Tcpdump

Older versions of tcpdump truncate packets to 68 or 96 bytes.

Format

time-stamp src > dst:  flags  data-seqno  ack  window urgent options

Cheatsheet

tcpdump

Commands

  • Print the list of the network interfaces: tcpdump -D
  • Filter out packets with IP source or destination port 22: tcpdump not port 22
  • Filter out arp and port 22: tcpdump not arp and not port 22
  • TCP traffic from 192.168.1.30 destined for port 80: tcpdump tcp and src 192.168.1.30 and dst port 80
  • Capture all traffic: tcpdump -s 0 -i <interface> -w /tmp/dump.pcap
  • Traffic from 192.168.1.30 AND destined for ports 80 or 443: tcpdump 'src 192.168.1.30 and (dst port 80 or 443)'
  • Display all ACK packets: tcpdump 'tcp[13] & 16 != 0'
  • Display all SYN packets: tcpdump 'tcp[13] & 2 != 0' or tcpdump 'tcp[tcpflags] == tcp-syn'
  • Display all SYN-ACK packets: tcpdump 'tcp[13] = 18'
  • Find HTTP user agents: tcpdump -vvAls0 | grep 'User-Agent:'
  • Top 10 hosts by packets: tcpdump -nn -t -c 1000 | cut -f 1,2,3,4 -d '.' | sort | uniq -c | sort -rn | head -n 10
  • Find cleartext passwords: tcpdump port http or port ftp or port smtp or port imap or port pop3 or port telnet -lA | egrep -i -B5 'pass=|pwd=|log=|login=|user=|username=|pw=|passw=|passwd=|password=|pass:|user:|username:|password:|login:|pass |user '
  • Capture everything in a file: tcpdump -i eth0 -n -w /tmp/$(hostname)-$(date +"%Y-%m-%d-%H-%M-%S").pcap
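The flag filters above (tcp[13] & 16, tcp[13] & 2, tcp[13] = 18, tcp[tcpflags] == tcp-syn) all index the 13th byte of the TCP header. The following added example (not from the cheatsheet) builds a constructed three-way handshake in Python and evaluates each filter the way BPF does, walking the IPv4 header length to reach the flags byte; it also shows that the `& 2` form matches SYN-ACK while `== tcp-syn` matches a bare SYN only. The host addresses and ports are made up.

```python
import socket
import struct

# TCP flag bits as tcpdump numbers them inside the flags byte tcp[13]
TCP_FIN, TCP_SYN, TCP_RST, TCP_PSH, TCP_ACK, TCP_URG = 1, 2, 4, 8, 16, 32


def tcp_flags_byte(ip_packet: bytes) -> int:
    """Return what the BPF filter calls tcp[13] from a raw IPv4 packet (no link layer).

    Like the tcp[] index in pcap-filter, this follows the IPv4 header length (IHL),
    so the flags byte is still found when IP options are present. IPv4 only.
    """
    if ip_packet[0] >> 4 != 4 or ip_packet[9] != 6:
        raise ValueError("not an IPv4/TCP packet")
    ihl = (ip_packet[0] & 0x0F) * 4
    return ip_packet[ihl + 13]


def classify(ip_packet: bytes) -> dict:
    """Evaluate the four flag filters from the cheatsheet on one packet."""
    f = tcp_flags_byte(ip_packet)
    return {
        "ack_set":  (f & TCP_ACK) != 0,          # tcp[13] & 16 != 0
        "syn_set":  (f & TCP_SYN) != 0,          # tcp[13] & 2 != 0  (also matches SYN-ACK)
        "syn_only": f == TCP_SYN,                # tcp[tcpflags] == tcp-syn  (SYN and nothing else)
        "syn_ack":  f == (TCP_SYN | TCP_ACK),    # tcp[13] = 18
    }


def build_ipv4_tcp(src: str, dst: str, sport: int, dport: int, flags: int,
                   ip_options: bytes = b"") -> bytes:
    """Constructed sample packet: minimal IPv4 + TCP headers, checksums left at zero."""
    assert len(ip_options) % 4 == 0
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 8192, 0, 0)
    ihl_words = 5 + len(ip_options) // 4
    ip = struct.pack("!BBHHHBBH4s4s", 0x40 | ihl_words, 0, 20 + len(ip_options) + len(tcp),
                     0, 0, 64, 6, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return ip + ip_options + tcp


def sample_handshake() -> dict:
    """Constructed handshake between a client (192.168.1.30) and a web server on port 80."""
    c, s = "192.168.1.30", "10.0.0.1"
    return {
        "syn":      build_ipv4_tcp(c, s, 40000, 80, TCP_SYN),
        "syn_ack":  build_ipv4_tcp(s, c, 80, 40000, TCP_SYN | TCP_ACK),
        "ack":      build_ipv4_tcp(c, s, 40000, 80, TCP_ACK),
        # same direction, PSH-ACK with four NOP IP options: the IHL walk still finds tcp[13]
        "ack_opts": build_ipv4_tcp(c, s, 40000, 80, TCP_PSH | TCP_ACK, ip_options=b"\x01" * 4),
    }
```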