General Format & Common Options

[sudo] tcpdump [-r FILE] [-i INTERFACE] [-ASXn] [QUERY...]

where:

  • -A means print each packet's contents in ASCII (handy for plaintext protocols)
  • -X means print each packet's contents as a hexdump with an ASCII column
  • -S means show absolute rather than relative TCP sequence numbers
  • -n means no DNS lookups (addresses and ports are printed numerically)

Query

Network

net 1.2.3.0/24

Source/Destination IP

src 1.2.3.4
dst 5.6.7.8

Host

host example.com
host 1.2.3.4
src host example.com
dst host example.com

Port

port 22
port ssh
port ftp or ftp-data

Gateway

gateway abc

Operators

src 1.2.3.4 and dst 2.3.4.5 and port 12
src 1.2.3.4 and port not 12

Header Filtering: TCP Flags (Byte value)

tcp[13] = 24

tcp[13] is where the flag bits are (the 14th byte of the TCP header, offset 13). 24 (0x18) means that the ACK (16) and PSH (8) bits are set. All packets after the handshake carry ACK to acknowledge the previous segment. Packets that transmit application data will usually also have the PSH bit set, which asks the receiver to hand the data to the application right away instead of buffering it. Because '=' compares the whole byte, this filter only matches segments with exactly ACK and PSH set; a data segment that also carries, say, URG or an ECN bit is not matched, which is what the bitwise form below avoids.

Header Filter: TCP Flags (Bitwise)

All packets with both ACK and PSH set (regardless of any other flags):

tcp[tcpflags] & (tcp-ack|tcp-push) == (tcp-ack|tcp-push)

All SYN or ACK packets:

tcp[tcpflags] & (tcp-syn|tcp-ack) != 0
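
The following shell helpers are an added example, not part of the original cheat sheet: they convert flag names into the tcp[13] byte value used above, decode a byte back into flag names, and emit the bitwise pcap-filter form for "all of these flags set". The function names are my own; the bit values and the tcp-push spelling follow the TCP header layout and the pcap-filter syntax.

```shell
# Added example (not from the cheat sheet): helpers for building and
# reading tcpdump TCP-flag filters. Bits of tcp[13], low to high:
# FIN=1 SYN=2 RST=4 PSH=8 ACK=16 URG=32 ECE=64 CWR=128

# Map one flag name (case-insensitive) to its bit value in tcp[13].
tcp_flag_bit() {
  case "$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')" in
    fin) echo 1 ;;  syn) echo 2 ;;  rst) echo 4 ;;  psh|push) echo 8 ;;
    ack) echo 16 ;; urg) echo 32 ;; ece) echo 64 ;; cwr) echo 128 ;;
    *) echo "unknown TCP flag: $1" >&2; return 1 ;;
  esac
}

# Sum the bits for all named flags, e.g. tcp_flags_byte ack psh -> 24,
# which is the value to use in the exact-match filter 'tcp[13] = N'.
tcp_flags_byte() {
  total=0
  for f in "$@"; do
    bit=$(tcp_flag_bit "$f") || return 1
    total=$((total + bit))
  done
  echo "$total"
}

# Decode a byte value into flag names in header bit order: 24 -> "PSH ACK"
tcp_flags_names() {
  v=$1; out=""
  for pair in 1:FIN 2:SYN 4:RST 8:PSH 16:ACK 32:URG 64:ECE 128:CWR; do
    bit=${pair%%:*}; name=${pair#*:}
    if [ $((v & bit)) -ne 0 ]; then out="${out:+$out }$name"; fi
  done
  echo "$out"
}

# Build the bitwise filter matching packets with ALL named flags set,
# whatever else is set: tcp_flags_filter_all ack psh ->
#   tcp[tcpflags] & (tcp-ack|tcp-push) == (tcp-ack|tcp-push)
tcp_flags_filter_all() {
  mask=""
  for f in "$@"; do
    n=$(printf '%s' "$f" | tr '[:upper:]' '[:lower:]')
    [ "$n" = psh ] && n=push   # pcap-filter names the PSH bit tcp-push
    mask="${mask:+$mask|}tcp-$n"
  done
  echo "tcp[tcpflags] & ($mask) == ($mask)"
}
```

Usage: `tcpdump -n -r capture.pcap "$(tcp_flags_filter_all ack psh)"` or `tcpdump -n -r capture.pcap "tcp[13] = $(tcp_flags_byte ack psh)"`.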

Oneliners

Top IPs (field 5 is the destination address and port with a trailing colon; use $3 for the source)

tcpdump -n -r capture.pcap | awk '{print $5}' | sort | uniq -c | sort -rn | head

Filter Data Packets

tcpdump -A -n 'tcp[13] = 24' -r capture.pcap