tcpdump cheat sheet
Motivation
I need tcpdump every now and then, but not often enough to remember all relevant bits.
Sometimes I need it under pressure, e.g. when some VIP customer has a weird server problem, and in those situations I don't want to waste time on extra-long man pages.
Hence these snippets.
Syntax highlights
Common tcpdump command line options
Based on manpage of tcpdump(8) from Debian jessie's tcpdump version 4.3.0-1.
| Option | Purpose | Example |
|---|---|---|
| `-B buffer_size` | set the operating system capture buffer size to buffer_size kilobytes | `-B 1024` |
| `-c count` | exit after receiving count packets | `-c 100` |
| `-F file` | read the filter expression from file (an expression given on the command line is then ignored) | `-F filter.txt` |
| `-i interface` | listen on interface | `-i eth0` |
| `-w file` | write the raw packets to file instead of printing them | `-w webtraffic.pcap` |
| `-Z user` | after opening the input device but before opening the output file, change the user ID to user (and the group ID to user's primary group) | `-Z myuser` |
| expression | filter expression, see manpage pcap-filter(7) and the next chapter | `'host www.clazzes.org and port 80'` |
Output formatting options have been left out on purpose, because wireshark is just too good a dump visualizer.
Common tcpdump filter expressions
Based on manpage of pcap-filter(7) from Debian jessie's libpcap0.8 version 1.3.0-1.
| Expression primitive | Purpose | Examples |
|---|---|---|
| `dst host host`, `src host host`, `host host` | Packets to (`dst`), from (`src`) or to/from (no prefix) host, given as name or address | `host www.clazzes.org`, `dst host 192.0.2.10` |
| `dst port port`, `src port port`, `port port` | TCP or UDP packets to (`dst`), from (`src`) or to/from (no prefix) port, given as number or service name | `port 80`, `src port 53` |
| `less length`, `greater length` | Packets smaller (`less`) or larger (`greater`) than or equal to length bytes | `less 128`, `greater 1400` |
| `ip proto protocol` | Packets with IP protocol protocol, given as a number or a name (names that are also keywords, e.g. tcp, must be escaped with a backslash) | `ip proto 1` |
| `tcp`, `udp`, `icmp` | Abbreviations for `ip proto tcp` etc. (and the `ip6 proto` equivalents) | `tcp and port 80` |
| `[ether] broadcast`, `ip broadcast` | Ethernet (default) or IPv4 broadcast packets | `ip broadcast` |
| `[ether] multicast`, `ip multicast`, `ip6 multicast` | Ethernet (default) or IPv4 or IPv6 multicast packets | `ip6 multicast` |
| `ether proto protocol` | Packets with Ethernet-level protocol protocol, given as a number or a name | `ether proto 0x0806` |
| `ip`, `ip6`, `arp`, `rarp` | Abbreviations for the corresponding `ether proto` primitive | `arp or rarp` |
| `vlan [vlan_id]` | VLAN packets, optionally with the specified vlan_id | `vlan 100 and tcp` |
Relation operators
Operators for expr relop expr are: <, >, >=, <=, =, !=.
Also C style operators: +, -, *, /, %, &, |, ^, >>, <<.
Combining primitives and subexpressions
When in doubt, enclose subexpressions in parentheses ( ).
Subexpressions can be negated with ! or not, and combined with and, &&, or, ||.
Examples
Web connections to a particular server
tcpdump -i eth0 -w webtraffic.pcap 'host www.clazzes.org and port 80'
Other hints
Wireshark, and capturing with wireshark as non-root user on Linux hosts
When run on Linux, Wireshark uses libpcap too, so the same capture filter syntax applies.
Running GUIs as root isn't exactly recommended, so on most distros members of the group wireshark may capture as a non-root user, either through dumpcap or set-uid tricks.
Another approach is to capture packets using tcpdump -w foobar.pcap -Z myuser and to use Wireshark as pcap inspector only.
Virtualization environments
Kernel based virtualizations like chroot, OpenVZ/Virtuozzo, LXC/LXD, Docker, ... may restrict capturing to the host or the guest, depending on the exact networking configuration (venet vs. veth, bridging variants) and/or present or missing bind mounts and/or cgroup visibility of /dev subnodes and the like.
When in doubt, test capturing from both host and guest if possible.
Switches and bridging
This is obvious, but in case newbies are being pointed here: When trying to capture as a third party (not on either end or on a router in between), being connected to a hub used to help in the old days. In modern times hubs can mostly be found in museums, and switches are supposed not to send "foreign" packets out to cables on switch ports that have no business with each packet.
There are 2 ways around this:
1. configure the switch to perform port mirroring (I'm talking switch ports, not IP ports).
2. "interrupt" the ethernet connection with a Linux machine set up as software bridge. If successful maybe apply for a job with NSA or your country's sister organization.
Avoiding 'packets dropped by kernel'
Use -B to increase the capture buffer size.
The size specified is in KB, e.g. -B 1024 sets the buffer to 1 MB.
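Putting the examples section and this buffer advice together, here is an added wrapper (not part of the original cheat sheet) that assembles the capture command from the options above and then reads the three-line summary tcpdump prints on stderr at exit to decide whether -B should be raised. Interface, user, file name and the filter are assumptions, and the summary lines are a constructed sample.

```shell
#!/bin/sh
# Build a capture command from the options discussed on this page.
# $1 = interface, $2 = output pcap, $3 = unprivileged user, $4 = buffer KB, $5 = filter
capture_cmd() {
    printf "tcpdump -i %s -B %s -Z %s -w %s '%s'\n" "$1" "$4" "$3" "$2" "$5"
}

# tcpdump ends with lines like "N packets received by filter" and
# "N packets dropped by kernel" on stderr; read that text on stdin and
# print the number (0 if the line is missing).
received_by_filter() {
    awk '/packets received by filter/ { n = $1 } END { print n + 0 }'
}

kernel_drops() {
    awk '/packets dropped by kernel/ { n = $1 } END { print n + 0 }'
}

# Suggest a -B value for the next run: double the buffer while the kernel
# dropped 1% or more of the packets the filter accepted, else keep it.
# $1 = current buffer KB, $2 = packets received by filter, $3 = packets dropped
suggest_buffer_kb() {
    if [ "$2" -gt 0 ] && [ $(( $3 * 100 / $2 )) -ge 1 ]; then
        echo $(( $1 * 2 ))
    else
        echo "$1"
    fi
}

# Constructed sample of tcpdump's exit summary (what appears after Ctrl-C).
SAMPLE_STATS='4096 packets captured
4150 packets received by filter
54 packets dropped by kernel'

# Stand-alone demonstration: show the command, then evaluate the sample summary.
capture_cmd eth0 webtraffic.pcap myuser 1024 'host www.clazzes.org and port 80'
recv=$(printf '%s\n' "$SAMPLE_STATS" | received_by_filter)
drop=$(printf '%s\n' "$SAMPLE_STATS" | kernel_drops)
echo "received=$recv dropped=$drop next -B: $(suggest_buffer_kb 1024 "$recv" "$drop")"
```

In practice, redirect tcpdump's stderr to a file (2>stats.txt) and feed that file to the two awk helpers after the capture ends.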