NSAS Wiki

Network System Access Solutions

User Tools

Site Tools


Sidebar

Contact

linux:tcpdump

TCPDUMP expressions are also known as BPF, or Berkeley Packet Filters. On a TCPDUMP command line they should always be placed inside single quotes (UNIX) or double quotes (Windows).

Expressions

tcpdump “host profl”

  dumps all packets to or from host profl

tcpdump “ether host 11:22:33:44:55:66”

  dumps all packets to or from that MAC address

tcpdump “net 192.168.12.4/30”

  dumps all packets to or from a network, specified using CIDR notation

tcpdump “net 192.168.12.4 mask 255.255.255.252”

  dumps all packets to or from a network, specified using a mask

tcpdump “tcp src port 53”

  dumps all packets with source port 22/tcp

tcpdump “udp and (src port 161 or 162 or 514)”

  Looks for SYSLOG or SNMP packets being received

tcpdump “host {thisIP}”

  Show only IP traffic to or from thisIP

tcpdump “host {thisIP} && host {thatIP}”

  Show only IP traffic between thisIP and thatIP

tcpdump “!(host {myIP}) && {remainder of expression}”

  Ignore traffic from myIP (necessary if you're running TCPDUMP on a remote machine to stop it from capturing the terminal session with your machine)

Primitives

icmp[0]

  Show only echo reply

tcp[13] & 3 != 0 tcp[tcpflags] & (tcp-syn | tcp-fin) != 0

  show only SYN or FIN packets

tcp[13] & 0x12 != 0 tcp[tcpflags] & (tcp-syn & tcp-ack) != 0

  show only SYN/ACK packets

ip[2,2] > 576

  show only packets longer than 576 bytes

icmp[0] = 3 and icmp[1] = 4

  Show ICMP type 3, code 4 (Needs fragmenting but DF bit set)

ip[6] & 0x40 = 0x40

  Show only IP packets with DF bit set

vlan && ip

  Show only IEEE 802.1q IP packets. Changes the decoding offsets for the remainder of the expression, as if the VLAN header had been stripped away.

vlan 186 && ip

  Show only IP packets in IEEE 802.1q VLAN number 186.

Assorted ip proto 50

  Show only ESP packets (IP protocol 50)

ip proto 112

  show only VRRP packets (IP protocol 112)

proto vrrp

  all VRRP packets (works on IPSO) 
  
  

Examples

Get Cisco network information This gives you lots of nifty Cisco network information like VLAN tag, port and switch information.

tcpdump -nn -v -i eth0 -s 1500 -c 1 'ether[20:2] == 0x2000'

Dump IPv6 ICMP Packages

tcpdump ip6 and icmp6

Dump traffic over ssh and analyse via etherape and exclude port 22

ssh root@host tcpdump -i eth0 -w - not port 22 | etherape -r -
linux/tcpdump.txt · Last modified: 2013/06/27 14:23 by michel.pelzer