With the ability of a Nexus switch to run bash, the usual tcpdump commands can be run on the switch as well.

Capture Packets from Specific Interface
tcpdump -i eth0

Capture Only N Number of Packets
tcpdump -c 50 -i eth0

Print Captured Packets in ASCII
tcpdump -A -i eth0

Display Available Interfaces
tcpdump -D

Display Captured packets from a specific host
tcpdump host 1.2.3.4

Display Captured packets from a specific network
tcpdump net 1.2.3.0/24

Display Captured Packets in HEX and ASCII (including the link-layer header)
tcpdump -XX -i eth0

Capture and Save Packets in a File
tcpdump -w 0001.pcap -i eth0

Read Captured Packets File
tcpdump -r 0001.pcap

Capture Packets without resolving names (show raw IP addresses and port numbers)
tcpdump -n -i eth0

Capture only TCP or UDP Packets
tcpdump -i eth0 tcp
tcpdump -i eth0 udp

Capture Packet from Specific Port
tcpdump -i eth0 port 443
tcpdump -i eth0 src port 443
tcpdump -i eth0 dst port 443
tcpdump -i eth0 portrange 21-23

Capture Packets of a particular size (less = len <=, greater = len >=; other comparisons use the len keyword and need quoting)
tcpdump -i eth0 less 32
tcpdump -i eth0 greater 64
tcpdump -i eth0 'len <= 128'

Capture Packet from Specific protocol
tcpdump icmp

Capture Packets from source or destination IP
tcpdump -i eth0 src 10.10.10.10
tcpdump -i eth0 dst 203.45.56.65

Raw output view: no name or port resolution, absolute sequence numbers and full date/time timestamps.
tcpdump -ttttnnvvS

Combinations
tcpdump -nnvvS src 10.5.2.3 and dst port 3389
tcpdump -nvX src net 192.168.0.0/16 and dst net 10.0.0.0/8 or 172.16.0.0/16
tcpdump dst 192.168.0.2 and src net <source-network> and not icmp   (src net needs a network argument; <source-network> is a placeholder)
tcpdump -vv src mars and not dst port 22
tcpdump 'src 10.0.2.4 and (dst port 3389 or 22)'

TCP Flags
(The "tcp[13] & N != 0" form matches any packet with that flag set, whatever else is set. The "tcp[13] = N" and "tcp[tcpflags] == tcp-xxx" forms match only packets where exactly those bits are set, so "tcp[tcpflags] == tcp-rst" will not match a RST+ACK.)

Isolate TCP RST flags
tcpdump 'tcp[13] & 4!=0'
tcpdump 'tcp[tcpflags] == tcp-rst'

Isolate TCP SYN flags
tcpdump 'tcp[13] & 2!=0'
tcpdump 'tcp[tcpflags] == tcp-syn'

Isolate packets that have both the SYN and ACK flags set.
tcpdump 'tcp[13]=18'

Isolate TCP URG flags.
tcpdump 'tcp[13] & 32!=0'
tcpdump 'tcp[tcpflags] == tcp-urg'

Isolate TCP ACK flags.
tcpdump 'tcp[13] & 16!=0'
tcpdump 'tcp[tcpflags] == tcp-ack'

Isolate TCP PSH flags.
tcpdump 'tcp[13] & 8!=0'
tcpdump 'tcp[tcpflags] == tcp-psh'

Isolate TCP FIN flags.
tcpdump 'tcp[13] & 1!=0'
tcpdump 'tcp[tcpflags] == tcp-fin'

Isolate SYN and RST set
tcpdump 'tcp[13] = 6'

Find SSH Traffic
tcpdump 'tcp[(tcp[12]>>2):4] = 0x5353482D'
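To see why the byte offsets in the TCP-flag filters and the SSH filter above work, here is an added example (not part of the original cheat sheet) that builds constructed TCP segments and evaluates the same expressions, tcp[13] & mask, tcp[13] = value and tcp[(tcp[12]>>2):4], in Python:

```python
import struct

# TCP flag bit values found in header byte 13; these are the constants the
# page's tcp[13] filters use (FIN=1, SYN=2, RST=4, PSH=8, ACK=16, URG=32).
FIN, SYN, RST, PSH, ACK, URG = 1, 2, 4, 8, 16, 32
SSH_BANNER = 0x5353482D  # the bytes "SSH-" as a big-endian 32-bit integer


def build_tcp_segment(src_port, dst_port, flags, payload=b"", header_words=5):
    """Build a constructed TCP segment (header plus payload) for testing.

    header_words is the data-offset field in 32-bit words; 5 means no options,
    larger values append zero-filled option space. Checksum is left as zero.
    """
    offset_byte = header_words << 4  # high nibble of byte 12 = data offset
    header = struct.pack("!HHIIBBHHH", src_port, dst_port, 0, 0,
                         offset_byte, flags, 65535, 0, 0)
    header += b"\x00" * (4 * (header_words - 5))
    return header + payload


def flag_set(seg, mask):
    """Equivalent of 'tcp[13] & mask != 0': true if the flag is set,
    regardless of which other flags accompany it."""
    return (seg[13] & mask) != 0


def flags_exactly(seg, value):
    """Equivalent of 'tcp[13] = value' (and of 'tcp[tcpflags] == tcp-xxx'):
    true only if byte 13 equals value, i.e. no other flags are set."""
    return seg[13] == value


def payload_starts_with(seg, magic):
    """Equivalent of 'tcp[(tcp[12]>>2):4] = magic'.

    Byte 12 holds the data offset in 32-bit words in its high nibble, so
    tcp[12] >> 2 is the header length in bytes (assuming the reserved bits
    are zero), which is where the payload begins.
    """
    start = seg[12] >> 2
    chunk = seg[start:start + 4]
    if len(chunk) < 4:  # no 4-byte payload at that offset: filter cannot match
        return False
    return struct.unpack("!I", chunk)[0] == magic
```

A SYN+ACK segment carrying "SSH-2.0-..." satisfies both tcp[13] = 18 and the SSH filter, and the header-length arithmetic still finds the payload when TCP options are present.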

Find DNS Traffic
tcpdump -vvAs0 port 53

Find FTP Traffic
tcpdump -vvAs0 port ftp or ftp-data

Find NTP Traffic
tcpdump -vvAs0 port 123
