Gi1/1 encapsulation dot1q

 

Packet size filter

Display all packets [greater or less] then 1024 bytes

tcpdump –I eth1 –nnvv [greater|less] 1024

 

L2TP packet

Capture L2TP packets with IP address 80.74.127.224 (0x504a7fe0) and IP address  85.131.134.34 (0x55838622)

tcpdump 'udp[30:4] = 0x504a7fe0' and 'udp[34:4] = 0x55838622' -nn

We need to convert HEX to decimal in order to revel the IP address

 

Broadcast/Multicast filter

Display in quick mode all broadcast or multicast traffic

tcpdump –i eth1 –nnq [broadcast|multicast]

 

Write to file

Capture full traffic from host 192.168.10.254 and write into file name CAPTURE001

tcpdump –i eth1 –nnvvXSs 0 host 192.168.10.254 –w CAPTURE001.cap

 

Capture traffic from network 172.16.0.0/24 and write into file name NET-1 with size no larger then 5MB

tcpdump –i eth1 –nnvvXSs 0 net 172.16.0.0/24 –C 5 –w NET-1.cap

 

Capture traffic from network 172.16.0.0/24 and write into 3 files name NET5 with size no larger than 10MB

tcpdump –i eth1 –nnvvXSs 0 net 172.16.0.0/24 –C 10 –W 3 –w NET5.cap

 

Capture traffic from network 192.168.10.0/24 and write into 2 files name FILE01 were each file will contain 2 minutes capture

tcpdump –i eth1 –nnvvXSs 0 net 192.168.10.0/24 –G 120 –W 2 –w FILE01.cap

 

Read from file

Read from file name CAPTURE001.cap

tcpdump –r CAPTURE001.cap