@marcoemorais
Created February 27, 2015 00:59
tcpdump how to
# find the IP addresses of many hosts on the network
# step 1. obtain the broadcast address from ifconfig
# step 2. ping the broadcast address
$ ifconfig -a | grep broadcast
inet 192.168.1.102 netmask 0xffffff00 broadcast 192.168.1.255
inet 192.168.68.1 netmask 0xffffff00 broadcast 192.168.68.255
inet 192.168.174.1 netmask 0xffffff00 broadcast 192.168.174.255
$ ping 192.168.1.255
PING 192.168.1.255 (192.168.1.255): 56 data bytes
64 bytes from 192.168.1.1: icmp_seq=0 ttl=64 time=0.634 ms
64 bytes from 192.168.1.100: icmp_seq=0 ttl=64 time=102.151 ms (DUP!)
# capture the first and last packet of a connection to www.yahoo.com:80 (segments with the SYN or FIN flag set)
sudo tcpdump -nnvvXSs 0 'tcp and dst host www.yahoo.com and dst port 80 and tcp[tcpflags] & (tcp-syn|tcp-fin) != 0'
# http://naleid.com/blog/2008/04/03/monitoring-http-traffic-to-debug-your-grails-application/
# capture http traffic on port 80 in either direction, skipping segments that carry no payload (pure ACKs);
# -s 0 avoids truncating the capture and -A prints the payload as ASCII instead of the packet headers.
# the filter computes ip total length - ip header length - tcp header length, i.e. the TCP payload length
sudo tcpdump -s 0 -A 'tcp port 80 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)'
# capture outgoing http traffic to www.yahoo.com:80 that carries payload, without displaying packet headers
sudo tcpdump -s 0 -A 'tcp and dst host www.yahoo.com and dst port 80 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)'
# capture outgoing udp datagrams to a particular host that carry payload
# (udp[4:2] is the udp length field, which includes the fixed 8-byte header; tcp[12] cannot be used for udp)
sudo tcpdump -s 0 -A 'udp and dst fed1018.yss.ne1.yahoo.com and ((udp[4:2] - 8) != 0)'
# capture outgoing udp packets to a particular host
sudo tcpdump -s 0 -A 'udp and dst 10.7.202.190'
# capture udp packets to or from port 8125 on this host
sudo tcpdump -s 0 -A 'udp and port 8125'
# capture the first two icmp packets in either direction (-c2 stops after two packets)
sudo tcpdump -nnvXSs 0 -c2 icmp
# use tcpdump on the network interface of the hypervisor to print packet headers tagged with vlan
sudo tcpdump -nei eth1 vlan
# use tcpdump on the virtual interface on the hypervisor created for vm to print packet headers forwarded to this interface
sudo tcpdump -nei vnet0
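To see what the byte-offset arithmetic in the filters above actually computes, here is an added Python example (not part of the gist) that evaluates the same expressions over constructed IPv4 packets: the TCP payload-length test, the SYN/FIN flag test and the UDP payload-length test. The packet builders, addresses, ports and payloads are assumptions made up for the illustration.

```python
import struct

TCP_FIN, TCP_SYN, TCP_PSH, TCP_ACK = 0x01, 0x02, 0x08, 0x10

def ihl_bytes(pkt):
    # (ip[0]&0xf)<<2 : IPv4 header length in 32-bit words, converted to bytes
    return (pkt[0] & 0x0F) << 2

def ip_total_len(pkt):
    # ip[2:2] : IPv4 total length, big-endian 16-bit field
    return struct.unpack_from("!H", pkt, 2)[0]

def tcp_payload_len(pkt):
    # ip[2:2] - ((ip[0]&0xf)<<2) - ((tcp[12]&0xf0)>>2) : bytes after the TCP header
    ihl = ihl_bytes(pkt)
    doff = (pkt[ihl + 12] & 0xF0) >> 2   # TCP data offset, words -> bytes
    return ip_total_len(pkt) - ihl - doff

def tcp_syn_or_fin(pkt):
    # tcp[tcpflags] & (tcp-syn|tcp-fin) != 0 ; tcpflags is byte 13 of the TCP header
    return (pkt[ihl_bytes(pkt) + 13] & (TCP_SYN | TCP_FIN)) != 0

def udp_payload_len(pkt):
    # udp[4:2] - 8 : the UDP length field counts its own fixed 8-byte header
    return struct.unpack_from("!H", pkt, ihl_bytes(pkt) + 4)[0] - 8

def _ipv4(proto, l4):
    # minimal 20-byte IPv4 header (no options, zero checksum); addresses are made up
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0x4000, 64, proto, 0,
                      bytes([192, 168, 1, 102]), bytes([192, 168, 1, 1]))
    return hdr + l4

def tcp_packet(flags, payload=b"", options=b""):
    doff_words = (20 + len(options)) // 4   # options must already be padded to 4 bytes
    hdr = struct.pack("!HHIIBBHHH", 54321, 80, 1, 0, doff_words << 4, flags, 65535, 0, 0)
    return _ipv4(6, hdr + options + payload)

def udp_packet(payload=b""):
    hdr = struct.pack("!HHHH", 54321, 8125, 8 + len(payload), 0)
    return _ipv4(17, hdr + payload)

# constructed samples: SYN carrying an MSS option, bare ACK, HTTP request, statsd datagram
SYN = tcp_packet(TCP_SYN, options=b"\x02\x04\x05\xb4")
ACK = tcp_packet(TCP_ACK)
GET = tcp_packet(TCP_PSH | TCP_ACK, payload=b"GET / HTTP/1.0\r\n\r\n")
STATSD = udp_packet(b"login.ok:1|c")
```

The SYN (with a 24-byte TCP header) and the bare ACK both evaluate to a payload length of 0 and so would be dropped by the `-A` filters, while only the SYN passes the SYN/FIN filter.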