Introduction

tcpdump is a tool for sniffing packets on a network. This is not a comprehensive tutorial, only a quick reference. Consult the man pages and/or documentation for an in-depth explanation of the commands.

Capturing Traffic

All Traffic for an interface

-i <interface-name> specifies an interface.

sudo tcpdump -i eth1

Source Address

sudo tcpdump -i eth1 src 172.16.20.220

Destination Address

sudo tcpdump -i eth1 dst 8.8.8.8

ARP

sudo tcpdump -i eth1 arp

ICMP

sudo tcpdump -i eth1 icmp and dst 9.9.9.9

DHCP

sudo tcpdump -i eth1 port 67 or port 68

DNS

Capture TCP and UDP

sudo tcpdump -i eth1 port 53

Capture UDP only

sudo tcpdump -i eth1 udp port 53

SNMP

sudo tcpdump -i eth1 port 161 or port 162

Ethernet

Host address

sudo tcpdump ether host aa:bb:cc:11:22:33

File Output

PCAP File

-w <path-to-file>.pcap writes the captured packets to the given pcap file instead of printing them to the terminal.

sudo tcpdump -i eth1 -w /tmp/capture.pcap

Limit Capture

Capture a number of packets

-c <count> stops the capture after the given number of packets has been received.

sudo tcpdump -i eth1 icmp -c 4

Capture to a file size limit

-C <size> closes the current output file and starts a new one once it reaches the given size in millions of bytes; the later files get a number appended to the name given with -w.

sudo tcpdump -i eth1 icmp -C 10 -w /tmp/capture.pcap


Links

http://www.tcpdump.org/

Last Updated: 2018-07-13