Tcpdump is a CLI tool to capture raw network packets. This is useful for various forms of network troubleshooting. This cheat sheet covers all the basic and advanced options for tcpdump.
Tcpdump cheat sheet
how-to-use-tcpdump
Tcpdump command is a famous network packet analyzing tool that is used to display TCPIP & other network packets being transmitted over the network attached to the system on which tcpdump has been installed. Tcpdump uses libpcap library to capture the network packets & is available on almost all Linux/Unix flavors.
Capture ICMP Packets With Tcpdump
Debugging SSH Packets with Tcpdump
Using Tcpdump to Filter DNS Packets
Learn tcpdump Quick Guide
Linux Tcpdump: Filter ipv6 ntp ping packets
Tcpdump: capture DHCP & DHCPv6 packets
20 Advanced Tcpdump Examples On Linux
10 Useful tcpdump command examples
TCPDUMP
README
Tcpdump is one of the best network analysis-tools ever for information security professionals.
Tcpdump is for everyone for hackers and people who have less of TCP/IP understanding.
OPTIONS
Below are some tcpdump options (with useful examples) that will help you working with the tool. They’re very easy to forget and/or confuse with other types of filters, i.e. ethereal, so hopefully this article can serve as a reference for you, as it does me:)
- The first of these is -n, which requests that names are not resolved, resulting in the IPs themselves.
- The second is -X, which displays both hex and ascii content within the packet.
- The final one is -S, which changes the display of sequence numbers to absolute rather than relative.
Show the packet’s contents in both hex and ascii.
代码语言:txt复制tcpdump -X .... Same as -X, but also shows the ethernet header.
代码语言:txt复制tcpdump -XXShow the list of available interfaces
代码语言:txt复制tcpdump -DLine-readable output (for viewing as you save, or sending to other commands)
代码语言:txt复制tcpdump -lBe less verbose (more quiet) with your output.
代码语言:txt复制tcpdump -qGive human-readable timestamp output.
代码语言:txt复制tcpdump -t :Give maximally human-readable timestamp output.
代码语言:txt复制tcpdump -tttt : Listen on the eth0 interface.
代码语言:txt复制tcpdump -i eth0Verbose output (more v’s gives more output).
代码语言:txt复制tcpdump -vv Only get x number of packets and then stop.
代码语言:txt复制tcpdump -c Define the snaplength (size) of the capture in bytes. Use -s0 to get everything, unless you are intentionally capturing less.
代码语言:txt复制tcpdump -s Print absolute sequence numbers.
代码语言:txt复制tcpdump -S Get the ethernet header as well.
代码语言:txt复制tcpdump -e Decrypt IPSEC traffic by providing an encryption key.
代码语言:txt复制tcpdump -EFor more options, read manual:
- Find all options here
- Linux Tcpdump: Filter ipv6 ntp ping packets
- Tcpdump: capture DHCP & DHCPv6 packets
- 20 Advanced Tcpdump Examples On Linux
- 10 Useful tcpdump command examples
BASIC USAGE
Display Available Interfaces
代码语言:txt复制tcpdump -Dtcpdump --list-interfacesLet’s start with a basic command that will get us HTTPS traffic:
代码语言:txt复制tcpdump -nnSX port 443Find Traffic by IP
代码语言:txt复制tcpdump host 1.1.1.1Filtering by Source and/or Destination
代码语言:txt复制tcpdump src 1.1.1.1 tcpdump dst 1.0.0.1Finding Packets by Network
代码语言:txt复制tcpdump net 1.2.3.0/24Low Output:
代码语言:txt复制tcpdump -nnvvSMedium Output:
代码语言:txt复制tcpdump -nnvvXSHeavy Output:
代码语言:txt复制tcpdump -nnvvXSs 1514Getting Creative
- Expressions are very nice, but the real magic of tcpdump comes from the ability to combine them in creative ways in order to isolate exactly what you’re looking for.
There are three ways to do combination:
AND
代码语言:txt复制and or &&OR
代码语言:txt复制or or ||EXCEPT
代码语言:txt复制not or !Usage Example:
Traffic that’s from 192.168.1.1 AND destined for ports 3389 or 22
代码语言:txt复制tcpdump 'src 192.168.1.1 and (dst port 3389 or 22)'Advanced
Show me all URG packets:
代码语言:txt复制tcpdump 'tcp[13] & 32 != 0'Show me all ACK packets:
代码语言:txt复制tcpdump 'tcp[13] & 16 != 0'Show me all PSH packets:
代码语言:txt复制tcpdump 'tcp[13] & 8 != 0'Show me all RST packets:
代码语言:txt复制tcpdump 'tcp[13] & 4 != 0'Show me all SYN packets:
代码语言:txt复制tcpdump 'tcp[13] & 2 != 0'Show me all FIN packets:
代码语言:txt复制tcpdump 'tcp[13] & 1 != 0'Show me all SYN-ACK packets:
代码语言:txt复制tcpdump 'tcp[13] = 18'Show all traffic with both SYN and RST flags set: (that should never happen)
代码语言:txt复制tcpdump 'tcp[13] = 6'Show all traffic with the “evil bit” set:
代码语言:txt复制tcpdump 'ip[6] & 128 != 0'Display all IPv6 Traffic:
代码语言:txt复制tcpdump ip6Print Captured Packets in ASCII
代码语言:txt复制tcpdump -A -i eth0Display Captured Packets in HEX and ASCII
代码语言:txt复制tcpdump -XX -i eth0Capture and Save Packets in a File
代码语言:txt复制tcpdump -w 0001.pcap -i eth0Read Captured Packets File
代码语言:txt复制tcpdump -r 0001.pcapCapture IP address Packets
代码语言:txt复制tcpdump -n -i eth0Capture only TCP Packets.
代码语言:txt复制tcpdump -i eth0 tcpCapture Packet from Specific Port
代码语言:txt复制tcpdump -i eth0 port 22Capture Packets from source IP
代码语言:txt复制tcpdump -i eth0 src 192.168.0.2Capture Packets from destination IP
代码语言:txt复制tcpdump -i eth0 dst 50.116.66.139Capture any packed coming from x.x.x.x
代码语言:txt复制tcpdump -n src host x.x.x.xCapture any packet coming from or going to x.x.x.x
代码语言:txt复制tcpdump -n host x.x.x.xCapture any packet going to x.x.x.x
代码语言:txt复制tcpdump -n dst host x.x.x.xCapture any packed coming from x.x.x.x
代码语言:txt复制tcpdump -n src host x.x.x.xCapture any packet going to network x.x.x.0/24
代码语言:txt复制tcpdump -n dst net x.x.x.0/24Capture any packet coming from network x.x.x.0/24
代码语言:txt复制tcpdump -n src net x.x.x.0/24Capture any packet with destination port x
代码语言:txt复制tcpdump -n dst port xCapture any packet coming from port x
代码语言:txt复制tcpdump -n src port xCapture any packets from or to port range x to y
代码语言:txt复制tcpdump -n dst(or src) portrange x-yCapture any tcp or udp port range x to y
代码语言:txt复制tcpdump -n tcp(or udp) dst(or src) portrange x-yCapture any packets with dst ip x.x.x.x and port y
代码语言:txt复制tcpdump -n "dst host x.x.x.x and dst port y"Capture any packets with dst ip x.x.x.x and dst ports x, z
代码语言:txt复制tcpdump -n "dst host x.x.x.x and (dst port x or dst port z)"Capture ICMP , ARP
代码语言:txt复制tcpdump -v icmp(or arp)Capture packets on interface eth0 and dump to cap.txt file
代码语言:txt复制tcpdump -i eth0 -w cap.txtGet Packet Contents with Hex Output
代码语言:txt复制tcpdump -c 1 -X icmpShow Traffic Related to a Specific Port
代码语言:txt复制tcpdump port 3389 tcpdump src port 1025Show Traffic of One Protocol
代码语言:txt复制tcpdump icmpFind Traffic by IP
代码语言:txt复制tcpdump host 1.1.1.1Filtering by Source and/or Destination
代码语言:txt复制tcpdump src 1.1.1.1 tcpdump dst 1.0.0.1Finding Packets by Network
代码语言:txt复制tcpdump net 1.2.3.0/24Get Packet Contents with Hex Output
代码语言:txt复制tcpdump -c 1 -X icmpShow Traffic Related to a Specific Port
代码语言:txt复制tcpdump port 3389 tcpdump src port 1025Show Traffic of One Protocol
代码语言:txt复制tcpdump icmpShow only IP6 Traffic
代码语言:txt复制tcpdump ip6Find Traffic Using Port Ranges
代码语言:txt复制tcpdump portrange 21-23Find Traffic Based on Packet Size
代码语言:txt复制 tcpdump less 32 tcpdump greater 64 tcpdump <= 128 tcpdump => 128Reading / Writing Captures to a File (pcap)
代码语言:txt复制tcpdump port 80 -w capture_filetcpdump -r capture_fileIt’s All About the Combinations
Raw Output View
代码语言:txt复制tcpdump -ttnnvvSHere are some examples of combined commands.
From specific IP and destined for a specific Port
代码语言:txt复制tcpdump -nnvvS src 10.5.2.3 and dst port 3389From One Network to Another
代码语言:txt复制tcpdump -nvX src net 192.168.0.0/16 and dst net 10.0.0.0/8 or 172.16.0.0/16Non ICMP Traffic Going to a Specific IP
代码语言:txt复制tcpdump dst 192.168.0.2 and src net and not icmpTraffic From a Host That Isn’t on a Specific Port
代码语言:txt复制tcpdump -vv src mars and not dst port 22Isolate TCP RST flags.
代码语言:txt复制tcpdump 'tcp[13] & 4!=0'tcpdump 'tcp[tcpflags] == tcp-rst'Isolate TCP SYN flags.
代码语言:txt复制tcpdump 'tcp[13] & 2!=0'tcpdump 'tcp[tcpflags] == tcp-syn'Isolate packets that have both the SYN and ACK flags set.
代码语言:txt复制tcpdump 'tcp[13]=18'Isolate TCP URG flags.
代码语言:txt复制tcpdump 'tcp[13] & 32!=0'tcpdump 'tcp[tcpflags] == tcp-urg'Isolate TCP ACK flags.
代码语言:txt复制tcpdump 'tcp[13] & 16!=0'tcpdump 'tcp[tcpflags] == tcp-ack'Isolate TCP PSH flags.
代码语言:txt复制tcpdump 'tcp[13] & 8!=0'tcpdump 'tcp[tcpflags] == tcp-psh'Isolate TCP FIN flags.
代码语言:txt复制tcpdump 'tcp[13] & 1!=0'tcpdump 'tcp[tcpflags] == tcp-fin'Commands that I using almost daily
Both SYN and RST Set
代码语言:txt复制tcpdump 'tcp[13] = 6'Find HTTP User Agents
代码语言:txt复制tcpdump -vvAls0 | grep 'User-Agent:'tcpdump -nn -A -s1500 -l | grep "User-Agent:"By using egrep and multiple matches we can get the User Agent and the Host (or any other header) from the request.
代码语言:txt复制tcpdump -nn -A -s1500 -l | egrep -i 'User-Agent:|Host:'Capture only HTTP GET and POST packets only packets that match GET.
代码语言:txt复制tcpdump -s 0 -A -vv 'tcp[((tcp[12:1] & 0xf0) >> 2):4] = 0x47455420'tcpdump -s 0 -A -vv 'tcp[((tcp[12:1] & 0xf0) >> 2):4] = 0x504f5354'Extract HTTP Request URL's
代码语言:txt复制tcpdump -s 0 -v -n -l | egrep -i "POST /|GET /|Host:"Extract HTTP Passwords in POST Requests
代码语言:txt复制tcpdump -s 0 -A -n -l | egrep -i "POST /|pwd=|passwd=|password=|Host:"Capture Cookies from Server and from Client
代码语言:txt复制tcpdump -nn -A -s0 -l | egrep -i 'Set-Cookie|Host:|Cookie:'Capture all ICMP packets
代码语言:txt复制tcpdump -n icmpShow ICMP Packets that are not ECHO/REPLY (standard ping)
代码语言:txt复制tcpdump 'icmp[icmptype] != icmp-echo and icmp[icmptype] != icmp-echoreply'Capture SMTP / POP3 Email
代码语言:txt复制tcpdump -nn -l port 25 | grep -i 'MAIL FROM|RCPT TO'Troubleshooting NTP Query and Response
代码语言:txt复制tcpdump dst port 123Capture FTP Credentials and Commands
代码语言:txt复制tcpdump -nn -v port ftp or ftp-dataRotate Capture Files
代码语言:txt复制tcpdump -w /tmp/capture-%H.pcap -G 3600 -C 200Capture IPv6 Traffic
代码语言:txt复制tcpdump -nn ip6 proto 6IPv6 with UDP and reading from a previously saved capture file.
代码语言:txt复制tcpdump -nr ipv6-test.pcap ip6 proto 17Detect Port Scan in Network Traffic
代码语言:txt复制tcpdump -nnUSAGE EXAMPLE
Example Filter Showing Nmap NSE Script Testing
- On Target:
nmap -p 80 --script=http-enum.nse targetip- On Server:
tcpdump -nn port 80 | grep "GET /" GET /w3perl/ HTTP/1.1 GET /w-agora/ HTTP/1.1 GET /way-board/ HTTP/1.1 GET /web800fo/ HTTP/1.1 GET /webaccess/ HTTP/1.1 GET /webadmin/ HTTP/1.1 GET /webAdmin/ HTTP/1.1Capture Start and End Packets of every non-local host
代码语言:txt复制tcpdump 'tcp[tcpflags] & (tcp-syn|tcp-fin) != 0 and not src and dst net localnet'Capture DNS Request and Response
代码语言:txt复制tcpdump -i wlp58s0 -s0 port 53Capture HTTP data packets
代码语言:txt复制tcpdump 'tcp port 80 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)'Top Hosts by Packets
代码语言:txt复制tcpdump -nnn -t -c 200 | cut -f 1,2,3,4 -d '.' | sort | uniq -c | sort -nr | head -n 20Capture all the plaintext passwords
代码语言:txt复制tcpdump port http or port ftp or port smtp or port imap or port pop3 or port telnet -l -A | egrep -i -B5 'pass=|pwd=|log=|login=|user=|username=|pw=|passw=|passwd=|password=|pass:|user:|username:|password:|login:|pass |user 'tcpdump port http or port ftp or port smtp or port imap or port pop3 or port telnet -lA | egrep -i -B5 'pass=|pwd=|log=|login=|user=|username=|pw=|passw=|passwd= |password=|pass:|user:|username:|password:|login:|pass |user 'DHCP Example
代码语言:txt复制tcpdump -v -n port 67 or 68Cleartext GET Requests
代码语言:txt复制tcpdump -vvAls0 | grep 'GET'Find HTTP Host Headers
代码语言:txt复制tcpdump -vvAls0 | grep 'Host:'Find HTTP Cookies
代码语言:txt复制tcpdump -vvAls0 | grep 'Set-Cookie|Host:|Cookie:'Find SSH Connections
代码语言:txt复制tcpdump 'tcp[(tcp[12]>>2):4] = 0x5353482D'Find DNS Traffic
代码语言:txt复制tcpdump -vvAs0 port 53Find FTP Traffic
代码语言:txt复制tcpdump -vvAs0 port ftp or ftp-dataFind NTP Traffic
代码语言:txt复制tcpdump -vvAs0 port 123Capture SMTP / POP3 Email
代码语言:txt复制tcpdump -nn -l port 25 | grep -i 'MAIL FROM|RCPT TO'Line Buffered Mode
代码语言:txt复制tcpdump -i eth0 -s0 -l port 80 | grep 'Server:'Find traffic with evil bit
代码语言:txt复制tcpdump 'ip[6] & 128 != 0'Filter on protocol (ICMP) and protocol-specific fields (ICMP type)
tcpdump -n icmp and 'icmp0 != 8 and icmp0 != 0'
Same command can be used with predefined header field offset (icmptype) and ICMP type field values (icmp-echo and icmp-echoreply):
代码语言:txt复制tcpdump -n icmp and icmp[icmptype] != icmp-echo and icmp[icmptype] != icmp-echoreplyFilter on TOS field
代码语言:txt复制tcpdump -v -n ip and ip[1]!=0Filter on TTL field
代码语言:txt复制tcpdump -v ip and 'ip[8]<2'Filter on TCP flags (SYN/ACK)
代码语言:txt复制tcpdump -n tcp and port 80 and 'tcp[tcpflags] & tcp-syn == tcp-syn'In the example above, all packets with TCP SYN flag set are captured. Other flags (ACK, for example) might be set also. Packets which have only TCP SYN flags set, can be captured
代码语言:txt复制tcpdump tcp and port 80 and 'tcp[tcpflags] == tcp-syn'Catch TCP SYN/ACK packets (typically, responses from servers):
代码语言:txt复制tcpdump -n tcp and 'tcp[tcpflags] & (tcp-syn|tcp-ack) == (tcp-syn|tcp-ack)'tcpdump -n tcp and 'tcp[tcpflags] & tcp-syn == tcp-syn' and 'tcp[tcpflags] & tcp-ack == tcp-ack'Catch ARP packets
代码语言:txt复制tcpdump -vv -e -nn ether proto 0x0806Filter on IP packet length
代码语言:txt复制tcpdump -l icmp and '(ip[2:2]>50)' -w - |tcpdump -r - -v ip and '(ip[2:2]<60)'Remark: due to some bug in tcpdump, the following command doesn't catch packets as expected:
代码语言:txt复制tcpdump -v -n icmp and '(ip[2:2]>50)' and '(ip[2:2]<60)'Filter on encapsulated content (ICMP within PPPoE)
代码语言:txt复制tcpdump -v -n icmpQueiter
代码语言:txt复制tcpdump -q -i eth0tcpdump -t -i eth0tcpdump -A -n -q -i eth0 'port 80'tcpdump -A -n -q -t -i eth0 'port 80'Print only useful packets from the HTTP traffic
代码语言:txt复制tcpdump -A -s 0 -q -t -i eth0 'port 80 and ( ((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12:2]&0xf0)>>2)) != 0)'Dump SIP Traffic
代码语言:txt复制tcpdump -nq -s 0 -A -vvv port 5060 and host 1.2.3.4Checking packet content
代码语言:txt复制tcpdump -i any -c10 -nn -A port 80Checking packet content
代码语言:txt复制sudo tcpdump -i any -c10 -nn -A port 80
