tcpdump cheat sheet

tcpdump cheat sheet Motivation

I need tcpdump every now and then, but not often enough to remember all relevant bits.
Sometimes I need it under pressure, i.e. if some VIP customer has a weird server problem, and in those situations I don't want to waste time on extra-long man pages.
Hence theses snippets ...

Syntax highlights

Common tcpdump command line options

Based on manpage of tcpdump(8) from Debian jessie's tcpdump version 4.3.0-1.

-B buffersizeset buffer size to buffersize kilobytes-b 4096
-c countexit after count packets-c 100
-F fileread filter expression from file-F mycomplexfilter1.txt
-i interfaceListen on interface-i eth1
-w filewrite packets to file rather than decoding them to stdout-w mydump1.pcap
-Z userafter opening input device but before opening output file change user ID to user
useful to avoid chown-calls after each tcpdump run
-Z jdoe
expression | 'expression'filter expression, see manpage pcap-filter(7) and next chapter 

Output formatting options have been left out on purpose, because wireshark is just too good a dump visualizer.

Common tcpdump filter expressions

Based on manpage of pcap-filter(7) from Debian jessie's libpcap0.8 version 1.3.0-1.

Expression primitivePurposeExamples
[dst|src] [ip|ip6|arp|rarp] host host

Packets to (dst) or from (src) host 


[tcp|udp] [dst|src] port portTCP or UDP packets to (dst) or from (src) port port port 80
less|greater lengthPackets smaller (less) resp. larger (greater) than or exactly length bytesless 200
[ip|ip6] proto protocolPackets with IP protocol protocol. Known protocols are: tcp, udp, icmp, icmp6, igmp, igrp, pim, ah, esp, vrrpip6 proto icmp6
tcp|udp|icmpAbbreviations for proto tcp, proto udp, proto icmp 
[ether]|ip broadcastEthernet (default) or IPv4 broadcast packets 
[ether]|ip|ip6 multicastEthernet (default) or IPv4 or IPv6 multicast packets 
ether proto protocolPackets with IP protocol protocol. Among known protocols are: ip, ip6, arp, rarp 
ip|ip6|arp|rarp|...Abbreviations for according primtive ether protocol 
vlan [vlanid]VLAN packets, optionally with specified vlanid.vlan 3

Relation operators

Operators for expr relop expr are: <, >, >=, <=, =, !=.

Also C style operators: +, -, *, /, %, &, |, ^, >>, <<.

Primitive resp subexpression combination

In doubt enclose subexpressions in (, ).

Subexpressions can be preceded with ! or not, and combined with and, &&, or, ||.


Web connections to a particular server 

tcpdump -i eth0 -w webtraffic.pcap 'host and port 80'

Other hints

Wireshark, and capturing with wireshark as non-root user on Linux hosts

When run on Linux wireshark uses libpcap too, therefore the same filter expression syntax applies.

Running GUIs as root isn't exactly recommended, therefore on most distros members of the group wireshark may capture as non-root user, either through dumpcap or set-uid tricks.

Another approach is to capture packets using tcpdump -w foobar.pcap -Z myuser and to use Wireshark as pcap inspector only.

Virtualization environments

Kernel based virtualizations like chroot, OpenVZ/Virtuozzo, LXC/LXD, Docker, ... may restrict capturing to the host or the guest, depending on the details exact networking configurations (venet vs. veth, bridging variants) and/or present or missing bind mounts and/or cgroup visibility of /dev subnotes and the like.

In doubt if possible test capturing from host and guest.

Switches and bridging

This is obvious, but in the case of newbies beeing pointed here: When trying to capture as a third party (not on either end or a router inbetween), beeing connected to a hub used to help in the old days. In modern times hubs can mostly be found in museums, and switches are supposed not to send "foreign" packets out to cables on switch ports that have no business with each packet.

There are 2 ways around this:

1. confgure the switch to perform port mirroring (I'm talking switch ports, not IP ports).

2. "interrupt" the ethernet connection with a Linux machine set up as software bridge. If successful maybe apply for a job with NSA or your country's sister organization.

Avoiding 'packets dropped by kernel'

Use -B to increase the capture buffer size.

The size specified is in KB, i.e. -B 1024 sets the buffer to 1 MB.