
@csereno
Last active February 11, 2019 19:09
TCPDump Commands

Determine interface

tcpdump -D

Capture and Display Top Conversations

tcpdump -i eth1 -tnn -c 20000 | awk -F " " '{print $2" "$3" "$4}' | sort | uniq -c | sort -nr | more

Read a file

tcpdump -qns 0 -A -r file.pcap

Permissive method: set the setuid bit so that tcpdump/dumpcap can be run by any user instead of only root:

chmod u+s /usr/bin/dumpcap

Restrictive method:

groupadd netcapture
usermod -a -G netcapture _username_
chgrp netcapture /usr/sbin/dumpcap
chgrp netcapture /usr/sbin/tshark
chmod 750 /usr/sbin/dumpcap
chmod 750 /usr/sbin/tshark
setcap cap_net_raw,cap_net_admin=eip /usr/sbin/dumpcap
setcap cap_net_raw,cap_net_admin=eip /usr/sbin/tshark

URGENT (URG) packets...

tcpdump 'tcp[13] & 32!=0'

ACKNOWLEDGE (ACK) packets...

tcpdump 'tcp[13] & 16!=0'

PUSH (PSH) packets...

tcpdump 'tcp[13] & 8!=0'

Range of IP Addresses

tcpdump -c 20 -i eth1 -nn "net __ipaddress__ and (((ip[15] > 132) and (ip[15] < 135)) or ((ip[19] > 132) and (ip[19] < 135)))"

RESET (RST) packets...

tcpdump 'tcp[13] & 4!=0'

SYNCHRONIZE (SYN) packets...

tcpdump 'tcp[13] & 2!=0'

FINISH (FIN) packets...

tcpdump 'tcp[13] & 1!=0'

SYNCHRONIZE/ACKNOWLEDGE (SYNACK) packets...

tcpdump 'tcp[13]=18'

[ Note: Only the PSH, RST, SYN, and FIN flags are displayed in tcpdump's flag field output. URGs and ACKs are displayed, but they are shown elsewhere in the output rather than in the flags field ]
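The flag filters above all read byte 13 of the TCP header, and the range filter reads the last octet of the source (ip[15]) and destination (ip[19]) addresses. As an added example that is not part of the original gist, the following Python evaluates those same byte-offset expressions against constructed IPv4/TCP packets (addresses, ports and header values are made up for illustration), so you can see exactly which packets each tcpdump expression matches:

```python
import struct

# Flag bits of TCP header byte 13, the same constants the gist filters use.
TCP_FLAGS = {"URG": 32, "ACK": 16, "PSH": 8, "RST": 4, "SYN": 2, "FIN": 1}

def build_packet(src: str, dst: str, flags: int) -> bytes:
    """Constructed sample packet: a minimal 20-byte IPv4 header (no options)
    followed by a 20-byte TCP header carrying the given flag bits."""
    ip_hdr = struct.pack("!BBHHHBBH4s4s",
                         0x45, 0, 40, 0, 0, 64, 6, 0,
                         bytes(map(int, src.split("."))),
                         bytes(map(int, dst.split("."))))
    tcp_hdr = struct.pack("!HHIIBBHHH",
                          40000, 443, 0, 0, 5 << 4, flags, 65535, 0, 0)
    return ip_hdr + tcp_hdr

def ip_byte(pkt: bytes, offset: int) -> int:
    """tcpdump's ip[N]: byte N counted from the start of the IPv4 header."""
    return pkt[offset]

def tcp_byte(pkt: bytes, offset: int) -> int:
    """tcpdump's tcp[N]: byte N of the TCP header. The TCP header starts
    after IHL*4 bytes, so packets carrying IP options are handled too."""
    ihl = (pkt[0] & 0x0F) * 4
    return pkt[ihl + offset]

def flag_names(pkt: bytes) -> list[str]:
    """Every flag set in tcp[13]: the gist's 'tcp[13] & N != 0' tests."""
    b = tcp_byte(pkt, 13)
    return [name for name, bit in TCP_FLAGS.items() if b & bit]

def is_synack(pkt: bytes) -> bool:
    """Exact match of the gist's 'tcp[13]=18': SYN and ACK set, nothing else."""
    return tcp_byte(pkt, 13) == 18

def in_last_octet_range(pkt: bytes, low: int = 132, high: int = 135) -> bool:
    """The gist's range filter: ip[15] is the last octet of the source
    address, ip[19] the last octet of the destination (bounds exclusive)."""
    return any(low < ip_byte(pkt, off) < high for off in (15, 19))

if __name__ == "__main__":
    synack = build_packet("10.0.0.133", "10.0.0.5",
                          TCP_FLAGS["SYN"] | TCP_FLAGS["ACK"])
    print(flag_names(synack), is_synack(synack), in_last_octet_range(synack))
```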
