2. tcpdump -i enp0s3 // specify the interface to capture from
3. sudo tcpdump --interface any -c 5 // capture from all interfaces, but only 5 packets
4. sudo tcpdump -i any -c5 -nn // disable name resolution with -n; -nn also disables port resolution
5. sudo tcpdump -i any -c5 icmp // capture ICMP traffic only
6. sudo tcpdump -i any -c5 -nn host 54.204.39.132 // tcpdump captures only packets to and from host 54.204.39.132
7. sudo tcpdump -i any -c5 -nn port 80 // to filter packets based on the desired service or port, use the port filter
8. sudo tcpdump -i any -c5 -nn src 192.168.122.98 // filter packets based on the source IP address
9. sudo tcpdump -i any -c5 -nn dst 192.168.122.98 // filter packets based on the destination IP address
10. sudo tcpdump -i any -c5 -nn src 192.168.122.98 and port 80 // filter packets from source IP address 192.168.122.98 and the HTTP service only
11. sudo tcpdump -i any -c5 -nn "port 80 and (src 192.168.122.98 or src 54.204.39.132)" // build complex expressions by grouping filters with parentheses
12. sudo tcpdump -i any -c10 -nn -A port 80 // check packet content; -A prints the content in ASCII
13. sudo tcpdump -i any -c10 -nn -w webserver.pcap port 80 // save captured packets to a file
14. tcpdump -nn -r webserver.pcap // read the contents of the capture file
15. tcpdump -nn -r webserver.pcap src 54.204.39.132 // inspect only the packets in the capture file from source IP address 54.204.39.132
16. tcpdump src port 25 // port filtering using the source port
17. tcpdump src net 192.168 // network filtering using the source network
18. tcpdump arp, tcpdump ip, tcpdump tcp, tcpdump udp, tcpdump icmp // protocol filtering
19. Combining multiple expressions:
    Negation: ! or not
    Concatenation (AND): && or and
    Alternation (OR): || or or
    For example: tcpdump '((tcp) and (port 80) and ((dst host 192.168.1.254) or (dst host 192.168.1.200)))'
20. tcpdump '((icmp) and ((ether dst host 00:01:02:03:04:05)))' // matches any ICMP traffic whose destination has the physical/MAC address 00:01:02:03:04:05
21. Applying advanced filters. Checking whether IP options are set: we can do this by checking whether the first byte of the IP header is greater than 69. The first byte holds 0100 (IP version 4) followed by 0101 (IP header length of 5 words); combined, that is 01000101, which is 69 in decimal (0x45). If the value is greater than 69, the IP header is bigger than 5x4 = 20 bytes, which means IP options are present. Therefore the command is:
    tcpdump 'ip[0] > 69'
    The proper way, however, is to "mask" the first half of the byte: mask off the 4-bit IP version field and check only the 4-bit header length field; if it is greater than 5, IP options are present. In decimal, and then in hex:
    tcpdump 'ip[0] & 15 > 5'
    tcpdump 'ip[0] & 0xf > 5'
22. Checking whether the DF bit (don't fragment) is set: the fragment offset field is only used when fragmentation occurs. To match the DF bit (don't fragment, set to avoid IP fragmentation), the 7th byte (ip[6]) would have the value 01000000, or 64 in decimal, therefore:
    tcpdump 'ip[6] = 64'
    Matching MF (more fragments set): this matches the fragmented datagrams but not the last fragment (which has the MF bit, the 2nd bit of the byte, set to 0):
    tcpdump 'ip[6] = 32'
23. Matching packets longer than X bytes (here X is 600 bytes; ip[2:2] is the 2-byte total length field):
    tcpdump 'ip[2:2] > 600'
TCP Based Filters:
24. Matching any TCP traffic with a source port below 1024:
    tcpdump 'tcp[0:2] < 1024'
    or
    tcpdump 'tcp src portrange 0-1023'
25. Matching packets with only the SYN flag set:
    tcpdump 'tcp[13] = 2'
    Matching SYN and ACK (the 14th byte, tcp[13], is 00010010 = 18):
    tcpdump 'tcp[13] = 18'
    You can also match TCP flags by name:
    tcpdump 'tcp[tcpflags] == tcp-ack'
    Matching all packets with TCP-SYN or TCP-FIN set:
    tcpdump 'tcp[tcpflags] & (tcp-syn|tcp-fin) != 0'
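To make the byte-offset filters from items 21 to 25 concrete, here is an added example (not part of the original notes) that evaluates the same ip[...] and tcp[...] predicates in Python against constructed IPv4/TCP headers. It also goes one step beyond the notes: it shows that the equality test 'ip[6] = 32' misses a fragment whose offset is large enough to set bits in the same byte, while the masked form 'ip[6] & 0x20 != 0' still matches it. All packet bytes, ports and offsets are constructed for illustration.

```python
import struct

TCP_FIN, TCP_SYN, TCP_ACK = 0x01, 0x02, 0x10      # tcpdump's tcp-fin, tcp-syn, tcp-ack bit values

def build_ipv4_tcp(sport, dport, tcp_flags, ihl=5, ip_flags=0, frag_off=0, payload=b""):
    """Constructed IPv4 header (zero-padded options when ihl > 5) followed by a TCP header.
    Addresses and checksums are left at zero; only the fields the filters inspect matter here."""
    options = b"\x00" * ((ihl - 5) * 4)
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, tcp_flags, 8192, 0, 0)
    total_len = ihl * 4 + len(tcp) + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0, total_len, 0,
                     (ip_flags << 13) | frag_off, 64, 6, 0, b"\0" * 4, b"\0" * 4)
    return ip + options + tcp + payload

def tcp_hdr(pkt):                      # tcpdump's tcp[...] offsets start after the IP header (IHL*4 bytes)
    return pkt[(pkt[0] & 0x0F) * 4:]

# IP-header predicates, each mirroring one filter expression from the notes
def ip_options_present(pkt):  return (pkt[0] & 0x0F) > 5                      # 'ip[0] & 0xf > 5'
def df_eq_64(pkt):            return pkt[6] == 64                              # 'ip[6] = 64'
def mf_eq_32(pkt):            return pkt[6] == 32                              # 'ip[6] = 32'
def mf_masked(pkt):           return pkt[6] & 0x20 != 0                        # 'ip[6] & 0x20 != 0'
def longer_than(pkt, n):      return int.from_bytes(pkt[2:4], "big") > n       # 'ip[2:2] > n'
# TCP-header predicates
def src_port_below_1024(pkt): return int.from_bytes(tcp_hdr(pkt)[0:2], "big") < 1024  # 'tcp[0:2] < 1024'
def syn_only(pkt):            return tcp_hdr(pkt)[13] == 2                     # 'tcp[13] = 2'
def syn_ack(pkt):             return tcp_hdr(pkt)[13] == 18                    # 'tcp[13] = 18'
def syn_or_fin(pkt):          return tcp_hdr(pkt)[13] & (TCP_SYN | TCP_FIN) != 0  # 'tcp[tcpflags] & (tcp-syn|tcp-fin) != 0'

# Constructed sample packets (ip_flags bits: 0b010 = DF, 0b001 = MF; frag_off is in 8-byte units)
SYN       = build_ipv4_tcp(51234, 80, TCP_SYN, ip_flags=0b010)               # client SYN with DF set
SYN_ACK   = build_ipv4_tcp(80, 51234, TCP_SYN | TCP_ACK, ip_flags=0b010)     # server reply
WITH_OPTS = build_ipv4_tcp(25, 4444, TCP_ACK, ihl=6)                         # 24-byte IP header, ip[0] = 0x46
FRAG_1    = build_ipv4_tcp(80, 51234, TCP_ACK, ip_flags=0b001, frag_off=185)  # MF, offset 1480 bytes -> ip[6] = 0x20
FRAG_2    = build_ipv4_tcp(80, 51234, TCP_ACK, ip_flags=0b001, frag_off=370)  # MF, offset 2960 bytes -> ip[6] = 0x21

if __name__ == "__main__":
    for name, pkt in [("SYN", SYN), ("SYN_ACK", SYN_ACK), ("WITH_OPTS", WITH_OPTS),
                      ("FRAG_1", FRAG_1), ("FRAG_2", FRAG_2)]:
        print(f"{name:9} opts={ip_options_present(pkt)!s:5} df=64:{df_eq_64(pkt)!s:5} "
              f"mf=32:{mf_eq_32(pkt)!s:5} mf&0x20:{mf_masked(pkt)!s:5} "
              f"syn:{syn_only(pkt)!s:5} syn/ack:{syn_ack(pkt)!s:5} syn|fin:{syn_or_fin(pkt)}")
```

The TCP header inside the two fragment packets is only filler so that every packet has the same shape; real non-first fragments carry no TCP header, which is why the fragment rows are only meaningful for the ip[...] columns.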