General Format & Common Options
[sudo] tcpdump [-r FILE] [-i INTERFACE] [-ASXn] [QUERY...]

where:
-r FILE        read packets from a saved capture instead of a live interface
-i INTERFACE   capture live on INTERFACE (needs root or CAP_NET_RAW, hence the optional sudo)
-A             print each packet's contents in ASCII (handy for cleartext protocols)
-X             print each packet's contents as a hexdump with the ASCII alongside
-S             show absolute TCP sequence numbers instead of the default relative ones
-n             no DNS lookups (faster, and the addresses you are inspecting are not sent to a resolver)
Query

Network
net 1.2.3.0/24

Source/Destination IP
src 1.2.3.4
dst 5.6.7.8

Host (a name is resolved once, when the filter is compiled; every address it resolves to matches)
host example.com
host 1.2.3.4
src host example.com
dst host example.com

Port (a bare "port" matches either the source or the destination port; "src port" / "dst port" narrow it; names come from /etc/services)
port 22
port ssh
port ftp or ftp-data

Gateway (abc must resolve both to an IP address, via /etc/hosts, and to a MAC address, via /etc/ethers)
gateway abc

Operators (and, or, not; quote the whole query so the shell does not interpret it)
src 1.2.3.4 and dst 2.3.4.5 and port 12
src 1.2.3.4 and port not 12

Header Filtering: TCP Flags (Byte value)
tcp[13] = 24

tcp[13] is byte 13 (zero-based, i.e. the 14th byte) of the TCP header, the byte that holds the flag bits: CWR=128, ECE=64, URG=32, ACK=16, PSH=8, RST=4, SYN=2, FIN=1. 24 = 16 + 8, so this filter matches packets with exactly ACK and PSH set and every other flag clear. All packets after the handshake carry ACK to acknowledge what the peer has sent, and segments that deliver application data usually also carry PSH so the receiver hands the data up rather than buffering it. Because "=" compares the whole byte, a data segment that additionally carries ECE or CWR (ECN-enabled stacks) does not match; use the bitwise form when you want "at least these flags". tcpdump locates the TCP header from the IP header length, so the index is correct even when IP options are present.
Header Filter: TCP Flags (Bitwise)
tcp[tcpflags] is the same byte as tcp[13], with named constants for the bits. "&" masks the flags you care about; compare the result with "=" to require all of them, or with "!= 0" to accept any of them.

All ACK-PSH packets (whatever other flags are set):
tcp[tcpflags] & (tcp-ack|tcp-push) = (tcp-ack|tcp-push)

All SYN or ACK packets:
tcp[tcpflags] & (tcp-syn|tcp-ack) != 0

Oneliners
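The byte-value and bitwise filters above are easy to get backwards, so here is an added example (not part of the original page, and not tcpdump code) that builds a few constructed IPv4/TCP packets with Python's struct module, reads tcp[13] the way tcpdump does (skipping the IP header by its IHL field), and evaluates the three filters as Python predicates. The packet builder, the addresses and the payloads are constructed test input; checksums are left at zero.

```python
import struct

# TCP flag bits as they appear in byte 13 of the TCP header (tcp[13]);
# the same values tcpdump names tcp-fin, tcp-syn, ..., tcp-cwr.
TCP_FIN, TCP_SYN, TCP_RST, TCP_PUSH, TCP_ACK, TCP_URG, TCP_ECE, TCP_CWR = (
    1, 2, 4, 8, 16, 32, 64, 128)


def build_ipv4_tcp(flags, ip_options=b"", payload=b""):
    """Construct a minimal IPv4+TCP packet (no link-layer header) carrying
    the given TCP flags. Constructed test input: checksums are zero and the
    addresses (10.0.0.1 -> 10.0.0.2) are placeholders."""
    ihl = 5 + len(ip_options) // 4            # IP header length in 32-bit words
    total_len = ihl * 4 + 20 + len(payload)
    ip_hdr = struct.pack("!BBHHHBBH4s4s",
                         (4 << 4) | ihl, 0, total_len, 0x1234, 0, 64, 6, 0,
                         bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2])) + ip_options
    tcp_hdr = struct.pack("!HHIIBBHHH",
                          40000, 22, 1000, 2000, 5 << 4, flags, 65535, 0, 0)
    return ip_hdr + tcp_hdr + payload


def tcp_flags_byte(pkt):
    """Return tcp[13]. tcpdump finds the TCP header via the IP header length
    (IHL), so IP options are skipped; a fixed pkt[20 + 13] would be wrong
    whenever options are present."""
    ihl_bytes = (pkt[0] & 0x0F) * 4
    return pkt[ihl_bytes + 13]


def match_exact(pkt, value=TCP_ACK | TCP_PUSH):
    """Equivalent of 'tcp[13] = 24': ACK and PSH set, every other bit clear."""
    return tcp_flags_byte(pkt) == value


def match_bitwise(pkt, mask=TCP_ACK | TCP_PUSH):
    """Equivalent of 'tcp[tcpflags] & (tcp-ack|tcp-push) = (tcp-ack|tcp-push)':
    the masked bits must all be set, other bits are ignored."""
    return tcp_flags_byte(pkt) & mask == mask


def match_any(pkt, mask=TCP_SYN | TCP_ACK):
    """Equivalent of 'tcp[tcpflags] & (tcp-syn|tcp-ack) != 0'."""
    return tcp_flags_byte(pkt) & mask != 0


def classify(pkt):
    """(exact ACK+PSH, at-least ACK+PSH, SYN-or-ACK) for one packet."""
    return (match_exact(pkt), match_bitwise(pkt), match_any(pkt))


if __name__ == "__main__":
    samples = [
        ("ACK|PSH data", build_ipv4_tcp(TCP_ACK | TCP_PUSH, payload=b"GET / HTTP/1.0\r\n")),
        ("ACK|PSH|ECE data", build_ipv4_tcp(TCP_ACK | TCP_PUSH | TCP_ECE, payload=b"x")),
        ("SYN", build_ipv4_tcp(TCP_SYN)),
        ("ACK|PSH + IP opts", build_ipv4_tcp(TCP_ACK | TCP_PUSH,
                                             ip_options=b"\x01\x01\x01\x01", payload=b"x")),
    ]
    for name, pkt in samples:
        exact, bitwise, syn_or_ack = classify(pkt)
        print(f"{name:18s} tcp[13]={tcp_flags_byte(pkt):3d} "
              f"exact={exact} bitwise={bitwise} syn_or_ack={syn_or_ack}")
```

The ECN packet is the interesting row: it carries application data, but "tcp[13] = 24" drops it because the byte is 88, while the masked comparison still accepts it. The IP-options packet shows why the IHL must be honoured: with a fixed offset the flag byte would be read from the wrong place.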
Top IPs
tcpdump -n -r capture.pcap | awk '{print $5}' | sort | uniq -c | sort -rn | head

With -n a line looks like "TIME IP SRC.PORT > DST.PORT: ...", so $3 is the source endpoint and $5 the destination endpoint (with its port appended and a trailing colon; strip the port first if you want per-host rather than per-host:port counts). The second "sort -rn" is what makes this a top list: "uniq -c" only counts, it does not rank. Non-IP lines (ARP and the like) have something else in field 5 and show up as noise.

Filter Data Packets
tcpdump -A -n 'tcp[13] = 24' -r capture.pcap
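The awk one-liner counts whatever sits in field 5, port and colon included, and miscounts ICMP and ARP lines. As an added example (not from the original page), the following Python parses constructed "tcpdump -n" output lines into source and destination hosts, handles the cases the one-liner gets wrong (IPv6 endpoints, port-less ICMP lines, non-IP lines), and ranks hosts the way "sort | uniq -c | sort -rn | head" does. The sample lines are constructed and the addresses are documentation ranges.

```python
import re
from collections import Counter

# Shape of a "tcpdump -n" line: timestamp, "IP"/"IP6", src, ">", dst + ":", rest.
# awk sees these as $1 $2 $3 $4 $5, which is why $3 is the source and $5 the destination.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<family>IP6?) (?P<src>\S+) > (?P<dst>\S+): (?P<rest>.*)$")

# Constructed sample of tcpdump -n output; not a real capture.
SAMPLE = """\
12:00:01.000001 IP 10.0.0.5.51234 > 93.184.216.34.443: Flags [S], seq 1, win 64240, length 0
12:00:01.000200 IP 93.184.216.34.443 > 10.0.0.5.51234: Flags [S.], seq 1, ack 2, win 65535, length 0
12:00:01.000300 IP 10.0.0.5.51234 > 93.184.216.34.443: Flags [P.], seq 1:100, ack 1, win 502, length 99
12:00:02.000000 IP 10.0.0.7.40000 > 198.51.100.9.22: Flags [S], seq 5, win 64240, length 0
12:00:02.000100 IP 10.0.0.5 > 198.51.100.9: ICMP echo request, id 1, seq 1, length 64
12:00:02.000200 IP6 2001:db8::1.40001 > 2001:db8::2.80: Flags [S], seq 1, win 64800, length 0
12:00:03.000000 ARP, Request who-has 10.0.0.1 tell 10.0.0.5, length 28
""".splitlines()


def split_endpoint(endpoint, has_port):
    """'10.0.0.5.51234' -> ('10.0.0.5', 51234). tcpdump appends the port with
    a dot, so split on the last dot only; that also works for IPv6 endpoints
    such as '2001:db8::1.443'. ICMP lines carry no port, and stripping the
    last octet of a bare IPv4 address would corrupt it."""
    if not has_port:
        return endpoint, None
    host, port = endpoint.rsplit(".", 1)
    return host, int(port)


def parse_line(line):
    """Return a dict for IP/IP6 lines, None for anything else (ARP, STP, ...)."""
    m = LINE_RE.match(line)
    if not m:
        return None
    has_port = not m["rest"].startswith("ICMP")
    src, sport = split_endpoint(m["src"], has_port)
    dst, dport = split_endpoint(m["dst"], has_port)
    return {"family": m["family"], "src": src, "sport": sport,
            "dst": dst, "dport": dport, "rest": m["rest"]}


def top_hosts(lines, field="dst", n=10):
    """Count hosts in the chosen field ('src' or 'dst'); the equivalent of
    the awk | sort | uniq -c | sort -rn | head pipeline, minus the ports."""
    counts = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is not None:
            counts[rec[field]] += 1
    return counts.most_common(n)


if __name__ == "__main__":
    for host, count in top_hosts(SAMPLE, "dst"):
        print(f"{count:7d} {host}")
```

Feed real output in with `tcpdump -n -r capture.pcap | python3 top_hosts.py` after replacing SAMPLE with `sys.stdin`; the regex deliberately rejects anything that is not an IP/IP6 line rather than guessing at its fields.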