Tcpdump cheat sheet: Difference between revisions

From wiki.comcert.com
Jump to navigation Jump to search
No edit summary
No edit summary
 
(10 intermediate revisions by the same user not shown)
Line 1: Line 1:


=== Display packtes from vSCOUT on vSTREAM (monitor interface = eth1): ===
=== Display packets from A.B.C.D on interface eth0, no name resolution ===
<pre>tcpdump -i eth1 -vv host <IP-VSCOUT></pre>
<pre>tcpdump -i eth0 -s 0 -nnn host A.B.C.D</pre>


&nbsp;
&nbsp;


=== Packets to trace file: ===
=== Save packets to tracefile <filename> on&nbsp;interface eth0 with exclusion of ssh ===
<pre>tcpdump -i eth0 -s 0 -w <path> &
<pre>tcpdump -i eth0 -s 0 -w <filename> port not 22
</pre>
</pre>


&nbsp;
&nbsp;


=== To stop: ===
=== Save icmp packets to tracefile <filename> on&nbsp;interface eth0 ===
<pre><Enter></pre>
<pre>tcpdump -i eth0 -s 0 -w <filename> icmp
</pre>
 
&nbsp;
 
=== Packets from host A.B.C.D on port 1234 ===
<pre>tcpdump -i eth0 -s 0 host A.B.C.D and port 1234</pre>
 
&nbsp;
 
=== Packets from host A.B.C.D on port 1234 and ASCII decode on screen ===
<pre>tcpdump -i eth0 -s 0 host A.B.C.D and port 1234 -A</pre>
 
&nbsp;
 
=== Packets from multiple host ===
<pre>tcpdump -i eth0 -s 0 host 1.2.3.4 or host 5.6.7.8 or ...
</pre>
 
&nbsp;
 
=== Packets on port 1234 for 10 minutes ===
 
Read: dump tracefile <filename> once after 600 seconds
<pre>tcpdump -i eth0 -s 0 -G 600 -W 1 -w <filename> port 1234</pre>
 
&nbsp;
 
=== Stop ===
<pre><Ctrl>-C</pre>

Latest revision as of 06:09, 25 August 2022

Display packets from A.B.C.D on interface eth0, no name resolution

tcpdump -i eth0 -s 0 -nnn host A.B.C.D

 

Save packets to tracefile <filename> on interface eth0 with exclusion of ssh

tcpdump -i eth0 -s 0 -w <filename> port not 22

 

Save icmp packets to tracefile <filename> on interface eth0

tcpdump -i eth0 -s 0 -w <filename> icmp

 

Packets from host A.B.C.D on port 1234

tcpdump -i eth0 -s 0 host A.B.C.D and port 1234

 

Packets from host A.B.C.D on port 1234 and ASCII decode on screen

tcpdump -i eth0 -s 0 host A.B.C.D and port 1234 -A

 

Packets from multiple host

tcpdump -i eth0 -s 0 host 1.2.3.4 or host 5.6.7.8 or ...

 

Packets on port 1234 for 10 minutes

Read: dump tracefile <filename> once after 600 seconds

tcpdump -i eth0 -s 0 -G 600 -W 1 -w <filename> port 1234

 

Stop

<Ctrl>-C