tcpdump examples
================

Public domain

********************************************************************************

# tcpdump -i eth1 -nq

    -i : Listen on interface.
    -n : Don't convert host addresses to names.
    -q : Quick (quiet?) output: print less protocol information, so output lines are shorter.

# tcpdump -i eth1 -nq -xX -c 6 -e

    -x : Print each packet (minus its link-level header) in hex.
    -X : When printing hex, print ASCII too.
    -c : Exit after receiving count packets.
    -e : Print the link-level header on each dump line.

# tcpdump -i eth1 -nq -xX -c 6 -w test

    -w : Write the raw packets to file.

# tcpdump -i eth1 -nq -xX -c 6 -r test

    -r : Read packets from file.

# tcpdump -i eth0 -nq net 172.16.10
# tcpdump -i eth0 -nq net 172.16.10 and port 80
# tcpdump -i eth0 -nq net 172.16.10 and not port 22
# tcpdump -i eth0 -nq src net 172.16.10 and not port 22
# tcpdump -i eth0 -nq dst 172.16.10.248 and not port 22 and udp

# tcpdump -i ppp0 -nq -G 3600 -w dump--%F--%H-%M-%S.dump "not src or dst 8.8.8.8 and not src or dst 4.2.2.4"

    -G : Rotate the -w dump file every rotate_seconds seconds; the file name is
         expanded with strftime(3), so %F--%H-%M-%S becomes the rotation timestamp.

# tcpdump -i eth0 -nq src 172.16.10.248 and dst port 80 and less 512

    less : True if the packet has a length less than or equal to length.

# tcpdump -i eth0 -nq src 172.16.10.248 and dst port 80 and greater 32

    greater : True if the packet has a length greater than or equal to length.

# tcpdump -i eth0 -nq ether broadcast

    broadcast : True if the packet is an Ethernet broadcast packet.

# tcpdump -i eth1 -enq ether host "00:15:6d:b6:05:73"

    ether host : Show frames with this MAC address as source or destination.

# tcpdump -i ppp0 -nq icmp[icmptype] = icmp-echoreply or icmp[icmptype] = icmp-echo

# man pcap-filter

    Packet filter syntax manual.

********************************************************************************

### Read complete packet

tcpdump -enn -vvv -XX -Ss0 -tttt -i eth0 host 192.168.1.10

    -nn   : Don't convert addresses or port numbers to names.
    -vvv  : Maximum verbosity.
    -XX   : Print hex and ASCII including the link-level header.
    -S    : Print absolute rather than relative TCP sequence numbers.
    -s0   : Snapshot length 0, i.e. capture the whole packet.
    -tttt : Print a timestamp with date and time on each line.

********************************************************************************

_BY: Pejman Moghadam_
_TAG: tcpdump_
_DATE: 2011-03-29 13:17:29_
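The `-w`/`-r` save file and the `net 172.16.10 and not port 22` filter above, as an added example that is not part of these notes: a Python reader for the pcap format that `tcpdump -w` writes, applying the same filter to a constructed capture. The sample addresses, ports and frames are constructed; the MAC address is the one from the notes, reused as a sample source.

```python
import struct
from ipaddress import ip_address, ip_network

def build_frame(src, dst, proto, sport, dport, payload=b""):
    """Constructed Ethernet/IPv4/{TCP=6,UDP=17} frame; checksums left zero."""
    if proto == 17:
        l4 = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    else:
        l4 = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 8192, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64, proto, 0,
                     ip_address(src).packed, ip_address(dst).packed)
    # Ethernet: broadcast dst, the MAC from the notes as src, ethertype 0x0800 (IPv4)
    return b"\xff" * 6 + b"\x00\x15\x6d\xb6\x05\x73" + b"\x08\x00" + ip + l4

def build_pcap(frames):
    """pcap image as `tcpdump -w` writes it: 24-byte global header, then per frame
    a 16-byte record header (ts_sec, ts_usec, incl_len, orig_len) and raw bytes."""
    head = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)  # linktype 1 = Ethernet
    recs = (struct.pack("<IIII", 0, 0, len(f), len(f)) + f for f in frames)
    return head + b"".join(recs)

def read_pcap(data):
    """Yield (src, dst, proto, sport, dport, caplen) for every IPv4 record."""
    off = 24
    while off < len(data):
        _, _, caplen, _ = struct.unpack_from("<IIII", data, off)
        frame = data[off + 16:off + 16 + caplen]
        off += 16 + caplen
        if frame[12:14] != b"\x08\x00":      # skip non-IPv4 ethertypes
            continue
        ihl = (frame[14] & 0x0F) * 4          # IPv4 header length in bytes
        proto = frame[23]
        src, dst = str(ip_address(frame[26:30])), str(ip_address(frame[30:34]))
        l4 = frame[14 + ihl:]
        sport, dport = struct.unpack_from("!HH", l4) if proto in (6, 17) else (None, None)
        yield src, dst, proto, sport, dport, caplen

def matches(pkt, net="172.16.10.0/24", skip_port=22):
    """Python equivalent of the filter `net 172.16.10 and not port 22`."""
    src, dst, _, sport, dport, _ = pkt
    in_net = ip_address(src) in ip_network(net) or ip_address(dst) in ip_network(net)
    return in_net and skip_port not in (sport, dport)

# Constructed sample capture: HTTP into the net, SSH out of the net, DNS elsewhere.
CAPTURE = build_pcap([
    build_frame("10.0.0.5", "172.16.10.248", 6, 40000, 80, b"GET / HTTP/1.0\r\n"),
    build_frame("172.16.10.7", "10.0.0.5", 6, 51000, 22),
    build_frame("10.0.0.5", "8.8.8.8", 17, 53000, 53),
])

def filtered(data=CAPTURE):
    """Records that survive the filter, as `tcpdump -r test net 172.16.10 and not port 22` would show."""
    return [p for p in read_pcap(data) if matches(p)]
```

Only the classic little-endian pcap header with microsecond timestamps is handled; a file with the nanosecond magic or a non-Ethernet link type needs a different header layout.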