Farid Ahmadian / General

tcpdump examples

Public domain


# tcpdump -i eth1 -nq
    -i : Listen on interface.
    -n : Don't convert host addresses to names.
    -q : Quick (quiet?) output.

# tcpdump -i eth1 -nq -xX -c 6 -e
    -x : Print each packet (minus its link level header) in hex.
    -X : When printing hex, print ascii too.
    -c : Exit after receiving count packets.
    -e : Print the link-level header on each dump line.

# tcpdump -i eth1 -nq -xX -c 6 -w test
    -w : Write the raw packets to file.

# tcpdump -i eth1 -nq -xX -c 6 -r test
    -r : Read packets from file.

# tcpdump -i eth0 -nq net 172.16.10
# tcpdump -i eth0 -nq net 172.16.10 and port 80
# tcpdump -i eth0 -nq net 172.16.10 and not port 22
# tcpdump -i eth0 -nq src net 172.16.10 and not port 22
# tcpdump -i eth0 -nq dst 172.16.10.248 and not port 22 and udp

# tcpdump -i ppp0 -nq -G 3600 -w dump--%F--%H-%M-%S.dump "not src or dst 8.8.8.8 and not src or dst 4.2.2.4"
    -G : Rotate the dump file every N seconds; the -w filename is expanded with strftime(3) conversions (%F, %H, ...).

# tcpdump -i eth0 -nq src 172.16.10.248 and dst port 80 and less 512
    less : True if the packet has a length less than or equal to length.

# tcpdump -i eth0 -nq src 172.16.10.248 and dst port 80 and greater 32
    greater : True if the packet has a length greater than or equal to length.

# tcpdump -i eth0 -nq ether broadcast
    broadcast : True if the packet is an ethernet broadcast packet.

# tcpdump -i eth1 -enq ether host "00:15:6d:b6:05:73"
     Show frames with a specific source or destination MAC address.

# tcpdump -i ppp0 -nq 'icmp[icmptype] = icmp-echoreply or icmp[icmptype] = icmp-echo'
    icmp[icmptype] : The ICMP type byte; quote the expression so the shell does not treat the brackets as a glob pattern.

# man pcap-filter
     packet filter syntax manual
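As an added example, not part of the original cheat sheet: a small Python script that reads a pcap file of the kind `-w` writes and applies the equivalent of two of the filters above (`dst 172.16.10.248 and udp`, and the `icmp[icmptype]` echo test) to raw frames, showing which header bytes each expression inspects. It assumes Ethernet link type and IPv4 only; the three-frame capture is constructed inline, reusing the page's own 172.16.10.248 address.

```python
import struct
from typing import Callable, Iterator, Tuple

PCAP_MAGIC = 0xA1B2C3D4        # little-endian file, microsecond timestamps
LINKTYPE_ETHERNET = 1

def read_pcap(data: bytes) -> Iterator[Tuple[float, bytes]]:
    """Yield (timestamp, frame) for every record of a pcap written with -w."""
    magic, _, _, _, _, _, linktype = struct.unpack("<IHHiIII", data[:24])
    if magic != PCAP_MAGIC or linktype != LINKTYPE_ETHERNET:
        raise ValueError("only little-endian Ethernet pcap files are handled here")
    off = 24
    while off + 16 <= len(data):
        sec, usec, caplen, _origlen = struct.unpack("<IIII", data[off:off + 16])
        off += 16
        yield sec + usec / 1e6, data[off:off + caplen]
        off += caplen

def is_ipv4(frame: bytes) -> bool:
    return len(frame) >= 34 and frame[12:14] == b"\x08\x00"   # EtherType IPv4

def dst_udp(frame: bytes, ip: str) -> bool:
    """Same test as 'dst 172.16.10.248 and udp': IP protocol 17, IP dst at bytes 30..33."""
    return is_ipv4(frame) and frame[23] == 17 and ".".join(map(str, frame[30:34])) == ip

def icmp_echo(frame: bytes) -> bool:
    """Same test as 'icmp[icmptype] = icmp-echoreply or icmp[icmptype] = icmp-echo'."""
    if not is_ipv4(frame) or frame[23] != 1:            # IP protocol 1 = ICMP
        return False
    ihl = (frame[14] & 0x0F) * 4                        # icmp[0] follows the IP header
    return frame[14 + ihl] in (0, 8)                    # 0 = echoreply, 8 = echo

def count_matches(pcap: bytes, pred: Callable[[bytes], bool]) -> int:
    return sum(1 for _ts, frame in read_pcap(pcap) if pred(frame))

# --- constructed sample capture (three hand-built frames, not a real trace) ---
def _frame(proto: int, dst: str, payload: bytes) -> bytes:
    eth = b"\x00" * 12 + b"\x08\x00"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                     bytes([172, 16, 10, 1]), bytes(int(x) for x in dst.split(".")))
    return eth + ip + payload

_FRAMES = [
    _frame(17, "172.16.10.248", b"\x00\x35\x00\x35\x00\x08\x00\x00"),   # UDP/53 to .248
    _frame(6, "172.16.10.248", b"\x00\x16" + b"\x00" * 18),             # TCP/22 to .248
    _frame(1, "172.16.10.9", b"\x08\x00\xf7\xff\x00\x01\x00\x01"),      # ICMP echo request
]
SAMPLE_PCAP = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET) + b"".join(
    struct.pack("<IIII", 1301400000 + i, 0, len(f), len(f)) + f for i, f in enumerate(_FRAMES))
```

To try it on a real file, pass `open("test", "rb").read()` (the file written by `-w test` above) to `count_matches` instead of `SAMPLE_PCAP`.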

Read complete packet

tcpdump -enn -vvv -XX -Ss0 -tttt -i eth0 host 192.168.1.10
    -nn : Don't convert host addresses or port numbers to names.
    -vvv : Most verbose output.
    -XX : Print hex and ascii, including the link-level header.
    -S : Print absolute rather than relative TCP sequence numbers.
    -s0 : Snapshot length 0, i.e. capture whole packets instead of truncating them.
    -tttt : Print a human-readable timestamp, preceded by the date, on each dump line.

BY: Pejman Moghadam
TAG: tcpdump
DATE: 2011-03-29 13:17:29



With many thanks and best wishes for dear Pejman Moghadam, someone who taught me a lot in Linux and life :)