Dump traffic on a network with tcpdump

tcpdump is a command-line packet analyzer. The filter expression given after the options selects which packets are captured (BPF syntax: primitives such as host, net, port, combined with and, or, not and parentheses).

Configuration

Main options

Operators

root@host:~# tcpdump -nnvvS src 10.5.2.3 and dst port 3389
root@host:~# tcpdump -nvX src net 192.168.0.0/16 and dst net 10.0.0.0/8 or 172.16.0.0/16
root@host:~# tcpdump -vv src mars and not dst port 22
root@host:~# tcpdump 'src 10.0.2.4 and (dst port 3389 or 22)'

Examples

Main examples

root@host:~# tcpdump host 1.2.3.4
root@host:~# tcpdump src 1.2.3.4
root@host:~# tcpdump icmp
root@host:~# tcpdump port 443
root@host:~# tcpdump portrange 443-445
root@host:~# tcpdump src port 443
root@host:~# tcpdump src port 443 and tcp
root@host:~# tcpdump -i eth0 -A -n -vv ether host 0f:08:6d:6f:bb:0d
root@host:~# tcpdump -i eth0 -A -n -vv ether broadcast
root@host:~# tcpdump -i eno2.113 -A -vvv -n -c 50 'icmp and host 192.168.1.254'

Pcap File

root@host:~# tcpdump -i eth1 -w %F_%H%M -G 3600
root@host:~# apt-get install tshark
root@host:~# editcap -F libpcap -A "2015-06-02 17:10:00" -B "2015-06-02 17:20:00" 2015-06-02_1631 2015-06-02_1710_1720.NEW
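The rotating capture above (-w %F_%H%M -G 3600) starts a new file every 3600 seconds counted from the moment tcpdump started, not on the calendar hour, so the file named 2015-06-02_1631 holds 16:31 up to 17:31 and the 17:10 to 17:20 slice must be cut from it. The following POSIX sh helper, an added example that is not part of the original page, picks the rotated file that contains a requested wall-clock time from a list of such file names; the function names and the constructed file names are this example's own.

```shell
#!/bin/sh
# Added example (not from the original page): locate the rotated tcpdump file
# that covers a given time, for captures written with -w %F_%H%M -G 3600.
# Constructed file names such as 2015-06-02_1631 are used for the demo.

# key NAME_OR_TIME -> 12-digit sort key, e.g. "2015-06-02_1631" -> 201506021631
# and "2015-06-02 17:10:00" -> 201506021710 (seconds are dropped).
key() {
    printf '%s' "$1" | tr -cd '0-9' | cut -c1-12
}

# rotated_file_for "YYYY-MM-DD HH:MM" file1 file2 ...
# Prints the newest file whose start time is not after the requested time,
# i.e. the file tcpdump was writing at that moment. Returns 1 and prints
# nothing when the time predates every file (the capture had not started yet).
rotated_file_for() {
    want=$(key "$1"); shift
    best=
    for f in "$@"; do
        k=$(key "$f")
        if [ "$k" -le "$want" ]; then
            if [ -z "$best" ] || [ "$k" -gt "$(key "$best")" ]; then
                best=$f
            fi
        fi
    done
    [ -n "$best" ] || return 1
    printf '%s\n' "$best"
}

# Demo with constructed file names from a capture started at 16:31:
# prints 2015-06-02_1631, the file that holds the 17:10 to 17:20 slice.
rotated_file_for "2015-06-02 17:10" 2015-06-02_1831 2015-06-02_1631 2015-06-02_1731
```

If the requested window straddles a rotation boundary (for example 17:25 to 17:35 with files starting at 16:31 and 17:31), the slice spans two files; editcap reads one input file, so merge the two with mergecap first and then apply the -A/-B cut.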

IPsec traffic

If you run tcpdump on the machine that established the IPsec tunnel, you will not see the decapsulated traffic, only the ESP packets. To capture the decapsulated packets, log them with netfilter/iptables using the NFLOG target (matching on the IPsec policy in the mangle table) and capture from the corresponding nflog interface.

root@host:~# iptables -t mangle -I PREROUTING -m policy --pol ipsec --dir in -j NFLOG --nflog-group 5
root@host:~# iptables -t mangle -I POSTROUTING -m policy --pol ipsec --dir out -j NFLOG --nflog-group 5
root@host:~# tcpdump -s 0 -n -i nflog:5
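The two iptables rules above are inserted with -I and stay in place after the capture ends, so every IPsec packet keeps being copied to NFLOG group 5 until someone deletes them, and a second run inserts duplicates. The POSIX sh wrapper below, an added example that is not part of the original page, builds the page's own rules from one function, checks with iptables -C before inserting so the rule is not duplicated, and removes both rules again when tcpdump exits. The function names and the NFLOG_GROUP variable are this example's own; the group number, policy match and tcpdump invocation are the page's. Applying the rules requires root.

```shell
#!/bin/sh
# Added example (not from the original page): NFLOG capture of decapsulated
# IPsec traffic with automatic cleanup of the mangle-table rules.

NFLOG_GROUP=${NFLOG_GROUP:-5}   # the page uses group 5

# nflog_rule ACTION DIR -> iptables argument list for one rule.
#   ACTION: -I (insert), -D (delete) or -C (check whether it exists)
#   DIR:    in  -> PREROUTING,  out -> POSTROUTING
# Returns 2 on an unknown direction so callers fail loudly.
nflog_rule() {
    case "$2" in
        in)  chain=PREROUTING ;;
        out) chain=POSTROUTING ;;
        *)   echo "nflog_rule: direction must be in or out, got '$2'" >&2; return 2 ;;
    esac
    printf '%s\n' "-t mangle $1 $chain -m policy --pol ipsec --dir $2 -j NFLOG --nflog-group $NFLOG_GROUP"
}

# Insert both rules unless they are already present (iptables -C checks).
nflog_apply() {
    for d in in out; do
        # shellcheck disable=SC2046  # word splitting of the argument list is intended
        iptables $(nflog_rule -C "$d") 2>/dev/null || iptables $(nflog_rule -I "$d") || return 1
    done
}

# Delete both rules; ignore failures so cleanup always completes.
nflog_remove() {
    for d in in out; do
        iptables $(nflog_rule -D "$d") 2>/dev/null || true
    done
}

# capture_ipsec [extra tcpdump args]: apply rules, capture, remove rules on exit.
capture_ipsec() {
    nflog_apply || { echo "capture_ipsec: could not install NFLOG rules (root required?)" >&2; return 1; }
    trap nflog_remove EXIT INT TERM
    tcpdump -s 0 -n -i "nflog:$NFLOG_GROUP" "$@"
}
```

Usage: source the file and run capture_ipsec, optionally with a filter such as capture_ipsec 'port 22'; -s 0 keeps whole packets, and -n avoids DNS lookups that would themselves generate traffic through the tunnel.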

This work is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License.