Differences

This shows you the differences between two versions of the page.

--- apps:tcpdump [2024-09-20 22:22] – Manuel Frei
+++ apps:tcpdump [2025-01-29 12:36] (current) – icmp Manuel Frei
@@ Line 31: / Line 31: @@
 ===== Filter Examples =====
-==== Port include ====
+==== Specific Port ====
 <code bash>
 tcpdump -n -tttt -i rl0 dst port 221027
 </code>
-==== Host include ====
+==== Specific Host ====
 <code bash>
 tcpdump -n -tttt -i rl0 host 192.168.10.2
 </code>
-==== SSH exclude ====
+==== Exclude SSH ====
 <code bash>
 tcpdump -n -i rl0 'not port 22'
 </code>
-==== Filter IPv6 Network ====
+==== Specific IPv6 Network ====
 <code bash>
 tcpdump -n 'net 2001:470:26:6bd::/64 and port 443'
 </code>
-==== Show IPsec packets ====
+==== IPsec packets ====
 <code bash>
 tcpdump -i igb0 -n -p 'udp port 500 or udp port 4500 or ip proto 50'
+</code>
+==== TCP SYN packets ====
+=== IPv4 ===
+<code bash>
+tcpdump -i eth0 -nn "tcp[tcpflags] == tcp-syn"
+</code>
+=== IPv6 ===
+<code bash>
+tcpdump -i eth0 -nn "ip6 and (ip6[6] == 0x06) and (ip6[53] == 0x02)"
+</code>
+=== IPv4 & IPv6 ===
+<code bash>
+tcpdump -i eth0 -nn "(tcp[tcpflags] == tcp-syn) or (ip6 and (ip6[6] == 0x06) and (ip6[53] == 0x02))"
+</code>
+==== ICMP without echo request/reply ====
+<code bash>
+tcpdump -ni eth0 'icmp[icmptype] != icmp-echo and icmp[icmptype] != icmp-echoreply' -v
 </code>
@@ Line 70: / Line 96: @@
 ==== Dump for Wireshark with rotation ====
 <code bash>
-tcpdump -i lo -G $((10*60)) -s 65535 -w /tmp/test.%Y-%m-%dT%H:%M.pcap -Z root
+tcpdump -i lo -G $((10*60)) -w /tmp/test.%Y-%m-%dT%H:%M.pcap -Z root
 </code>
@@ Line 78: / Line 104: @@
   * -G <nowiki>$((10*60))</nowiki>
     * Rotate logs every 10 minutes.
-  * -s 65535
-    * Capture full package.
   * -w /tmp/test.%Y-%m-%dT%H:%M.pcap