csereno/tcpdump_commands.md

Last active February 11, 2019 19:09

Star () You must be signed in to star a gist
Fork () You must be signed in to fork a gist

Learn more about clone URLs
Clone this repository at <script src="https://gist.github.com/csereno/454da049a43d1dddc68d73a6fcf2c8a3.js"></script>
Save csereno/454da049a43d1dddc68d73a6fcf2c8a3 to your computer and use it in GitHub Desktop.

Download ZIP

TCPDump Commands

Raw

tcpdump_commands.md

Determine interface

tcpdump -D

Capture and Display Top Conversations

tcpdump -i eth1 -tnn -c 20000 | awk -F " " '{print $2" "$3" "$4}' | sort | uniq -c | sort -nr | more

Read a file

tcpdump -qns 0 -A -r file.pcap

Command to allow tcpdump/dumpcap to execute as any user instead of root:

chmod u+s /usr/bin/dumpcap

Restrictive method:

groupadd netcapture
usermod -a -G netcapture _username_ 
chgrp netcapture /usr/sbin/dumpcap
chgrp netcapture /usr/sbin/tshark
chmod 750 /usr/sbin/dumpcap
chmod 750 /usr/sbin/tshark
setcap cap_net_raw,cap_net_admin=eip /usr/sbin/dumpcap
setcap cap_net_raw,cap_net_admin=eip /usr/sbin/tshark

Raw

tcpdump_filters.md

URGENT (URG) packets...

tcpdump 'tcp[13] & 32!=0'

ACKNOWLEDGE (ACK) packets...

tcpdump 'tcp[13] & 16!=0'

PUSH (PSH) packets...

tcpdump 'tcp[13] & 8!=0'

Range of IP Addresses

tcpdump -c 20 -i eth1 -nn -f "net __ipaddress__ and (((ip[15] > 132) and (ip[15] < 135)) or ((ip[19] > 132) and (ip[19] < 135)))"

RESET (RST) packets...

tcpdump 'tcp[13] & 4!=0'

SYNCHRONIZE (SYN) packets...

tcpdump 'tcp[13] & 2!=0'

FINISH (FIN) packets...

tcpdump 'tcp[13] & 1!=0'

SYNCHRONIZE/ACKNOWLEDGE (SYNACK) packets...

tcpdump 'tcp[13]=18'

[ Note: Only the PSH, RST, SYN, and FIN flags are displayed in tcpdump's flag field output. URGs and ACKs are displayed, but they are shown elsewhere in the output rather than in the flags field ]