Tcpdump is a powerful command-line packet analyzer. It allows us to display TCP/IP and other packets being transmitted or received over a network. We collect 30 tcpdump filters to help you learn tcpdump quickly.
Table of Contents
30 tcpdump examples to filter packets
| Switch | Syntax | Description |
|---|---|---|
| -i any | tcpdump -i any | Capture from all interfaces |
| -i eth0 | tcpdump -i eth0 | Capture from specific interface ( Ex Eth0) |
| -c | tcpdump -i eth0 -c 10 | Capture first 10 packets and exit |
| -D | tcpdump -D | Show available interfaces |
| -A | tcpdump -i eth0 -A | Print in ASCII |
| -w | tcpdump -i eth0 -w tcpdump.txt | To save capture to a file |
| -r | tcpdump -r tcpdump.txt | Read and analyze saved capture file |
| -n | tcpdump -n -I eth0 | Do not resolve host names |
| -nn | tcpdump -n -i eth0 | Stop Domain name translation and lookups (Host names or port names ) |
| tcp | tcpdump -i eth0 -c 10 -w tcpdump.pcap tcp | Capture TCP packets only |
| port | tcpdump -i eth0 port 80 | Capture traffic from a defined port only |
| host | tcpdump host 192.168.1.100 | Capture packets from specific host |
| net | tcpdump net 10.1.1.0/16 | Capture files from network subnet |
| src | tcpdump src 10.1.1.100 | Capture from a specific source address |
| dst | tcpdump dst 10.1.1.100 | Capture from a specific destination address |
| <service> | tcpdump http | Filter traffic based on a port number for a service |
| <port> | tcpdump port 80 | Filter traffic based on a service |
| port range | tcpdump portrange 21-125 | Filter based on port range |
| -S | tcpdump -S http | Display entire packet |
| ipv6 | tcpdunp -IPV6 | Show only IPV6 packets |
How to filter MAC addresses using tcpdump?
Use the host option on the tcpdump command to limit output to a specific MAC address: tcpdump ether host aa:bb:cc:11:22:33
How to filter tcpdump on a specific port ?
Use the port option on the tcpdump command to specify a port: tcpdump ether port 80
How to read tcpdump output?
There is a read option on tcpdump, which is represented by the switch -r as in: tcpdump -r file_path_and_name
How to capture packets with tcp flag filter?
| Flag | Description |
|---|---|
| URG | Urgent pointer field is significant |
| ACK | Acknowledgment field is significant |
| PSH | Push function |
| RST | Reset the connection |
| SYN | Synchronize sequence numbers |
| FIN | No more data from sender |
| Flag | Bit Value |
|---|---|
| URG | 32 |
| ACK | 16 |
| PSH | 8 |
| RST | 4 |
| SYN | 2 |
| FIN | 1 |
| Flag Combination | Value |
|---|---|
| FIN, ACK | 17 (1 + 16) |
| SYN, ACK | 18 (2 + 16) |
| PSH, ACK | 24 (8 + 16) |
| FIN, PSH | 9 (1 + 8) |
| FIN, PSH, ACK | 25 (1 + 8 + 16) |
We can use the following ways to capture packets with syn TCP flag. Syn flag is 00000010 in tcp header. That is 2 in decimal.
tcpdump -i utun1 tcp[tcpflags] == ‘tcp-syn’
tcpdump -i utun1 tcp[13] == 2
We can use the following way to capture syn-ack packets. This is 10010 in binary and 18 in decimal.
tcpdump -i utun1 ‘tcp[13] == 18’
For psh-ack packets, we can use this way. This is 11000 in binary and 24 in decimal.
tcpdump -i utun1 ‘tcp[13] == 24’
Related post: