20 Advanced Tcpdump Examples On Linux

Updated: a day ago



tcpdump is the standard command-line packet capture tool on Linux, and most of its power sits in the capture filter (pcap-filter syntax) that decides which packets are recorded at all. This tutorial shows how to isolate traffic with 20 advanced tcpdump examples: capture by time interval, multiple ports, multiple hosts, port ranges, packet size and TCP flags. Captured data is usually written with -w to a file with a .pcap extension; that file can be opened in Wireshark or read back with tcpdump -r, where the same filter syntax applies.


  • Capture the traffic based on time interval

  • Capture the traffic on multiple ports

  • Capture the traffic on multiple hosts

  • Capture the traffic for port range

  • Capture traffic from specific ip and destined for a specific port

  • Capture traffic from a host that isn’t on a specific port

  • Isolate TCP flags with examples

  • Isolate TCP RST flags.

  • Isolate TCP SYN flags.

  • Isolate packets that have both the SYN and ACK flags set.

  • Isolate TCP URG flags.

  • Isolate TCP ACK flags.

  • Isolate TCP PSH flags.

  • Isolate TCP FIN flags.


Capture the traffic based on time interval

Combine -G {sec} (rotate the dump file every N seconds) with -W {count} (exit after that many files). With -W 1, tcpdump exits after the first rotation, so this captures port 8080 on eth0 for 15 seconds and then stops:

tcpdump -G 15 -W 1 -w myfile -i eth0 'port 8080'

If you rotate into more than one file, give the -w name a strftime(3) pattern such as 'myfile-%Y%m%d-%H%M%S.pcap'; without one, each rotation overwrites the same file. An alternative that works with any tcpdump version is the coreutils timeout command. This captures for 5400 seconds (90 minutes); timeout then sends SIGTERM, which tcpdump catches to flush and close the output file cleanly:

timeout 5400 tcpdump -i eth0 'port 8080' -w myfile


Capture the traffic on multiple ports

tcpdump 'port 22 or port 53'

port matches the source or the destination port; use src port / dst port if you only want one direction. Quoting the filter is not strictly needed here, but it protects characters such as ( ) and ! from the shell in more complex expressions.

Capture the traffic on multiple hosts

tcpdump 'src 192.168.0.10 or src 192.168.0.11'

src matches the source address only; host 192.168.0.10 or host 192.168.0.11 would match packets to or from either machine. (The second address is an illustrative private address.)

Capture the traffic for port range

tcpdump 'portrange 21-23'

This matches TCP or UDP packets whose source or destination port is 21, 22 or 23 (FTP, SSH, Telnet). Prefix it with src or dst to restrict the direction, or with tcp to drop UDP.

Capture traffic based on packet size

tcpdump 'less 32'
tcpdump 'greater 64'
tcpdump 'len <= 128'

less N is shorthand for len <= N and greater N for len >= N, so both are inclusive. len is the on-the-wire length of the packet including the link-layer header (14 bytes for Ethernet), not just the IP payload.

Capture traffic from specific ip and destined for a specific port

tcpdump 'src 10.5.2.3 and dst port 3389'

This shows only packets sent by 10.5.2.3 towards port 3389 (RDP); the replies from the RDP server come back with src port 3389 and are not matched.

Capture traffic from a host that isn’t on a specific port

tcpdump -vv 'src mars and not dst port 22'

mars is resolved to an address at filter compile time, so the name must be in DNS or /etc/hosts. This captures everything sent by that host except traffic to port 22, which is handy for filtering out your own SSH session when you are capturing on the box you are logged into. -vv raises the verbosity of the decoded output.

Isolate TCP flags with examples

The TCP flags byte is at offset 13 of the TCP header (the 14th byte, counting from 0), so tcp[13] in a filter refers to it. The bit values are FIN=1, SYN=2, RST=4, PSH=8, ACK=16, URG=32, with ECE=64 and CWR=128 in the same byte, which is why the masks below are powers of two. libpcap also accepts the symbolic form tcp[tcpflags] together with the constants tcp-fin, tcp-syn, tcp-rst, tcp-push, tcp-ack, tcp-urg, tcp-ece and tcp-cwr.

tcpdump shows the same flags as letters in its output, for example Flags [S] for a SYN, [S.] for SYN/ACK, [P.] for PSH/ACK, [F.] for FIN/ACK and [R.] for RST/ACK.

The general byte-offset syntax works for any protocol header:


  • proto[x:y] : read y bytes starting at byte x of the proto header (the first byte is 0; y defaults to 1). ip[2:2] is bytes 2 and 3 of the IP header, the total length field.

  • proto[x:y] & z = 0 : none of the bits in mask z are set

  • proto[x:y] & z != 0 : at least one of the bits in mask z is set

  • proto[x:y] & z = z : all of the bits in mask z are set

  • proto[x:y] = z : the field is exactly z, with no other bits set


Two things to keep in mind. A test of the form tcp[13] & z != 0 matches packets that carry other flags as well (a SYN/ACK also has SYN set), whereas tcp[13] = 2 or tcp[tcpflags] == tcp-syn matches only packets whose flags byte is exactly SYN; the two forms are not interchangeable. And the tcp[...] offset syntax applies to IPv4 only: with IPv6 the TCP header does not sit at a fixed offset because of extension headers, and pcap-filter does not support tcp[...] there.




Isolate TCP RST flags.

tcpdump 'tcp[13] & 4 != 0'
tcpdump 'tcp[tcpflags] & tcp-rst != 0'

Both match every segment with RST set, including the common RST/ACK sent in response to a SYN on a closed port. tcp[tcpflags] == tcp-rst would match only a bare RST.

Isolate TCP SYN flags.

tcpdump 'tcp[13] & 2 != 0'
tcpdump 'tcp[tcpflags] == tcp-syn'

The first form matches both the initial SYN and the SYN/ACK reply; the second matches only the bare SYN, which is what you want when counting connection attempts or spotting a port scan.

Isolate packets that have both the SYN and ACK flags set

tcpdump 'tcp[13] = 18'
tcpdump 'tcp[tcpflags] & (tcp-syn|tcp-ack) == (tcp-syn|tcp-ack)'

18 is 2 + 16 (SYN + ACK). The first form requires the flags byte to be exactly SYN/ACK; the second also matches a SYN/ACK that carries ECE or CWR during ECN negotiation.

Isolate TCP URG flags

tcpdump 'tcp[13] & 32 != 0'
tcpdump 'tcp[tcpflags] & tcp-urg != 0'

URG is rare in normal traffic, so this filter is mostly useful for spotting odd or crafted segments.

Isolate TCP ACK flags

tcpdump 'tcp[13] & 16 != 0'
tcpdump 'tcp[tcpflags] & tcp-ack != 0'

Every segment after the initial SYN has ACK set, so this matches almost all traffic of an established connection; combine it with other terms to narrow it down.

Isolate TCP PSH flags

tcpdump 'tcp[13] & 8 != 0'
tcpdump 'tcp[tcpflags] & tcp-push != 0'

PSH is normally set on segments that carry application data, so this is a quick way to skip pure ACKs.

Isolate TCP FIN flags

tcpdump 'tcp[13] & 1 != 0'
tcpdump 'tcp[tcpflags] & tcp-fin != 0'

FIN almost always travels with ACK, so tcp[tcpflags] == tcp-fin would miss most connection teardowns; use the masked form.
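To make the difference between the masked (& ... != 0) and exact (= / ==) flag tests concrete, here is an added Python example. It is not part of the original post and not code from tcpdump or libpcap; it builds a handful of constructed TCP headers (the segment names, ports and flag combinations are made up for illustration), evaluates tcp[13] / tcp[tcpflags] comparisons against them the way BPF does, and renders the flags byte in tcpdump's [S.] notation. Only the tcp[offset] [& mask] op value form of filter is supported.

```python
import re
import struct

# Bit values of the TCP flags byte (offset 13 of the TCP header), keyed by the
# names pcap-filter accepts inside tcp[tcpflags] expressions.
TCP_FLAG_BITS = {
    "tcp-fin": 0x01, "tcp-syn": 0x02, "tcp-rst": 0x04, "tcp-push": 0x08,
    "tcp-ack": 0x10, "tcp-urg": 0x20, "tcp-ece": 0x40, "tcp-cwr": 0x80,
}

# Letters tcpdump uses for the same bits in its "Flags [S.]" output.
FLAG_LETTERS = [(0x01, "F"), (0x02, "S"), (0x04, "R"), (0x08, "P"),
                (0x10, "."), (0x20, "U"), (0x40, "E"), (0x80, "W")]


def build_tcp_header(sport, dport, flags, seq=0, ack=0, window=65535):
    """Return a minimal 20-byte TCP header (no options, checksum left 0)."""
    data_offset = 5 << 4          # header length in 32-bit words, high nibble
    return struct.pack("!HHIIBBHHH", sport, dport, seq, ack,
                       data_offset, flags, window, 0, 0)


def flags_string(flags):
    """Render a flags byte the way tcpdump prints it, e.g. 0x12 -> 'S.'."""
    return "".join(letter for bit, letter in FLAG_LETTERS if flags & bit)


# tcp[OFFSET] [& MASK] (=|==|!=) VALUE  -- the subset of pcap-filter used here.
_FILTER_RE = re.compile(
    r"^\s*tcp\[(\d+|tcpflags)\]\s*(?:&\s*([^\s=!&]+))?\s*(==|=|!=)\s*([^\s=!&]+)\s*$")


def _value(token):
    """Evaluate a number or a (tcp-syn|tcp-ack)-style set of flag names."""
    total = 0
    for name in token.strip("()").split("|"):
        total |= TCP_FLAG_BITS[name] if name in TCP_FLAG_BITS else int(name, 0)
    return total


def match_filter(expr, tcp_header):
    """Apply one tcp[...] comparison to a raw TCP header, as BPF would."""
    m = _FILTER_RE.match(expr)
    if not m:
        raise ValueError("unsupported filter: %r" % expr)
    offset, mask, op, rhs = m.groups()
    byte = tcp_header[13 if offset == "tcpflags" else int(offset)]
    lhs = byte & _value(mask) if mask else byte
    return lhs == _value(rhs) if op in ("=", "==") else lhs != _value(rhs)


# Constructed sample segments (not captured traffic): one per handshake /
# teardown state, so the difference between the filter forms is visible.
SAMPLE_SEGMENTS = {
    "syn":     build_tcp_header(40000, 443, 0x02),
    "syn-ack": build_tcp_header(443, 40000, 0x12),
    "ack":     build_tcp_header(40000, 443, 0x10),
    "psh-ack": build_tcp_header(40000, 443, 0x18),
    "fin-ack": build_tcp_header(40000, 443, 0x11),
    "rst-ack": build_tcp_header(443, 40000, 0x14),
    "rst":     build_tcp_header(443, 40000, 0x04),
}


def matching_segments(expr, segments=SAMPLE_SEGMENTS):
    """Names of the sample segments the filter expression would capture."""
    return sorted(name for name, hdr in segments.items() if match_filter(expr, hdr))


if __name__ == "__main__":
    for name, hdr in SAMPLE_SEGMENTS.items():
        print("%-8s flags byte 0x%02x  tcpdump shows [%s]"
              % (name, hdr[13], flags_string(hdr[13])))
    for expr in ("tcp[13] & 2 != 0", "tcp[tcpflags] == tcp-syn",
                 "tcp[13] = 18", "tcp[13] & 4 != 0", "tcp[tcpflags] == tcp-rst"):
        print("%-28s -> %s" % (expr, ", ".join(matching_segments(expr))))
```

Running it lists which constructed segments each expression selects: the masked SYN test picks up both syn and syn-ack, the exact form only syn, and tcp[tcpflags] == tcp-rst drops the rst-ack segment that the masked form keeps. When you are unsure what a real filter compiles to, tcpdump -d 'expr' prints the BPF instructions without capturing anything.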
