Useful tcpdump commands and examples
Packet sniffing, or packet capturing, is a troubleshooting tool that many system and network engineers rely on. If you're like me and use Linux a lot, tcpdump is a useful tool to have. In this tutorial I'm listing a couple of frequently used tcpdump commands that I use. I'll keep adding interesting commands that I stumble upon over time.
Installing tcpdump
CentOS/RHEL
# yum install tcpdump
Ubuntu/Debian
# apt-get install tcpdump
Examples
tcpdump requires root privileges. Please use a privileged user, or use sudo where applicable.
Running tcpdump and listening on all network interfaces
# tcpdump
Listening on a specific network interface
# tcpdump -i eth0
All my examples have the '-i eth0' parameter because I'm used to it. You could choose not to use this parameter depending on your use case, for example if the server has only one NIC.
Write packet capture to Wireshark compatible file
# tcpdump -i eth0 -w /location/filename.pcap
Capturing a specific port
# tcpdump -i eth0 port 80
Capturing DNS traffic
# tcpdump -i eth0 udp port 53
Capturing all traffic except SSH
# tcpdump -i eth0 port not 22
Capturing ICMP traffic
# tcpdump -i eth0 icmp
Combining multiple filters with AND/OR
# tcpdump -i eth0 port 80 or port 443
# tcpdump -i eth0 '(port 80 or port 443) and host IP.ADDR.OF.HOST'
In the pcap filter language 'and' binds tighter than 'or', so without the parentheses this expression would match port 80 traffic from any host plus port 443 traffic from the given host. The parentheses must be quoted so the shell does not interpret them.
Excluding specific hosts or ports
# tcpdump -i eth0 port not 22
# tcpdump -i eth0 host not IP.ADDR.OF.HOST
# tcpdump -i eth0 host IP.ADDR.OF.HOST and port not 22
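As an added example that is not part of the original post, here is a small POSIX shell helper that builds filter expressions with the grouping made explicit, so 'and'/'or' combine the way the sections above intend; the interface, output path and the 10.0.0.5 address are placeholders I made up.

```shell
#!/bin/sh
# Added example, not from the original post: compose tcpdump filter
# expressions so that "and"/"or" group the way you intend. In pcap filter
# syntax "and" binds tighter than "or", so
#   port 80 or port 443 and host H
# means  port 80 or (port 443 and host H). Wrapping each list in
# parentheses avoids that; the parentheses must be quoted from the shell.

# or_group KEYWORD v1 v2 ...  ->  "(KEYWORD v1 or KEYWORD v2 ...)" or "" if no values
or_group() {
    kw="$1"; shift
    out=""
    for v in "$@"; do
        if [ -z "$out" ]; then out="$kw $v"; else out="$out or $kw $v"; fi
    done
    [ -n "$out" ] && printf '(%s)' "$out"
    return 0
}

# build_filter "PORTS" "HOSTS" "EXCLUDE_PORT"
#   PORTS, HOSTS: space-separated lists (either may be empty)
#   EXCLUDE_PORT: one port to drop from the capture, or empty
# Result: any port in PORTS, to/from any host in HOSTS, minus EXCLUDE_PORT.
build_filter() {
    ports_expr=$(or_group port $1)   # word splitting of the list is intended
    hosts_expr=$(or_group host $2)
    exclude="$3"
    result=""
    for part in "$ports_expr" "$hosts_expr"; do
        [ -z "$part" ] && continue
        if [ -z "$result" ]; then result="$part"; else result="$result and $part"; fi
    done
    if [ -n "$exclude" ]; then
        if [ -z "$result" ]; then result="not port $exclude"
        else result="$result and not port $exclude"; fi
    fi
    printf '%s' "$result"
}

# capture IFACE OUTFILE FILTER: run the capture and write a Wireshark-readable
# pcap file; this needs root, so it is only defined here, not invoked.
capture() {
    tcpdump -i "$1" -w "$2" "$3"
}

# Constructed sample values (10.0.0.5 is a placeholder address).
f=$(build_filter "80 443" "10.0.0.5" "22")
printf 'filter: %s\n' "$f"
printf "command: tcpdump -i eth0 -w /tmp/web.pcap '%s'\n" "$f"
```

Run it to see the quoted filter you would paste into a tcpdump command line; call capture only as root and only on an interface and path of your own.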
Hope this helps.