tcpdump cheat sheet for vulnerability assessment and penetration testing

This tcpdump cheat sheet provides essential commands for each phase of vulnerability assessment and penetration testing, from initial reconnaissance to post-exploitation monitoring and analysis.

Installation & Setup

Installing tcpdump across different platforms and verifying the installation.

bash

# Install on Kali Linux (pre-installed)
sudo apt update && sudo apt install tcpdump

# Install on Ubuntu/Debian
sudo apt install tcpdump

# Install on CentOS/RHEL
sudo yum install tcpdump
# or
sudo dnf install tcpdump

# Install on macOS
brew install tcpdump

# Install on Windows (via WSL or WinPcap version)
# Download from: https://www.winpcap.org/

# Verify installation
tcpdump --version

# Check available interfaces
tcpdump -D

# Install additional analysis tools
sudo apt install wireshark tshark ngrep

Network Reconnaissance Phase

Capturing initial network traffic to identify targets, services, and network patterns.

bash

# Capture on specific interface
tcpdump -i eth0

# Capture all traffic on network
tcpdump -i any

# Capture and display in verbose mode
tcpdump -i eth0 -v

# Capture with IP addresses (no DNS resolution)
tcpdump -i eth0 -n

# Capture specific number of packets
tcpdump -i eth0 -c 100

# Capture and save to file for later analysis
tcpdump -i eth0 -w reconnaissance.pcap

# Capture traffic to/from specific host
tcpdump -i eth0 host 192.168.1.100

# Capture traffic on specific port
tcpdump -i eth0 port 80

# Capture traffic between two hosts
tcpdump -i eth0 host 192.168.1.100 and host 192.168.1.200

Service Discovery & Fingerprinting

Identifying running services, versions, and banner information through traffic analysis.

bash

# Capture HTTP traffic to identify web servers
tcpdump -i eth0 -A -s 0 port 80

# Capture HTTPS handshakes to identify services
tcpdump -i eth0 -s 0 -A 'tcp port 443 and (tcp[((tcp[12:1] & 0xf0) >> 2):4] = 0x47455420)'

# Capture DNS queries to map network services
tcpdump -i eth0 -n port 53

# Capture FTP traffic for service identification
tcpdump -i eth0 -A port 21

# Capture SSH connection attempts
tcpdump -i eth0 -A port 22

# Capture SMTP/POP3/IMAP traffic
tcpdump -i eth0 -A port 25 or port 110 or port 143

# Capture database traffic
tcpdump -i eth0 -A port 3306 or port 5432 or port 1433

# Capture SMB/NetBIOS traffic
tcpdump -i eth0 -A port 135 or port 139 or port 445

Vulnerability Detection Phase

Capturing traffic patterns that indicate vulnerabilities or misconfigurations.

bash

# Capture plaintext credentials (HTTP, FTP, Telnet)
tcpdump -i eth0 -A 'port 80 or port 21 or port 23' | grep -i 'pass\|pwd\|login'

# Detect SQL injection attempts
tcpdump -i eth0 -s 0 -A 'port 80' | grep -E '(union|select|insert|drop|--|1=1)'

# Capture LDAP traffic for analysis
tcpdump -i eth0 -A port 389 or port 636

# Detect directory traversal attempts
tcpdump -i eth0 -s 0 -A 'port 80' | grep -E '(\.\./|\.\.\\)'

# Capture NTP amplification attacks
tcpdump -i eth0 -n 'udp port 123 and src net 192.168.1.0/24'

# Detect DNS tunneling attempts
tcpdump -i eth0 -n 'udp port 53 and (udp[10] & 0x80 = 0)'

# Capture ICMP traffic for covert channels
tcpdump -i eth0 -n 'icmp and not icmp[0] = 8 and not icmp[0] = 0'

Exploitation & Post-Exploitation Monitoring

Capturing attack traffic, payload delivery, and post-exploitation activities.

bash

# Capture reverse shell connections
tcpdump -i eth0 -n 'tcp and (tcp[13] & 2 != 0)' and 'not port 22'

# Monitor for meterpreter traffic patterns
tcpdump -i eth0 -A 'tcp and (tcp[13] & 8 != 0)' and 'not port 80 and not port 443'

# Capture file uploads/downloads
tcpdump -i eth0 -A -s 0 'port 80 and (tcp[((tcp[12:1] & 0xf0) >> 2):4] = 0x504f5354)'

# Detect port scanning activity
tcpdump -i eth0 -n 'tcp[tcpflags] & (tcp-syn) != 0 and tcp[tcpflags] & (tcp-ack) = 0'

# Capture data exfiltration attempts
tcpdump -i eth0 -A 'port 53 or port 443 or port 8080' | head -1000

# Monitor for lateral movement (SMB, RDP, WinRM)
tcpdump -i eth0 -A 'port 445 or port 3389 or port 5985 or port 5986'

# Capture password spraying attacks
tcpdump -i eth0 -n 'port 445 and host 192.168.1.100' | grep -c 'SMB'

Protocol-Specific Analysis

Deep packet inspection for specific protocols and services.

bash

# HTTP/HTTPS traffic analysis
tcpdump -i eth0 -s 0 -A 'tcp port 80 or tcp port 8080 or tcp port 443'

# Capture full HTTP requests
tcpdump -i eth0 -s 0 -A 'tcp dst port 80 and (tcp[((tcp[12:1] & 0xf0) >> 2):4] = 0x47455420)'

# Capture full HTTP responses
tcpdump -i eth0 -s 0 -A 'tcp src port 80'

# SSH traffic analysis (headers only)
tcpdump -i eth0 -n 'tcp port 22 and (tcp[((tcp[12] & 0xf0) >> 2):4] = 0x5353482d)'

# DNS query analysis
tcpdump -i eth0 -n -s 0 'udp port 53'

# SMTP traffic with email content
tcpdump -i eth0 -A 'tcp port 25'

# VoIP/SIP traffic capture
tcpdump -i eth0 -s 0 -A 'udp port 5060 or udp portrange 10000-20000'

Advanced Filtering & Performance

Optimizing captures for specific scenarios and high-traffic environments.

bash

# Capture with buffer size optimization
tcpdump -i eth0 -B 4096 -w capture.pcap

# Capture with slice length to save space
tcpdump -i eth0 -s 96 -w headers_only.pcap

# Capture with ring buffer (multiple files)
tcpdump -i eth0 -w capture_%Y-%m-%d_%H-%M-%S.pcap -G 3600 -W 24

# BPF (Berkeley Packet Filter) advanced filters
tcpdump -i eth0 'src net 192.168.1.0/24 and not dst net 192.168.1.0/24'

# Capture only TCP SYN packets
tcpdump -i eth0 'tcp[13] & 2 != 0'

# Capture only TCP RST packets
tcpdump -i eth0 'tcp[13] & 4 != 0'

# Capture fragmented packets
tcpdump -i eth0 'ip[6] & 0x20 != 0 or ip[6] & 0x1f != 0'

# Performance-optimized capture (minimal output)
tcpdump -i eth0 -q -l -t -w optimized.pcap

Analysis & Reporting

Analyzing captured traffic and generating reports for vulnerability assessment.

bash

# Read from capture file with filters
tcpdump -r capture.pcap 'host 192.168.1.100'

# Extract HTTP requests from capture
tcpdump -r capture.pcap -A 'tcp port 80 and (tcp[((tcp[12:1] & 0xf0) >> 2):4] = 0x47455420)'

# Count packets by protocol
tcpdump -r capture.pcap -n | awk '{print $5}' | cut -d. -f1-4 | sort | uniq -c | sort -n

# Extract all DNS queries
tcpdump -r capture.pcap -n 'udp port 53' | grep -o 'A?.*' | cut -d' ' -f1

# Generate statistics report
tcpdump -r capture.pcap -q -n | head -1000 | awk '{print $3, $5}' | sort | uniq -c | sort -rn

# Convert to other formats for analysis
tshark -r capture.pcap -T fields -e frame.time -e ip.src -e ip.dst -e tcp.port

# Extract all email addresses from traffic
tcpdump -r capture.pcap -A | grep -E -o "\b[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Z|a-z]{2,}\b"

Quick Reference - Common Filters

bash

# By host/network
tcpdump host 192.168.1.100
tcpdump net 192.168.1.0/24
tcpdump src 192.168.1.100
tcpdump dst 192.168.1.200

# By port/protocol
tcpdump port 80
tcpdump portrange 1-1024
tcpdump tcp
tcpdump udp
tcpdump icmp

# By packet characteristics
tcpdump less 64        # Small packets
tcpdump greater 1024   # Large packets
tcpdump 'tcp[13] & 2 != 0'  # SYN packets
tcpdump 'tcp[13] & 16 != 0' # ACK packets

# Combined filters
tcpdump 'src 192.168.1.100 and (port 80 or port 443)'
tcpdump 'net 192.168.1.0/24 and not port 22'