====== tcpdump ======

==== Filtering ====

tcpdump uses the pcap packet-filter syntax for filtering. For the full expression grammar see ''man 7 pcap-filter''. Interface names below (''rl0'', ''igb0'', ''lo'') are examples; replace them with your own interface.

==== Port include ====

<code bash>
tcpdump -n -tttt -i rl0 dst port 22
</code>

Port numbers must be in the range 0-65535; a larger value is rejected by the filter compiler.

==== Host include ====

<code bash>
tcpdump -n -tttt -i rl0 host 192.168.10.2
</code>

==== SSH exclude ====

<code bash>
tcpdump -n -i rl0 'not port 22'
</code>

==== Dump full packets for Wireshark ====

<code bash>
tcpdump -s 65535 -w /tmp/test.pcap
</code>

==== Filter IPv6 network ====

<code bash>
tcpdump -n 'net 2001:470:26:6bd::/64 and port 443'
</code>

==== Show IPsec packets ====

IKE runs on UDP 500, NAT-T on UDP 4500, and ESP is IP protocol 50:

<code bash>
tcpdump -i igb0 -n -p 'udp port 500 or udp port 4500 or ip proto 50'
</code>

==== Dump for Wireshark with rotation ====

<code bash>
tcpdump -i lo -G $((10*60)) -s 65535 -w /tmp/test.%Y-%m-%dT%H:%M.pcap -Z root
</code>

  * ''-i lo''
    * Listen on the loopback interface.
  * ''-G $((10*60))''
    * Rotate the dump file every 10 minutes (600 seconds).
  * ''-s 65535''
    * Capture the full packet instead of only the first bytes (the snaplen); a too-small snaplen leaves Wireshark with truncated packets.
  * ''-w /tmp/test.%Y-%m-%dT%H:%M.pcap''
    * Save the dump to a file; the strftime pattern gives each rotated file its own name, e.g. ''test.2015-08-11T12:16.pcap''.
  * ''-Z root''
    * Keep running as root instead of dropping privileges to the default capture user. //I had some permission problems with the default user (tcpdump)//
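To make the effect of the snaplen (''-s'') and of a filter such as ''net 2001:470:26:6bd::/64 and port 443'' concrete without needing a live interface, here is an added example (not part of this page's original commands, and not tcpdump's own code): a small Python script that writes a constructed pcap file in memory, reads it back, decodes Ethernet/IPv6/UDP/TCP headers and applies the net-and-port match. All packets, addresses and ports are constructed sample data. With a snaplen of 65535 every packet is stored whole and the filter finds the two packets that touch the /64 on port 443; with a constructed snaplen of 40 bytes every record is truncated below the header length and nothing can be decoded at all, which is exactly what a too-small ''-s'' does to a capture you later open in Wireshark.

```python
import ipaddress
import struct

# pcap file-format constants (classic libpcap format, little-endian magic).
PCAP_MAGIC = 0xA1B2C3D4
LINKTYPE_ETHERNET = 1
ETHERTYPE_IPV6 = 0x86DD
PROTO_TCP, PROTO_UDP = 6, 17


def pcap_global_header(snaplen):
    """24-byte global header; the snaplen field records what -s was set to."""
    return struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, snaplen, LINKTYPE_ETHERNET)


def pcap_record(ts_sec, ts_usec, frame, snaplen):
    """Per-packet header: caplen (bytes stored) and origlen (bytes on the wire)."""
    caplen = min(len(frame), snaplen)
    return struct.pack("<IIII", ts_sec, ts_usec, caplen, len(frame)) + frame[:caplen]


def build_frame(src, dst, next_header, sport, dport, payload):
    """Constructed Ethernet/IPv6 frame with a minimal UDP or TCP header (checksums left zero)."""
    if next_header == PROTO_UDP:
        l4 = struct.pack(">HHHH", sport, dport, 8 + len(payload), 0) + payload
    else:
        l4 = struct.pack(">HHIIHHHH", sport, dport, 0, 0, 0x5000, 0xFFFF, 0, 0) + payload
    ip6 = (struct.pack(">IHBB", 0x60000000, len(l4), next_header, 64)
           + ipaddress.IPv6Address(src).packed + ipaddress.IPv6Address(dst).packed)
    eth = bytes(6) + bytes(6) + struct.pack(">H", ETHERTYPE_IPV6)
    return eth + ip6 + l4


def read_pcap(data):
    """Parse the global header and the records; returns (snaplen, [(caplen, origlen, bytes)])."""
    magic, _, _, _, _, snaplen, linktype = struct.unpack("<IHHiIII", data[:24])
    if magic != PCAP_MAGIC or linktype != LINKTYPE_ETHERNET:
        raise ValueError("not a little-endian Ethernet pcap")
    off, records = 24, []
    while off < len(data):
        ts_sec, ts_usec, caplen, origlen = struct.unpack("<IIII", data[off:off + 16])
        off += 16
        records.append((caplen, origlen, data[off:off + caplen]))
        off += caplen
    return snaplen, records


def decode(frame):
    """Return (src, dst, next_header, sport, dport), or None if not IPv6 or truncated."""
    if len(frame) < 14 + 40 + 4:          # Ethernet + IPv6 + at least the two port fields
        return None
    if struct.unpack(">H", frame[12:14])[0] != ETHERTYPE_IPV6:
        return None
    next_header = frame[20]
    src = ipaddress.IPv6Address(frame[22:38])
    dst = ipaddress.IPv6Address(frame[38:54])
    sport, dport = struct.unpack(">HH", frame[54:58])
    return src, dst, next_header, sport, dport


def match_net_and_port(pkt, net, port):
    """Equivalent of the pcap filter 'net <net> and port <port>' for TCP/UDP over IPv6."""
    src, dst, next_header, sport, dport = pkt
    return (src in net or dst in net) and next_header in (PROTO_TCP, PROTO_UDP) and port in (sport, dport)


def demo(snaplen):
    """Write a constructed capture with the given snaplen, read it back and apply the filter."""
    net = ipaddress.IPv6Network("2001:470:26:6bd::/64")
    frames = [  # constructed sample traffic; only the first two should match
        build_frame("2001:470:26:6bd::10", "2001:db8::1", PROTO_TCP, 51000, 443, b"A" * 1400),
        build_frame("2001:db8::2", "2001:470:26:6bd::20", PROTO_UDP, 53, 443, b"B" * 40),
        build_frame("2001:db8::3", "2001:db8::4", PROTO_TCP, 40000, 443, b"C" * 10),
        build_frame("2001:470:26:6bd::10", "2001:db8::1", PROTO_TCP, 51000, 80, b"D" * 10),
    ]
    data = pcap_global_header(snaplen) + b"".join(
        pcap_record(1439295360 + i, 0, f, snaplen) for i, f in enumerate(frames))
    _, records = read_pcap(data)
    stats = {"packets": len(records), "matched": 0, "truncated": 0, "undecodable": 0}
    for caplen, origlen, frame in records:
        if caplen < origlen:
            stats["truncated"] += 1
        pkt = decode(frame)
        if pkt is None:
            stats["undecodable"] += 1
        elif match_net_and_port(pkt, net, 443):
            stats["matched"] += 1
    return stats


if __name__ == "__main__":
    print("snaplen 65535:", demo(65535))
    print("snaplen 40:   ", demo(40))
```

The ''truncated'' counter is the check worth carrying into real work: after a capture, any record whose caplen is below its origlen was cut by the snaplen, and protocol dissection past that point is guesswork.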