How To Capture Packets with TCPDUMP?

See the list of interfaces on which tcpdump can listen
# /usr/sbin/tcpdump -D

Listen on any available interface
# /usr/sbin/tcpdump -i any

Verbose Mode
# /usr/sbin/tcpdump -v
# /usr/sbin/tcpdump -vv
# /usr/sbin/tcpdump -vvv
# /usr/sbin/tcpdump -q

Limit the capture to an number of  packets N
# /usr/sbin/tcpdump -c N

Display IP addresses and port numbers when capturing packets
# /usr/sbin/tcpdump -n

Capture any packets where the destination host is 192.168.0.1, display IP addresses and port numbers
# /usr/sbin/tcpdump -n dst host 192.168.0.1

Capture any packets where the source host is 192.168.0.1, display IP addresses and port numbers
# /usr/sbin/tcpdump -n src host 192.168.0.1

Capture any packets where the source or destination host is 192.168.0.1, display IP addresses and port numbers
# /usr/sbin/tcpdump -n host 192.168.0.1

Capture any packets where the destination network is 192.168.10.0/24, display IP addresses and port numbers
# /usr/sbin/tcpdump -n dst net 192.168.10.0/24

Capture any packets where the source network is 192.168.10.0/24, display IP addresses and port numbers
# /usr/sbin/tcpdump -n src net 192.168.10.0/24

Capture any packets where the source or destination network is 192.168.10.0/24,display IP addresses and port numbers
# /usr/sbin/tcpdump -n net 192.168.10.0/24

Capture any packets where the destination port is 23, display IP addresses and port numbers
# /usr/sbin/tcpdump -n dst port 23

Capture any packets where the destination port is is between 1 and 1023 inclusive, display IP addresses and port numbers
# /usr/sbin/tcpdump -n dst portrange 1-1023

Capture only TCP packets where the destination port is is between 1 and 1023 inclusive,display IP addresses and port numbers
# /usr/sbin/tcpdump -n tcp dst portrange 1-1023

Capture only UDP packets where the destination port is is between 1 and 1023 inclusive, display IP addresses and port numbers
# /usr/sbin/tcpdump -n udp dst portrange 1-1023

Capture any packets with destination IP 192.168.0.1 and destination port 23,display IP addresses and port numbers
# /usr/sbin/tcpdump -n "dst host 192.168.0.1 and dst port 23"

Capture any packets with destination IP 192.168.0.1 and destination port 80 or 443,display IP addresses and port numbers
# /usr/sbin/tcpdump -n "dst host 192.168.0.1 and (dst port 80 or dst port 443)"

Capture any ICMP packets
# /usr/sbin/tcpdump -v icmp

Capture any ARP packets
# /usr/sbin/tcpdump -v arp

Capture either ICMP or ARP packets
# /usr/sbin/tcpdump -v "icmp or arp"

Capture any packets that are broadcast or multicast
# /usr/sbin/tcpdump -n "broadcast or multicast"

Capture 500 bytes of data for each packet rather than the default of 68 bytes
# /usr/sbin/tcpdump -s 500

Capture all bytes of data within the packet
# /usr/sbin/tcpdump -s 0

Monitor all packets on eth1 interface
# /usr/sbin/tcpdump -i eth1

Monitor all traffic on port 80 ( HTTP )
# /usr/sbin/tcpdump -i eth0 'port 80'

Monitor all traffic on port 25 ( SMTP )
# /usr/sbin/tcpdump -vv -x -X -s 1500 -i eth0 'port 25'

Capture only N number of packets using tcpdump -c
# /usr/sbin/tcpdump -c 2 -i eth0

Display Captured Packets in ASCII using tcpdump -A
# /usr/sbin/tcpdump -A -i eth0

Display Captured Packets in HEX and ASCII using tcpdump -XX
# /usr/sbin/tcpdump -XX -i eth0

Capture the packets and write into a file using tcpdump -w
# /usr/sbin/tcpdump -w data.pcap -i eth0
.pcap is extension

Reading the packets from a saved file using tcpdump -r
# /usr/sbin/tcpdump -tttt -r data.pcap

Capture packets with IP address using tcpdump -n
# /usr/sbin/tcpdump -n -i eth0

Capture packets with proper readable timestamp using tcpdump -tttt
# /usr/sbin/tcpdump -n -tttt -i eth0

Read packets longer than N bytes
# /usr/sbin/tcpdump -w data.pcap greater 1024

Read packets lesser than N bytes
# /usr/sbin/tcpdump -w data1024.pcap  less 1024

Receive only the packets of a specific protocol type
# /usr/sbin/tcpdump -i eth0 arp

Receive packets flows on a particular port using tcpdump port
# /usr/sbin/tcpdump -i eth0 port 22

Capture packets for particular destination IP and Port
# /usr/sbin/tcpdump -w data.pcap -i eth0 dst 10.181.140.216 and port 22

Capture TCP communication packets between two hosts
# /usr/sbin/tcpdump -w data.pcap -i eth0 dst 16.181.170.246 and port 22

Tcpdump Filter Packets – Capture all the packets other than arp and rarp
# /usr/sbin/tcpdump -i eth0 not arp and not rarp

1 comment:

The Geeks said...

hi...Im student from Informatics engineering nice article,
thanks for sharing :)