tcpdump

`Commands`

Prints the tcpdump and libpcap version strings then exits:

tcpdump --version

Prints a list of usable network interfaces to capture from:

tcpdump -D

Utilizes the interface specified to capture on:

tcpdump -i InterfaceName

Combine Filters Using AND (&&)

tcpdump src host 192.168.1.1 && port 80

Combine Filters Using OR (or)

tcpdump src host 192.168.1.1 or dst host 192.168.1.2

Exclude Specific Traffic Using NOT (not)

tcpdump not udp

Do Not Resolve Hostnames:

tcpdump -n

Do Not Resolve Hostnames or Ports:

tcpdump -nn

Capture Ethernet Headers and Data:

tcpdump -e

Show Packet Contents in Hex and ASCII:

tcpdump -X

Show Ethernet Header + Packet Contents in Hex and ASCII

tcpdump -XX

Increase Verbosity:

tcpdump -v
tcpdump -vv
tcpdump -vvv

Capture a Specific Number of Packets:

tcpdump -c 10

Limit the Amount of Data to Capture from Each Packet:

tcpdump -s 64

Filter by Packet Size:

tcpdump greater 1000
tcpdump less 500

Show Absolute Sequence Numbers in TCP:

tcpdump -S

Reduce Protocol Information in the Output:

tcpdump -q

Filter by Source or Destination Host:

tcpdump src host 192.168.1.1
tcpdump dst host 192.168.1.1

Filter by Network

tcpdump net 192.168.1.0/24

Runs a capture on the specified interface and writes the output to a file:

tcpdump -i InterfaceName -w file.pcap

Read the output from a specified file:

tcpdump -r file.pcap

Write Packets to a File

tcpdump -w capture_file.pcap

Only capture traffic originating from or destined to the IP address or hostname specified:

tcpdump -i (int) host (ip)

Will filter the capture for anything sourcing from or destined to port:

tcpdump -i (int) port (#)

Filter by Port Range

tcpdump portrange 1000-2000

Will utilize a protocols common name to filter the traffic captured:

tcpdump -i (int) proto ICMP

Will filter the capture for any protocol traffic matching their code:

tcpdump -i (int) proto 6

`Protocol Number List`

ICMP (Internet Control Message Protocol) -> 1
IGMP (Internet Group Management Protocol) -> 2
TCP (Transmission Control Protocol) -> 6
UDP (User Datagram Protocol) -> 17
OSPF (Open Shortest Path First) -> 89
EIGRP (Enhanced Interior Gateway Routing Protocol) -> 88
AH (Authentication Header) -> 51
ESP (Encapsulating Security Payload) -> 50
GRE (Generic Routing Encapsulation) -> 47
IPv6 (Internet Protocol version 6) -> 41
IPv4 (Internet Protocol version 4) -> 4
DCCP (Datagram Congestion Control Protocol) -> 33
SCTP (Stream Control Transmission Protocol) -> 132
RARP (Reverse Address Resolution Protocol) -> 3
PPTP (Point-to-Point Tunneling Protocol) -> 115
MPLS (Multiprotocol Label Switching) -> 89
X.25 -> 93
FDDI (Fiber Distributed Data Interface) -> 97

PreviousNetcat NextNmap

Last updated 2 months ago

tcpdump

`Commands`

Prints the tcpdump and libpcap version strings then exits:

tcpdump --version

Prints a list of usable network interfaces to capture from:

tcpdump -D

Utilizes the interface specified to capture on:

tcpdump -i InterfaceName

Combine Filters Using AND (&&)

tcpdump src host 192.168.1.1 && port 80

Combine Filters Using OR (or)

tcpdump src host 192.168.1.1 or dst host 192.168.1.2

Exclude Specific Traffic Using NOT (not)

tcpdump not udp

Do Not Resolve Hostnames:

tcpdump -n

Do Not Resolve Hostnames or Ports:

tcpdump -nn

Capture Ethernet Headers and Data:

tcpdump -e

Show Packet Contents in Hex and ASCII:

tcpdump -X

Show Ethernet Header + Packet Contents in Hex and ASCII

tcpdump -XX

Increase Verbosity:

tcpdump -v
tcpdump -vv
tcpdump -vvv

Capture a Specific Number of Packets:

tcpdump -c 10

Limit the Amount of Data to Capture from Each Packet:

tcpdump -s 64

Filter by Packet Size:

tcpdump greater 1000
tcpdump less 500

Show Absolute Sequence Numbers in TCP:

tcpdump -S

Reduce Protocol Information in the Output:

tcpdump -q

Filter by Source or Destination Host:

tcpdump src host 192.168.1.1
tcpdump dst host 192.168.1.1

Filter by Network

tcpdump net 192.168.1.0/24

Runs a capture on the specified interface and writes the output to a file:

tcpdump -i InterfaceName -w file.pcap

Read the output from a specified file:

tcpdump -r file.pcap

Write Packets to a File

tcpdump -w capture_file.pcap

Only capture traffic originating from or destined to the IP address or hostname specified:

tcpdump -i (int) host (ip)

Will filter the capture for anything sourcing from or destined to port:

tcpdump -i (int) port (#)

Filter by Port Range

tcpdump portrange 1000-2000

Will utilize a protocols common name to filter the traffic captured:

tcpdump -i (int) proto ICMP

Will filter the capture for any protocol traffic matching their code:

tcpdump -i (int) proto 6

`Protocol Number List`

ICMP (Internet Control Message Protocol) -> 1
IGMP (Internet Group Management Protocol) -> 2
TCP (Transmission Control Protocol) -> 6
UDP (User Datagram Protocol) -> 17
OSPF (Open Shortest Path First) -> 89
EIGRP (Enhanced Interior Gateway Routing Protocol) -> 88
AH (Authentication Header) -> 51
ESP (Encapsulating Security Payload) -> 50
GRE (Generic Routing Encapsulation) -> 47
IPv6 (Internet Protocol version 6) -> 41
IPv4 (Internet Protocol version 4) -> 4
DCCP (Datagram Congestion Control Protocol) -> 33
SCTP (Stream Control Transmission Protocol) -> 132
RARP (Reverse Address Resolution Protocol) -> 3
PPTP (Point-to-Point Tunneling Protocol) -> 115
MPLS (Multiprotocol Label Switching) -> 89
X.25 -> 93
FDDI (Fiber Distributed Data Interface) -> 97

PreviousNetcat NextNmap

Last updated 2 months ago