msenturk
6/25/2017 - 10:41 AM

tcpdump cheatsheet

TCPDUMP

OPTIONS

-i any          : Listen on all interfaces just to see if you’re seeing any traffic.
-i eth0         : Listen on the eth0 interface.
-D              : Show the list of available interfaces.
-n              : Don’t resolve hostnames.
-nn             : Don’t resolve hostnames or port names.
-q              : Be less verbose (quiet); show less protocol information.
-t              : Give human-readable timestamp output.
-tttt           : Give maximally human-readable timestamp output.
-X              : Show the packet’s contents in both hex and ASCII.
-XX             : Same as -X, but also shows the ethernet header.
-v, -vv, -vvv   : Increase the amount of packet information you get back.
-c N            : Only get N packets and then stop.
-s N            : Define the snaplength (size) of the capture in bytes. Use -s0 to get everything, unless you are intentionally capturing less.
-S              : Print absolute sequence numbers.
-e              : Get the ethernet header as well.
-E              : Decrypt IPSEC traffic by providing an encryption key.


# Verbose output, with no resolution of hostnames or port numbers, absolute sequence numbers, and human-readable timestamps.

	tcpdump -ttttnnvvS

	tcpdump -ttttnnvvS host 1.2.3.4
	
	tcpdump -nnvXSs 0 -c1 icmp
	
# All traffic from 10.5.2.3 going to any host on port 3389

	tcpdump -nnvvS src 10.5.2.3 and dst port 3389

# This will show us all traffic going to 192.168.0.2 that is not ICMP.

	tcpdump dst 192.168.0.2 and not icmp

# Traffic that’s from 10.0.2.4 AND destined for ports 3389 or 22 (incorrect)

	tcpdump 'src 10.0.2.4 and (dst port 3389 or 22)'	
	


# Capture RST, SYN or FIN packets using the tcpflags option (the flags byte must equal that one flag)

tcpdump 'tcp[tcpflags] == tcp-rst'
tcpdump 'tcp[tcpflags] == tcp-syn'
tcpdump 'tcp[tcpflags] == tcp-fin'



# PACKETS WITH BOTH THE RST AND SYN FLAGS SET (THIS SHOULD NEVER BE THE CASE)
 tcpdump 'tcp[13] = 6'

# FIND CLEARTEXT HTTP GET REQUEST
 tcpdump 'tcp[32:4] = 0x47455420'



# TCP Flags
Unskilled Attackers Pester Real Security Folks

Unskilled = URG
Attackers = ACK
Pester    = PSH
Real      = RST = Immediate Session Teardowns (drop session)
Security  = SYN = New Connection Request
Folks     = FIN

Flag   U    A    P    R    S    F
Value  32   16   8    4    2    1

# Find All SYN packets 
 tcpdump 'tcp[13] & 2 != 0'
 
# Find all RST packets
 tcpdump 'tcp[13] & 4 != 0' 

# Find all ACK packets
 tcpdump 'tcp[13] & 16 != 0'
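The flag filters above and the cleartext GET filter both index raw bytes of the TCP header, so it helps to see exactly what `tcp[13] = 6`, `tcp[13] & 2 != 0` and `tcp[32:4] = 0x47455420` compare. This added example (not part of the cheatsheet) builds constructed TCP segments and evaluates those same byte tests in Python; it also shows that the fixed offset 32 only finds "GET " when the TCP header happens to be 32 bytes long, while reading the header length from tcp[12] works for any option length.

```python
import struct

# Flag bit values from the UAPRSF table above (URG=32 ... FIN=1).
FLAGS = {"URG": 32, "ACK": 16, "PSH": 8, "RST": 4, "SYN": 2, "FIN": 1}

def build_tcp_segment(flags, options=b"", payload=b""):
    """Construct a TCP segment (header + options + payload) carrying `flags`.
    Ports, sequence numbers, window and checksum are dummy values."""
    if len(options) % 4:
        raise ValueError("TCP options must be padded to a 4-byte boundary")
    data_offset = 5 + len(options) // 4          # header length in 32-bit words
    byte12 = (data_offset << 4) & 0xF0           # tcp[12]: data offset in the high nibble
    header = struct.pack("!HHIIBBHHH", 40000, 80, 1, 0, byte12, flags, 65535, 0, 0)
    return header + options + payload

def exact_flags(segment, value):
    """tcp[13] = value, which is also what tcp[tcpflags] == tcp-syn does:
    the whole flags byte must equal `value`, so a SYN-ACK is NOT a match for tcp-syn."""
    return segment[13] == value

def has_flag(segment, name):
    """tcp[13] & bit != 0: the named flag is set, regardless of the other bits."""
    return segment[13] & FLAGS[name] != 0

def header_length(segment):
    """(tcp[12] & 0xf0) >> 2: header length in bytes, i.e. where the payload starts."""
    return (segment[12] & 0xF0) >> 2

def get_at_fixed_offset(segment):
    """The page's tcp[32:4] = 0x47455420 test ('GET ' at byte 32 of the segment).
    Only true when the header is exactly 32 bytes (20 + 12 bytes of options)."""
    return segment[32:36] == b"GET "

def get_at_header_end(segment):
    """Same test, but locating the payload from the data offset instead of a fixed 32."""
    start = header_length(segment)
    return segment[start:start + 4] == b"GET "

if __name__ == "__main__":
    syn_ack = build_tcp_segment(FLAGS["SYN"] | FLAGS["ACK"])
    print("SYN-ACK matches tcp[13] = 2:", exact_flags(syn_ack, 2))        # False
    print("SYN-ACK matches tcp[13] & 2 != 0:", has_flag(syn_ack, "SYN"))  # True
    # Constructed options: NOP, NOP, Timestamps (kind 8, length 10) = 12 bytes.
    opts = b"\x01\x01\x08\x0a" + b"\x00" * 8
    req = b"GET / HTTP/1.1\r\n"
    print("GET with 32-byte header:", get_at_fixed_offset(build_tcp_segment(24, opts, req)))  # True
    print("GET with 20-byte header:", get_at_fixed_offset(build_tcp_segment(24, b"", req)))   # False
```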