TcpDump Examples

List of interfaces on which tcpdump can listen: tcpdump -D

Capture any packets where the destination port is between 1 and 1023 inclusive, displaying IP addresses and port numbers instead of resolving names: tcpdump -n dst portrange 1-1023

Capture any packets with destination IP 192.168.1.1 and destination port 80 or 443. Display IP addresses and port numbers: tcpdump -n 'dst host 192.168.1.1 and (dst port 80 or dst port 443)'

If you're looking for packets of a particular size you can use these options. less N matches packets of at most N bytes (the same as len <= N) and greater N matches packets of at least N bytes (len >= N). The relational form has to be quoted, otherwise the shell treats < or > as a redirection instead of passing it to tcpdump.

tcpdump less 32
tcpdump greater 64
tcpdump 'len <= 128'

To print all packets arriving at or departing from sundown:

tcpdump host sundown

To print traffic between helios and either hot or ace:

tcpdump host helios and \( hot or ace \)

To print all IP packets between ace and any host except helios:

tcpdump ip host ace and not helios

To print all traffic between local hosts and hosts at Berkeley:

tcpdump net ucb-ether

To print all ftp traffic through internet gateway snup (note that the expression is quoted to prevent the shell from (mis-)interpreting the parentheses):

tcpdump 'gateway snup and (port ftp or ftp-data)'

To print traffic neither sourced from nor destined for local hosts (if you gateway to one other net, this stuff should never make it onto your local net):

tcpdump ip and not net localnet

To print the start and end packets (the SYN and FIN packets) of each TCP conversation that involves a non-local host:

tcpdump 'tcp[tcpflags] & (tcp-syn|tcp-fin) != 0 and not src and dst net localnet'

To print all IPv4 HTTP packets to and from port 80, i.e. print only packets that contain data, not, for example, SYN and FIN packets and ACK-only packets. (IPv6 is left as an exercise for the reader.)

tcpdump 'tcp port 80 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)'
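
To make the arithmetic in that expression concrete, here is an added Python example (it is not from the original page and not part of tcpdump) that builds constructed IPv4/TCP packets with struct and evaluates the same byte offsets the way pcap-filter does: ip[N] counts from the start of the IP header, tcp[N] from the start of the TCP header. The build_ipv4_tcp, ip, tcp and tcp_payload_length functions, the sample addresses and the sample payloads are assumptions of the example.

```python
import struct

# Constructed packets for illustration only; they are built here, not captured.
def build_ipv4_tcp(payload=b"", tcp_options=b"", ip_options=b"", flags=0x18):
    """Return IPv4 header (+options) + TCP header (+options) + payload.
    Options are padded to 4-byte multiples so IHL and data offset stay valid."""
    ip_options += b"\x00" * (-len(ip_options) % 4)
    tcp_options += b"\x00" * (-len(tcp_options) % 4)
    ihl = 5 + len(ip_options) // 4            # IP header length in 32-bit words
    doff = 5 + len(tcp_options) // 4          # TCP data offset in 32-bit words
    tcp_hdr = struct.pack("!HHIIBBHHH", 40000, 80, 1, 1, doff << 4, flags, 65535, 0, 0)
    segment = tcp_hdr + tcp_options + payload
    total_len = ihl * 4 + len(segment)
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x40 | ihl, 0, total_len, 0, 0, 64, 6, 0,
                         bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))  # assumed addresses
    return ip_hdr + ip_options + segment

def ip(pkt, off, width=1):
    """pcap-filter's ip[off:width]: big-endian integer, offset from the IP header."""
    return int.from_bytes(pkt[off:off + width], "big")

def tcp(pkt, off, width=1):
    """pcap-filter's tcp[off:width]: offset from the TCP header, which starts
    (ip[0]&0xf)<<2 bytes into the packet (IHL in words times 4)."""
    base = (ip(pkt, 0) & 0x0F) << 2
    return int.from_bytes(pkt[base + off:base + off + width], "big")

def tcp_payload_length(pkt):
    """The page's expression: (ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2).
    ip[2:2] is the IP total length, (ip[0]&0xf)<<2 the IP header length in bytes,
    (tcp[12]&0xf0)>>2 the TCP header length in bytes; what is left is the payload."""
    return (ip(pkt, 2, 2) - ((ip(pkt, 0) & 0x0F) << 2)) - ((tcp(pkt, 12) & 0xF0) >> 2)

def carries_data(pkt):
    """True for packets the 'tcp port 80 and (... != 0)' filter would print."""
    return tcp_payload_length(pkt) != 0

# Constructed samples: a request, a bare ACK, an ACK carrying 12 bytes of TCP
# timestamp options but no data, and a response behind both IP and TCP options.
TIMESTAMP_OPT = b"\x01\x01\x08\x0a" + b"\x00" * 8
ROUTER_ALERT_OPT = b"\x94\x04\x00\x00"
SAMPLES = {
    "GET with data": build_ipv4_tcp(b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n"),
    "bare ACK": build_ipv4_tcp(flags=0x10),
    "ACK with options, no data": build_ipv4_tcp(tcp_options=TIMESTAMP_OPT, flags=0x10),
    "data behind IP and TCP options": build_ipv4_tcp(b"HTTP/1.1 200 OK\r\n",
                                                     TIMESTAMP_OPT, ROUTER_ALERT_OPT),
}

def filter_matches():
    """Names of the samples the data-only filter keeps."""
    return [name for name, pkt in SAMPLES.items() if carries_data(pkt)]

if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        print(f"{name}: payload length {tcp_payload_length(pkt)}")
```

Run it directly to print the payload length of each sample. The two option-bearing samples are why the filter subtracts both header lengths instead of assuming a fixed 40 bytes: an ACK padded with timestamp options has no data and must be excluded, while a response behind IP and TCP options still has data and must be kept.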

To print IP packets longer than 576 bytes sent through gateway snup:

tcpdump 'gateway snup and ip[2:2] > 576'

To print IP broadcast or multicast packets that were not sent via Ethernet broadcast or multicast:

tcpdump 'ether[0] & 1 = 0 and ip[16] >= 224'

To print all ICMP packets that are not echo requests/replies (i.e., not ping packets):

tcpdump 'icmp[icmptype] != icmp-echo and icmp[icmptype] != icmp-echoreply'

Here are some examples of combined commands.

From specific IP and destined for a specific Port

Let’s find all traffic from 10.5.2.3 going to any host on port 3389.

tcpdump -nnvvS src 10.5.2.3 and dst port 3389

From One Network to Another

Let's look for all traffic coming from 192.168.x.x and going to the 10.x or 172.16.x.x networks, showing hex output with no hostname resolution and one level of extra verbosity. Because and binds more tightly than or, the two destination networks have to be grouped in parentheses (and the expression quoted for the shell).

tcpdump -nvX 'src net 192.168.0.0/16 and (dst net 10.0.0.0/8 or dst net 172.16.0.0/16)'

Non ICMP Traffic Going to a Specific IP

This will show us all traffic going to 192.168.0.2 that is not ICMP.

tcpdump dst 192.168.0.2 and not icmp

Traffic From a Host That Isn't on a Specific Port

This will show us all traffic from a host that isn’t SSH traffic (assuming default port usage).

tcpdump -vv src mars and not dst port 22

As you can see, you can build queries to find just about anything you need. The key is to first figure out precisely what you’re looking for and then to build the syntax to isolate that specific type of traffic.

Keep in mind that when you're building complex queries you might have to group your options using single quotes. The single quotes stop the shell from interpreting special characters, in this case the "( )" parentheses, so that they reach tcpdump as part of the filter expression. The same technique can be used to group other primitives such as host, port, net, etc.

tcpdump 'src 10.0.2.4 and (dst port 3389 or 22)'

Isolate TCP Flags

You can also use filters to isolate packets with specific TCP flags set.

Isolate TCP RST flags.

The filters below work because tcp[13] is the byte at offset 13 in the TCP header, which holds the flag bits: FIN is 1, SYN is 2, RST is 4, PSH is 8, ACK is 16 and URG is 32. ANDing that byte with one of those values and testing != 0 means the flag in question is set to 1, i.e. it's on, regardless of which other flags are set alongside it. The tcp[tcpflags] == tcp-xxx form is stricter: it matches only packets in which that flag is the only one set, so tcp[tcpflags] == tcp-syn catches a bare SYN but not a SYN-ACK.

tcpdump 'tcp[13] & 4!=0'
tcpdump 'tcp[tcpflags] == tcp-rst'

Isolate TCP SYN flags.

tcpdump 'tcp[13] & 2!=0'
tcpdump 'tcp[tcpflags] == tcp-syn'

Isolate packets that have both the SYN and ACK flags set.

tcpdump 'tcp[13]=18'

Only the PSH, RST, SYN, and FIN flags are displayed in tcpdump's flag field output. URGs and ACKs are displayed, but they are shown elsewhere in the output rather than in the flags field.

Isolate TCP URG flags.

tcpdump 'tcp[13] & 32!=0'
tcpdump 'tcp[tcpflags] == tcp-urg'

Isolate TCP ACK flags.

tcpdump 'tcp[13] & 16!=0'
tcpdump 'tcp[tcpflags] == tcp-ack'

Isolate TCP PSH flags.

tcpdump 'tcp[13] & 8!=0'
tcpdump 'tcp[tcpflags] == tcp-psh'

Isolate TCP FIN flags.

tcpdump 'tcp[13] & 1!=0'
tcpdump 'tcp[tcpflags] == tcp-fin'

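As an added example that is not from the original page, the Python below applies both forms of flag test from this section to a constructed sequence of flag bytes and renders each byte the way tcpdump's bracketed flag field ([S], [S.], [P.], [F.], [R.]) does. The constant names, the CONNECTION list and the helper functions are assumptions of the example.

```python
# TCP flag bits in the byte the page addresses as tcp[13].
FIN, SYN, RST, PSH, ACK, URG = 1, 2, 4, 8, 16, 32

def flag_set(flags_byte, mask):
    """'tcp[13] & mask != 0': the flag is on, whatever else is set alongside it."""
    return (flags_byte & mask) != 0

def flags_exactly(flags_byte, value):
    """'tcp[13] == value': only those bits are set. tcp[13]=18 is SYN+ACK and nothing else."""
    return flags_byte == value

def tcpdump_flags(flags_byte):
    """Render the flag byte like tcpdump's bracketed flag field:
    letters for FIN/SYN/RST/PSH/URG in that order, '.' for ACK."""
    order = ((FIN, "F"), (SYN, "S"), (RST, "R"), (PSH, "P"), (ACK, "."), (URG, "U"))
    return "".join(letter for bit, letter in order if flags_byte & bit)

# Constructed flag bytes for one short connection (no real capture involved):
# handshake, one data push, orderly close, then a late RST+ACK.
CONNECTION = [SYN, SYN | ACK, ACK, PSH | ACK, FIN | ACK, ACK, RST | ACK]

def keep(packets, predicate):
    """(index, rendered flags) for every packet the predicate matches."""
    return [(i, tcpdump_flags(f)) for i, f in enumerate(packets) if predicate(f)]

def syn_any():       # tcp[13] & 2 != 0: the SYN and the SYN-ACK
    return keep(CONNECTION, lambda f: flag_set(f, SYN))

def syn_only():      # tcp[tcpflags] == tcp-syn: the bare SYN only
    return keep(CONNECTION, lambda f: flags_exactly(f, SYN))

def syn_ack():       # tcp[13] = 18: the SYN-ACK only
    return keep(CONNECTION, lambda f: flags_exactly(f, SYN | ACK))

def rst_any():       # tcp[13] & 4 != 0: catches the RST+ACK
    return keep(CONNECTION, lambda f: flag_set(f, RST))

def rst_only():      # tcp[tcpflags] == tcp-rst: misses it, since ACK is also set
    return keep(CONNECTION, lambda f: flags_exactly(f, RST))

if __name__ == "__main__":
    for name, fn in [("SYN (mask)", syn_any), ("SYN (exact)", syn_only),
                     ("SYN-ACK", syn_ack), ("RST (mask)", rst_any), ("RST (exact)", rst_only)]:
        print(f"{name}: {fn()}")
```

The RST pair is the practical lesson: resets sent on an established connection almost always carry ACK as well, so the mask form finds them and the exact-match form does not.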
Everyday Recipe Examples

Because tcpdump can output content in ASCII, you can use it to search for cleartext content using other command-line tools like grep.

Finally, now that we have the theory out of the way, here are a number of quick recipes you can use for catching various kinds of traffic.

Both SYN and RST Set

tcpdump 'tcp[13] = 6'

Find HTTP User Agents

The -l switch line-buffers the output, so you see the traffic as you're capturing it, and it helps when sending the output to commands like grep.

tcpdump -vvAls0 | grep 'User-Agent:'

Cleartext GET Requests

tcpdump -vvAls0 | grep 'GET'

Find HTTP Host Headers

tcpdump -vvAls0 | grep 'Host:'

Find HTTP Cookies

tcpdump -vvAls0 | grep -E 'Set-Cookie|Host:|Cookie:'

Find SSH Connections

This one works regardless of what port the connection comes in on, because it matches the banner the server sends rather than the port number: the filter reads the 4 bytes at the start of the TCP payload (tcp[12]>>2 is the TCP header length in bytes) and compares them with 0x5353482D, the ASCII for "SSH-".

tcpdump 'tcp[(tcp[12]>>2):4] = 0x5353482D'

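The following added Python (not from the page or from tcpdump) implements that filter over constructed TCP segments: it takes the data offset from tcp[12], jumps to the first payload byte, and compares 4 bytes with 0x5353482D. The segment builder, the sample ports and the banner strings are assumptions of the example.

```python
import struct

SSH_MAGIC = 0x5353482D   # the bytes b"SSH-" read as one big-endian 32-bit integer

def tcp_field(seg, off, width=1):
    """pcap-filter's tcp[off:width] on a bare TCP segment (offsets from the TCP header).
    Reading past the end of the segment never matches, as in tcpdump."""
    if off + width > len(seg):
        return None
    return int.from_bytes(seg[off:off + width], "big")

def payload_offset(seg):
    """tcp[12]>>2: the data-offset nibble counts 32-bit words and sits in the high
    nibble, so shifting the whole byte right by 2 yields the header length in bytes."""
    return tcp_field(seg, 12) >> 2

def is_ssh_banner(seg):
    """The page's filter: tcp[(tcp[12]>>2):4] = 0x5353482D."""
    return tcp_field(seg, payload_offset(seg), 4) == SSH_MAGIC

def segment(sport, dport, payload, options=b""):
    """Constructed TCP segment (no IP header): 20-byte header, padded options, payload."""
    options += b"\x00" * (-len(options) % 4)
    doff = 5 + len(options) // 4
    hdr = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, doff << 4, 0x18, 8192, 0, 0)
    return hdr + options + payload

# Constructed samples: a server banner on a non-standard port, the same banner behind
# 12 bytes of TCP options, HTTP on port 22, and a segment too short to hold 4 bytes.
TIMESTAMP_OPT = b"\x01\x01\x08\x0a" + b"\x00" * 8
SAMPLES = {
    "ssh banner on 2222": segment(2222, 51000, b"SSH-2.0-ExampleServer\r\n"),
    "ssh banner with options": segment(22, 51001, b"SSH-2.0-ExampleServer\r\n", TIMESTAMP_OPT),
    "http on port 22": segment(22, 51002, b"GET / HTTP/1.1\r\n"),
    "truncated": segment(22, 51003, b"SS"),
}

def matches():
    """Names of the samples the banner filter keeps."""
    return [name for name, seg in SAMPLES.items() if is_ssh_banner(seg)]

if __name__ == "__main__":
    for name, seg in SAMPLES.items():
        print(f"{name}: payload at byte {payload_offset(seg)}, match={is_ssh_banner(seg)}")
```

Because the offset is read from the header itself, the check still lands on the first payload byte when TCP options push the data 12 bytes further in, and a non-SSH service that happens to sit on port 22 is not matched.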
Find DNS Traffic

tcpdump -vvAs0 port 53

Find FTP Traffic

tcpdump -vvAs0 port ftp or ftp-data

Find NTP Traffic

tcpdump -vvAs0 port 123

Find Cleartext Passwords

tcpdump -lA port http or port ftp or port smtp or port imap or port pop3 or port telnet | grep -E -i -B5 'pass=|pwd=|log=|login=|user=|username=|pw=|passw=|passwd= |password=|pass:|user:|username:|password:|login:|pass |user '

Find Traffic With Evil Bit

There's a bit in the IP header that never gets set by legitimate applications, which we call the "Evil Bit" (the reserved flag bit of RFC 3514). Here's a fun filter to find packets where it's been toggled.

tcpdump 'ip[6] & 128 != 0'

Link hackertarget.com/tcpdump-examples/
