
Master tcpdump: Essential Commands for Network Troubleshooting and Security

Learn practical tcpdump examples to boost network troubleshooting and security testing, covering common parameters, ASCII output, protocol and IP filtering, file writing, buffering modes, combined filters, and advanced use cases like extracting HTTP headers, detecting port scans, capturing ICMP, DHCP, SNMP, and more.

MaGe Linux Operations

Fundamentals

Common Parameters

The following command shows typical parameters used with tcpdump:

$ sudo tcpdump -i eth0 -nn -s0 -v port 80

-i : Interface to capture on (e.g., Ethernet, wireless, or VLAN).

-nn : Do not resolve hostnames or port names.

-s0 : Capture the full packet (no size limit).

-v : Increase verbosity; -vv provides even more detail.

port 80 : Filter traffic on port 80.

Display ASCII Text

The -A option includes ASCII strings in the output, making it easy to pipe to grep for further analysis. The -X option shows both hex and ASCII.

$ sudo tcpdump -A -s0 port 80

Protocol‑Based Capture

Filter by protocol, e.g., UDP:

$ sudo tcpdump -i eth0 udp
$ sudo tcpdump -i eth0 proto 17

TCP is protocol 6.

IP‑Based Capture

Use host to capture traffic where the address is either the source or the destination:

$ sudo tcpdump -i eth0 host 10.10.1.1

Or capture only one direction with src or dst:

$ sudo tcpdump -i eth0 src 10.10.1.20
$ sudo tcpdump -i eth0 dst 10.10.1.20

Write Capture to File

Save packets to a file for later analysis with tools like Wireshark:

$ sudo tcpdump -i eth0 -s0 -w test.pcap

Line‑Buffering Mode

Use -l for line buffering or -C for packet‑size buffering, allowing immediate piping to other commands:

$ sudo tcpdump -i eth0 -s0 -l port 80 | grep 'Server:'

Combined Filters

Logical operators can combine filters:

and (or &&)
or (or ||)
not (or !)

Usage Examples

Extract HTTP User‑Agent

$ sudo tcpdump -nn -A -s1500 -l | grep "User-Agent:"

Capture Only HTTP GET and POST Packets

$ sudo tcpdump -s 0 -A -vv 'tcp[((tcp[12:1] & 0xf0) >> 2):4] = 0x47455420'
$ sudo tcpdump -s 0 -A -vv 'tcp[((tcp[12:1] & 0xf0) >> 2):4] = 0x504f5354'

Extract HTTP Request URLs

$ sudo tcpdump -s 0 -v -n -l | egrep -i "POST /|GET /|Host:"

Extract HTTP Passwords from POST Requests

$ sudo tcpdump -s 0 -A -n -l | egrep -i -B5 "pass=|pwd=|log=|login=|user=|username=|pw=|passw=|passwd=|password=|pass:|user:|username:|password:|login:|pass |user "

Capture Cookies

$ sudo tcpdump -nn -A -s0 -l | egrep -i 'Set-Cookie|Host:|Cookie:'

Capture All ICMP Packets

$ sudo tcpdump -n icmp

Filter Non‑Echo ICMP Packets

$ sudo tcpdump 'icmp[icmptype] != icmp-echo and icmp[icmptype] != icmp-echoreply'

Capture SMTP/POP3/IMAP/FTP Plain‑Text Passwords

$ sudo tcpdump port http or port ftp or port smtp or port imap or port pop3 or port telnet -l -A | egrep -i -B5 'pass=|pwd=|log=|login=|user=|username=|pw=|passw=|passwd=|password=|pass |user '

DHCP Monitoring

$ sudo tcpdump -v -n port 67 or 68

Capture NTP Queries and Responses

$ sudo tcpdump dst port 123

Capture SNMP Queries and Responses

$ sudo tcpdump -n -s0 port 161 and udp

Capture FTP Credentials and Commands

$ sudo tcpdump -nn -v port ftp or ftp-data

Rotate Capture Files

Use -W, -G, and -C to automatically create new files of fixed size or time interval:

$ tcpdump -w /tmp/capture-%H.pcap -G 3600 -C 200

Capture IPv6 Traffic

$ tcpdump -nn ip6 proto 6
$ tcpdump -nr ipv6-test.pcap ip6 proto 17

Detect Port Scans

$ tcpdump -nn
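The bare command above only shows the raw stream; the "many ports from one source" pattern still has to be spotted in it. As an added example that is not part of the original page, the following sh function applies that check to the text `tcpdump -nn` prints, on constructed sample lines. The function name, the threshold of 5 and the sample addresses are assumptions.

```shell
#!/bin/sh
# Added example: flag sources that send SYNs to many distinct ports, using
# the text that `tcpdump -nn` prints. Reads tcpdump lines on stdin; prints
# "src_ip distinct_dst_ports" for every source at or above the threshold.
flag_scanners() {  # flag_scanners THRESHOLD  < tcpdump_output
  awk -v thr="$1" '
    # Only pure SYNs ("Flags [S],"); SYN-ACK replies print as "Flags [S.]".
    /Flags \[S\],/ {
      src = $3; sub(/\.[0-9]+$/, "", src)        # strip the source port
      dst = $5; sub(/:$/, "", dst)
      n = split(dst, p, "."); port = p[n]        # last dotted field is the port
      if (!((src, port) in seen)) { seen[src, port] = 1; ports[src]++ }
    }
    END { for (s in ports) if (ports[s] >= thr) print s, ports[s] }
  ' | sort
}

# Constructed sample of `tcpdump -nn` output (not a real capture):
# 10.10.1.20 probes six ports, 10.10.1.30 only retries port 22.
SAMPLE='12:00:01.000001 IP 10.10.1.20.40000 > 10.10.1.1.22: Flags [S], seq 1, win 1024, length 0
12:00:01.000002 IP 10.10.1.20.40001 > 10.10.1.1.80: Flags [S], seq 1, win 1024, length 0
12:00:01.000003 IP 10.10.1.20.40002 > 10.10.1.1.443: Flags [S], seq 1, win 1024, length 0
12:00:01.000004 IP 10.10.1.20.40003 > 10.10.1.1.3306: Flags [S], seq 1, win 1024, length 0
12:00:01.000005 IP 10.10.1.20.40004 > 10.10.1.1.8080: Flags [S], seq 1, win 1024, length 0
12:00:01.000006 IP 10.10.1.20.40005 > 10.10.1.1.445: Flags [S], seq 1, win 1024, length 0
12:00:01.000007 IP 10.10.1.1.22 > 10.10.1.20.40000: Flags [S.], seq 2, ack 2, win 65535, length 0
12:00:02.000001 IP 10.10.1.30.50000 > 10.10.1.1.22: Flags [S], seq 1, win 65535, length 0
12:00:02.000002 IP 10.10.1.30.50000 > 10.10.1.1.22: Flags [S], seq 1, win 65535, length 0'

# On a live box: sudo tcpdump -nn -l 'tcp[tcpflags] & tcp-syn != 0' | flag_scanners 5
printf '%s\n' "$SAMPLE" | flag_scanners 5
```

Retries to the same port count once, so a host reconnecting to one service is not flagged.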

Filter Nmap NSE Script Tests

$ nmap -p 80 --script=http-enum.nse targetip
$ tcpdump -nn port 80 | grep "GET /"

Capture Non‑Localhost Session Start/End Packets

$ tcpdump 'tcp[tcpflags] & (tcp-syn|tcp-fin) != 0 and not src and dst net localnet'

Capture DNS Requests and Responses

$ sudo tcpdump -i wlp58s0 -s0 port 53

Capture HTTP Traffic on Port 80

$ tcpdump 'tcp port 80 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)'
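The GET/POST filters earlier on this page and the non-empty-payload filter just above both index raw header bytes. The following sh example is added here and is not from the original page: it evaluates the same arithmetic on a constructed IPv4/TCP packet given as a hex string, so the offsets can be checked without root or a live interface. The function names and the two packet hex strings are constructed for illustration.

```shell
#!/bin/sh
# Added example: evaluate the byte-offset arithmetic behind
#   tcp[((tcp[12:1] & 0xf0) >> 2):4] = 0x47455420        (payload starts "GET ")
#   (ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2) != 0  (non-empty payload)
# on a packet given as a hex string. BPF's tcp[] is relative to the TCP
# header, so this evaluator adds the IP header length itself.

hexbyte() {  # hexbyte HEX OFFSET -> decimal value of the byte at OFFSET
  _h=$(printf '%s' "$1" | cut -c "$(( $2 * 2 + 1 ))-$(( $2 * 2 + 2 ))")
  echo $(( 0x$_h ))
}
ip_hdr_len()   { echo $(( ($(hexbyte "$1" 0) & 0x0f) << 2 )); }              # (ip[0]&0xf)<<2
ip_total_len() { echo $(( $(hexbyte "$1" 2) * 256 + $(hexbyte "$1" 3) )); }  # ip[2:2]
tcp_data_off() {                                                             # (tcp[12]&0xf0)>>2
  _ihl=$(ip_hdr_len "$1")
  echo $(( ($(hexbyte "$1" $(( _ihl + 12 ))) & 0xf0) >> 2 ))
}
tcp_payload_len() {  # the value the "!= 0" filter tests
  echo $(( $(ip_total_len "$1") - $(ip_hdr_len "$1") - $(tcp_data_off "$1") ))
}
tcp_payload_head() {  # first 4 payload bytes as 0x........, like the filter constant
  _start=$(( $(ip_hdr_len "$1") + $(tcp_data_off "$1") ))
  printf '0x%s\n' "$(printf '%s' "$1" | cut -c "$(( _start * 2 + 1 ))-$(( _start * 2 + 8 ))")"
}
http_method() {  # GET, POST or other, using the same constants as the page's filters
  case "$(tcp_payload_head "$1")" in
    0x47455420) echo GET ;;
    0x504f5354) echo POST ;;
    *)          echo other ;;
  esac
}

# Constructed packets (not captured traffic): 20-byte IPv4 header + 20-byte TCP header,
# one carrying "GET / HTTP/1.1\r\n", the other a bare ACK with no payload.
GET_PKT='4500003800010000400600000a0a01140a0a0101c000005000000001000000015018ffff00000000474554202f20485454502f312e310d0a'
ACK_PKT='4500002800010000400600000a0a01140a0a0101c000005000000001000000015010ffff00000000'

echo "GET_PKT: method=$(http_method "$GET_PKT") payload_len=$(tcp_payload_len "$GET_PKT")"
echo "ACK_PKT: method=$(http_method "$ACK_PKT") payload_len=$(tcp_payload_len "$ACK_PKT")"
```

The bare ACK evaluates to a payload length of 0, which is exactly what the "!= 0" filter drops so that only HTTP data segments are shown.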

Live Capture to Wireshark via SSH

$ ssh root@remotesystem 'tcpdump -s0 -c 1000 -nn -w - not port 22' | wireshark -k -i -

Rank Hosts by Packet Count

$ sudo tcpdump -nnn -t -c 200 | cut -f 1,2,3,4 -d '.' | sort | uniq -c | sort -nr | head -n 20

Capture All Plain‑Text Passwords

$ sudo tcpdump port http or port ftp or port smtp or port imap or port pop3 or port telnet -l -A | egrep -i -B5 'pass=|pwd=|log=|login=|user=|username=|pw=|passw=|passwd=|password=|pass:|user:|username:|password:|login:|pass |user '