tcpdump useful commands

92

tcpdump is a packet sniffing command line tool to capture TCP/IP packets that are received or transmitted on a specific interface. This tool has been used widely for troubleshooting purpose, as well as for security assessments. The output of tcpdump command can be viewed using free wireshark tool.

tcpdump cli optionsDescription
tcpdump -i 2.1To view the traffic on a single specific interface.
tcpdump -i internalTo view the traffic on a specific VLAN called internal.
tcpdump -i eth0To view the traffic on the management interface.
tcpdump -i 0.0To view the traffic on all interfaces. It creates potentially large files, hence use filters to limit the size of files.
tcpdump -niBy default, tcpdump attempts to resolve names for IP address, and wait for response from DNS Server, so this process can be time consuming. To disable name resolution, use -n flag
tcpdump -w tcpdump utility does not print data to the screen while it is capturing to a file. To stop the capture, press CTRL-C
tcpdump -s0To specify the amount of each packet to capture. To capture the entire packet, use a value of 0 (zero).
tcpdump filtersDescription
tcpdump host 10.90.100.1To view all packets that are traveling to or from a specific IP address.
tcpdump src host 10.90.100.1To view all packets that are traveling from a specific IP address.
tcpdump dst host 10.90.100.1To view all packets that are traveling to a particular IP address.
tcpdump port 80To view all packets that are either sourced from or destined to a specific port.
tcpdump src port 80To view all packets that are sourced from a specific port.
tcpdump dst port 80To view all packets that are destined to a specific port.

The above commands can be combined as below

tcpdump src host 172.16.101.20 and dst host 10.90.100.1

tcpdump -ni 0.0.nnn -s0 -w /var/tmp/capjun2018.dmp

 

If you are troubleshooting a case with F5 appliance, you must also know about capturing extended TMM data with tcpdump, click this link to read the article.

tcpdump -i <interface>:<noise amplitude>

The noise amplitude defines the level of TMM details included in the packet capture. The following noise levels may be captured:

n: Low details
nn: Low and medium details
nnn: Low, medium, and high details

·


Related Articles & Comments

Menu Title
%d bloggers like this: