forked from andrewjkerr/security-cheatsheets
-
Notifications
You must be signed in to change notification settings - Fork 1
/
tcpdump
61 lines (43 loc) · 1.9 KB
/
tcpdump
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
###############
# Basic Usage #
###############
#Capture packets on a particular interface (eth0)
#Note that tcpdump (without the '-i eth0') is also valid if you are only using one interface
tcpdump -i eth0
#Capture packets with more detailed output
tcpdump -i eth0 -nnvvS
#Display captured packets in both HEX and ASCII format
tcpdump -XX -i eth0
#Write captured packets into a file (can be read by tools such as Wireshark, Snort, etc)
tcpdump -w yourfilename.pcap -i eth0
#Read packets from a saved packet capture file
tcpdump -tttt -r yoursavedfile.pcap
#Display IP addresses instead of hostnames when capturing packets
tcpdump -n -i eth0
#Capture packets from a particular source/destination IP address
tcpdump src 192.168.1.1
tcpdump dst 192.168.1.1
#Capture packets from a particular source/destination port number
tcpdump src port 53
tcpdump dst port 21
#Capture an entire network's traffic using CIDR notation
tcpdump net 192.168.1.0/24
#Capture traffic to or from a port
tcpdump port 3389
#Display captured packets above or below a certain size (in bytes)
tcpdump less 64
tcpdump greater 256
##################
# Advanced Usage #
##################
#More complex statements can be formed with the use of logical operators: and(&&), or(||), not(!)
#Examples:
#Capture all traffic from 192.168.1.10 with destination port 80 (with verbose output)
tcpdump -nnvvS and src 192.168.1.10 and dst port 80
#Capture traffic originating from the 172.16.0.0/16 network with destination network 192.168.1.0/24 or 10.0.0.0/8
tcpdump src net 172.16.0.0/16 and dst net 192.168.1.0/24 or 10.0.0.0/8
#Capture all traffic originating from host H1 that isn't going to port 53
tcpdump src H1 and not dst port 22
#With some complex queries you may have to use single quotes to ignore special characters, namely parentheses
#Capture traffic from 192.168.1.1 that is destined for ports 80 and 21
tcpdump 'src 192.168.1.1 and (dst port 80 or 21)'