TCPDump Quick Reference

Intro

TCPDump is a tool for sniffing packets on a network. This is not a comprehensive tutorial, only a quick reference source. Consult the man pages and/or documentation for indepth explanation of commands.

Capturing Traffic

All Traffic for an interface

-i <interface-name> specifies an interface.

cmd

sudo tcpdump -i eth1

Source Address

cmd

sudo tcpdump -i eth1 src 172.16.20.220

Destination Address

cmd

sudo tcpdump -i eth1 dst 8.8.8.8

ARP

cmd

sudo tcpdump -i eth1 arp

ICMP

cmd

sudo tcpdump -i eth1 icmp and dst 9.9.9.9

DHCP

cmd

sudo tcpdump -i eth1 port 67 or port 68

DNS

Capture TCP and UDP

cmd

sudo tcpdump -i eth1 port 53

Capture UDP only

cmd

sudo tcpdump -i eth1 udp port 53

SNMP

cmd

sudo tcpdump -i eth1 port 161 or port 162

Ethernet

Host address

cmd

sudo tcpdump ether host aa:bb:cc:11:22:33

File Output

PCAP File

-w <path-to-file>.pcap specifies pcap file location.

cmd

sudo tcpdump -i eth1 -w /tmp/capture.pcap

Limit Capture

Capture number of packets

cmd

sudo tcpdump -i eth1 icmp -c 4

Capture to size of file

cmd

sudo tcpdump -i eth1 icmp -C 10 -w /tmp/capture.pcap

Links

http://www.tcpdump.org/

On This Page