Most common tcpdump command examples

Below is a list of common tcpdump command usages with the different options available on Linux.

Capture packets from a specific interface: # tcpdump -i eth0
Capture only N packets (here 5): # tcpdump -c 5 -i eth0
Print captured packets in ASCII: # tcpdump -A -i eth0
Display available interfaces: # tcpdump -D
Be verbose while capturing packets: # tcpdump -v
Be more verbose while capturing packets: # tcpdump -vv
Be very verbose while capturing packets: # tcpdump -vvv
Be verbose and print the data of each packet in both hex and ASCII, excluding the link-level header: # tcpdump -v -X
Be verbose and print the data of each packet in both hex and ASCII, also including the link-level header: # tcpdump -v -XX
Be less verbose (than the default) while capturing packets: # tcpdump -q
Display captured packets in hex and ASCII, including the link-level header: # tcpdump -XX -i eth0
Capture packets and save them to a file: # tcpdump -w 0001.pcap -i eth0
Read packets back from a capture file: # tcpdump -r 0001.pcap
Show numeric IP addresses instead of resolved hostnames while capturing: # tcpdump -n -i eth0
Capture only TCP packets: # tcpdump -i eth0 tcp
Capture packets to or from a specific port: # tcpdump -i eth0 port 22
Capture packets from a specific source IP: # tcpdump -i eth0 src 192.168.0.2
Capture packets to a specific destination IP: # tcpdump -i eth0 dst 50.116.66.139
Limit the capture to 100 packets: # tcpdump -c 100
Record the packet capture to a file called capture.cap but display on-screen how many packets have been captured in real time: # tcpdump -v -w capture.cap
Display the packets from a file called capture.cap using maximum detail: # tcpdump -vvv -r capture.cap
Display IP addresses and port numbers instead of domain and service names when capturing packets (note: on some systems you need to specify -nn to display port numbers): # tcpdump -n
Capture any packets where the destination host is 192.168.1.1. Display IP addresses and port numbers: # tcpdump -n dst host 192.168.1.1
Capture any packets where the source host is 192.168.1.1. Display IP addresses and port numbers: # tcpdump -n src host 192.168.1.1
Capture any packets where the source or destination host is 192.168.1.1. Display IP addresses and port numbers: # tcpdump -n host 192.168.1.1
Capture any packets where the destination network is 192.168.1.0/24. Display IP addresses and port numbers: # tcpdump -n dst net 192.168.1.0/24
Capture any packets where the source network is 192.168.1.0/24. Display IP addresses and port numbers: # tcpdump -n src net 192.168.1.0/24
Capture any packets where the source or destination network is 192.168.1.0/24. Display IP addresses and port numbers: # tcpdump -n net 192.168.1.0/24
Capture any packets where the destination port is 23. Display IP addresses and port numbers: # tcpdump -n dst port 23
Capture any packets where the destination port is between 1 and 1023 inclusive. Display IP addresses and port numbers: # tcpdump -n dst portrange 1-1023
Capture only TCP packets where the destination port is between 1 and 1023 inclusive. Display IP addresses and port numbers: # tcpdump -n tcp dst portrange 1-1023
Capture only UDP packets where the destination port is between 1 and 1023 inclusive. Display IP addresses and port numbers: # tcpdump -n udp dst portrange 1-1023
Capture any packets with destination IP 192.168.1.1 and destination port 23. Display IP addresses and port numbers: # tcpdump -n "dst host 192.168.1.1 and dst port 23"
Capture any packets with destination IP 192.168.1.1 and destination port 80 or 443. Display IP addresses and port numbers: # tcpdump -n "dst host 192.168.1.1 and (dst port 80 or dst port 443)"
Capture any ICMP packets: # tcpdump -v icmp
Capture any ARP packets: # tcpdump -v arp
Capture either ICMP or ARP packets: # tcpdump -v "icmp or arp"
Capture any packets that are broadcast or multicast: # tcpdump -n "broadcast or multicast"
Capture 500 bytes of data for each packet rather than the default of 68 bytes: # tcpdump -s 500
Capture all bytes of data within the packet: # tcpdump -s 0
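As an added example (not part of the original post), here is a small Python parser for the text lines that tcpdump prints with -n, so a saved capture read back with "tcpdump -n -r capture.cap" can be tallied by destination port and checked for connection attempts to port 23. The sample lines are constructed to match the shape of tcpdump's IPv4 TCP/UDP output; the function names are the example's own.

```python
import re
from collections import Counter

# Constructed sample lines in the shape tcpdump prints with -n (numeric hosts and ports).
SAMPLE = """\
10:15:01.000123 IP 192.168.1.10.51234 > 192.168.1.1.23: Flags [S], seq 1, win 64240, length 0
10:15:01.000456 IP 192.168.1.1.23 > 192.168.1.10.51234: Flags [S.], seq 7, ack 2, win 65160, length 0
10:15:02.100000 IP 192.168.1.10.40000 > 192.168.1.1.443: Flags [S], seq 9, win 64240, length 0
10:15:02.200000 IP 192.168.1.10.40001 > 192.168.1.1.443: Flags [S], seq 9, win 64240, length 0
10:15:03.000000 IP 192.168.1.10.53412 > 192.168.1.1.53: 12345+ A? example.com. (29)
10:15:04.000000 ARP, Request who-has 192.168.1.1 tell 192.168.1.10, length 28
"""

# Matches the "IP a.b.c.d.PORT > a.b.c.d.PORT:" header of TCP/UDP lines; TCP lines then carry "Flags [...]".
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) IP "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): "
    r"(?:Flags \[(?P<flags>[^\]]*)\])?"
)

def parse_line(line):
    """Return a dict for an IPv4 line with ports, or None for anything else (ARP, ICMP, ...)."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["sport"] = int(rec["sport"])
    rec["dport"] = int(rec["dport"])
    rec["proto"] = "tcp" if rec["flags"] is not None else "udp"  # no Flags field: UDP
    return rec

def parse_capture(text):
    return [r for r in (parse_line(l) for l in text.splitlines()) if r]

def dst_port_counts(records):
    """Packets per destination port, the text-side equivalent of a 'dst port N' filter."""
    return Counter(r["dport"] for r in records)

def syn_to_port(records, port):
    """Sources that sent a bare SYN (new connection attempt) to the given destination port."""
    return sorted({r["src"] for r in records
                   if r["proto"] == "tcp" and r["flags"] == "S" and r["dport"] == port})

if __name__ == "__main__":
    recs = parse_capture(SAMPLE)
    print(dst_port_counts(recs))
    print("telnet connection attempts from:", syn_to_port(recs, 23))
```

Pipe real output in with "tcpdump -n -r capture.cap | python3 parse.py" by reading sys.stdin instead of SAMPLE; lines with hostnames (no -n) will not match the regex.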