tcpdump

dump traffic on a network

copy
62
5
tcpdump 'tcp port 80 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)'To print all IPv4 HTTP packets to and from port 80, i.e. print only packets that contain data, not, for example, SYN and FIN packets and ACK-only packets. (IPv6 is left as an exercise for the reader.)

details |

copy
23
0
tcpdump host sundownTo print all packets arriving at or departing from sundown:

details |

copy
16
0
tcpdump 'tcp[tcpflags] & (tcp-syn|tcp-fin) != 0 and not src and dst net localnet'To print the start and end packets (the SYN and FIN packets) of each TCP conversation that involves a non-local host.

details |

copy
16
0
tcpdump 'tcp port 80 and (((ip[2:2] - ((ip[0]\&0xf)<<2)) - ((tcp[12]\&0xf0)>>2)) != 0)'

source | details |

copy
13
3
tcpdump 'ether[0] & 1 = 0 and ip[16] >= 224'To print IP broadcast or multicast packets that were not sent via Ethernet broadcast or multicast:

details |

copy
12
0
tcpdump ip and not net localnetTo print traffic neither sourced from nor destined for local hosts (if you gateway to one other net, this stuff should never make it onto your local net).

details |

copy
5
0
tcpdump 'icmp[icmptype] != icmp-echo and icmp[icmptype] != icmp-echoreply'

source | details |

copy
9
0
tcpdump host helios and ( hot or ace )To print traffic between helios and either hot or ace:

details |

copy
8
0
tcpdump ip and not net localnet

source | details |

copy
8
0
tcpdump 'gateway snup and (port ftp or ftp-data)'

source | details |

copy
6
0
tcpdump -i eth1 not port 23Listen on interface eth1 and exclude traffic from port 23

6 years, 4 months ago john 0 | details |

copy
7
1
tcpdump 'gateway snup and ip[2:2] > 576'To print IP packets longer than 576 bytes sent through gateway snup:

details |

copy
7
0
tcpdump net ucb-etherTo print all traffic between local hosts and hosts at Berkeley:

details |

copy
7
0
tcpdump ip host ace and not helios

source | details |

copy
6
0
tcpdump 'gateway snup and (port ftp or ftp-data)'To print all ftp traffic through internet gateway snup: (note that the expression is quoted to prevent the shell from (mis-)interpreting the parentheses):

details |

copy
8
2
tcpdump 'icmp[icmptype] != icmp-echo and icmp[icmptype] != icmp-echoreply'To print all ICMP packets that are not echo requests/replies (i.e., not ping packets):

details |

copy
6
0
tcpdump -i eth0 -n -s 16384 port 53 -XXDump all dns records

6 years, 4 months ago MikeJudge 4 | details |

copy
12
1
tcpdump ip host ace and not heliosTo print all IP packets between ace and any host except helios:

details |