tcpdump
General Information
tcpdump uses packet filter syntax for filtering. For help see
man 7 pcap-filter
Filter Examples
Port include
tcpdump -n -tttt -i rl0 dst port 221027
Host include
tcpdump -n -tttt -i rl0 host 192.168.10.2
SSH exclude
tcpdump -n -i rl0 'not port 22'
Filter IPv6 Network
tcpdump -n 'net 2001:470:26:6bd::/64 and port 443'
Show IPsec packets
tcpdump -i igb0 -n -p 'udp port 500 or udp port 4500 or ip proto 50'
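The filter expressions above are plain pcap-filter strings joined with "and" / "not". As an added example (not part of the wiki page), the POSIX sh functions below compose such an expression from key/value arguments and reject port numbers outside 0..65535 before tcpdump is ever started; libpcap refuses to compile a filter with an out-of-range port, so a value like the 221027 in the Port include example would fail here too. The function names pcap_filter and valid_port are assumptions for this example.

```shell
# Added example, not code from the wiki page.
# pcap_filter [host H] [port P] [dst_port P] [not_port P] [net N] ...
# Prints the terms joined with "and"; returns 1 on an unknown key,
# a missing value, or a port outside 0..65535.

valid_port() {
    # Decimal digits only, and no larger than the 16-bit maximum.
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -le 65535 ]
}

pcap_filter() {
    filt=''
    while [ $# -ge 2 ]; do
        key=$1; val=$2; shift 2
        case "$key" in
            port)     valid_port "$val" || return 1; term="port $val" ;;
            dst_port) valid_port "$val" || return 1; term="dst port $val" ;;
            not_port) valid_port "$val" || return 1; term="not port $val" ;;
            host)     term="host $val" ;;
            net)      term="net $val" ;;
            *)        return 1 ;;
        esac
        if [ -z "$filt" ]; then filt=$term; else filt="$filt and $term"; fi
    done
    [ $# -eq 0 ] || return 1   # dangling key without a value
    printf '%s\n' "$filt"
}

# Typical use: tcpdump -n -i rl0 "$(pcap_filter host 192.168.10.2 not_port 22)"
```

Quote the result as a single argument (as in the commands on this page) so the shell does not split the expression into several tcpdump arguments.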
General Usage Examples
Dump full packets for Wireshark
tcpdump -s 65535 -w /tmp/test.pcap
Dump for Wireshark with rotation
tcpdump -i lo -G $((10*60)) -s 65535 -w /tmp/test.%Y-%m-%dT%H:%M.pcap -Z root
- -i lo: Listen on the loopback interface.
- -G $((10*60)): Rotate the dump file every 10 minutes (600 seconds).
- -s 65535: Capture full packets instead of truncating them.
- -w /tmp/test.%Y-%m-%dT%H:%M.pcap: Save the dump to a file; the strftime pattern is expanded for each rotation, e.g. test.2015-08-11T12:16.pcap.
- -Z root: Run as the root user (the default is 'tcpdump'). After attaching to the input device, tcpdump drops its root privileges and switches to the user tcpdump (or the user specified by -Z). This means that, to write dump files with -w, this user must be able to create and write files in the target directory.
apps/tcpdump.1726847101.txt.gz · Last modified: 2024-09-20 17:45 by Manuel Frei