tcpdump cheat sheet
Motivation
I need tcpdump every now and then, but not often enough to remember all relevant bits.
Sometimes I need it under pressure, i.e. if some VIP customer has a weird server problem, and in those situations I don't want to waste time on extra-long man pages.
Hence these snippets ...
Syntax highlights
Common tcpdump command line options
Based on the manpage of tcpdump(8) from Debian jessie's tcpdump version 4.3.0-1.
Option | Purpose | Example |
---|---|---|
-B buffersize | set the capture buffer size to buffersize KiB | -B 4096 |
-c count | exit after count packets | -c 100 |
-F file | read filter expression from file | -F mycomplexfilter1.txt |
-i interface | Listen on interface | -i eth1 |
-w file | write packets to file rather than decoding them to stdout | -w mydump1.pcap |
-Z user | after opening the input device but before opening the output file, drop privileges to user; useful to avoid chown calls after each tcpdump run | -Z jdoe |
expression | filter expression, see manpage pcap-filter(7) and the next section | 'host www.clazzes.org and port 80' |
Output formatting options have been left out on purpose, because Wireshark is just too good a dump visualizer.
Common tcpdump filter expressions
Based on the manpage of pcap-filter(7) from Debian jessie's libpcap0.8 version 1.3.0-1.
Expression primitive | Purpose | Examples |
---|---|---|
[dst|src] [ip|ip6|arp|rarp] host host | IPv4/IPv6 (default), ARP or RARP packets to (dst) or from (src) host host; without dst/src, either direction | host www.clazzes.org |
[tcp|udp] [dst|src] port port | TCP or UDP packets to (dst) or from (src) port port; without dst/src, either direction | port 80 |
less|greater length | Packets whose length is less than or equal (less) resp. greater than or equal (greater) to length bytes | less 200 |
[ip|ip6] proto protocol | Packets with IP protocol protocol. Known protocols are: tcp, udp, icmp, icmp6, igmp, igrp, pim, ah, esp, vrrp | ip6 proto icmp6 |
tcp|udp|icmp | Abbreviations for proto tcp, proto udp, proto icmp (IPv4 or IPv6) | tcp |
[ether]|ip broadcast | Ethernet (default) or IPv4 broadcast packets | ip broadcast |
[ether]|ip|ip6 multicast | Ethernet (default), IPv4 or IPv6 multicast packets | ip6 multicast |
ether proto protocol | Packets with Ethernet type (EtherType) protocol. Among known protocols are: ip, ip6, arp, rarp | ether proto arp |
ip|ip6|arp|rarp|... | Abbreviations for the corresponding ether proto primitive | arp |
vlan [vlanid] | VLAN packets, optionally with specified vlanid . | vlan 3 |
Relation operators
Operators for expr relop expr are: <, >, >=, <=, =, !=.
Also C style operators: +, -, *, /, %, &, |, ^, >>, <<.
Combining primitives and subexpressions
If in doubt, enclose subexpressions in ( and ).
Subexpressions can be preceded with ! or not, and combined with and, &&, or, ||.
Quote the whole expression on the command line, as ( ), ! and | would otherwise be interpreted by the shell.
Examples
Web connections to a particular server
tcpdump -i eth0 -w webtraffic.pcap 'host www.clazzes.org and port 80'
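To make concrete what the primitives in the tables above actually test, here is an added example; it is not code from this page or from tcpdump (libpcap compiles expressions to BPF, this only compares the same header fields in Python). It builds a small classic-pcap file in memory, the format tcpdump -w writes, from hand-constructed sample frames, then evaluates several cheat-sheet expressions against it. The address 203.0.113.10 is an assumed documentation-range stand-in for www.clazzes.org, and the client and DNS addresses are likewise made up.

```python
import ipaddress
import struct

ETHERTYPE_IP, ETHERTYPE_ARP = 0x0800, 0x0806
PROTO_TCP, PROTO_UDP = 6, 17


def ip_frame(src, dst, proto, sport, dport, payload=b""):
    """Ethernet + IPv4 + TCP(SYN)/UDP frame; checksums stay 0, filters ignore them."""
    l4_len = 20 if proto == PROTO_TCP else 8
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + l4_len + len(payload), 0, 0, 64,
                         proto, 0, ipaddress.IPv4Address(src).packed,
                         ipaddress.IPv4Address(dst).packed)
    if proto == PROTO_TCP:
        l4_hdr = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x02, 8192, 0, 0)
    else:
        l4_hdr = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0)
    return b"\x00" * 12 + struct.pack("!H", ETHERTYPE_IP) + ip_hdr + l4_hdr + payload


def arp_frame():
    """Broadcast ARP frame with a zeroed body; enough for the Ethernet-level primitives."""
    return b"\xff" * 6 + b"\x00" * 6 + struct.pack("!H", ETHERTYPE_ARP) + b"\x00" * 28


def write_pcap(frames):
    """Classic pcap as written by tcpdump -w: 24-byte file header, 16-byte record headers."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)  # linktype 1 = Ethernet
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", 1_700_000_000 + i, 0, len(frame), len(frame)) + frame
    return out


def read_pcap(data):
    """Yield the captured bytes of each record (native little-endian pcap only)."""
    magic, = struct.unpack_from("<I", data)
    if magic != 0xA1B2C3D4:
        raise ValueError("only native little-endian microsecond pcap is handled here")
    off = 24
    while off < len(data):
        _, _, caplen, _ = struct.unpack_from("<IIII", data, off)
        off += 16
        yield data[off:off + caplen]
        off += caplen


def decode(frame):
    """Pull out the fields the cheat-sheet primitives refer to."""
    ethertype, = struct.unpack_from("!H", frame, 12)
    pkt = {"len": len(frame), "ethertype": ethertype, "proto": None}
    if ethertype != ETHERTYPE_IP:
        return pkt
    ihl = (frame[14] & 0x0F) * 4
    pkt["proto"] = frame[14 + 9]
    pkt["src"] = str(ipaddress.IPv4Address(frame[26:30]))
    pkt["dst"] = str(ipaddress.IPv4Address(frame[30:34]))
    if pkt["proto"] in (PROTO_TCP, PROTO_UDP):
        pkt["sport"], pkt["dport"] = struct.unpack_from("!HH", frame, 14 + ihl)
    return pkt


# Filter primitives from the tables above, as predicates over a decoded packet.
def host(h):        return lambda p: h in (p.get("src"), p.get("dst"))
def dst_host(h):    return lambda p: p.get("dst") == h
def port(n):        return lambda p: n in (p.get("sport"), p.get("dport"))
def ether_proto(t): return lambda p: p["ethertype"] == t
def tcp(p):         return p["proto"] == PROTO_TCP
def udp(p):         return p["proto"] == PROTO_UDP
def less(n):        return lambda p: p["len"] <= n   # pcap-filter(7): len <= n
def greater(n):     return lambda p: p["len"] >= n   # pcap-filter(7): len >= n
def and_(*fs):      return lambda p: all(f(p) for f in fs)
def or_(*fs):       return lambda p: any(f(p) for f in fs)
def not_(f):        return lambda p: not f(p)


def apply_filter(pcap_bytes, predicate):
    """The decoded packets a tcpdump run with this filter would keep."""
    return [p for p in map(decode, read_pcap(pcap_bytes)) if predicate(p)]


# Constructed sample capture; 203.0.113.10 stands in for www.clazzes.org.
SERVER, CLIENT, DNS = "203.0.113.10", "198.51.100.7", "203.0.113.53"
SAMPLE = write_pcap([
    ip_frame(CLIENT, SERVER, PROTO_TCP, 51000, 80),              # 54 bytes
    ip_frame(SERVER, CLIENT, PROTO_TCP, 80, 51000),              # 54 bytes
    ip_frame(CLIENT, SERVER, PROTO_TCP, 51001, 443),             # 54 bytes
    ip_frame(CLIENT, DNS, PROTO_UDP, 40000, 53),                 # 42 bytes
    ip_frame(CLIENT, SERVER, PROTO_TCP, 51002, 80, b"x" * 300),  # 354 bytes
    arp_frame(),                                                 # 42 bytes
])

EXPRESSIONS = {  # cheat-sheet expression -> equivalent predicate
    "host SERVER and port 80": and_(host(SERVER), port(80)),
    "dst host SERVER and port 80": and_(dst_host(SERVER), port(80)),
    "tcp and not port 80": and_(tcp, not_(port(80))),
    "udp or arp": or_(udp, ether_proto(ETHERTYPE_ARP)),
    "greater 100": greater(100),
    "less 60": less(60),
}


def match_counts():
    """Number of sample packets each expression keeps."""
    return {expr: len(apply_filter(SAMPLE, pred)) for expr, pred in EXPRESSIONS.items()}


if __name__ == "__main__":
    for expr, n in match_counts().items():
        print(n, expr)
```

Two things worth noticing: the page's example 'host ... and port 80' keeps the server's replies as well as the client's requests, while the dst host variant keeps only one direction, and less/greater are inclusive comparisons on the captured frame length, as pcap-filter(7) defines them.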
Other hints
Wireshark, and capturing with Wireshark as non-root user on Linux hosts
When run on Linux, Wireshark uses libpcap too, therefore the same capture filter expression syntax applies (Wireshark's display filters are a different language).
Running GUIs as root isn't exactly recommended, therefore on most distros members of the group wireshark may capture as non-root user, either through a set-uid or capability-bearing dumpcap or similar tricks.
Another approach is to capture packets using tcpdump -w foobar.pcap -Z myuser and to use Wireshark as pcap inspector only.
Virtualization environments
Kernel based virtualizations like chroot, OpenVZ/Virtuozzo, LXC/LXD, Docker, ... may restrict capturing to the host or the guest, depending on the exact networking configuration (venet vs. veth, bridging variants), on present or missing bind mounts, on cgroup-controlled visibility of device nodes under /dev and the like. With veth-based setups the guest's traffic is usually also visible on the host side of the veth pair or on the bridge it is attached to.
If in doubt, and if possible, test capturing from both host and guest.
Switches and bridging
This is obvious, but in case newbies are being pointed here: when trying to capture as a third party (not on either end or on a router in between), being connected to a hub used to help in the old days. In modern times hubs can mostly be found in museums, and switches are supposed not to send "foreign" packets out on switch ports that have no business with each packet.
There are 2 ways around this:
1. configure the switch to perform port mirroring (I'm talking switch ports, not IP ports).
2. "interrupt" the ethernet connection with a Linux machine set up as software bridge. If successful maybe apply for a job with the NSA or your country's sister organization.
Avoiding 'packets dropped by kernel'
Use -B to increase the capture buffer size. The size is given in KiB, i.e. -B 1024 sets the buffer to 1 MiB.
tcpdump reports the number of packets dropped by the kernel in the summary it prints on stderr when it exits, so check that line after a capture. Writing with -w instead of decoding to stdout, and a tighter filter expression, also reduce the load.
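The drop counter only shows up in the summary tcpdump prints on stderr when it exits, so here is an added example (not from the page) that parses that summary and reruns the capture from the option table with a doubled -B until the kernel reports zero drops or a cap is reached. A real run needs tcpdump and capture privileges; the simulated_run stand-in, the interface name and the 4096 KiB threshold it pretends is sufficient are assumptions so the file also runs offline.

```python
import re
import subprocess

# tcpdump's exit summary: "N packets captured", "N packets received by filter",
# "N packets dropped by kernel" (singular "packet" for N == 1).
SUMMARY_RE = re.compile(r"(\d+) packets? (captured|received by filter|dropped by kernel)")


def parse_summary(stderr_text):
    """Map the three summary lines to integers; a missing line counts as 0."""
    stats = {"captured": 0, "received by filter": 0, "dropped by kernel": 0}
    for count, key in SUMMARY_RE.findall(stderr_text):
        stats[key] = int(count)
    return stats


def tcpdump_argv(iface, outfile, expr, count, buffer_kb, user=None):
    """Command line from the option table: -i, -w, -c, -B (KiB) and optionally -Z."""
    argv = ["tcpdump", "-i", iface, "-w", outfile, "-c", str(count), "-B", str(buffer_kb)]
    if user:
        argv += ["-Z", user]
    return argv + [expr]


def capture_without_drops(iface, outfile, expr, count=10000, buffer_kb=1024,
                          max_buffer_kb=65536, user=None, run=subprocess.run):
    """Run tcpdump; while the kernel reports drops, double -B up to max_buffer_kb.

    `run` defaults to subprocess.run (needs tcpdump and capture privileges) and is
    injectable so the retry logic can be exercised without either.
    Returns the buffer size settled on and the parsed summary of the last run.
    """
    while True:
        result = run(tcpdump_argv(iface, outfile, expr, count, buffer_kb, user),
                     capture_output=True, text=True)
        stats = parse_summary(result.stderr)
        if stats["dropped by kernel"] == 0 or buffer_kb >= max_buffer_kb:
            return buffer_kb, stats
        buffer_kb = min(buffer_kb * 2, max_buffer_kb)


def simulated_run(argv, **kwargs):
    """Constructed stand-in for subprocess.run: pretends the kernel drops packets
    until -B is at least 4096 KiB. Only so this file can be run offline."""
    buffer_kb = int(argv[argv.index("-B") + 1])
    dropped = 0 if buffer_kb >= 4096 else 123
    stderr = (f"{10000 - dropped} packets captured\n"
              f"10000 packets received by filter\n"
              f"{dropped} packets dropped by kernel\n")
    return subprocess.CompletedProcess(argv, 0, stdout="", stderr=stderr)


if __name__ == "__main__":
    final_kb, stats = capture_without_drops("eth0", "webtraffic.pcap",
                                            "host www.clazzes.org and port 80",
                                            run=simulated_run)
    print(f"settled on -B {final_kb}: {stats}")
```

For a real capture drop the run= argument (and run as root, optionally with user="jdoe" so the written file is owned by that user, as the -Z row describes); doubling rather than jumping straight to the cap keeps the kernel memory footprint proportional to what the traffic actually needs.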