# tcpdump cheat sheet for netadmins/sysadmins A quick-reference guide for packet capture, filtering, and network analysis using TCPDump—essential for netadmins and sysadmins troubleshooting connectivity, monitoring traffic, and diagnosing security issues. This cheat sheet covers: ✔ **Basic & advanced packet capture**\ ✔ **Filtering by host, port, protocol, and more**\ ✔ **Output customization & performance tuning**\ ✔ **Real-world use cases (HTTP, DNS, SSH, etc.)** ## **TCPDump Cheat Sheet for NetAdmins & SysAdmins** *Packet Capture, Filtering, and Analysis* *** ### **1. Basic Capture** #### **Capture on Any Interface** sh ``` tcpdump -i any ``` * `-i any`: Listen on all interfaces. #### **Capture on Specific Interface** sh ``` tcpdump -i eth0 ``` * `-i eth0`: Listen on `eth0`. #### **Save Capture to File** sh ``` tcpdump -i eth0 -w capture.pcap ``` * `-w`: Write raw packets to file (`.pcap` format). #### **Read from a PCAP File** sh ``` tcpdump -r capture.pcap ``` * `-r`: Read from a saved capture file. #### **Limit Number of Packets** sh ``` tcpdump -c 100 ``` * `-c 100`: Capture only 100 packets. *** ### **2. Filtering Traffic** #### **Filter by Host (IP)** sh ``` tcpdump host 192.168.1.100 ``` * Capture traffic **to/from** `192.168.1.100`. #### **Filter by Source/Destination IP** sh ``` tcpdump src 192.168.1.1 tcpdump dst 192.168.1.100 ``` * `src`: Only **source** IP. * `dst`: Only **destination** IP. #### **Filter by Port** sh ``` tcpdump port 80 tcpdump portrange 20-23 ``` * `port`: Single port. * `portrange`: Range of ports. #### **Filter by Protocol** sh ``` tcpdump icmp tcpdump tcp tcpdump udp tcpdump arp ``` * Capture only specific protocols. #### **Filter by Network (CIDR)** sh ``` tcpdump net 192.168.1.0/24 ``` * Capture traffic within a subnet. #### **Combine Filters (AND/OR)** sh ``` tcpdump "src 192.168.1.1 and (dst port 80 or dst port 443)" ``` * Use `and`, `or`, `not` for complex filters. *** ### **3. Advanced Filtering (BPF Syntax)** #### **Filter by TCP Flags** sh ``` tcpdump 'tcp[tcpflags] & (tcp-syn|tcp-ack) != 0' ``` * `tcp-syn`: SYN packets. * `tcp-ack`: ACK packets. * `tcp-rst`: RST packets. #### **Filter by Packet Size** sh ``` tcpdump greater 1000 tcpdump less 500 ``` * `greater`: Packets larger than X bytes. * `less`: Packets smaller than X bytes. #### **Filter by MAC Address** sh ``` tcpdump ether host 00:1A:2B:3C:4D:5E ``` * Capture traffic **to/from** a MAC address. #### **Filter VLAN Traffic** sh ``` tcpdump vlan 100 ``` * Capture traffic on VLAN 100. *** ### **4. Output & Verbosity** #### **Show IPs Instead of Hostnames** sh ``` tcpdump -n ``` * `-n`: Disable DNS resolution (faster). #### **Verbose Output** sh ``` tcpdump -v tcpdump -vv tcpdump -vvv ``` * `-v`: More details (checksum, TTL, etc.). #### **Print Packet Contents (Hex & ASCII)** sh ``` tcpdump -XX ``` * `-XX`: Full packet hex dump. #### **Show Absolute Sequence Numbers** sh ``` tcpdump -S ``` * `-S`: Displays raw TCP sequence numbers. #### **Timestamps** sh ``` tcpdump -tttt ``` * `-tttt`: Human-readable timestamps. *** ### **5. Advanced Capture & Analysis** #### **Capture Only HTTP Traffic** sh ``` tcpdump -i eth0 port 80 -A ``` * `-A`: Print ASCII (useful for HTTP headers). #### **Capture FTP Passwords (Cleartext)** sh ``` tcpdump -i eth0 port 21 -A ``` * FTP sends credentials in plaintext. #### **Capture DNS Queries** sh ``` tcpdump -i eth0 port 53 ``` * Monitor DNS requests/responses. #### **Capture ICMP (Ping/Traceroute)** sh ``` tcpdump -i eth0 icmp ``` * Useful for troubleshooting connectivity. #### **Capture Only SYN Packets (New Connections)** sh ``` tcpdump 'tcp[13] & 2 != 0' ``` * Filters TCP SYN packets (new connections). *** ### **6. Performance & Storage Optimization** #### **Limit Packet Size** sh ``` tcpdump -s 96 ``` * `-s 96`: Capture only first 96 bytes (reduces size). #### **Rotate Capture Files** sh ``` tcpdump -i eth0 -w capture_%Y-%m-%d.pcap -G 3600 ``` * `-G 3600`: Rotate file every hour. #### **Stop After X MB** sh ``` tcpdump -i eth0 -C 100 -w capture.pcap ``` * `-C 100`: Split files every 100MB. #### **Run in Background** sh ``` tcpdump -i eth0 -w capture.pcap & ``` * `&`: Run in background (use `jobs` to check). *** ### **7. Common Use Cases** | **Task** | **Command** | | -------------------------- | ---------------------------------------------------- | | **Capture HTTP traffic** | `tcpdump -i eth0 port 80 -A` | | **Capture SSH traffic** | `tcpdump -i eth0 port 22` | | **Find suspicious IPs** | `tcpdump -n "src net 192.168.1.0/24"` | | **Monitor VoIP (SIP/RTP)** | `tcpdump -i eth0 port 5060 or portrange 10000-20000` | | **Detect ARP Spoofing** | `tcpdump -i eth0 arp` | *** ### **8. Quick Reference Table** | **Option** | **Description** | | -------------- | --------------------- | | `-i eth0` | Listen on `eth0` | | `-w file.pcap` | Save to file | | `-r file.pcap` | Read from file | | `-c 100` | Capture 100 packets | | `-n` | Disable DNS lookup | | `-v` | Verbose output | | `-XX` | Hex + ASCII dump | | `src/dst` | Filter by source/dest | | `port 80` | Filter by port | | `icmp/tcp/udp` | Filter by protocol | *** **Pro Tips:**\ ✔ Use `-n` for faster captures (avoids DNS lookups).\ ✔ Combine with `grep` for deeper analysis: sh ``` tcpdump -i eth0 -A | grep "GET /" ``` ✔ Always **verify permissions** before capturing (`sudo` often required). **For More:** * `man tcpdump` * [BPF Filter Syntax](https://www.tcpdump.org/manpages/pcap-filter.7.html) *** ### tcpdump’s offensive use cases with command examples **1. Sniffing Plaintext Credentials** **Purpose**: Capture unencrypted usernames, passwords, or session tokens. **Commands & Techniques** * **HTTP Basic Auth**: sh ``` tcpdump -i eth0 'port 80 and tcp[((tcp[12:1] & 0xf0) >> 2):4] = 0x41555448' -A ``` * Filters HTTP traffic for `AUTH` strings (Base64 credentials). * **FTP/Telnet Credentials**: sh ``` tcpdump -i eth0 'port 21 or port 23' -A -l | grep -i 'user\|pass' ``` * Captures FTP/Telnet login attempts in plaintext. *** **2. Reconnaissance (Network Mapping)** **Purpose**: Identify live hosts, open ports, and services. **Commands & Techniques** * **Detect ARP Requests** (Local Network): sh ``` tcpdump -i eth0 'arp' -nn ``` * Lists devices on the same subnet. * **Capture ICMP (Ping Sweeps)**: sh ``` tcpdump -i eth0 'icmp[icmptype] == icmp-echo' -nn ``` * Reveals hosts responding to ping probes. *** **3. Man-in-the-Middle (MitM) Attacks** **Purpose**: Intercept/modify traffic between two parties. **Commands & Techniques** * **ARP Spoofing Traffic Capture**: sh ``` tcpdump -i eth0 'host 192.168.1.105 and not arp' -w victim.pcap ``` * Captures all traffic to/from a victim IP (after ARP poisoning). * **Session Hijacking (Cookies)**: sh ``` tcpdump -i eth0 'port 80 and (tcp[((tcp[12:1] & 0xf0) >> 2):4] = 0x434f4f4b)' -A ``` * Filters HTTP traffic for `COOK` (cookie headers). *** **4. Exploit Development Support** **Purpose**: Analyze protocols/apps for vulnerabilities. **Commands & Techniques** * **Capture Vulnerable Protocols**: sh ``` tcpdump -i eth0 'port 161 and udp' -w snmp_traffic.pcap ``` * Captures SNMP (UDP/161) traffic for protocol analysis. * **Detect Buffer Overflow Patterns**: sh ``` tcpdump -i eth0 'tcp port 9999 and greater 1000' -X ``` * Inspects large payloads sent to a custom service (e.g., for crash analysis). *** **5. Data Exfiltration Monitoring** **Purpose**: Identify data being smuggled out of a network. **Commands & Techniques** * **DNS Tunneling Detection**: sh ``` tcpdump -i eth0 'dst port 53 and length > 100' -nn ``` * Flags long DNS queries (possible tunneling). * **HTTP File Uploads**: sh ``` tcpdump -i eth0 'port 80 and tcp[((tcp[12:1] & 0xf0) >> 2):4] = 0x504f5354' -A ``` * Captures HTTP `POST` requests (file uploads). *** **Key Takeaways** * **Offensive Power**: tcpdump can be weaponized for stealthy attacks. * **Critical Mitigation**: * Encrypt all traffic (SSH/TLS/IPSec). * Use VLANs/port security to limit sniffing. * Monitor for unauthorized tcpdump processes. --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://dti-techs.gitbook.io/practical-foundations-in-cybersecurity/6.-practical-foundations-in-ethical-hacking/network-security-testing/tcpdump-cheat-sheet-for-netadmins-sysadmins.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.