On This Page
TcpDump Cheatsheet
Here is the list of most popular tcpdump that Dhound team use for production network troubleshooting or capture security events.
Tcpdump is a command line network packet sniffer for Linux-based systems. Tcpdump can be installed by default in some Linux distributions (just type in command line tcpdump), overwise, install it by the command.
apt-get install tcpdumpPS. Wireshark is one of the best network sniffers for Windows-based systems.
PPS. IP addresses specified in commands are just examples
track all UDP traffic initiated by host (useful to track DNS amplification attack)tcpdump -i any 'udp && src host 172.31.7.188' -vvnnS
track DNS traffic that comes on the hosttcpdump -i any '(udp && port 53 && dst host 172.31.7.188)' -vvnnS
track TCP SYN packages from host: host tries to make to initiate TCP connection with an external sourcetcpdump -i any '((tcp[tcpflags] == tcp-syn) && src 172.31.7.188)' -vvnnS
track TCP SYN-ACK packages to host: external resources sent acknowledge about opening TCP connectiontcpdump -i any '(tcp[13] = 18 and dst host 172.31.7.188)' -vvnnS
track traffic into Redis and write all packets into pcap file (pcap file can be opened in Wireshark then for analysis)tcpdump -i any 'dst port 6379' -vvnnS -w redis.pcap
track all UDP output traffic except DNStcpdump -i any '(udp and not dst port 53 and src host 172.31.7.188)' -vvnnS
track all traffic with particular host with writing it into pcap file (pcap file can be opened in Wireshark then for analysis)tcpdump -i any 'host 172.31.7.188' -vvnnS -w host-172-31-71-88.pcap
track all traffic on host except SSH, HTTPS, DNS, RabbitMQ, arp traffictcpdump -i eth0 'not (port 22 or 443 or 53 or 5672) and not arp' -nnvvS
Usefull tcpdump parameters:
- D – show all interfaces
- i - interface
- nn – without resolving hostname and ports
- vv - verbose output
- S - get entire package
See Also
Published on Feb 11, 2019