Intro

tcpdump is a command-line packet sniffer built on libpcap. This is not a comprehensive tutorial, only a quick reference. Consult the man pages (tcpdump(1) for the options, pcap-filter(7) for the filter syntax) for an in-depth explanation.

Capturing Traffic

All traffic on an interface

-i <interface-name> specifies the interface to capture on. Opening an interface for capture needs root (or CAP_NET_RAW); many distributions build tcpdump to drop to an unprivileged user once the interface is open, and -Z <user> selects that user explicitly. Add -n to skip reverse DNS lookups, which otherwise generate extra traffic from the capture host and slow the output.

cmd
sudo tcpdump -i eth1
Source Address
cmd
sudo tcpdump -i eth1 src 172.16.20.220
Destination Address
cmd
sudo tcpdump -i eth1 dst 8.8.8.8
ARP
cmd
sudo tcpdump -i eth1 arp
ICMP
cmd
sudo tcpdump -i eth1 icmp and dst 9.9.9.9
DHCP
cmd
sudo tcpdump -i eth1 port 67 or port 68
DNS

Capture TCP and UDP (a port match without a protocol keyword covers both; DNS falls back to TCP for zone transfers and for responses too large for UDP)

cmd
sudo tcpdump -i eth1 port 53

Capture UDP only

cmd
sudo tcpdump -i eth1 udp port 53
SNMP
cmd
sudo tcpdump -i eth1 port 161 or port 162

Ethernet

Host (MAC) address, matched as either source or destination
cmd
sudo tcpdump -i eth1 ether host aa:bb:cc:11:22:33

File Output

PCAP File
-w <path-to-file>.pcap writes raw packets to a pcap file instead of decoding them to the terminal; read it back later with tcpdump -r <file> and the same filter syntax. Capture files hold full payloads (credentials, session tokens), so protect them like any other sensitive data.
cmd
sudo tcpdump -i eth1 -w /tmp/capture.pcap
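As an added example (not part of the original page or of the tcpdump project), the Python script below shows what the -w output looks like on disk and what the DNS, ARP, ICMP, DHCP and ether host filters above select from it. It builds a few constructed frames, writes them in the classic pcap layout tcpdump uses by default (24-byte global header, 16-byte record header per packet), reads the file back, and applies Python equivalents of the page's filter expressions. The hosts, MACs and traffic are constructed sample data; the filter logic is a simplified IPv4-only rendering of the BPF semantics, not libpcap's compiler.

```python
import socket
import struct

PCAP_MAGIC = 0xA1B2C3D4  # classic pcap, microsecond timestamps: what `tcpdump -w` writes
MAC_A, MAC_GW = bytes.fromhex("aabbcc112233"), bytes.fromhex("001122334455")  # page's ether host + hypothetical gateway

def _checksum(data):  # RFC 1071 ones-complement sum for IPv4/ICMP headers (even-length input)
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def ipv4_frame(src_mac, dst_mac, src_ip, dst_ip, proto, l4):  # Ethernet II + IPv4 around a segment
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0x4000, 64, proto, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    ip = ip[:10] + struct.pack("!H", _checksum(ip)) + ip[12:]
    return dst_mac + src_mac + b"\x08\x00" + ip + l4

def udp_frame(src_mac, dst_mac, src_ip, dst_ip, sport, dport, payload):
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload  # checksum 0 = none
    return ipv4_frame(src_mac, dst_mac, src_ip, dst_ip, 17, udp)

def tcp_syn_frame(src_mac, dst_mac, src_ip, dst_ip, sport, dport):
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, 0x02, 65535, 0, 0)  # SYN
    return ipv4_frame(src_mac, dst_mac, src_ip, dst_ip, 6, tcp)

def icmp_echo_frame(src_mac, dst_mac, src_ip, dst_ip):
    icmp = struct.pack("!BBHHH", 8, 0, 0, 1, 1) + b"ping"
    icmp = icmp[:2] + struct.pack("!H", _checksum(icmp)) + icmp[4:]
    return ipv4_frame(src_mac, dst_mac, src_ip, dst_ip, 1, icmp)

def arp_request_frame(src_mac, src_ip, target_ip):
    arp = struct.pack("!HHBBH6s4s6s4s", 1, 0x0800, 6, 4, 1, src_mac, socket.inet_aton(src_ip),
                      b"\x00" * 6, socket.inet_aton(target_ip))
    return b"\xff" * 6 + src_mac + b"\x08\x06" + arp

def dns_query(name, txid=0x1234):
    qname = b"".join(bytes([len(label)]) + label.encode() for label in name.split(".")) + b"\x00"
    return struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0) + qname + struct.pack("!HH", 1, 1)

def write_pcap(frames, snaplen=262144):
    """Same layout `tcpdump -w` produces: 24-byte global header, then a 16-byte header per packet."""
    out = [struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, snaplen, 1)]  # linktype 1 = Ethernet
    for i, frame in enumerate(frames):  # per-record: ts_sec, ts_usec, incl_len, orig_len
        out.append(struct.pack("<IIII", 1700000000 + i, 0, len(frame), len(frame)) + frame)
    return b"".join(out)

def read_pcap(data):
    """Yield (ts_sec, ts_usec, frame) from a classic pcap in either byte order; reject pcapng."""
    end = "<" if struct.unpack("<I", data[:4])[0] == PCAP_MAGIC else ">"
    if struct.unpack(end + "I", data[:4])[0] != PCAP_MAGIC:
        raise ValueError("not a classic pcap file (pcapng starts with 0x0A0D0D0A)")
    off = 24
    while off + 16 <= len(data):
        ts_sec, ts_usec, incl, _orig = struct.unpack(end + "IIII", data[off:off + 16])
        yield ts_sec, ts_usec, data[off + 16:off + 16 + incl]
        off += 16 + incl

def decode(frame):  # only the fields the page's filters test (IPv4 and ARP over Ethernet)
    p = {"ether_dst": frame[0:6], "ether_src": frame[6:12], "proto": None}
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype == 0x0806:
        p["proto"] = "arp"
    elif ethertype == 0x0800:
        ihl = (frame[14] & 0x0F) * 4
        p["src"], p["dst"] = socket.inet_ntoa(frame[26:30]), socket.inet_ntoa(frame[30:34])
        p["proto"] = {1: "icmp", 6: "tcp", 17: "udp"}.get(frame[23])
        if p["proto"] in ("tcp", "udp"):
            p["sport"], p["dport"] = struct.unpack("!HH", frame[14 + ihl:18 + ihl])
    return p

def _port(p, n):
    return p["proto"] in ("tcp", "udp") and n in (p["sport"], p["dport"])

# Python equivalents of the page's filter expressions (IPv4 only; real BPF also covers IPv6/SCTP).
FILTERS = {
    "src 172.16.20.220": lambda p: p.get("src") == "172.16.20.220",
    "arp": lambda p: p["proto"] == "arp",
    "icmp and dst 9.9.9.9": lambda p: p["proto"] == "icmp" and p.get("dst") == "9.9.9.9",
    "port 67 or port 68": lambda p: _port(p, 67) or _port(p, 68),
    "port 53": lambda p: _port(p, 53),  # no protocol keyword, so TCP and UDP both match
    "udp port 53": lambda p: p["proto"] == "udp" and _port(p, 53),
    "ether host aa:bb:cc:11:22:33": lambda p: MAC_A in (p["ether_src"], p["ether_dst"]),
}

def apply_filter(pcap_bytes, expr):
    """Indices of the records that `tcpdump -r file '<expr>'` would print."""
    return [i for i, (_, _, f) in enumerate(read_pcap(pcap_bytes)) if FILTERS[expr](decode(f))]

def sample_capture():
    return write_pcap([  # constructed traffic mix: DNS/UDP, DNS/TCP, ICMP echo, ARP request, DHCP discover
        udp_frame(MAC_A, MAC_GW, "172.16.20.220", "8.8.8.8", 40000, 53, dns_query("example.com")),
        tcp_syn_frame(MAC_A, MAC_GW, "172.16.20.220", "8.8.8.8", 40001, 53),
        icmp_echo_frame(MAC_A, MAC_GW, "172.16.20.220", "9.9.9.9"),
        arp_request_frame(MAC_GW, "172.16.20.1", "172.16.20.220"),
        udp_frame(MAC_A, b"\xff" * 6, "0.0.0.0", "255.255.255.255", 68, 67, b"\x01" + b"\x00" * 239),
    ])
```

To cross-check against the real tool, write `sample_capture()` to a file and compare `tcpdump -nr file 'port 53'` with `tcpdump -nr file 'udp port 53'`: the first also lists the TCP SYN. The reader deliberately refuses pcapng, the format Wireshark writes by default, so that a mismatched file fails loudly instead of decoding garbage.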

Limit Capture

Capture a fixed number of packets (-c 4 exits after four matching packets)
cmd
sudo tcpdump -i eth1 icmp -c 4
Rotate the output file at a given size
cmd
sudo tcpdump -i eth1 icmp -C 10 -w /tmp/capture.pcap
-C 10 closes the file and opens a new one every 10 million bytes (units of 1,000,000 bytes, not MiB); later files get a number appended (capture.pcap1, capture.pcap2, ...). This does not stop the capture: rotation continues until tcpdump is killed, so add -W <n> to keep only n files as a ring buffer. If tcpdump drops privileges, the output directory must be writable by that user or rotation fails when the second file is created.