Packet Analyzer

See the list of interfaces on which tcpdump can listen: (1)
Listen on any available interface (cannot be done in promiscuous mode. Requires Linux kernel 2.2 or greater): (2)

1. tcpdump -D
2. tcpdump -i any

Capture packets from a particular ethernet interface using tcpdump -i When you execute tcpdump command without any option, it will capture all the packets flowing through all the interfaces. -i option with tcpdump command, allows you to filter on a particular ethernet interface.

tcpdump -i eth1

Capture verbose, more verbose and very verbose:

tcpdump -v, tcpdump -vv, tcpdump -vvv

Capture only N number of packets using tcpdump -c When you execute tcpdump command it gives packets until you cancel the tcpdump command. Using -c option you can specify the number of packets to capture.

tcpdump -c 2 -i eth0

Display Captured Packets in ASCII using tcpdump -A The following tcpdump syntax prints the packet in ASCII.

tcpdump -A -i eth0

Display Captured Packets in HEX and ASCII using tcpdump -XX The following tcpdump syntax prints the packet in ASCII.

tcpdump -XX -i eth0

Be verbose and print the data of each packet in both hex and ASCII, excluding and include the link level header:

tcpdump -v -X, tcpdump -v -XX

Be less verbose (than the default) while capturing packets:

tcpdump -q

Capture the packets and write into a file using tcpdump -w display on-screen -v tcpdump allows you to save the packets to a file, and later you can use the packet file for further analysis.

tcpdump -w 08232010.pcap -i eth0

Reading the packets from a saved file using tcpdump -r You can read the captured pcap file and view the packets for analysis, as shown below.

tcpdump -tttt -r data.pcap

Capture packets with IP address using tcpdump -n In all the above examples, it prints packets with the DNS address, but not the ip address. The following example captures the packets and it will display the IP address of the machines involved.

tcpdump -n -i eth0

Capture packets with proper readable timestamp using tcpdump -tttt

tcpdump -n -tttt -i eth0

Read packets longer than N bytes You can receive only the packets greater than n number of bytes using a filter ‘greater’ through tcpdump command

tcpdump -w g_1024.pcap greater 1024

Receive only the packets of a specific protocol type You can receive the packets based on the protocol type. You can specify one of these protocols — fddi, tr, wlan, ip, ip6, arp, rarp, decnet, tcp and udp. The following example captures only arp packets flowing through the eth0 interface.

tcpdump -i eth0 arp

Read packets lesser than N bytes You can receive only the packets lesser than n number of bytes using a filter ‘less’ through tcpdump command

tcpdump -w l_1024.pcap less 1024

Receive packets flows on a particular port using tcpdump port If you want to know all the packets received by a particular port on a machine, you can use tcpdump command as shown below.

tcpdump -i eth0 port 22

Capture packets for particular destination IP and Port The packets will have source and destination IP and port numbers. Using tcpdump we can apply filters on source or destination IP and port number. The following command captures packets flows in eth0, with a particular destination ip and port number 22.

tcpdump -w xpackets.pcap -i eth0 dst 10.181.140.216 and port 22

Display IP addresses and port numbers instead of domain and service names when capturing packets (note: on some systems you need to specify -nn to display port numbers):

tcpdump -n

To print all packets arriving at or departing from sundown:

tcpdump host sundown

To print traffic between helios and either hot or ace:

tcpdump host helios and \( hot or ace \)

To print all IP packets between ace and any host except helios:

tcpdump ip host ace and not helios

To print all traffic between local hosts and hosts at Berkeley:

tcpdump net ucb-ether

To print all ftp traffic through internet gateway snup: (note that the expression is quoted to prevent the shell from (mis-)interpreting the parentheses):

tcpdump 'gateway snup and (port ftp or ftp-data)'

To print traffic neither sourced from nor destined for local hosts (if you gateway to one other net, this stuff should never make it onto your local net).

tcpdump ip and not net localnet

To print the start and end packets (the SYN and FIN packets) of each TCP conversation that involves a non-local host.

tcpdump 'tcp[tcpflags] & (tcp-syn|tcp-fin) != 0 and not src and dst net localnet'

To print all IPv4 HTTP packets to and from port 80, i.e. print only packets that contain data, not, for example, SYN and FIN packets and ACK-only packets. (IPv6 is left as an exercise for the reader.)

tcpdump 'tcp port 80 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)'

To print IP packets longer than 576 bytes sent through gateway snup:

tcpdump 'gateway snup and ip[2:2] > 576'

To print IP broadcast or multicast packets that were not sent via Ethernet broadcast or multicast:

tcpdump 'ether[0] & 1 = 0 and ip[16] >= 224'

To print all ICMP packets that are not echo requests/replies (i.e., not ping packets):

tcpdump 'icmp[icmptype] != icmp-echo and icmp[icmptype] != icmp-echoreply'

Capture any packets where the source or destination host, destination host or source host is 192.168.1.1. Display IP addresses and port numbers:

tcpdump -n host 192.168.1.1, tcpdump -n dst host 192.168.1.1 and tcpdump -n src host 192.168.1.1

Capture any packets where the source or destination network, destination network or source network is 192.168.1.0/24. Display IP addresses and port numbers:

tcpdump -n host 192.168.1.0/24, tcpdump -n dst host 192.168.1.0/24 and tcpdump -n src host 192.168.1.0/24

Capture only TCP packets, only UDP packets and any packet where the destination port is between 1 and 1023 inclusive. Display IP addresses and port numbers:

tcpdump -n tcp dst portrange 1-1023, tcpdump -n udp dst portrange 1-1023 and tcpdump -n dst portrange 1-1023

Capture TCP communication packets between two hosts If two different process from two different machines are communicating through tcp protocol, we can capture those packets using tcpdump as shown below.

tcpdump -w comm.pcap -i eth0 dst 16.181.170.246 and port 22

tcpdump Filter Packets – Capture all the packets other than arp and rarp In tcpdump command, you can give “and”, “or” and “not” condition to filter the packets accordingly.

tcpdump -i eth0 not arp and not rarp

Capture any packets that are broadcast or multicast:

tcpdump -n "broadcast or multicast"

Capture 500 bytes of data for each packet rather than the default of 68 bytes:

tcpdump -s 500

Capture all bytes of data within the packet:

tcpdump -s 0