tcpdump

  • Capture traffic on an interface or all 

tcpdump -i eth0
tcpdump -i any

  • Capture and write to a file 

tcpdump -i eth0 -w file_name.pcapng

  • Read packets from a file, do not resolve hosts/ports

tcpdump -r file_name.pcapng -n

  • Read packets from a file, dont resolve, show as ASCII

tcpdump -r file_name.pcapng -n -A

Useful BPF Examples

  • Traffic going to or from a host 

tcpdump -r file_name.pcapng 'host 192.168.1.34'

  • Traffic coming from host

tcpdump -r file_name.pcapng 'src host 192.168.1.34'

  • Traffic where the source is not a specific host 

tcpdump -r file_name.pcapng 'not src host 192.168.1.34'

  • Only ICMP traffic from a sepecifc host 

tcpdump -r file_name.pcapng 'icmp and (src host 19.168.1.34)
PreviousResourcesNextT-Shark User Guide

Last updated