
tcpdump


Source: https://gitlab.com/dpremy/dot-misc/-/blob/master/cheatsheets/tcpdump_cheatsheet.md

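# tcpdump cheat sheet: one example per line, filters are pcap-filter expressions.
# Capturing needs root or CAP_NET_RAW; -n/-nn avoid DNS lookups that would leak
# the addresses being captured to a resolver.

# list all nics
tcpdump -D

# full date+time timestamps (-tttt; a single -t suppresses them), no name or
# port conversions (-nn), verbose (-vv), on interface eth1
tcpdump -tttt -nn -vv -i eth1

# print each packet in ASCII (shows payloads, so output may contain secrets)
tcpdump -A

# write pcap (treat the file as sensitive: it holds full packet contents)
tcpdump -w <filename>.pcap

# read pcap
tcpdump -r <filename>.pcap

# all traffic to/from either host
tcpdump host 192.168.0.1 or host 192.168.0.2

# all traffic to/from a network (use 'src net' / 'dst net' for one direction)
tcpdump net 10.1.1.0/24

# all traffic except to/from a net or a host
tcpdump not net 192.168.1 and not host 192.168.0.254

# a port range or a single port, no name or port conversions.
# Options go BEFORE the filter expression: everything after the first
# non-option word is parsed as part of the expression on BSD/macOS.
tcpdump -nn portrange 7700-7750 or port 7800

# wait for 2000 packets, then list the top 20 source IPs (DOS/DDOS triage).
# -t drops the timestamp so the source address is field $2 ("IP src > dst");
# without it $2 is the literal "IP". The cut on '.' assumes IPv4 output.
tcpdump -tnn -c 2000 | awk '{print $2}' | cut -d. -f1-4 | sort -n | uniq -c | sort -rn | head -n 20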