Tcpdump is a CLI tool to capture raw network packets, which is useful for many forms of network troubleshooting and for security analysis. This cheat sheet covers the basic and advanced options for tcpdump.
tcpdump is a widely used network packet analyzer that displays TCP/IP and other packets transmitted over a network interface of the system on which it is installed. It uses the libpcap library to capture packets and is available on almost all Linux/Unix flavors.
Tcpdump is one of the best network analysis tools available to information security professionals, and it is worth learning whether you are an experienced packet hacker or still building your TCP/IP understanding.
Below are some tcpdump options and filters (with useful examples) that will help you work with the tool. They are easy to forget or to confuse with other filter syntaxes, e.g. the display filters of Wireshark (formerly Ethereal), so this page can serve as a reference.
- The first of these is -n, which requests that names are not resolved, resulting in the IPs themselves.
- The second is -X, which displays both hex and ascii content within the packet.
- The final one is -S, which changes the display of sequence numbers to absolute rather than relative.
tcpdump -X : print each packet in hex and ASCII (without the link-level header)
tcpdump -XX : as -X, but include the link-level (Ethernet) header
tcpdump -D : list the interfaces tcpdump can capture on
tcpdump -l : line-buffer stdout, so output can be piped to grep or tee while capturing
tcpdump -q : quiet, print less protocol information per line
tcpdump -t : omit the timestamp on each line
tcpdump -tttt : print a full, human-readable date and time on each line
tcpdump -i eth0 : capture on interface eth0 (use -i any for all interfaces)
tcpdump -vv : even more verbose than -v (TTL, id, total length and checksum verification are shown)
tcpdump -c N : exit after capturing N packets
tcpdump -s N : define the snaplength (size) of the capture in bytes, i.e. capture at most N bytes of each packet. Use -s0 to get everything, unless you are intentionally capturing less.
tcpdump -S : print absolute rather than relative TCP sequence numbers
tcpdump -e : print the link-level header (MAC addresses) on each line
tcpdump -E spi@ipaddr algo:secret : decrypt IPsec ESP packets with the given SPI and key
tcpdump -D
tcpdump --list-interfaces
tcpdump -nnSX port 443
tcpdump host 1.1.1.1
tcpdump src 1.1.1.1
tcpdump dst 1.0.0.1
tcpdump net 1.2.3.0/24
tcpdump -nnvvS
tcpdump -nnvvXS
tcpdump -nnvvXSs 1514
- Expressions are very nice, but the real magic of tcpdump comes from the ability to combine them in creative ways in order to isolate exactly what you’re looking for.
The operators for combining primitives are:
and (or &&)
or (or ||)
not (or !)
tcpdump 'src 192.168.1.1 and (dst port 3389 or 22)'
tcpdump 'tcp[13] & 32 != 0' : URG flag set
tcpdump 'tcp[13] & 16 != 0' : ACK flag set
tcpdump 'tcp[13] & 8 != 0' : PSH flag set
tcpdump 'tcp[13] & 4 != 0' : RST flag set
tcpdump 'tcp[13] & 2 != 0' : SYN flag set
tcpdump 'tcp[13] & 1 != 0' : FIN flag set
tcpdump 'tcp[13] = 18' : exactly SYN and ACK set (2 + 16), the second step of the handshake
tcpdump 'tcp[13] = 6' : exactly SYN and RST set (2 + 4), a combination that does not occur in legitimate traffic
tcpdump 'ip[6] & 128 != 0' : the reserved high bit of the IP flags field (the RFC 3514 "evil bit") is set
tcpdump ip6
tcpdump -A -i eth0
tcpdump -XX -i eth0
tcpdump -w 0001.pcap -i eth0
tcpdump -r 0001.pcap
tcpdump -n -i eth0
tcpdump -i eth0 tcp
tcpdump -i eth0 port 22
tcpdump -i eth0 src 192.168.0.2
tcpdump -i eth0 dst 50.116.66.139
tcpdump -n src host x.x.x.x
tcpdump -n host x.x.x.x
tcpdump -n dst host x.x.x.x
tcpdump -n dst net x.x.x.0/24
tcpdump -n src net x.x.x.0/24
tcpdump -n dst port x
tcpdump -n src port x
tcpdump -n dst(or src) portrange x-y
tcpdump -n tcp(or udp) dst(or src) portrange x-y
tcpdump -n "dst host x.x.x.x and dst port y"
tcpdump -n "dst host x.x.x.x and (dst port x or dst port z)"
tcpdump -v icmp(or arp)
tcpdump -i eth0 -w cap.pcap : -w writes a binary pcap file whatever the extension, so read it back with tcpdump -r or open it in Wireshark rather than cat
tcpdump -c 1 -X icmp
tcpdump port 3389
tcpdump src port 1025
tcpdump icmp
tcpdump portrange 21-23
tcpdump less 32
tcpdump greater 64
tcpdump 'len <= 128'
tcpdump 'len >= 128'
(less N and greater N are shorthand for len <= N and len >= N; quote the long form, otherwise the shell treats <= as a redirection, and => is not a valid operator at all)
tcpdump port 80 -w capture_file
tcpdump -r capture_file
tcpdump -ttnnvvS
tcpdump -nnvvS src 10.5.2.3 and dst port 3389
tcpdump -nvX 'src net 192.168.0.0/16 and (dst net 10.0.0.0/8 or 172.16.0.0/16)'
(and binds tighter than or, so without the parentheses the filter would also match any packet to 172.16.0.0/16 regardless of source; note also that the RFC 1918 block is 172.16.0.0/12, wider than the /16 shown)
tcpdump dst 192.168.0.2 and src net x.x.x.0/24 and not icmp
tcpdump -vv src mars and not dst port 22
tcpdump 'tcp[13] & 4!=0'
tcpdump 'tcp[tcpflags] == tcp-rst'
tcpdump 'tcp[13] & 2!=0'
tcpdump 'tcp[tcpflags] == tcp-syn'
tcpdump 'tcp[13]=18'
tcpdump 'tcp[13] & 32!=0'
tcpdump 'tcp[tcpflags] == tcp-urg'
tcpdump 'tcp[13] & 16!=0'
tcpdump 'tcp[tcpflags] == tcp-ack'
tcpdump 'tcp[13] & 8!=0'
tcpdump 'tcp[tcpflags] == tcp-psh'
tcpdump 'tcp[13] & 1!=0'
tcpdump 'tcp[tcpflags] == tcp-fin'
tcpdump 'tcp[13] = 6'
tcpdump -vvAls0 | grep 'User-Agent:'
tcpdump -nn -A -s1500 -l | grep "User-Agent:"
By using egrep and multiple matches we can get the User Agent and the Host (or any other header) from the request.
tcpdump -nn -A -s1500 -l | egrep -i 'User-Agent:|Host:'
tcpdump -s 0 -A -vv 'tcp[((tcp[12:1] & 0xf0) >> 2):4] = 0x47455420'
tcpdump -s 0 -A -vv 'tcp[((tcp[12:1] & 0xf0) >> 2):4] = 0x504f5354'
tcpdump -s 0 -v -n -l | egrep -i "POST /|GET /|Host:"
tcpdump -s 0 -A -n -l | egrep -i "POST /|pwd=|passwd=|password=|Host:"
tcpdump -nn -A -s0 -l | egrep -i 'Set-Cookie|Host:|Cookie:'
tcpdump -n icmp
tcpdump 'icmp[icmptype] != icmp-echo and icmp[icmptype] != icmp-echoreply'
tcpdump -nn -l port 25 | grep -i 'MAIL FROM\|RCPT TO'
tcpdump dst port 123
tcpdump -nn -v port ftp or ftp-data
tcpdump -w /tmp/capture-%H.pcap -G 3600 -C 200
tcpdump -nn ip6 proto 6
tcpdump -nr ipv6-test.pcap ip6 proto 17
tcpdump -nn
From the scanning host:
nmap -p 80 --script=http-enum.nse targetip
On the server being scanned (targetip):
tcpdump -nn port 80 | grep "GET /"
GET /w3perl/ HTTP/1.1
GET /w-agora/ HTTP/1.1
GET /way-board/ HTTP/1.1
GET /web800fo/ HTTP/1.1
GET /webaccess/ HTTP/1.1
GET /webadmin/ HTTP/1.1
GET /webAdmin/ HTTP/1.1
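To turn the grep above into something you can alert on, here is an added Python example (not part of the original page, of tcpdump or of nmap) that parses the text printed by `tcpdump -nn -tttt -l -A port 80`, attributes each request line to the packet header above it, and flags any client that requests many distinct paths within a few seconds, which is what an http-enum run looks like on the wire. The tcpdump output embedded in it is constructed for the example (addresses and paths are made up), and the 10-second window and 5-path threshold are assumptions to tune for your own traffic.

```python
"""Flag HTTP directory enumeration (e.g. nmap http-enum) in tcpdump text output.

Added example for this cheat sheet, not code from the original page.  The
SAMPLE_OUTPUT below is constructed to look like `tcpdump -nn -tttt -l -A port 80`;
it is not a real capture.
"""
import re
from collections import defaultdict
from datetime import datetime

# Packet header line as printed with -nn -tttt: timestamp, "IP", src.port > dst.port:
HEADER = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\.\d+) IP "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): ")
# HTTP request line from the -A payload dump.
REQUEST = re.compile(r"^(?P<method>GET|POST|HEAD|OPTIONS) (?P<path>\S+) HTTP/1\.[01]")

# Constructed sample: one normal client (10.0.0.7) and one enumerating client (10.0.0.5).
SAMPLE_OUTPUT = """\
2024-05-01 12:00:00.100000 IP 10.0.0.7.40000 > 10.0.0.1.80: Flags [P.], seq 1:80, ack 1, win 502, length 79
GET /index.html HTTP/1.1
Host: 10.0.0.1
2024-05-01 12:00:00.150000 IP 10.0.0.1.80 > 10.0.0.7.40000: Flags [P.], seq 1:300, ack 80, win 509, length 299
HTTP/1.1 200 OK
2024-05-01 12:00:01.000000 IP 10.0.0.5.51234 > 10.0.0.1.80: Flags [P.], seq 1:70, ack 1, win 502, length 69
GET /w3perl/ HTTP/1.1
Host: 10.0.0.1
2024-05-01 12:00:01.004000 IP 10.0.0.5.51236 > 10.0.0.1.80: Flags [P.], seq 1:71, ack 1, win 502, length 70
GET /w-agora/ HTTP/1.1
2024-05-01 12:00:01.008000 IP 10.0.0.5.51238 > 10.0.0.1.80: Flags [P.], seq 1:73, ack 1, win 502, length 72
GET /way-board/ HTTP/1.1
2024-05-01 12:00:01.012000 IP 10.0.0.5.51240 > 10.0.0.1.80: Flags [P.], seq 1:72, ack 1, win 502, length 71
GET /web800fo/ HTTP/1.1
2024-05-01 12:00:01.016000 IP 10.0.0.5.51242 > 10.0.0.1.80: Flags [P.], seq 1:73, ack 1, win 502, length 72
GET /webaccess/ HTTP/1.1
2024-05-01 12:00:01.020000 IP 10.0.0.5.51244 > 10.0.0.1.80: Flags [P.], seq 1:72, ack 1, win 502, length 71
GET /webadmin/ HTTP/1.1
2024-05-01 12:00:05.000000 IP 10.0.0.7.40002 > 10.0.0.1.80: Flags [P.], seq 1:80, ack 1, win 502, length 79
GET /index.html HTTP/1.1
2024-05-01 12:00:40.000000 IP 10.0.0.7.40004 > 10.0.0.1.80: Flags [P.], seq 1:76, ack 1, win 502, length 75
GET /about/ HTTP/1.1
"""


def parse_requests(text):
    """Yield (timestamp, src_ip, path) for each request line, attributed to the
    most recent packet header printed above it (responses never match REQUEST)."""
    current = None
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            current = (datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S.%f"), m["src"])
            continue
        r = REQUEST.match(line)
        if r and current:
            yield current[0], current[1], r["path"]


def find_enumerators(text, threshold=5, window_seconds=10.0):
    """Return {src_ip: sorted distinct paths} for clients that requested at least
    `threshold` distinct paths inside some `window_seconds` span (sliding window)."""
    by_src = defaultdict(list)
    for ts, src, path in parse_requests(text):
        by_src[src].append((ts, path))
    hits = {}
    for src, reqs in by_src.items():
        reqs.sort()
        in_window = defaultdict(int)   # path -> occurrences inside the current window
        start = 0
        for ts, path in reqs:
            in_window[path] += 1
            while (ts - reqs[start][0]).total_seconds() > window_seconds:
                old = reqs[start][1]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                start += 1
            if len(in_window) >= threshold:
                hits[src] = sorted({p for _, p in reqs})
                break
    return hits


if __name__ == "__main__":
    for src, paths in find_enumerators(SAMPLE_OUTPUT).items():
        print(f"{src}: {len(paths)} distinct paths within 10s -> {' '.join(paths)}")
```

On a live box the same functions can be fed from `sys.stdin` behind `tcpdump -nn -tttt -l -A port 80`; the sliding window is what keeps a client that browses a site slowly over an hour from being flagged while a burst of unrelated paths in one second is.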
tcpdump 'tcp[tcpflags] & (tcp-syn|tcp-fin) != 0 and not src and dst net localnet' : the SYN and FIN packets (start and end) of every TCP conversation that involves a non-local host; localnet is a placeholder for your own network
tcpdump -i wlp58s0 -s0 port 53
tcpdump 'tcp port 80 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)'
tcpdump -nnn -t -c 200 | cut -f 1,2,3,4 -d '.' | sort | uniq -c | sort -nr | head -n 20
tcpdump -l -A port http or port ftp or port smtp or port imap or port pop3 or port telnet | egrep -i -B5 'pass=|pwd=|log=|login=|user=|username=|pw=|passw=|passwd=|password=|pass:|user:|username:|password:|login:|pass |user '
tcpdump -v -n port 67 or 68
tcpdump -vvAls0 | grep 'GET'
tcpdump -vvAls0 | grep 'Host:'
tcpdump -vvAls0 | egrep 'Set-Cookie|Host:|Cookie:'
tcpdump 'tcp[((tcp[12]&0xf0)>>2):4] = 0x5353482D' : match the "SSH-" version banner at the start of the TCP payload (the 0xf0 mask drops the reserved low bits of tcp[12] so the offset is the real header length)
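The flag filters earlier on this page ('tcp[13] & N != 0'), the GET/POST payload matches, the data-length expression '(ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)' and the SSH banner match above all index raw bytes relative to the IP and TCP headers. The following Python script is an added example, not code from tcpdump or from this cheat sheet; it builds a sample IPv4/TCP packet (addresses, ports and payloads are made up) and evaluates the same arithmetic, so an offset expression can be checked before it goes into a live filter.

```python
"""Evaluate tcpdump byte-offset filter arithmetic on a constructed packet.

Added example for this cheat sheet (not tcpdump code).  Builds a minimal
IPv4 + TCP packet with struct and re-implements ip[off:size] / tcp[off:size]
so the flag, payload-prefix and payload-length filters can be checked offline.
Addresses, ports and payloads are arbitrary sample values.
"""
import struct

# Flag bits of tcp[13], lowest bit first: FIN, SYN, RST, PSH, ACK, URG.
FIN, SYN, RST, PSH, ACK, URG = 1, 2, 4, 8, 16, 32

# First four payload bytes as tcpdump compares them (big-endian 32-bit integer).
PREFIXES = {0x47455420: "GET ", 0x504F5354: "POST", 0x5353482D: "SSH-"}


def build_ipv4_tcp(flags, payload=b"", evil=False):
    """Return IPv4 header (20 B, no options) + TCP header (20 B) + payload.
    Checksums are left zero; they play no part in the offset arithmetic."""
    total_len = 20 + 20 + len(payload)
    frag = 0x8000 if evil else 0          # top bit of ip[6] is the reserved "evil" bit
    ip_hdr = struct.pack("!BBHHHBBH4s4s",
                         0x45, 0, total_len, 0x1234, frag, 64, 6, 0,
                         bytes([192, 168, 1, 10]), bytes([10, 0, 0, 1]))
    data_offset = 5 << 4                  # header length in 32-bit words, upper nibble of tcp[12]
    tcp_hdr = struct.pack("!HHIIBBHHH",
                          40000, 80, 1000, 2000, data_offset, flags, 65535, 0, 0)
    return ip_hdr + tcp_hdr + payload


def ip_field(pkt, off, size=1):
    """tcpdump's ip[off:size]: big-endian integer read relative to the IP header."""
    return int.from_bytes(pkt[off:off + size], "big")


def tcp_field(pkt, off, size=1):
    """tcpdump's tcp[off:size]: the TCP header starts ((ip[0] & 0xf) << 2) bytes in,
    so every tcp[] offset is relative to that point.  Returns None when the read
    would run past the end of the packet (tcpdump treats that as no match)."""
    base = (ip_field(pkt, 0) & 0xF) << 2
    chunk = pkt[base + off:base + off + size]
    return int.from_bytes(chunk, "big") if len(chunk) == size else None


def tcp_flags(pkt):
    return tcp_field(pkt, 13)             # tcp[13]


def has_flag(pkt, flag):
    return tcp_flags(pkt) & flag != 0     # 'tcp[13] & N != 0'


def is_syn_only(pkt):
    return tcp_flags(pkt) == SYN          # 'tcp[13] = 2' / 'tcp[tcpflags] == tcp-syn'


def is_syn_ack(pkt):
    return tcp_flags(pkt) == SYN | ACK    # 'tcp[13] = 18'


def evil_bit(pkt):
    return ip_field(pkt, 6) & 128 != 0    # 'ip[6] & 128 != 0'


def tcp_payload_len(pkt):
    """'(ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)': IP total length minus
    IP header length minus TCP header length.  Non-zero means the segment carries
    data rather than being a bare SYN/FIN/ACK."""
    ip_len = ip_field(pkt, 2, 2)
    ihl = (ip_field(pkt, 0) & 0xF) << 2
    thl = (tcp_field(pkt, 12) & 0xF0) >> 2
    return ip_len - ihl - thl


def payload_prefix(pkt):
    """'tcp[((tcp[12:1] & 0xf0) >> 2):4]': the four bytes right after the TCP
    header, i.e. the start of the application payload."""
    return tcp_field(pkt, (tcp_field(pkt, 12) & 0xF0) >> 2, 4)


def classify(pkt):
    """Name the request/banner the payload-prefix filters would match, else None."""
    return PREFIXES.get(payload_prefix(pkt))


if __name__ == "__main__":
    samples = {
        "syn": build_ipv4_tcp(SYN),
        "http get": build_ipv4_tcp(PSH | ACK, b"GET /webadmin/ HTTP/1.1\r\n"),
        "ssh banner": build_ipv4_tcp(PSH | ACK, b"SSH-2.0-OpenSSH\r\n"),
    }
    for name, pkt in samples.items():
        print(f"{name:10} tcp[13]={tcp_flags(pkt):#04x} payload_len={tcp_payload_len(pkt)} "
              f"prefix={classify(pkt)} evil={evil_bit(pkt)}")
```

The two things practitioners most often get wrong are visible here: tcp[] offsets are relative to the TCP header, not the packet, and the data offset in tcp[12] lives in the upper nibble, which is why it must be masked with 0xf0 before being shifted.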
tcpdump -vvAs0 port 53
tcpdump -vvAs0 port ftp or ftp-data
tcpdump -vvAs0 port 123
tcpdump -i eth0 -s0 -l port 80 | grep 'Server:'
tcpdump -n icmp and 'icmp[0] != 8 and icmp[0] != 0'
The same filter can be written with the predefined header field offset (icmptype) and the named ICMP type values (icmp-echo and icmp-echoreply):
tcpdump -n icmp and icmp[icmptype] != icmp-echo and icmp[icmptype] != icmp-echoreply
tcpdump -v -n ip and 'ip[1]!=0' : packets with a non-zero TOS/DSCP byte (quote the bracket expression so the shell does not treat it as a glob)
tcpdump -v ip and 'ip[8]<2'
tcpdump -n tcp and port 80 and 'tcp[tcpflags] & tcp-syn == tcp-syn'
In the example above, every packet with the TCP SYN flag set is captured, even if other flags (ACK, for example) are also set. Packets that have only the SYN flag set can be captured with:
tcpdump tcp and port 80 and 'tcp[tcpflags] == tcp-syn'
tcpdump -n tcp and 'tcp[tcpflags] & (tcp-syn|tcp-ack) == (tcp-syn|tcp-ack)'
tcpdump -n tcp and 'tcp[tcpflags] & tcp-syn == tcp-syn' and 'tcp[tcpflags] & tcp-ack == tcp-ack'
tcpdump -vv -e -nn ether proto 0x0806
tcpdump -l icmp and '(ip[2:2]>50)' -w - |tcpdump -r - -v ip and '(ip[2:2]<60)'
tcpdump -v -n icmp and '(ip[2:2]>50)' and '(ip[2:2]<60)'
tcpdump -v -n icmp
tcpdump -q -i eth0
tcpdump -t -i eth0
tcpdump -A -n -q -i eth0 'port 80'
tcpdump -A -n -q -t -i eth0 'port 80'
tcpdump -A -s 0 -q -t -i eth0 'port 80 and ( ((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)'
(the data offset must be read from the single byte tcp[12]; a two-byte read tcp[12:2] masks the flags byte instead of the header length)
tcpdump -nq -s 0 -A -vvv port 5060 and host 1.2.3.4
tcpdump -i any -c10 -nn -A port 80
sudo tcpdump -i any -c10 -nn -A port 80 : capturing needs root or the CAP_NET_RAW and CAP_NET_ADMIN capabilities, so prefix with sudo when not running as root