TCPDump

= Basics =

tcpdump -i eth0
 * TCPDump done with "-i any" captures on all interfaces using the Linux "cooked" pseudo-link type (LINUX_SLL, or LINUX_SLL2 on newer libpcap) instead of Ethernet, so Wireshark shows a "Linux cooked capture" header and no Ethernet headers (no destination MAC, no VLAN tags). Capture on a specific interface when link-layer detail matters.


 * On Linux, TCPDump (via libpcap) reads from an AF_PACKET socket, a tap at the link layer that sits below netfilter, so it sees packets before iptables/nftables rules run on ingress.
 * Therefore TCPDump will see incoming ping packets even though they are dropped by iptables: an INPUT rule dropping ICMP does not remove the echo requests from the capture, it only means no echo reply is ever sent.
 * TCPDump sees inbound traffic before iptables, but sees outbound traffic only after the firewall has processed it, so packets dropped by an OUTPUT rule never appear in the capture. Practical check: a packet that shows up in tcpdump but never reaches the listening application points at the local firewall, not at the network.

= Filters =

Source: [thegeekstuff.com]

 * General TCPDump command (full-size packets, verbose, written to a file for later analysis):

sudo tcpdump -s 0 -i ens160 host 10.1.1.1 -v -w /tmp/packet_capture.cap

 * Same host, SSH only:

sudo tcpdump -s 0 -i ens160 host 10.1.1.1 and port 22 -v -w /tmp/packet_capture.cap

 * Same host, excluding SSH and HTTP on any transport (keeps your own SSH session out of the capture):

sudo tcpdump -s 0 -i ens160 host 10.1.1.1 and port not 22 and port not 80 -v -w /tmp/packet_capture.cap

 * Same, but only excluding TCP on those ports, so UDP/22 and UDP/80 traffic still shows up:

sudo tcpdump -s 0 -i ens160 host 10.1.1.1 and tcp port not 22 and tcp port not 80 -v -w /tmp/packet_capture.cap

 * "port not 22" and "not port 22" are equivalent in the pcap-filter grammar. "port" matches either the source or the destination port; use "src port" / "dst port" to restrict direction. "-s 0" requests full packets; tcpdump 4.0 and later already default to that, so the flag is harmless but no longer required.

= Reading PCAPs =
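The following is an added example, not code from the original page or from tcpdump itself: a minimal pcap reader that makes the "-i any" note above concrete by parsing the same TCP SYN out of an Ethernet capture (DLT 1), a Linux cooked SLL capture (DLT 113, what "-i any" writes) and an SLL2 capture (DLT 276, newer libpcap). The link header differs in each file, which is why Wireshark shows no Ethernet headers for "-i any" captures. All packets, addresses (10.1.1.1 to 10.1.1.2) and timestamps are constructed inline; nothing is read from disk or the network.

```python
"""Added example (not from the page): parse classic pcap files written by
tcpdump -w, handling Ethernet and both Linux cooked link types so the same
IP/port fields come out regardless of which interface flag was used."""
import struct

DLT_EN10MB = 1        # Ethernet: dst MAC, src MAC, ethertype = 14 bytes
DLT_LINUX_SLL = 113   # Linux cooked v1 ("-i any"): 16 bytes, no dst MAC
DLT_LINUX_SLL2 = 276  # Linux cooked v2: 20 bytes, adds interface index
ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_VLAN = 0x8100
PROTO_TCP, PROTO_UDP = 6, 17

def _strip_link_header(linktype, frame):
    """Return (ethertype, payload) after the link-layer header for the DLT."""
    if linktype == DLT_EN10MB:
        ethertype, off = struct.unpack("!H", frame[12:14])[0], 14
        if ethertype == ETHERTYPE_VLAN:               # skip one 802.1Q tag
            ethertype, off = struct.unpack("!H", frame[16:18])[0], 18
        return ethertype, frame[off:]
    if linktype == DLT_LINUX_SLL:
        # pkttype(2) arphrd(2) addrlen(2) addr(8) protocol(2)
        return struct.unpack("!H", frame[14:16])[0], frame[16:]
    if linktype == DLT_LINUX_SLL2:
        # protocol(2) reserved(2) ifindex(4) arphrd(2) pkttype(1) addrlen(1) addr(8)
        return struct.unpack("!H", frame[0:2])[0], frame[20:]
    raise ValueError("unsupported link type %d" % linktype)

def _ipv4_fields(buf):
    """Addresses, protocol and (TCP/UDP) ports from an IPv4 packet, else None."""
    if len(buf) < 20 or buf[0] >> 4 != 4:
        return None
    ihl = (buf[0] & 0x0F) * 4
    fields = {"src": ".".join(map(str, buf[12:16])),
              "dst": ".".join(map(str, buf[16:20])),
              "proto": buf[9], "sport": None, "dport": None}
    if fields["proto"] in (PROTO_TCP, PROTO_UDP) and len(buf) >= ihl + 4:
        fields["sport"], fields["dport"] = struct.unpack("!HH", buf[ihl:ihl + 4])
    return fields

def read_pcap(data):
    """Parse a classic pcap file held in memory -> (linktype, [packet dicts])."""
    magic = struct.unpack("<I", data[:4])[0]
    if magic in (0xA1B2C3D4, 0xA1B23C4D):        # usec / nsec magic, LE writer
        endian = "<"
    elif magic in (0xD4C3B2A1, 0x4D3CB2A1):      # same two from a BE writer
        endian = ">"
    else:
        raise ValueError("not a pcap file (magic %#x)" % magic)
    linktype = struct.unpack(endian + "IHHiIII", data[:24])[6]
    packets, off = [], 24
    while off + 16 <= len(data):
        ts_sec, _ts_frac, incl_len, _orig_len = struct.unpack(endian + "IIII", data[off:off + 16])
        frame = data[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        ethertype, payload = _strip_link_header(linktype, frame)
        if ethertype == ETHERTYPE_IPV4:
            fields = _ipv4_fields(payload)
            if fields:
                fields["ts"] = ts_sec
                packets.append(fields)
    return linktype, packets

# --- constructed sample data: hypothetical hosts, not from a real capture ---
def build_ipv4_tcp(src, dst, sport, dport):
    """Bare IPv4 header + 20-byte TCP SYN; checksums left at zero on purpose."""
    addr = lambda a: bytes(int(x) for x in a.split("."))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x02, 8192, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64,
                     PROTO_TCP, 0, addr(src), addr(dst))
    return ip + tcp

def build_pcap(linktype, frames):
    """Wrap raw frames in a little-endian pcap container with the given DLT."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 262144, linktype)
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", 1700000000 + i, 0, len(f), len(f)) + f
    return out

MAC_SRC = b"\x66\x77\x88\x99\xaa\xbb"
def ethernet_frame(payload):
    return b"\x00\x11\x22\x33\x44\x55" + MAC_SRC + struct.pack("!H", ETHERTYPE_IPV4) + payload
def sll_frame(payload):   # pkttype 0 (to host), ARPHRD_ETHER 1, addrlen 6, padded addr
    return struct.pack("!HHH", 0, 1, 6) + MAC_SRC.ljust(8, b"\0") + struct.pack("!H", ETHERTYPE_IPV4) + payload
def sll2_frame(payload):  # protocol, reserved, ifindex 2, ARPHRD_ETHER, pkttype 0, addrlen 6
    return struct.pack("!HHIHBB", ETHERTYPE_IPV4, 0, 2, 1, 0, 6) + MAC_SRC.ljust(8, b"\0") + payload

def demo():
    """Same SYN (10.1.1.1:40000 -> 10.1.1.2:22) in the three capture formats."""
    syn = build_ipv4_tcp("10.1.1.1", "10.1.1.2", 40000, 22)
    return [read_pcap(build_pcap(DLT_EN10MB, [ethernet_frame(syn)])),
            read_pcap(build_pcap(DLT_LINUX_SLL, [sll_frame(syn)])),
            read_pcap(build_pcap(DLT_LINUX_SLL2, [sll2_frame(syn)]))]

if __name__ == "__main__":
    for linktype, pkts in demo():
        print("DLT %3d -> %s" % (linktype, pkts))
```

To run it against a real file, replace the constructed input with `read_pcap(open("/tmp/packet_capture.cap", "rb").read())`; the link type it reports is the same value `tcpdump -r file -L` style tooling and Wireshark show in the file properties. The reader only understands the classic pcap container, not pcapng, and only IPv4 on the three link types listed, which is enough to show why a "-i any" file carries no MAC addresses.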

= TCPDump Parameters =

Capture Filter Primitives
= Command Line Options =

-A         Print frame payload in ASCII
-c count   Exit after capturing count packets
-D         List available interfaces
-e         Print link-level headers (MAC addresses, VLAN tags)
-F file    Use file as the filter expression
-G n       Rotate the dump file every n seconds (the -w name is passed through strftime)
-i iface   Specify the capture interface
-K         Don't verify IP, TCP or UDP checksums
-L         List data link types for the interface
-n         Don't convert addresses to names (avoids DNS lookups that slow captures and leak what you are looking at)
-p         Don't put the interface into promiscuous mode
-q         Quick (quiet) output: print less protocol information
-r file    Read packets from file
-s len     Capture up to len bytes per packet (0 means the maximum, the default since tcpdump 4.0)
-S         Print absolute rather than relative TCP sequence numbers
-t         Don't print timestamps
-v[v[v]]   Print more verbose output
-w file    Write captured packets to file (raw, not printed; read back with -r)
-x         Print frame payload in hex
-X         Print frame payload in hex and ASCII
-y type    Specify the data link type

= Docker Packet Captures =

docker exec -it 428947239426349 tcpdump -N -A 'port 80' -w capture.pcap

 * This runs tcpdump inside the container, so the binary must exist in the image and the container needs CAP_NET_RAW (in Docker's default capability set) to open the packet socket.
 * capture.pcap is written to the container's filesystem: copy it out with "docker cp <container>:capture.pcap ." or write to a bind-mounted directory instead.
 * With -w nothing is printed, so -N and -A have no effect on the file; apply them when reading it back (tcpdump -r capture.pcap -N -A).

= Advanced Packet Filtering =


 * List interesting traffic from all the PCAP files:


 * References