20 Advanced Tcpdump Examples in Linux

Table of Contents

Tcpdump command is very powerful to capture network packets with different tcpdump filters on Linux.

This tutorial will show us how to isolate traffic with 20 advanced tcpdump examples—source IP, multiple interfaces, tcpdump all interfaces, multiple protocols, UDP, multiple ports, multiple hosts, tcp flags, port, port range.

Captured data with different tcpdump options are generally written into a file with pcap extension. Pcap files can be read and parsed with popular GUI based network tool Wireshark.

Capture the traffic based on time interval

combine -G {sec} (rotate dump files every x seconds) and -W {count} (limit # of dump files)

tcpdump -G 15 -W 1 -w myfile -i eth0 ‘port 8080’

timeout 5400 tcpdump -i eth0 ‘port 8080’ -w myfile

Capture the traffic on all interfaces

tcpdump -i any

Capture the traffic for multiple protocols

tcpdump -i interface ssh or dhcp

Capture the traffic for UDP

tcpdump -i interface UDP

Capture the traffic on multiple ports

tcpdump -i interface port 22 or port 53

Capture the traffic on multiple hosts

$ tcpdump -i interface src or src

Capture the traffic for port range

tcpdump portrange 21-23

Capture traffic based on packet size

  • tcpdump less 32
  • tcpdump greater 64
  • tcpdump <=128

Capture traffic from source IP and destined for a specific port

tcpdump -i interface src and dst port 3389

Capture traffic from a host that isn’t on a specific port

tcpdump -i interface -vv src mars and not dst port 22

Capture TCP flags with examples

Tcp flag is at offset 13 in the TCP header. So we can use tcp[13] to filter TCP flags.

In tcpdump‘s flag field output, we can see these flags. Most of the time, it doesn’t work if we capture packets with only one TCP flag.

For example, for PSH packets, we need to capture PSH ACK two flags. Please check this post for more details about how to filter tcp packets with tcp flags.

  • proto[x:y] : will start filtering from byte x for y bytes. ip[2:2] would filter bytes 3 and 4 (first byte begins by 0)
  • proto[x:y] & z = 0 : will match bits set to 0 when applying mask z to proto[x:y]
  • proto[x:y] & z !=0 : some bits are set when applying mask z to proto[x:y]
  • proto[x:y] & z = z : every bits are set to z when applying mask z to proto[x:y]
  • proto[x:y] = z : p[x:y] has exactly the bits set to z

Understanding TCP Flags SYN ACK RST FIN URG PSH

Isolate TCP RST flags

  • tcpdump ‘tcp[13] & 4!=0’
  • tcpdump ‘tcp[tcpflags] == tcp-rst’

Isolate TCP SYN flags

  • tcpdump ‘tcp[13] & 2!=0’
  • tcpdump ‘tcp[tcpflags] == tcp-syn’

Isolate packets that have both the SYN and ACK flags set

  • tcpdump ‘tcp[13]=18’

Isolate TCP URG flags

  • tcpdump ‘tcp[13] & 32!=0’
  • tcpdump ‘tcp[tcpflags] == tcp-urg’

Isolate TCP ACK flags

tcpdump ‘tcp[13] & 16!=0’
tcpdump ‘tcp[tcpflags] == tcp-ack’

Isolate TCP PSH flags

tcpdump ‘tcp[13] & 8!=0’
tcpdump ‘tcp[tcpflags] == tcp-push’

Understanding PSH ACK TCP Flags

Isolate TCP FIN flags

tcpdump ‘tcp[13] & 1!=0’
tcpdump ‘tcp[tcpflags] == tcp-fin’

Related Post: