tcpdump

From RaySoft

tcpdump is a common packet sniffer that runs under the command line. It allows the user to intercept and display TCP/IP and other packets being transmitted or received over a network to which the computer is attached.[1]

Documentation

Syntax

tcpdump [PARAMETER ...] [EXPRESSION]

Parameters

-i INTERFACE, --interface=INTERFACE
Listen on INTERFACE. If unspecified, tcpdump searches the system interface list for the lowest numbered, configured up interface (excluding loopback), which may turn out to be, for example, eth0.
-n
Don't convert host addresses to names.
-p, --no-promiscuous-mode
Don't put the interface into promiscuous mode.
NOTE:
The interface might be in promiscuous mode for some other reason; hence, -p cannot be used as an abbreviation for ether host MAC_ADDRESS or ether broadcast.
-r FILE
Read packets from FILE (which was created with the -w option). Standard input is used if FILE is -.
-s LENGTH
Snarf LENGTH bytes of data from each packet rather than the default of 68. 68 bytes is adequate for IP, ICMP, TCP and UDP but may truncate protocol information from name server and NFS packets.
-w FILE
Write the raw packets to FILE rather than parsing and printing them out. They can later be printed with the -r option. Standard output is used if FILE is -.

Expressions

host HOST
True if either the IPv4/v6 source or destination of the packet is HOST.
src host HOST
True if the IPv4/v6 source field of the packet is HOST.
dst host HOST
True if the IPv4/v6 destination field of the packet is HOST, which may be either an address or a name.
net NETWORK
True if either the IPv4/v6 source or destination address of the packet has a network number of NETWORK.
net NETWORK mask NETMASK
True if the IPv4 address matches NETWORK with the specific NETMASK. May be qualified with source or destination.
NOTE:
This syntax is not valid for IPv6 net.
net NETWORK/LENGTH
True if the IPv4/v6 address matches NETWORK with a netmask LENGTH bits wide. May be qualified with source or destination.
src net NETWORK
True if the IPv4/v6 source address of the packet has a network number of NETWORK.
dst net NETWORK
True if the IPv4/v6 destination address of the packet has a network number of NETWORK. Net may be either a name from '/etc/networks' or a network number.
port PORT
True if either the source or destination port of the packet is PORT.
src port PORT
True if the packet has a source port value of PORT.
dst port PORT
True if the packet has a destination port value of PORT.
less LENGTH
True if the packet has a length less than or equal to LENGTH.
greater LENGTH
True if the packet has a length greater than or equal to LENGTH.
ether proto PROTOCOL
True if the packet is of ether type PROTOCOL. PROTOCOL can be a number or one of the names ip, ip6, arp, rarp, atalk, aarp, decnet, ipx or netbeui.
ip proto PROTOCOL
True if the packet is an IPv4 packet of protocol type PROTOCOL. PROTOCOL can be a number or one of the names icmp, icmp6, igmp, igrp, pim, ah, esp, vrrp, udp or tcp.
ether broadcast
True if the packet is an Ethernet broadcast packet.
ip broadcast
True if the packet is an IPv4 broadcast packet. It checks for both the all-zeroes and all-ones broadcast conventions, and looks up the subnet mask on the interface on which the capture is being done.
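As an added example (not part of this page and not tcpdump's own code), the following Python models the matching rules of the host, net, port, less and greater primitives above over a few constructed packet summaries, so the behaviour of the net NETWORK/LENGTH and net NETWORK mask NETMASK forms can be checked offline, including the IPv6 restriction noted above. The PACKETS list and the select helper are assumptions made for the illustration.

```python
import ipaddress

# Constructed packet summaries for illustration, not a real capture.
PACKETS = [
    {"src": "10.0.0.100", "dst": "192.0.2.53", "sport": 51234, "dport": 53, "len": 74},
    {"src": "192.0.2.53", "dst": "10.0.0.100", "sport": 53, "dport": 51234, "len": 1500},
    {"src": "2001:db8::1", "dst": "2001:db8:1::80", "sport": 40000, "dport": 443, "len": 120},
    {"src": "10.0.1.7", "dst": "10.0.0.255", "sport": 137, "dport": 137, "len": 92},
]

# direction=None means "either source or destination", as in the unqualified forms.
_FIELDS = {None: ("src", "dst"), "src": ("src",), "dst": ("dst",)}
_PORTS = {None: ("sport", "dport"), "src": ("sport",), "dst": ("dport",)}

def host(pkt, addr, direction=None):
    """host HOST / src host HOST / dst host HOST (IPv4 or IPv6 address)."""
    target = ipaddress.ip_address(addr)
    return any(ipaddress.ip_address(pkt[f]) == target for f in _FIELDS[direction])

def net(pkt, spec, direction=None):
    """net NETWORK/LENGTH (IPv4 or IPv6) or net NETWORK mask NETMASK (IPv4 only)."""
    if " mask " in spec:
        network, mask = spec.split(" mask ")
        if ipaddress.ip_address(network).version != 4:
            raise ValueError("'net NETWORK mask NETMASK' is not valid for IPv6")
        cidr = ipaddress.ip_network(f"{network}/{mask}", strict=False)
    else:
        cidr = ipaddress.ip_network(spec, strict=False)
    # An address of the other IP version is never inside the network.
    return any(ipaddress.ip_address(pkt[f]) in cidr for f in _FIELDS[direction])

def port(pkt, number, direction=None):
    """port PORT / src port PORT / dst port PORT."""
    return any(pkt[f] == number for f in _PORTS[direction])

def less(pkt, length):
    """less LENGTH: packet length less than or equal to LENGTH."""
    return pkt["len"] <= length

def greater(pkt, length):
    """greater LENGTH: packet length greater than or equal to LENGTH."""
    return pkt["len"] >= length

def select(predicate, packets=PACKETS):
    """Indices of the packets a filter keeps; combine primitives with and/or/not."""
    return [i for i, p in enumerate(packets) if predicate(p)]

if __name__ == "__main__":
    # Equivalent of the filter: host 10.0.0.100 and port 53
    print(select(lambda p: host(p, "10.0.0.100") and port(p, 53)))
```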

Examples

Capturing with tcpdump for viewing with Wireshark
tcpdump -s 0 -w 'mycapture.pcap' host '10.0.0.100'

References