
Useful options

-D – list available interfaces

-i INTERFACE – listen on INTERFACE (default: lowest numbered interface)

-w FILE – write raw packets to FILE

-r FILE – read packets from FILE

-nn – turn off host and protocol name resolution (to avoid generating DNS packets)

-s0 – set snaplength to 0, i.e. read the whole packet not just first 68 bytes (default if version >= 4.0)

-t – turn off timestamp entries

-c COUNT – capture COUNT packets and stop

Examples:

tcpdump -nni any -w packets.pcap
tcpdump -nnr packets.pcap

Output format

The output format will vary depending on which protocols are in use …

TCP:

timestamp L3_protocol sIP.sPort > dIP.dPort: TCP_flags,
TCP_sequence_number, TCP_acknowledgement_number, TCP_window_size,
data_length_in_bytes

UDP:

timestamp L3_protocol sIP.sPort > dIP.dPort: L4_protocol, data_length

Output options

Packet Filtering

tcpdump -nnr packets.pcap -w packets_tcp8080.pcap 'tcp dst port 8080'
tcpdump -nnr packets.pcap -F known_good_hosts.bpf

BPF

           operator
 primitive   |      primitive
     |       |         |
+---------+  | +----------------+
|         |  | |                |
udp port 53 && dst host 192.0.2.2
 |        |
 |        value
qualifier

Qualifiers

Logical operators

Examples

Cookbook

Show HTTP Host header:

stdbuf -oL -eL /usr/sbin/tcpdump -nn -A -s 10240 \
"tcp port 80 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)"
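The cookbook filter above works by subtracting the IP and TCP header lengths from the IP total length, so only segments that actually carry payload are printed. As an added example (not part of the original notes), this Python re-implements that arithmetic on constructed IPv4/TCP packets so you can check that a pure ACK is excluded even when IP and TCP options are present, and then pulls the Host header out of a matching packet:

```python
import struct

def build_packet(payload=b"", ip_opt_words=0, tcp_opt_words=0):
    """Constructed IPv4/TCP packet (not a real capture); options are zero padding."""
    ihl = 5 + ip_opt_words            # IP header length in 32-bit words
    doff = 5 + tcp_opt_words          # TCP data offset in 32-bit words
    total_len = ihl * 4 + doff * 4 + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0, total_len, 0, 0, 64, 6, 0,
                     bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2]))
    ip += b"\x00" * (ip_opt_words * 4)
    # flags 0x18 = PSH|ACK; checksums left zero since nothing validates them here
    tcp = struct.pack("!HHIIHHHH", 54321, 80, 0, 0, (doff << 12) | 0x18, 65535, 0, 0)
    tcp += b"\x00" * (tcp_opt_words * 4)
    return ip + tcp + payload

def tcp_payload_len(packet):
    """Same arithmetic as the BPF expression, field by field."""
    ip_hlen = (packet[0] & 0x0F) << 2                # (ip[0]&0xf)<<2
    total_len = int.from_bytes(packet[2:4], "big")   # ip[2:2]
    tcp = packet[ip_hlen:]                           # tcp[] offsets start here
    tcp_hlen = (tcp[12] & 0xF0) >> 2                 # (tcp[12]&0xf0)>>2
    return (total_len - ip_hlen) - tcp_hlen

def matches_filter(packet):
    """True when tcpdump would print the packet under the cookbook filter."""
    return tcp_payload_len(packet) != 0

def host_header(packet):
    """Return the HTTP Host header value from the TCP payload, or None."""
    ip_hlen = (packet[0] & 0x0F) << 2
    tcp_hlen = (packet[ip_hlen + 12] & 0xF0) >> 2
    payload = packet[ip_hlen + tcp_hlen:]
    for line in payload.split(b"\r\n"):
        if line.lower().startswith(b"host:"):
            return line[5:].strip().decode("ascii", "replace")
    return None

if __name__ == "__main__":
    request = b"GET / HTTP/1.1\r\nHost: example.com\r\n\r\n"
    for label, pkt in [("pure ACK, no options", build_packet()),
                       ("pure ACK, IP+TCP options", build_packet(b"", 1, 3)),
                       ("GET with options", build_packet(request, 1, 3))]:
        print(f"{label:28} payload={tcp_payload_len(pkt):3} "
              f"match={matches_filter(pkt)} host={host_header(pkt)}")
```

A naive `greater 40` filter would wrongly print the option-bearing ACK; the header-length subtraction is what makes the cookbook expression exact.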

Resources