TCPDump

= Basics =

 tcpdump -i eth0

 * Capturing with "-i any" produces packets without Ethernet headers when the capture is opened in Wireshark (the "any" pseudo-interface uses the Linux cooked link-layer encapsulation rather than Ethernet).

= Filters =

Source: [thegeekstuff.com]

 * General TCPDump commands (full-length packets on a specific interface, written to a file):

 sudo tcpdump -s 0 -i ens160 host 10.1.1.1 -v -w /tmp/packet_capture.cap
 sudo tcpdump -s 0 -i ens160 host 10.1.1.1 and port 22 -v -w /tmp/packet_capture.cap
 sudo tcpdump -s 0 -i ens160 host 10.1.1.1 and port not 22 and port not 80 -v -w /tmp/packet_capture.cap
 sudo tcpdump -s 0 -i ens160 host 10.1.1.1 and tcp port not 22 and tcp port not 80 -v -w /tmp/packet_capture.cap

= Reading PCAPs =

= TCPDump Parameters =

Capture Filter Primitives

= Command Line Options =

 -A          Print frame payload in ASCII
 -c          Exit after capturing count packets
 -D          List available interfaces
 -e          Print link-level headers
 -F          Use file as the filter expression
 -G          Rotate the dump file every n seconds
 -i          Specify the capture interface
 -K          Don't verify TCP checksums
 -L          List data link types for the interface
 -n          Don't convert addresses to names
 -p          Don't capture in promiscuous mode
 -q          Quick (quiet) output
 -r          Read packets from file
 -s          Capture up to len bytes per packet
 -S          Print absolute TCP sequence numbers
 -t          Don't print timestamps
 -v[v[v]]    Print more verbose output
 -w          Write captured packets to file
 -x          Print frame payload in hex
 -X          Print frame payload in hex and ASCII
 -y          Specify the data link type

= Advanced Packet Filtering =

 * List interesting traffic from all the PCAP files (every file whose name contains "All.pcap" under the current directory):

 for i in $(find . -type f | grep -E 'All\.pcap'); do echo "$i"; tcpdump -r "$i" '((host 1.1.1.1 or host 2.2.2.2) and host 3.3.3.3) and port 445'; echo; done
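The filter idiom used in both sections above (one host, minus a list of ports, applied across a directory of captures) as an added shell example; this is not the page's own code nor thegeekstuff.com's. It uses the "not port N" form of BPF negation, validates port numbers before they reach tcpdump, and only runs the search when tcpdump is installed. The directory, the file-name pattern and the host/port values in the usage line are assumptions to be replaced.

```shell
#!/bin/sh
# Added example, not from the original page. Builds a BPF capture filter for
# "one host, minus a list of ports" and applies it to every matching pcap file.

# build_filter HOST [PORT...]
# Prints e.g. "host 10.1.1.1 and not port 22 and not port 80".
# Ports are validated here so a typo fails early instead of producing an
# over-broad or syntactically wrong filter.
build_filter() {
    host="$1"; shift
    [ -n "$host" ] || { echo "build_filter: host required" >&2; return 1; }
    expr="host $host"
    for p in "$@"; do
        case "$p" in
            ''|*[!0-9]*) echo "build_filter: bad port '$p'" >&2; return 1 ;;
        esac
        if [ "$p" -lt 1 ] || [ "$p" -gt 65535 ]; then
            echo "build_filter: port out of range '$p'" >&2; return 1
        fi
        expr="$expr and not port $p"
    done
    printf '%s\n' "$expr"
}

# pcap_files DIR PATTERN
# Lists regular files under DIR whose name matches the shell glob PATTERN,
# sorted, one per line. Using find -name instead of grepping the path list
# keeps a file name containing a space from being split.
pcap_files() {
    find "$1" -type f -name "$2" | sort
}

# search_pcaps DIR PATTERN FILTER
# Runs tcpdump -n -r over every matching file with FILTER. Returns 2 when
# tcpdump is not installed so a wrapper can tell that apart from "no match".
search_pcaps() {
    dir="$1"; pattern="$2"; filter="$3"
    command -v tcpdump >/dev/null 2>&1 || { echo "tcpdump not found" >&2; return 2; }
    pcap_files "$dir" "$pattern" | while IFS= read -r f; do
        printf '== %s ==\n' "$f"
        tcpdump -n -r "$f" "$filter"
    done
}

# Usage (assumed directory, pattern and values):
#   search_pcaps /srv/captures '*All.pcap*' "$(build_filter 10.1.1.1 22 80)"
```

Pass -n to the read-back so tcpdump does not perform reverse DNS lookups on every address in an archived capture; besides being slow, those lookups leak the addresses under investigation to the resolver.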


 * References