@rlevchenko
Last active September 1, 2023 09:58
Tcpdump Examples
# Capture packets on a specific interface, print them as ASCII, and show 5 lines of context around any line containing "request" (case-insensitive)
tcpdump -i ens192 -s 0 -A -v -n | grep -i -A 5 -B 5 "request"
# Capture HTTP GET and POST request lines plus Host headers (-A prints the payload, so this works on any port, not only 80)
tcpdump -i ens192 -s 0 -A -v -n | grep -E -i "POST /|GET /|Host:"
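The grep above lists matching lines flat, so a Host header is not tied to the request line it belongs to. The following is an added example, not part of the gist, that parses tcpdump's text output and pairs each request line with its Host header and the packet's source and destination; the sample output is constructed in the shape of `tcpdump -v -n` output for port-80 traffic (tab-indented decoded lines, made-up addresses), and the regular expressions are an assumption about that layout rather than a tcpdump API.

```python
import re

# Constructed sample in the shape of `tcpdump -v -n` output decoding HTTP on port 80
# (leading tabs as tcpdump prints them; addresses and paths are made up).
SAMPLE = """\
12:00:01.123456 IP 10.200.217.3.51234 > 10.200.217.10.80: Flags [P.], seq 1:80, ack 1, win 502, length 79: HTTP, length: 79
\tGET /index.html HTTP/1.1
\tHost: intranet.example
\tUser-Agent: curl/7.81.0
12:00:01.130001 IP 10.200.217.10.80 > 10.200.217.3.51234: Flags [.], ack 80, win 509, length 0
12:00:02.000000 IP 10.200.217.3.51236 > 10.200.217.10.80: Flags [P.], seq 1:120, ack 1, win 502, length 119: HTTP, length: 119
\tPOST /login HTTP/1.1
\tHost: intranet.example
\tContent-Length: 29
"""

# Packet header line: timestamp, IP/IP6, "src > dst:" (assumed layout of tcpdump -n output)
PACKET_RE = re.compile(r"^\d{2}:\d{2}:\d{2}\.\d+ IP6? (\S+) > (\S+):")
# HTTP/1.x request line as it appears in the decoded payload
REQUEST_RE = re.compile(r"^(GET|POST|PUT|DELETE|HEAD|OPTIONS|PATCH) (\S+) HTTP/1\.[01]\s*$")
HOST_RE = re.compile(r"^Host:\s*(\S+)", re.IGNORECASE)


def parse_http_requests(text):
    """Return one dict per HTTP request found: src, dst, method, path, host."""
    requests = []
    current = None  # record for the packet currently being read, or None
    for raw in text.splitlines():
        m = PACKET_RE.match(raw)
        if m:
            # A new packet header starts a fresh record; the previous one is complete.
            current = {"src": m.group(1), "dst": m.group(2),
                       "method": None, "path": None, "host": None}
            continue
        if current is None:
            continue  # text before the first packet header is ignored
        line = raw.strip()
        m = REQUEST_RE.match(line)
        if m and current["method"] is None:
            current["method"], current["path"] = m.group(1), m.group(2)
            requests.append(current)  # only packets carrying a request line are kept
            continue
        m = HOST_RE.match(line)
        if m and current["method"] is not None:
            current["host"] = m.group(1)  # Host header belongs to the request just seen
    return requests


if __name__ == "__main__":
    for req in parse_http_requests(SAMPLE):
        print(f'{req["src"]} -> {req["dst"]}: {req["method"]} {req["path"]} (Host: {req["host"]})')
```

To use it on a live capture, pipe `tcpdump -i ens192 -v -n` (or a file read with `tcpdump -r`) into the script's stdin and call `parse_http_requests(sys.stdin.read())`; the ACK-only packet in the sample shows that packets without a request line are dropped rather than producing an empty record.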
# Capture ALL POST requests (using ASCII): tcp[12] holds the Data Offset field, (& 0xf0) >> 2 turns it into the header length in bytes, and 0x504F5354 is ASCII "POST"
tcpdump -i ens192 -s 0 -A 'tcp[((tcp[12:1] & 0xf0) >> 2):4] = 0x504F5354'
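The BPF expression above is compact but opaque. As an added example (not part of the gist), the Python below applies the same arithmetic to raw TCP segment bytes so each constant can be checked: the Data Offset nibble is read from byte 12, shifting the masked byte right by 2 (rather than 4) multiplies the 32-bit-word count by 4 in one step, and the 4 bytes at that offset are compared with "POST". The segments are constructed inline (ports, sequence numbers and the MSS option are made up) and `build_tcp_segment` is a helper of this example, not a tcpdump feature.

```python
import struct

POST_MAGIC = 0x504F5354  # the four ASCII bytes b"POST", as used in the BPF filter


def tcp_payload_offset(segment: bytes) -> int:
    """Header length in bytes, computed exactly as (tcp[12:1] & 0xf0) >> 2 does."""
    return (segment[12] & 0xF0) >> 2


def matches_post_filter(segment: bytes) -> bool:
    """True when the 4 bytes at the payload offset equal "POST" (tcp[offset:4] = 0x504F5354)."""
    off = tcp_payload_offset(segment)
    if len(segment) < off + 4:
        return False  # BPF rejects a packet that is too short for the 4-byte load
    return int.from_bytes(segment[off:off + 4], "big") == POST_MAGIC


def build_tcp_segment(payload: bytes, options: bytes = b"") -> bytes:
    """Constructed sample segment: 20-byte TCP header (40000 -> 80), optional options, payload."""
    options += b"\x00" * (-len(options) % 4)  # options are padded to a 32-bit boundary
    header_len = 20 + len(options)
    data_offset_byte = (header_len // 4) << 4  # Data Offset lives in the high nibble of byte 12
    header = struct.pack("!HHIIBBHHH",
                         40000, 80,        # source / destination port (made up)
                         1, 1,             # sequence / acknowledgement numbers (made up)
                         data_offset_byte, # data offset + reserved bits
                         0x18,             # flags: PSH, ACK
                         65535, 0, 0)      # window, checksum (unset), urgent pointer
    return header + options + payload


if __name__ == "__main__":
    mss_option = b"\x02\x04\x05\xb4"  # MSS 1460, makes the header 24 bytes long
    for seg in (build_tcp_segment(b"POST /login HTTP/1.1\r\n"),
                build_tcp_segment(b"POST /login HTTP/1.1\r\n", mss_option),
                build_tcp_segment(b"GET / HTTP/1.1\r\n")):
        print(tcp_payload_offset(seg), matches_post_filter(seg))
```

Two caveats the example makes visible: the comparison only succeeds when "POST" sits at the very start of a segment's payload, so a request line split across segments, or a POST sent after earlier data in the same segment, is not matched; and the filter is ASCII-specific, so HTTP/2 or TLS traffic carrying a POST never matches.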
# Capture requests to ports 80 and 443 sent from host 10.200.217.3 (src host restricts direction; plain "host" would match both ways)
tcpdump -i ens192 -s 0 -A '(tcp dst port 80 or tcp dst port 443) and src host 10.200.217.3'
# Write to file, starting a new file every 5 minutes (-G 300) or when the current one reaches 150 MB (-C counts units of 1,000,000 bytes), keeping at most 15 files (-W 15)
# The -w name needs strftime() fields, otherwise -G rewrites the same file on every rotation; the filter expression goes last
tcpdump -i ens192 -nn -G 300 -C 150 -W 15 -w 'tcpdump-%Y%m%d-%H%M%S.pcap' tcp
# Capture traffic between two hosts
tcpdump -i ens192 -s 0 -n host 10.200.217.2 and host 10.200.217.1
# Capture traffic on a port range (matches source or destination port)
tcpdump -i ens192 -s 0 -n portrange 8080-8090
# Capture ALL traffic except SSH (port 22), so the capture session's own traffic is left out
tcpdump -i ens192 -s 0 -n not port 22
# Capture ALL traffic in a specific network
tcpdump -i ens192 -s 0 -n net 10.200.217.0/24
# Capture ALL packets of 128 bytes or more ("greater" means greater than or equal to)
tcpdump -i ens192 -s 0 greater 128