apps:tcpdump [2014-12-18 20:08] – external edit 127.0.0.1
apps:tcpdump [2019-04-26 10:44] – [Dump for Wireshark with rotation] root
Line 1: Line 1:
 ====== tcpdump ====== ====== tcpdump ======
  
-== Port include == +==== Filtering ====
-  # tcpdump -n -tttt -i rl0 dst port 22102+
  
-== Host include == +tcpdump uses packet filter syntax for filtering. For help see 
-  # tcpdump -n -tttt -i rl0 host 192.168.10.2+<code bash> 
 +man 7 pcap-filter 
 +</code>
  
-== SSH exclude == +==== Port include ==== 
-  # tcpdump -n -i rl0 'not port 22'+<code bash> 
 +# tcpdump -n -tttt -i rl0 dst port 221027 
 +</code>
  
 +==== Host include ====
 +<code bash>
 +# tcpdump -n -tttt -i rl0 host 192.168.10.2
 +</code>
 +
 +==== SSH exclude ====
 +<code bash>
 +# tcpdump -n -i rl0 'not port 22'
 +</code>
 +
 +==== Dump full Packages for Wireshark ====
 +<code bash>
 +# tcpdump -s 65535 -w /tmp/test.pcap
 +</code>
 +
 +==== Filter IPv6 Network ====
 +<code bash>
 +# tcpdump -n 'net 2001:470:26:6bd::/64 and port 443'
 +</code>
 +  
 +==== Show IPsec packets ====
 +<code bash>
 +# tcpdump -i igb0 -n -p 'udp port 500 or udp port 4500 or ip proto 50'
 +</code>
 +
 +==== Dump for Wireshark with rotation ====
 +<code bash>
 +# tcpdump -i lo -G $((10*60)) -s 65535 -w /tmp/test.%Y-%m-%dT%H:%M.pcap -Z root
 +</code>
 +
 +  * -i lo
 +    * Listen on loopback interface.
 +
 +  * -G <nowiki>$((10*60))</nowiki>
 +    * Rotate logs every 10 minutes.
 +
 +  * -s 65535
 +    * Capture full package.
 +
 +  * -w /tmp/test.%Y-%m-%dT%H:%M.pcap
 +    * Save dump to file. Ex. test.2015-08-11T12:16.pcap
 +
 +  * -Z root
 +    * Run as root user. //I had some permission problems with the default user (tcpdump)//
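Review bot: the "Port include" example in the new revision uses `dst port 221027`, which is outside the valid port range (0 to 65535), so the filter expression will not compile; the previous revision had `dst port 22102`, so this looks like a typo introduced by the edit and should be reverted to a value at or below 65535. In the rotation example, `-Z root` disables the privilege drop tcpdump performs by default; since the note says it was added only to work around permission problems with the default user, a better fix is to make `/tmp` (or a dedicated capture directory) writable by that unprivileged user and keep the drop, so the long-running capture does not parse untrusted packets as root.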
apps/tcpdump.txt · Last modified: 2023-09-09 15:13 by Manuel Frei