Tcpdump cheat sheet: Difference between revisions

Latest revision as of 06:09, 25 August 2022

tcpdump -i eth0 -s 0 -nnn host A.B.C.D

tcpdump -i eth0 -s 0 -w <filename> port not 22

tcpdump -i eth0 -s 0 -w <filename> icmp

tcpdump -i eth0 -s 0 host A.B.C.D and port 1234

tcpdump -i eth0 -s 0 host A.B.C.D and port 1234 -A

tcpdump -i eth0 -s 0 host 1.2.3.4 or host 5.6.7.8 or ...

Read: dump tracefile <filename> once after 600 seconds

tcpdump -i eth0 -s 0 -G 600 -W 1 -w <filename> port 1234

<Ctrl>-C

@@ Line 1: / Line 1: @@
-=== Display packtes from <host> on&nbsp;interface eth0, no name resolution ===
+=== Display packets from A.B.C.D&nbsp;on&nbsp;interface eth0, no name resolution ===
-<pre>tcpdump -i eth0 -s 0 -nnn host <HOST></pre>
+<pre>tcpdump -i eth0 -s 0 -nnn host A.B.C.D</pre>
 &nbsp;
-=== Save packets to tracefile <filename> on&nbsp;interface eth0 with the exclusion of SSH traffic ===
+=== Save packets to tracefile <filename> on&nbsp;interface eth0 with exclusion of ssh ===
 <pre>tcpdump -i eth0 -s 0 -w <filename> port not 22
 </pre>
@@ Line 18: / Line 18: @@
 === Packets from host A.B.C.D on port 1234 ===
-<pre>tcpdump -i eth0 -s 0 host A.B.C.D && port 1234</pre>
+<pre>tcpdump -i eth0 -s 0 host A.B.C.D and port 1234</pre>
 &nbsp;
-=== Packets on port 1234 for 10 minutes (dump tracefile <filename> once after 600 seconds) ===
+=== Packets from host A.B.C.D on port 1234 and ASCII decode on screen ===
-<pre>tcpdump -i eth0 -s 0 -G 600 -W 1 -s 0 -w <filename> port 1234</pre>
+<pre>tcpdump -i eth0 -s 0 host A.B.C.D and port 1234 -A</pre>
+&nbsp;
+=== Packets from multiple host ===
+<pre>tcpdump -i eth0 -s 0 host 1.2.3.4 or host 5.6.7.8 or ...
+</pre>
+&nbsp;
+=== Packets on port 1234 for 10 minutes ===
+Read: dump tracefile <filename> once after 600 seconds
+<pre>tcpdump -i eth0 -s 0 -G 600 -W 1 -w <filename> port 1234</pre>
 &nbsp;