Tcpdump
Local
Live
Display Available Interfaces
Capture Packets from Specific Interface
Print Captured Packets in ASCII
Display Captured Packets in HEX and ASCII
Capture only TCP Packets
Capture only UDP Packets
Capture Packet from Specific Port
Capture Packets from source IP
Capture Packets from destination IP
From File
Reading from file
Command | Comment |
---|---|
tcpdump -r file-name.pcap | -r read packets from file |
tcpdump -n -r file-name.pcap | -n don't convert addresses to names (the file name must directly follow -r) |
Filters
Command | Comment |
---|---|
tcpdump -n src host 11.22.33.44 -r file-name.pcap | src host 11.22.33.44 filter by source host |
tcpdump -n dst host 11.22.33.44 -r file-name.pcap | dst host 11.22.33.44 filter by destination host |
tcpdump -n port 8080 -r file-name.pcap | port 8080 filter by port |
tcpdump -A -r file-name.pcap | -A print packet data in ASCII |
Filters - advanced
(https://support.f5.com/csp/article/K2289) The TCP flags are located in the 14th byte of the TCP header. Because numbering starts at byte 0, the flags byte is referenced as byte 13 (tcp[13]).
Byte 13 can hold up to eight one-bit flags; however, TCP uses only six of them. The other two bits are reserved and should be set to zero.
Each flag occupies one bit, so for a TCP header with a single flag set, byte 13 holds one of the following values (bit positions shown as decimal):
- Final (FIN) = 1
- Sync (SYN) = 2
- Reset (RST) = 4
- Push (PSH) = 8
- Acknowledgement (ACK) = 16
- Urgent (URG) = 32
- Reserved = 64 and 128 (should be zero)
If multiple flags are set for the TCP header, the value of byte 13 is the binary sum of the values for all the bits that are set. For example:
- FIN, ACK = 17 (1 + 16)
- SYN, ACK = 18 (2 + 16)
- PSH, ACK = 24 (8 + 16)
- FIN, PSH = 9 (1 + 8)
- FIN, PSH, ACK = 25 (1 + 8 + 16)
Command | Comment |
---|---|
tcpdump -n -A -r file-name.pcap 'tcp[13]=24' | PSH, ACK |
tcpdump -n -A -r file-name.pcap 'tcp[13]=25' | FIN, PSH, ACK |
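The byte-13 arithmetic above, as an added example that is not part of the original notes: it encodes the flag table, decodes the flags byte from a constructed TCP header, and builds the filter string, showing that `tcp[13]=24` matches only packets whose flags are exactly PSH+ACK, whereas the mask form `tcp[13] & 24 = 24` matches PSH+ACK with any other flags also set. Function names, the sample header values and the `make_tcp_header` helper are assumptions of this example.

```python
"""Decode the TCP flags byte (tcp[13]) and build tcpdump filter strings.

Added example, not from the original notes or from tcpdump itself.
"""
import struct

# Bit values of byte 13 of the TCP header, as listed in the notes above.
TCP_FLAGS = {"FIN": 1, "SYN": 2, "RST": 4, "PSH": 8, "ACK": 16, "URG": 32}
RESERVED_MASK = 64 | 128  # the two high bits the notes say should be zero


def flags_to_value(names):
    """Sum the bit values for a list of flag names: ('PSH', 'ACK') -> 24."""
    return sum(TCP_FLAGS[n.upper()] for n in names)


def value_to_flags(value):
    """Reverse mapping: 25 -> ['FIN', 'PSH', 'ACK']."""
    return [name for name, bit in TCP_FLAGS.items() if value & bit]


def tcp_flag_byte(tcp_header):
    """Return byte 13 of a raw TCP header, i.e. the flags byte."""
    return tcp_header[13]


def build_filter(names, exact=True):
    """Build the BPF expression for the given flags.

    exact=True  -> 'tcp[13]=24'      : flags must be exactly PSH+ACK.
    exact=False -> 'tcp[13] & 24 = 24': PSH and ACK set, other bits ignored.
    """
    value = flags_to_value(names)
    return f"tcp[13]={value}" if exact else f"tcp[13] & {value} = {value}"


def matches(tcp_header, names, exact=True):
    """Apply the same test the filter performs to a raw header."""
    value = flags_to_value(names)
    byte13 = tcp_flag_byte(tcp_header)
    return byte13 == value if exact else (byte13 & value) == value


def make_tcp_header(src_port, dst_port, flags_value):
    """Constructed 20-byte TCP header (no options; checksum left 0) for testing.

    Bytes 12-13 hold data offset (5 words) in the high nibble and the flags
    in the low byte, so tcp_header[13] == flags_value.
    """
    offset_flags = (5 << 12) | flags_value
    return struct.pack("!HHIIHHHH", src_port, dst_port, 1, 1,
                       offset_flags, 65535, 0, 0)
```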