tcpdump cheatsheet
TCPDUMP
OPTIONS
-i any : Listen on all interfaces just to see if you’re seeing any traffic.
-i eth0 : Listen on the eth0 interface.
-D : Show the list of available interfaces
-n : Don’t resolve hostnames.
-nn : Don’t resolve hostnames or port names.
-q : Be less verbose (more quiet) with your output.
-t : Give human-readable timestamp output.
-tttt : Give maximally human-readable timestamp output.
-X : Show the packet’s contents in both hex and ASCII.
-XX : Same as -X, but also shows the ethernet header.
-v, -vv, -vvv : Increase the amount of packet information you get back.
-c : Only get x number of packets and then stop.
-s : Define the snaplength (size) of the capture in bytes. Use -s0 to get everything, unless you are intentionally capturing less.
-S : Print absolute sequence numbers.
-e : Get the ethernet header as well.
-q : Show less protocol information.
-E : Decrypt IPSEC traffic by providing an encryption key.
# Verbose output, with no resolution of hostnames or port numbers, absolute sequence numbers, and human-readable timestamps.
tcpdump -ttttnnvvS
tcpdump -ttttnnvvS host 1.2.3.4
tcpdump -nnvXSs 0 -c1 icmp
# All traffic from 10.5.2.3 going to any host on port 3389
tcpdump -nnvvS src 10.5.2.3 and dst port 3389
# This will show us all traffic going to 192.168.0.2 that is not ICMP.
tcpdump dst 192.168.0.2 and src net and not icmp
# Traffic that’s from 10.0.2.4 AND destined for ports 3389 or 22 (incorrect)
tcpdump 'src 10.0.2.4 and (dst port 3389 or 22)'
# Capture RST Flags Using the tcpflags option…
tcpdump 'tcp[tcpflags] == tcp-rst'
tcpdump 'tcp[tcpflags] == tcp-syn'
tcpdump 'tcp[tcpflags] == tcp-fin'
# PACKETS WITH BOTH THE RST AND SYN FLAGS SET (THIS SHOULD NEVER BE THE CASE)
tcpdump 'tcp[13] = 6'
# FIND CLEARTEXT HTTP GET REQUEST
tcpdump 'tcp[32:4] = 0x47455420'
# TCP Flags
Unskilled Attackers Pester Real Security Folks
Unskilled = URG
Attackers = ACK
Pester = PSH
Real = RST = Immediate Session Teardowns (drop session)
Security = SYN = New Connection Request
Folks = FIN
U A P R S F
32 16 8 4 2 1
# Find All SYN packets
tcpdump 'tcp[13] & 2 != 0'
# Find all RST packets
tcpdump 'tcp[13] & 4 != 0'
# Find all ACK packets
tcpdump 'tcp[13] & 16 !=0'