Tcpdump dumps traffic on a network: it prints a description of the contents of packets on a network interface that match the boolean expression you give it.
I don't like to show command syntax, but it is perhaps easier to get started with the syntax.
The basic syntax is:
tcpdump  Protocol  Direction  Host(s)   Value  Logical Operations  Other expression
         tcp       dst        10.1.1.1  80     and                 tcp dst 10.2.2.2 3128
Here are the values for each slot:
Protocol:
Values: ether, fddi, ip, arp, rarp, decnet, lat, sca, moprc, mopdl, tcp and udp.
If no protocol is specified, all the protocols are used.
Direction:
Values: src, dst, src and dst, src or dst
If no source or destination is specified, the "src or dst" keywords are applied.
For example, "host 10.2.2.2" is equivalent to "src or dst host 10.2.2.2".
Host(s):
Values: net, port, host, portrange.
If no host(s) is specified, the "host" keyword is used.
For example, "src 10.1.1.1" is equivalent to "src host 10.1.1.1".
Logical Operations:
Values: not, and, or.
Negation ("not") has highest precedence. Alternation ("or") and concatenation ("and") have equal precedence and associate left to right.
"not tcp port 3128 and tcp port 23" is equivalent to "(not tcp port 3128) and tcp port 23".
"not tcp port 3128 and tcp port 23" is NOT equivalent to "not (tcp port 3128 and tcp port 23)".
Here are some examples:
Standard tcpdump output:
-c shows only the specified number of packets.
# tcpdump -c 10
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
22:25:22.343207 IP 1.aaa.bbb.ccc.ssh > aaa.bbb.ccc.47596: Flags [P.], seq 452683986:452684178, ack 2662406039, win 21, length 192
Check the network interfaces available for capture:
# tcpdump -v -D
-v verbose output, -D list the available capture devices
2.usbmon1 (USB bus number 1)
3.usbmon2 (USB bus number 2)
4.usbmon3 (USB bus number 3)
5.usbmon4 (USB bus number 4)
6.usbmon5 (USB bus number 5)
7.usbmon6 (USB bus number 6)
8.usbmon7 (USB bus number 7)
9.any (Pseudo-device that captures on all interfaces)
Three often-used parameters:
-i Listen on interface. If unspecified, tcpdump searches the system interface list for the lowest numbered, configured up interface (excluding loopback). Ties are broken by choosing the earliest match.
-q Quick (quiet?) output. Print less protocol information so output lines are shorter.
-n Don't convert host addresses to names. This can be used to avoid DNS lookups.
Capture the traffic of a particular interface:
Display all traffic coming from a host:
# tcpdump -i eth0 src 10.0.19.9 and port 8080
Display all traffic going to a host:
# tcpdump -i eth0 dst 10.0.19.9 and port 8080
Display all traffic between your host and another host:
# tcpdump -i eth0 10.0.19.9
Network filtering:
# tcpdump -i eth1 net 192.168
# tcpdump -i eth1 src net 192.168
# tcpdump -i eth1 dst net 192.168
Protocol filtering:
# tcpdump -i eth1 arp
# tcpdump -i eth1 ip
# tcpdump -i eth1 tcp
# tcpdump -i eth1 udp
# tcpdump -i eth1 icmp
Combined expressions:
Negation: ! or "not" (without the quotes)
Concatenation: && or "and"
Alternation: || or "or"
- This rule will match any TCP traffic on port 80 (web) with 10.0.19.9 or 10.0.19.10 as destination host
# tcpdump -i eth1 '((tcp) and (port 80) and ((dst host 10.0.19.9) or (dst host 10.0.19.10)))'
- Will match any ICMP traffic involving the destination with physical/MAC address 00:01:02:03:04:05
# tcpdump -i eth1 '((icmp) and ((ether dst host 00:01:02:03:04:05)))'
- Will match any traffic for the destination network 192.168 except destination host 192.168.1.200
# tcpdump -i eth1 '((tcp) and ((dst net 192.168) and (not dst host 192.168.1.200)))'
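To make the precedence rules given earlier (negation binds tightest, "and"/"or" share one level and group left to right) and the combined expressions above concrete, here is an added example that is not part of the original post and not tcpdump's own code: a small Python evaluator for tcpdump-style filter expressions run over a handful of constructed packets (plain dicts, not a real capture). It shows that "not tcp port 3128 and tcp port 23" and "not (tcp port 3128 and tcp port 23)" select different packets, that the defaults "src or dst" and "host" behave as the text describes, and that the !, && and || spellings are interchangeable with not, and and or. The packet field names (proto, src, dst, srcport, dstport, ether_src, ether_dst) are my own assumptions; this is a toy, not libpcap's filter compiler.

```python
"""Toy evaluator for tcpdump-style filter expressions (added example, not libpcap).
Rules from the text: not/! binds tightest; and/&& and or/|| share one precedence
level and associate left to right; parentheses override.  Omitted qualifiers
default as the text says: no direction means "src or dst", no type means "host".
Packets are constructed dicts, not a real capture."""
import ipaddress
import re

PROTOCOLS = {"ether", "ip", "arp", "rarp", "tcp", "udp", "icmp"}
DIRECTIONS, TYPES = {"src", "dst"}, {"host", "net", "port"}
ALIASES = {"&&": "and", "||": "or", "!": "not"}
TOKEN_RE = re.compile(r"\(|\)|&&|\|\||!|[\w.:/]+")


def tokenize(expr):
    return [ALIASES.get(t, t) for t in TOKEN_RE.findall(expr)]


class Parser:
    """Recursive descent: expr := term (('and'|'or') term)*, left-associative."""
    def __init__(self, tokens):
        self.toks, self.i = tokens, 0
    def peek(self, k=0):
        return self.toks[self.i + k] if self.i + k < len(self.toks) else None
    def take(self):
        if self.i >= len(self.toks):
            raise ValueError("unexpected end of expression")
        self.i += 1
        return self.toks[self.i - 1]
    def parse(self):
        node = self.expr()
        if self.peek() is not None:
            raise ValueError("unexpected token: " + self.peek())
        return node
    def expr(self):
        left = self.term()
        while self.peek() in ("and", "or"):      # equal precedence, left to right
            left = (self.take(), left, self.term())
        return left
    def term(self):
        if self.peek() == "not":                 # highest precedence: applies to one term only
            self.take()
            return ("not", self.term())
        if self.peek() == "(":
            self.take()
            node = self.expr()
            if self.take() != ")":
                raise ValueError("expected ')'")
            return node
        return self.primitive()
    def primitive(self):
        proto = self.take() if self.peek() in PROTOCOLS else None
        direction = None
        if self.peek() in DIRECTIONS:            # src, dst, "src or dst", "src and dst"
            direction = self.take()
            if self.peek() in ("or", "and") and self.peek(1) in DIRECTIONS:
                direction = "%s %s %s" % (direction, self.take(), self.take())
        typ = self.take() if self.peek() in TYPES else None
        value = self.take() if self.peek() not in (None, ")", "and", "or") else None
        if value is None:
            if direction or typ or proto is None:
                raise ValueError("qualifier without a value")
            return ("proto", proto)              # bare protocol such as "tcp" or "arp"
        return ("prim", proto, direction or "src or dst", typ or "host", value)


def _proto_ok(pkt, proto):
    if proto is None or proto == "ether":
        return True
    if proto == "ip":
        return pkt["proto"] in ("ip", "tcp", "udp", "icmp")
    return pkt["proto"] == proto


def _in_net(addr, net):
    if "/" not in net:                           # "192.168" means 192.168.0.0/16
        parts = net.split(".")
        net = ".".join(parts + ["0"] * (4 - len(parts))) + "/%d" % (8 * len(parts))
    return ipaddress.ip_address(addr) in ipaddress.ip_network(net, strict=False)


def _sides(pkt, direction, test):
    """Combine test('src') and test('dst') according to the direction qualifier."""
    s, d = test("src"), test("dst")
    return {"src": s, "dst": d, "src or dst": s or d, "src and dst": s and d}[direction]


def evaluate(node, pkt):
    kind = node[0]
    if kind == "not":
        return not evaluate(node[1], pkt)
    if kind == "and":
        return evaluate(node[1], pkt) and evaluate(node[2], pkt)
    if kind == "or":
        return evaluate(node[1], pkt) or evaluate(node[2], pkt)
    if kind == "proto":
        return _proto_ok(pkt, node[1])
    _, proto, direction, typ, value = node
    if not _proto_ok(pkt, proto):
        return False
    if proto == "ether":                         # "ether [src|dst] host aa:bb:cc:dd:ee:ff"
        return _sides(pkt, direction, lambda s: pkt["ether_" + s].lower() == value.lower())
    if typ == "host":
        return _sides(pkt, direction, lambda s: pkt[s] == value)
    if typ == "net":
        return _sides(pkt, direction, lambda s: _in_net(pkt[s], value))
    return _sides(pkt, direction, lambda s: pkt.get(s + "port") == int(value))  # port


def select(expr, packets):
    """Return the indexes of the packets that tcpdump would print for this expression."""
    tree = Parser(tokenize(expr)).parse()
    return [i for i, p in enumerate(packets) if evaluate(tree, p)]


def _pkt(proto, src, dst, sport=None, dport=None, ether_dst="ff:ff:ff:ff:ff:ff"):
    return dict(proto=proto, src=src, dst=dst, srcport=sport, dstport=dport,
                ether_src="aa:aa:aa:aa:aa:aa", ether_dst=ether_dst)


PACKETS = [  # constructed sample traffic, not a real capture
    _pkt("tcp", "10.0.19.9", "10.0.19.10", 45000, 80, ether_dst="00:01:02:03:04:05"),
    _pkt("tcp", "10.1.1.1", "192.168.1.200", 3128, 23),
    _pkt("tcp", "10.1.1.1", "192.168.5.7", 40001, 23),
    _pkt("icmp", "192.168.1.1", "10.0.19.9", ether_dst="00:01:02:03:04:05"),
    _pkt("arp", "10.0.19.9", "10.0.19.1"),
]
```

Calling select("not tcp port 3128 and tcp port 23", PACKETS) returns only packet 2, while the parenthesised form returns packets 0, 2, 3 and 4, which is exactly the difference the precedence rule warns about. To see how real tcpdump parsed an expression, tcpdump -d 'expression' prints the compiled BPF program instead of capturing, which is the quickest way to confirm where the parentheses landed.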
It can also be run with the -w flag, which saves the packet data to a file for later analysis, and/or with the -r flag, which reads packets from a saved file rather than from a network interface. In all cases, only packets that match the expression will be processed by tcpdump.
For more advanced use cases, I found this one good.
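To show what -w writes and what -r reads back, here is an added example that is not part of the original post and not tcpdump's own code: a minimal writer and reader for the classic libpcap file format in Python. It builds three constructed Ethernet/IPv4/TCP frames (no real traffic), writes them behind the 24-byte global header (link-type 1 = EN10MB, snaplen 65535, matching the "capture size 65535 bytes" line earlier), reads the file back while detecting byte order from the magic number, decodes the headers and applies the equivalent of "dst host 10.0.19.9 and port 8080" at read time, which is the point of the paragraph above. The addresses, ports and the temporary file path are constructed values.

```python
"""Minimal libpcap file writer/reader in Python (added example; not tcpdump's code).
tcpdump -w stores raw link-layer frames in this format and tcpdump -r reads them
back, applying the filter expression at read time.  Three constructed
Ethernet/IPv4/TCP frames are written with a global header (link-type 1 = EN10MB,
snaplen 65535), read back, decoded, and filtered like
"dst host 10.0.19.9 and port 8080".  No real traffic is involved."""
import os
import socket
import struct
import tempfile

PCAP_MAGIC_LE = b"\xd4\xc3\xb2\xa1"      # 0xa1b2c3d4 written little-endian
PCAP_MAGIC_BE = b"\xa1\xb2\xc3\xd4"      # the same magic from a big-endian writer
LINKTYPE_ETHERNET = 1
SNAPLEN = 65535


def build_frame(src_ip, dst_ip, sport, dport, payload=b""):
    """Constructed Ethernet II + IPv4 + TCP frame; checksums are left at zero."""
    eth = bytes.fromhex("000102030405") + bytes.fromhex("aaaaaaaaaaaa") + b"\x08\x00"
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 8192, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64, 6, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    return eth + ip + tcp


def write_pcap(path, frames):
    """Global header (24 bytes), then a 16-byte record header before each frame."""
    with open(path, "wb") as f:
        f.write(PCAP_MAGIC_LE + struct.pack("<HHiIII", 2, 4, 0, 0, SNAPLEN, LINKTYPE_ETHERNET))
        for i, frame in enumerate(frames):
            incl = min(len(frame), SNAPLEN)        # the snaplen truncates long frames
            f.write(struct.pack("<IIII", 1_700_000_000 + i, 0, incl, len(frame)))
            f.write(frame[:incl])


def read_pcap(path):
    """Yield (timestamp, frame) records, detecting byte order from the magic."""
    with open(path, "rb") as f:
        endian = {PCAP_MAGIC_LE: "<", PCAP_MAGIC_BE: ">"}.get(f.read(4))
        if endian is None:
            raise ValueError("not a classic pcap file")
        _vmaj, _vmin, _tz, _sig, _snap, linktype = struct.unpack(endian + "HHiIII", f.read(20))
        if linktype != LINKTYPE_ETHERNET:
            raise ValueError("unsupported link-type %d" % linktype)
        while True:
            hdr = f.read(16)
            if len(hdr) < 16:                       # clean EOF or a truncated record header
                return
            ts_sec, ts_usec, incl_len, _orig_len = struct.unpack(endian + "IIII", hdr)
            yield ts_sec + ts_usec / 1e6, f.read(incl_len)


def decode(frame):
    """Return (src_ip, dst_ip, sport, dport) for an IPv4/TCP frame, else None."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
        return None
    ihl = (frame[14] & 0x0F) * 4                    # IPv4 header length in bytes
    if len(frame) < 14 + ihl + 4:
        return None
    sport, dport = struct.unpack("!HH", frame[14 + ihl:14 + ihl + 4])
    return socket.inet_ntoa(frame[26:30]), socket.inet_ntoa(frame[30:34]), sport, dport


def filter_file(path, dst_host, port):
    """Like 'tcpdump -r FILE dst host H and port P': return the matching 4-tuples."""
    hits = []
    for _ts, frame in read_pcap(path):
        d = decode(frame)
        if d and d[1] == dst_host and port in (d[2], d[3]):
            hits.append(d)
    return hits


def demo():
    frames = [  # constructed traffic, not a real capture
        build_frame("10.0.19.20", "10.0.19.9", 51000, 8080, b"GET / HTTP/1.0\r\n"),
        build_frame("10.0.19.9", "10.0.19.20", 8080, 51000, b"HTTP/1.0 200 OK\r\n"),
        build_frame("10.0.19.20", "10.0.19.9", 51001, 22),
    ]
    path = os.path.join(tempfile.mkdtemp(), "capture.pcap")
    write_pcap(path, frames)
    total = sum(1 for _ in read_pcap(path))
    return total, filter_file(path, "10.0.19.9", 8080)


if __name__ == "__main__":
    print(demo())
```

demo() returns 3 records in the file but only one hit, the request toward 10.0.19.9:8080; the reply going the other way fails "dst host" and the SSH frame fails "port". The same separation holds for real captures: -w keeps every frame that passed the capture-time filter, and a narrower expression on -r is applied afterwards without touching the file.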