JeanBritz

TCP Dump Commands

May 12th, 2017
TCP DUMP COMMANDS
=================

See the list of interfaces on which tcpdump can listen:

tcpdump -D

Listen on interface eth0:

tcpdump -i eth0

Listen on any available interface (cannot be done in promiscuous mode. Requires Linux kernel 2.2 or greater):

tcpdump -i any

Be verbose while capturing packets:

tcpdump -v

Be more verbose while capturing packets:

tcpdump -vv

Be very verbose while capturing packets:

tcpdump -vvv

Be verbose and print the data of each packet in both hex and ASCII, excluding the link level header:

tcpdump -v -X

Be verbose and print the data of each packet in both hex and ASCII, also including the link level header:

tcpdump -v -XX

Be less verbose (than the default) while capturing packets:

tcpdump -q

Limit the capture to 100 packets:

tcpdump -c 100

Record the packet capture to a file called capture.cap:

tcpdump -w capture.cap

Record the packet capture to a file called capture.cap but display on-screen how many packets have been captured in real-time:

tcpdump -v -w capture.cap

Display the packets of a file called capture.cap:

tcpdump -r capture.cap

Display the packets using maximum detail of a file called capture.cap:

tcpdump -vvv -r capture.cap

Display IP addresses and port numbers instead of domain and service names when capturing packets (note: on some systems you need to specify -nn to display port numbers):

tcpdump -n

Capture any packets where the destination host is 192.168.1.1. Display IP addresses and port numbers:

tcpdump -n dst host 192.168.1.1

Capture any packets where the source host is 192.168.1.1. Display IP addresses and port numbers:

tcpdump -n src host 192.168.1.1

Capture any packets where the source or destination host is 192.168.1.1. Display IP addresses and port numbers:

tcpdump -n host 192.168.1.1

Capture any packets where the destination network is 192.168.1.0/24. Display IP addresses and port numbers:

tcpdump -n dst net 192.168.1.0/24

Capture any packets where the source network is 192.168.1.0/24. Display IP addresses and port numbers:

tcpdump -n src net 192.168.1.0/24

Capture any packets where the source or destination network is 192.168.1.0/24. Display IP addresses and port numbers:

tcpdump -n net 192.168.1.0/24

Capture any packets where the destination port is 23. Display IP addresses and port numbers:

tcpdump -n dst port 23

Capture any packets where the destination port is between 1 and 1023 inclusive. Display IP addresses and port numbers:

tcpdump -n dst portrange 1-1023

Capture only TCP packets where the destination port is between 1 and 1023 inclusive. Display IP addresses and port numbers:

tcpdump -n tcp dst portrange 1-1023

Capture only UDP packets where the destination port is between 1 and 1023 inclusive. Display IP addresses and port numbers:

tcpdump -n udp dst portrange 1-1023

Capture any packets with destination IP 192.168.1.1 and destination port 23. Display IP addresses and port numbers:

tcpdump -n "dst host 192.168.1.1 and dst port 23"

Capture any packets with destination IP 192.168.1.1 and destination port 80 or 443. Display IP addresses and port numbers:

tcpdump -n "dst host 192.168.1.1 and (dst port 80 or dst port 443)"

Capture any ICMP packets:

tcpdump -v icmp

Capture any ARP packets:

tcpdump -v arp

Capture either ICMP or ARP packets:

tcpdump -v "icmp or arp"

Capture any packets that are broadcast or multicast:

tcpdump -n "broadcast or multicast"

Capture 500 bytes of data for each packet rather than the default of 68 bytes:

tcpdump -s 500

Capture all bytes of data within the packet:

tcpdump -s 0
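
Added example, not part of the original paste: a POSIX shell helper that composes the combined "dst host ... and (dst port ... or dst port ...)" filter shown earlier from validated arguments, so a wrapper script that takes a host and ports from an operator never passes free-form text into the filter expression. The function names is_ipv4, is_port and build_dst_filter are hypothetical; the address and ports are the sample values used in the commands above.

```shell
#!/bin/sh
# Added example; function names are hypothetical, not part of tcpdump.

# Succeeds only for a dotted-quad IPv4 address with octets 0-255.
is_ipv4() {
    case "$1" in
        ""|*[!0-9.]*|*..*|.*|*.) return 1 ;;
    esac
    IFS=. read -r o1 o2 o3 o4 rest <<EOF
$1
EOF
    [ -n "$o4" ] && [ -z "$rest" ] || return 1
    for octet in "$o1" "$o2" "$o3" "$o4"; do
        case "$octet" in 0?*) return 1 ;; esac   # reject leading zeros
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
}

# Succeeds only for a decimal port in 1-65535 without leading zeros.
is_port() {
    case "$1" in
        ""|0*|*[!0-9]*) return 1 ;;
    esac
    [ "${#1}" -le 5 ] && [ "$1" -le 65535 ]
}

# build_dst_filter HOST PORT [PORT...]
# Prints the filter on stdout; prints an error and returns 1 on bad input.
build_dst_filter() {
    [ "$#" -ge 2 ] || { echo "usage: build_dst_filter HOST PORT..." >&2; return 1; }
    host=$1
    shift
    is_ipv4 "$host" || { echo "rejected host: $host" >&2; return 1; }
    ports=""
    for p in "$@"; do
        is_port "$p" || { echo "rejected port: $p" >&2; return 1; }
        ports="${ports:+$ports or }dst port $p"
    done
    # Parenthesise the alternatives so "and" applies to the whole port list.
    if [ "$#" -gt 1 ]; then ports="($ports)"; fi
    printf '%s\n' "dst host $host and $ports"
}

# Constructed sample input; prints the command line instead of running it.
filter=$(build_dst_filter 192.168.1.1 80 443)
echo "tcpdump -n -c 100 -w capture.cap \"$filter\""
```

The printed command uses only options listed above (-n, -c, -w); passing the filter as one quoted argument keeps the shell from interpreting the parentheses.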