====== tcpdump ======
==== Filtering ====
tcpdump uses the pcap-filter (BPF) expression syntax for filtering. For the full syntax see
man 7 pcap-filter
==== Port include ====
tcpdump -n -tttt -i rl0 dst port 1027
Port numbers must be between 0 and 65535; tcpdump rejects anything larger (such as 221027) when it compiles the filter.
==== Host include ====
tcpdump -n -tttt -i rl0 host 192.168.10.2
==== SSH exclude ====
tcpdump -n -i rl0 'not port 22'
==== Dump full packets for Wireshark ====
tcpdump -s 65535 -w /tmp/test.pcap
==== Filter IPv6 Network ====
tcpdump -n 'net 2001:470:26:6bd::/64 and port 443'
==== Show IPsec packets ====
tcpdump -i igb0 -n -p 'udp port 500 or udp port 4500 or ip proto 50'
==== Dump for Wireshark with rotation ====
tcpdump -i lo -G $((10*60)) -s 65535 -w /tmp/test.%Y-%m-%dT%H:%M.pcap -Z root
* -i lo
* Listen on the loopback interface.
* -G $((10*60))
* Rotate the dump file every 10 minutes (600 seconds).
* -s 65535
* Capture full packets (no snaplen truncation).
* -w /tmp/test.%Y-%m-%dT%H:%M.pcap
* Save the dump to a file whose name is expanded with strftime placeholders, e.g. test.2015-08-11T12:16.pcap
* -Z root
* Run as the root user. //I had some permission problems with the default user (tcpdump)//