Mastering Tcpdump

Dive deep into the world of network packet analysis with our expert guide on tcpdump. This comprehensive tutorial covers everything from capturing and saving packets to advanced filtering techniques. Ideal for IT professionals, network administrators, and cybersecurity enthusiasts, learn how to leverage tcpdump to troubleshoot network issues, monitor traffic in real-time, and secure your network. Equip yourself with the knowledge to use tcpdump effectively, with practical examples and tips.

---

Show the packet’s contents in both hex and ascii

tcpdump -X 

Same as -X, but also shows the ethernet header

tcpdump -XX

Show the list of available interfaces

tcpdump -D

Line-readable output (for viewing as you save, or sending to other commands)

tcpdump -l

Be less verbose (more quiet) with your output

tcpdump -q

Give human-readable timestamp output

tcpdump -t :

Give maximally human-readable timestamp output

tcpdump -tttt : 

Listen on the eth0 interface

tcpdump -i eth0

Verbose output (more v’s gives more output)

tcpdump -vv 

Only get x number of packets and then stop

tcpdump -c 

Define the snaplength (size) of the capture in bytes.

tcpdump -s 

Print absolute sequence numbers

tcpdump -S 

Get the ethernet header as well

tcpdump -e 

Decrypt IPSEC traffic by providing an encryption key

tcpdump -E

Display Available Interfaces

tcpdump -D
tcpdump --list-interfaces

Let’s start with a basic command that will get us HTTPS traffic

tcpdump -nnSX port 443

Find Traffic by IP

tcpdump host 1.1.1.1

Filtering by Source and/or Destination

tcpdump src 1.1.1.1 
tcpdump dst 1.0.0.1

Finding Packets by Network

tcpdump net 1.2.3.0/24

Low Output:

tcpdump -nnvvS

Medium Output:

tcpdump -nnvvXS

Heavy Output

tcpdump -nnvvXSs 1514

Traffic that’s from 192.168.1.1 AND destined for ports 3389 or 22

tcpdump 'src 192.168.1.1 and (dst port 3389 or 22)'

Show me all URG packets

tcpdump 'tcp[13] & 32 != 0'

Show me all ACK packets

tcpdump 'tcp[13] & 16 != 0'

Show me all PSH packets

tcpdump 'tcp[13] & 8 != 0'

Show me all RST packets

tcpdump 'tcp[13] & 4 != 0'

Show me all SYN packets

tcpdump 'tcp[13] & 2 != 0'

Show me all FIN packets

tcpdump 'tcp[13] & 1 != 0'

Show me all SYN-ACK packets

tcpdump 'tcp[13] = 18'

Show all traffic with both SYN and RST flags set: (that should never happen)

tcpdump 'tcp[13] = 6'

Show all traffic with the “evil bit” set

tcpdump 'ip[6] & 128 != 0'

Display all IPv6 Traffic

tcpdump ip6

Print Captured Packets in ASCII

tcpdump -A -i eth0

Display Captured Packets in HEX and ASCII

tcpdump -XX -i eth0

Capture and Save Packets in a File

tcpdump -w 0001.pcap -i eth0

Read Captured Packets File

tcpdump -r 0001.pcap

Capture IP address Packets

tcpdump -n -i eth0

Capture only TCP Packets

tcpdump -i eth0 tcp

Capture Packet from Specific Port

tcpdump -i eth0 port 22

Capture Packets from source IP

tcpdump -i eth0 src 192.168.0.2

Capture Packets from destination IP

tcpdump -i eth0 dst 50.116.66.139

Capture any packed coming from x.x.x.x

tcpdump -n src host x.x.x.x

Capture any packet coming from or going to x.x.x.x

tcpdump -n host x.x.x.x

Capture any packet going to x.x.x.x

tcpdump -n dst host x.x.x.x

Capture any packed coming from x.x.x.x

tcpdump -n src host x.x.x.x

Capture any packet going to network x.x.x.0/24

tcpdump -n dst net x.x.x.0/24

Capture any packet coming from network x.x.x.0/24

tcpdump -n src net x.x.x.0/24

Capture any packet with destination port x

tcpdump -n dst port x

Capture any packet coming from port x

tcpdump -n src port x

Capture any packets from or to port range x to y

tcpdump -n dst(or src) portrange x-y

Capture any tcp or udp port range x to y

tcpdump -n tcp(or udp) dst(or src) portrange x-y

Capture any packets with dst ip x.x.x.x and port y

tcpdump -n "dst host x.x.x.x and dst port y"

Capture any packets with dst ip x.x.x.x and dst ports x, z

tcpdump -n "dst host x.x.x.x and (dst port x or dst port z)"

Capture ICMP , ARP

tcpdump -v icmp(or arp)

Capture packets on interface eth0 and dump to cap.txt file

tcpdump -i eth0 -w cap.txt

Get Packet Contents with Hex Output

tcpdump -c 1 -X icmp

Show Traffic Related to a Specific Port

tcpdump port 3389 

tcpdump src port 1025

Show Traffic of One Protocol

tcpdump icmp

Find Traffic by IP

tcpdump host 1.1.1.1

Filtering by Source and/or Destination

tcpdump src 1.1.1.1 
tcpdump dst 1.0.0.1

Finding Packets by Network

tcpdump net 1.2.3.0/24

Get Packet Contents with Hex Output

tcpdump -c 1 -X icmp

Show Traffic Related to a Specific Port

tcpdump port 3389 

tcpdump src port 1025

Show Traffic of One Protocol

tcpdump icmp

Show only IP6 Traffic

tcpdump ip6

Find Traffic Using Port Ranges

tcpdump portrange 21-23

Find Traffic Based on Packet Size

tcpdump less 32 
tcpdump greater 64 
tcpdump <= 128
tcpdump => 128

Reading / Writing Captures to a File (pcap)

tcpdump port 80 -w capture_file
tcpdump -r capture_file

Raw Output View

tcpdump -ttnnvvS

From specific IP and destined for a specific Port

tcpdump -nnvvS src 10.5.2.3 and dst port 3389

From One Network to Another

tcpdump -nvX src net 192.168.0.0/16 and dst net 10.0.0.0/8 or 172.16.0.0/16

Non ICMP Traffic Going to a Specific IP

tcpdump dst 192.168.0.2 and src net and not icmp

Traffic From a Host That Isn’t on a Specific Port

tcpdump -vv src mars and not dst port 22

Isolate TCP RST flags

tcpdump 'tcp[13] & 4!=0'

tcpdump 'tcp[tcpflags] == tcp-rst'

Isolate TCP SYN flags

tcpdump 'tcp[13] & 2!=0'

tcpdump 'tcp[tcpflags] == tcp-syn'

Isolate packets that have both the SYN and ACK flags set

tcpdump 'tcp[13]=18'

Isolate TCP URG flags

tcpdump 'tcp[13] & 32!=0'
tcpdump 'tcp[tcpflags] == tcp-urg'

Isolate TCP ACK flags

tcpdump 'tcp[13] & 16!=0'

tcpdump 'tcp[tcpflags] == tcp-ack'

Isolate TCP PSH flags

tcpdump 'tcp[13] & 8!=0'
tcpdump 'tcp[tcpflags] == tcp-psh'

Isolate TCP FIN flags

tcpdump 'tcp[13] & 1!=0'

tcpdump 'tcp[tcpflags] == tcp-fin'

Both SYN and RST Set

tcpdump 'tcp[13] = 6'

Find HTTP User Agents

tcpdump -vvAls0 | grep 'User-Agent:'
tcpdump -nn -A -s1500 -l | grep "User-Agent"

By using egrep and multiple matches we can get the User Agent and the Host (or any other header) from the request

tcpdump -nn -A -s1500 -l | egrep -i 'User-Agent:|Host:'

Capture only HTTP GET and POST packets only packets that match GET

tcpdump -s 0 -A -vv 'tcp[((tcp[12:1] & 0xf0) >> 2):4] = 0x47455420'
tcpdump -s 0 -A -vv 'tcp[((tcp[12:1] & 0xf0) >> 2):4] = 0x504f5354'

Extract HTTP Request URL's

tcpdump -s 0 -v -n -l | egrep -i "POST /|GET /|Host"

Extract HTTP Passwords in POST Requests

tcpdump -s 0 -A -n -l | egrep -i "POST /|pwd=|passwd=|password=|Host"

Capture Cookies from Server and from Client

tcpdump -nn -A -s0 -l | egrep -i 'Set-Cookie|Host:|Cookie:'

Capture all ICMP packets

tcpdump -n icmp

Show ICMP Packets that are not ECHO/REPLY (standard ping)

tcpdump 'icmp[icmptype] != icmp-echo and icmp[icmptype] != icmp-echoreply'

Capture SMTP / POP3 Email

tcpdump -nn -l port 25 | grep -i 'MAIL FROM\|RCPT TO'

Troubleshooting NTP Query and Response

tcpdump dst port 123

Capture FTP Credentials and Commands

tcpdump -nn -v port ftp or ftp-data

Rotate Capture Files

tcpdump  -w /tmp/capture-%H.pcap -G 3600 -C 200

Capture IPv6 Traffic

tcpdump -nn ip6 proto 6

IPv6 with UDP and reading from a previously saved capture file

tcpdump -nr ipv6-test.pcap ip6 proto 17

Detect Port Scan in Network Traffic

tcpdump -nn

Usage Examples

```bash

Example Filter Showing Nmap NSE Script Testing

• On Target:

  bash nmap -p 80 --script=http-enum.nse targetip

• On Server:

  bash tcpdump -nn port 80 | grep "GET /" GET /w3perl/ HTTP/1.1 GET /w-agora/ HTTP/1.1 GET /way-board/ HTTP/1.1 GET /web800fo/ HTTP/1.1 GET /webaccess/ HTTP/1.1 GET /webadmin/ HTTP/1.1 GET /webAdmin/ HTTP/1.1

Capture Start and End Packets of every non-local host

bash tcpdump 'tcp[tcpflags] & (tcp-syn|tcp-fin) != 0 and not src and dst net localnet'

Capture DNS Request and Response

bash tcpdump -i wlp58s0 -s0 port 53

Capture HTTP data packets

bash tcpdump 'tcp port 80 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)'

Capture with tcpdump and view in Wireshark

bash ssh wuseman@localhost 'tcpdump -s0 -c 1000 -nn -w - not port 22' | wireshark -k -i -

Top Hosts by Packets

bash tcpdump -nnn -t -c 200 | cut -f 1,2,3,4 -d '.' | sort | uniq -c | sort -nr | head -n 20

Capture all the plaintext passwords

bash tcpdump port http or port ftp or port smtp or port imap or port pop3 or port telnet -l -A | egrep -i -B5 'pass=|pwd=|log=|login=|user=|username=|pw=|passw=|passwd=|password=|pass:|user:|username:|password:|login:|pass |user '

DHCP Example

bash tcpdump -v -n port 67 or 68

Cleartext GET Requests

bash tcpdump -vvAls0 | grep 'GET'

Find HTTP Host Headers

bash tcpdump -vvAls0 | grep 'Host:'

Find HTTP Cookies

bash tcpdump -vvAls0 | grep 'Set-Cookie|Host:|Cookie:'

Find SSH Connections

bash tcpdump 'tcp[(tcp[12]>>2):4] = 0x5353482D'

Find DNS Traffic

bash tcpdump -vvAs0 port 53

Find FTP Traffic

bash tcpdump -vvAs0 port ftp or ftp-data

Find NTP Traffic

bash tcpdump -vvAs0 port 123

Capture SMTP / POP3 Email

bash tcpdump -nn -l port 25 \ | grep -i 'MAIL FROM\|RCPT TO'

Line Buffered Mode

bash tcpdump -i eth0 -s0 -l port 80 | grep 'Server:'

Find traffic with evil bit

bash tcpdump 'ip[6] & 128 != 0'

Filter on protocol (ICMP) and protocol-specific fields (ICMP type)

bash tcpdump -n icmp and 'icmp[0] != 8 and icmp[0] != 0'

Same command can be used with predefined header field offset (icmptype) and ICMP type field values (icmp-echo and icmp-echoreply)

bash tcpdump -n icmp and icmp[icmptype] != icmp-echo and icmp[icmptype] != icmp-echoreply

Filter on TOS field

bash tcpdump -v -n ip and ip[1]!=0

Filter on TTL field

bash tcpdump -v ip and 'ip[8]<2'

Filter on TCP flags (SYN/ACK)

bash tcpdump -n tcp and port 80 and 'tcp[tcpflags] & tcp-syn == tcp-syn'

In the example above, all packets with TCP SYN flag set are captured. Other flags (ACK, for example) might be set also. Packets which have only TCP SYN flags set, can be captured

bash tcpdump tcp and port 80 and 'tcp[tcpflags] == tcp-syn'

Catch TCP SYN/ACK packets (typically, responses from servers)

bash tcpdump -n tcp and 'tcp[tcpflags] & (tcp-syn|tcp-ack) == (tcp-syn|tcp-ack)' tcpdump -n tcp and 'tcp[tcpflags] & tcp-syn == tcp-syn' and 'tcp[tcpflags] & tcp-ack == tcp-ack'

Catch ARP packets

bash tcpdump -vv -e -nn ether proto 0x0806

Filter on IP packet length

bash tcpdump -l icmp and '(ip[2:2]>50)' -w - \ |tcpdump -r - -v ip and '(ip[2:2]<60)'

Remark: due to some bug in tcpdump, the following command doesn't catch packets as expected

bash tcpdump -v -n icmp and '(ip[2:2]>50)' and '(ip[2:2]<60)'

Filter on encapsulated content (ICMP within PPPoE)

bash tcpdump -v -n icmp

Quieter output

bash tcpdump -q -i eth0 tcpdump -t -i eth0 tcpdump -A -n -q -i eth0 'port 80' tcpdump -A -n -q -t -i eth0 'port 80'

Print only useful packets from the HTTP traffic

bash tcpdump -A -s 0 -q -t -i eth0 \ 'port 80 and ( ((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12:2]&0xf0)>>2)) != 0)'

Dump SIP Traffic

bash tcpdump -nq -s 0 -A -vvv port 5060 and host 1.2.3.4

Checking packet content

bash tcpdump -i any -c10 -nn -A port 80

Checking packet content

bash tcpdump -i any -c10 -nn -A port 80

Using tcpdump with port ranges and file count/size

bash /usr/sbin/tcpdump -i any -s 0 -n -Z <user_name> -C 500 -W 100 -w /home/<user_name>/$(hostname).pcap -f '(port (# or # or # or # or # or # or ...) or portrange <start>-<end>)' &>/dev/null

Resource(s)"

• https://github.com/wuseman/tcpdump-cheatsheet