TCPDUMP Basics | TCPDUMP IP Header
I have two Raspberry PI computers in my lab. They are perfect learning tools (hats off to the creators).
TYPICAL SYNTAX
A typical packet capture might look like this:
pi@lucy: $ sudo tcpdump -i eth0 -s 1600 -nn -vvv src host 192.168.0.254 and dst port 22
tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 1600 bytes
What on earth do those flags stand for?
-i eth0 capture packets on the eth0 interface
-s 1600 capture only the first 1600 bytes of each packet rather than the maximum allowed (the default varies by version)
-nn don't resolve IP addresses or port numbers to names
-v slightly more verbose output
-vv even more verbose output
-vvv even more verbose output (useful with the -x or -X option)
src host packets coming from the given IP address
and logical and (both statements must be true for a packet to be captured)
dst port destination port 22 (ssh)
NETWORK FILTERING
tcpdump net 192.168.0
tcpdump src net 192.168.0
tcpdump dst net 192.168.0
etc.
PROTOCOL FILTERING
tcpdump ip
tcpdump tcp
tcpdump icmp
etc.
Combining expressions may involve keywords such as:
! negation
not negation
&& concatenation (and)
and concatenation
|| alternative (or)
or alternative
Example:
pi@lucy: $ sudo tcpdump -i eth0 -s 1600 -nn -vvv -c3 'tcp and src host 192.168.0.254'
I've thrown in -c3 (for capturing only 3 packets) and the combined expression in quotes (' ').
Another example:
pi@lucy: $ sudo tcpdump -i eth0 -s 1600 -nn -vvv -c3 'not tcp and src host 192.168.0.254'
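To make the precedence rules concrete (not binds tightest, then and, then or, as in pcap-filter), here is an added Python example that is not part of the original post: it evaluates filter expressions like the ones above against a few constructed sample packets. It supports only the primitives shown on this page (protocol names, host, net and port, optionally qualified with src or dst) and no parentheses; the packet records are an assumption standing in for what tcpdump would see on eth0.

```python
import ipaddress
import re
# Constructed sample packets (not from the page) standing in for what tcpdump would see on eth0.
PACKETS = [
    {"proto": "tcp", "src": "192.168.0.254", "dst": "192.168.0.10", "srcport": 51234, "dstport": 22},
    {"proto": "udp", "src": "192.168.0.254", "dst": "192.168.0.10", "srcport": 5353, "dstport": 5353},
    {"proto": "icmp", "src": "10.0.0.5", "dst": "192.168.0.10", "srcport": None, "dstport": None},
    {"proto": "tcp", "src": "192.168.0.10", "dst": "192.168.0.254", "srcport": 22, "dstport": 51234},
]

def split_on(toks, word):
    # Split a token list into groups at every occurrence of a keyword ("and" / "or").
    groups = [[]]
    for t in toks:
        if t == word: groups.append([])
        else: groups[-1].append(t)
    return groups

def primitive(toks, pkt):
    """Evaluate one primitive: 'tcp', 'src host A', 'net 192.168.0', 'dst port 22', ..."""
    if toks[0] in ("ip", "tcp", "udp", "icmp"):  # protocol qualifier
        return toks[0] == "ip" or pkt["proto"] == toks[0]
    sides = ["src", "dst"]  # an unqualified host/net/port matches either end of the packet
    if toks[0] in ("src", "dst"):
        sides, toks = [toks[0]], toks[1:]
    kind, value = toks
    if kind == "host":
        return any(pkt[s] == value for s in sides)
    if kind == "net":  # 'net 192.168.0' means 192.168.0.0/24, as tcpdump reads a 3-octet net
        octs = value.split(".")
        cidr = value if "/" in value else ".".join(octs + ["0"] * (4 - len(octs))) + f"/{8 * len(octs)}"
        net = ipaddress.ip_network(cidr, strict=False)
        return any(ipaddress.ip_address(pkt[s]) in net for s in sides)
    if kind == "port":
        return any(pkt[s + "port"] == int(value) for s in sides)
    raise ValueError(f"unsupported primitive: {' '.join(toks)}")

def matches(expr, pkt):
    """Evaluate a parenthesis-free filter; precedence: 'not' > 'and' > 'or' (as in pcap-filter)."""
    alias = {"&&": "and", "||": "or", "!": "not"}  # symbolic forms map to the keywords
    toks = [alias.get(t, t) for t in re.findall(r"&&|\|\||!|[^\s!&|]+", expr)]
    for conj in split_on(toks, "or"):        # or-groups: the packet passes if any group matches
        for term in split_on(conj, "and"):   # and-terms: every term in the group must match
            negate = 0
            while term and term[0] == "not":
                negate, term = negate + 1, term[1:]
            if primitive(term, pkt) == bool(negate % 2):  # this term fails
                break
        else:
            return True
    return False

def select(expr, packets=PACKETS):
    return [i for i, p in enumerate(packets) if matches(expr, p)]
```

Running select() with the two expressions from the examples above shows why the second one returns only the UDP packet: 'not' applies to 'tcp' alone, not to the whole expression.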