
tcpdump

PLEASE NOTE: I am in the process of making my notes public. This docs section is still work in progress. It currently is a summary of random tips for various things.
Found a mistake? Want to add something? Feel free to open an issue, send a pull request or an e-mail.

Source - Contributions are welcome!

General info:
Homepage
Wikipedia
Manual
Useful links:
Blog posts

Basics

Show interfaces tcpdump can capture on:
sudo tcpdump -D
Prevent host and port resolution:
-nn
Write results to file:
-w nameforresults.cap
Read saved capture file:
-r nameforresults.cap # filters can be added

Logical Operators

AND:
and / &&
OR:
or / ||
EXCEPT:
not / !

Filter

Filter hosts:
host 192.168.178.1
src 10.0.0.1
dst 10.0.0.1
net 10.0.0.0/24
Filter port:
port 53
src port 53
portrange 22-23

ICMP

Capture pings:
sudo tcpdump -i eth0 icmp

DNS

Capture DNS:
sudo tcpdump -i eth0 udp port 53
Output:
21:20:47.062907 IP mydevice.53242 > pi.hole.domain: 41452+ A? ittavern.com. (30)
21:20:47.357179 IP pi.hole.domain > mydevice.53242: 41452 1/0/0 A 95.216.194.187 (46)

Use -w to write the output to a file, e.g. tcpdump -i eth0 udp port 53 -w dns.cap
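Added example, not part of the original notes: a small Python parser for the tcpdump DNS output format shown above. It pairs each query with its answer by client/server endpoint and DNS transaction id and reports the lookup latency, which is handy when reviewing a saved capture for slow or unanswered lookups. The sample text is constructed from the two lines above plus one made-up unanswered query.

```python
import re

# Constructed sample modelled on the tcpdump output shown above; the third
# line is an added query with no matching answer.
SAMPLE = """\
21:20:47.062907 IP mydevice.53242 > pi.hole.domain: 41452+ A? ittavern.com. (30)
21:20:47.357179 IP pi.hole.domain > mydevice.53242: 41452 1/0/0 A 95.216.194.187 (46)
21:20:48.100000 IP mydevice.53243 > pi.hole.domain: 41453+ AAAA? ittavern.com. (30)
"""

# timestamp, src, dst, DNS id, optional '+' (recursion desired), payload, length
LINE_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d{6}) IP (?P<src>\S+) > (?P<dst>\S+): "
    r"(?P<id>\d+)(?P<plus>\+?) (?P<rest>.+) \((?P<length>\d+)\)$"
)
QUERY_RE = re.compile(r"^(?P<qtype>\w+)\? (?P<qname>\S+)$")
# answer: optional rcode (e.g. NXDomain), ans/auth/add counts, optional records
ANSWER_RE = re.compile(r"^(?:(?P<rcode>\w+) )?(?P<counts>\d+/\d+/\d+)(?: (?P<records>.+))?$")


def ts_to_seconds(ts):
    h, m, s = ts.split(":")
    return int(h) * 3600 + int(m) * 60 + float(s)


def parse_line(line):
    """Return a dict for one tcpdump DNS line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = {"t": ts_to_seconds(m["ts"]), "src": m["src"], "dst": m["dst"],
           "id": int(m["id"]), "length": int(m["length"])}
    q = QUERY_RE.match(m["rest"])
    if q:
        rec.update(kind="query", qtype=q["qtype"], qname=q["qname"].rstrip("."))
        return rec
    a = ANSWER_RE.match(m["rest"])
    if a:
        rec.update(kind="answer", rcode=a["rcode"] or "NOERROR", records=a["records"])
        return rec
    return None


def pair_queries(text):
    """Match answers to queries by (client, server, id); unanswered ones come last."""
    pending, results = {}, []
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["kind"] == "query":
            pending[(rec["src"], rec["dst"], rec["id"])] = rec
            continue
        q = pending.pop((rec["dst"], rec["src"], rec["id"]), None)
        if q:
            results.append({"qname": q["qname"], "qtype": q["qtype"], "rcode": rec["rcode"],
                            "records": rec["records"],
                            "latency_ms": round((rec["t"] - q["t"]) * 1000, 1)})
    for q in pending.values():
        results.append({"qname": q["qname"], "qtype": q["qtype"], "rcode": None,
                        "records": None, "latency_ms": None})
    return results
```

Feed it the text of a live run (`sudo tcpdump -i eth0 -nn udp port 53`) or of `tcpdump -r dns.cap udp port 53`; with -nn the endpoints appear as addresses instead of names, which the regex also accepts.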


TODO:
placeholder