The all-knowing tcpdump page with examples

I would really like this page to be a place where I and others can grab tcpdump syntax that we've forgotten over time, without having to find the exact Google query we used previously to dig up the syntax we needed.

You can run tcpdump on any interface and filter on network subnets or hosts, for example:

tcpdump -nni eth2 net 8.8.8.0/24 or net 1.1.1.0/24

Note that libpcap rejects a prefix whose host bits are non-zero (net 8.8.8.0/8 fails with "non-network bits set"); write net 8.0.0.0/8 if you really mean the whole /8.

For finding CDP packets. CDP rides in an LLC/SNAP header, so the Cisco protocol ID 0x2000 sits at byte 20 of the frame (14 bytes Ethernet + 3 LLC + 3 OUI). Note that -i must be followed directly by the interface name:

tcpdump -nn -v -i eth0 -s 1500 -c 1 'ether[20:2] == 0x2000'

LLDP (for example from a Juniper; ethertype 0x88cc) or CDP, in one filter:

tcpdump -nn -v -i eth0 -s 1500 -c 1 '(ether[12:2] = 0x88cc or ether[20:2] = 0x2000)'

For narrowing down packets coming in or going out of an interface, use -Q or -P depending on tcpdump version (older releases used -P for the direction flag, current ones use -Q):

tcpdump -nni eth0 -P out ether src 84:b8:02:f2:26:d0

Adding onto the last capture, you can also easily check TCP flags, for example to find packets with RST set. Keep the options in front of the filter expression and join the primitives with "and":

tcpdump -nni eth0 -v -P out 'ether src 84:b8:02:f2:26:d0 and tcp[tcpflags] & (tcp-rst) != 0'

The "!= 0" form matches any packet with RST set, including RST/ACK; to match packets with RST and nothing else, use 'tcp[tcpflags] == tcp-rst'.

Adding on further: packets leaving the interface from source port 443 that have PSH or ACK set and do not come from the given source MAC, written to a file, stopping after 100 packets:

tcpdump -nni eth0 -P out -v -c 100 -w testing.pcap 'src port 443 and tcp[tcpflags] & (tcp-push|tcp-ack) != 0 and not ether src 84:b8:02:f2:26:d0'

If you want packets with neither PSH nor ACK set, change "!= 0" to "== 0".

This one prints layer 2 info as well (-e shows the Ethernet header). Only packets with SYN set, and only 100 of them:

tcpdump -enni eth0 -c 100 "tcp[tcpflags] & (tcp-syn) != 0"

If you are spanning a port and want to quickly know the MAC of the switch, this prints the source MAC of the first SYN-only packet (SYN set, ACK clear). The second field of the -e output line is the source MAC:

tcpdump -enni eth0 -c 1 "tcp[tcpflags] & (tcp-syn) != 0" and "tcp[tcpflags] & (tcp-ack) == 0" | cut -d" " -f2

This gets you the upstream device's MAC in the same situation; the fourth field is the destination MAC with a trailing comma, which the second cut strips:

tcpdump -enni eth0 -c 1 "tcp[tcpflags] & (tcp-syn) != 0" and "tcp[tcpflags] & (tcp-ack) == 0" | cut -d" " -f4 | cut -d"," -f1

If you want to get a bit fancier and have the usual Linux text tools available, this looks at 20 packets and picks the most frequent source MAC instead of trusting the first packet seen. The 2>&1 folds tcpdump's stderr chatter into the pipe and the grep keeps only the packet lines; awk is used for the last field because uniq -c left-pads its count, so a fixed cut -f7 only works when the count happens to be two digits:

tcpdump -enni eth0 -Q in -c 20 "tcp[tcpflags] & (tcp-syn) != 0" and "tcp[tcpflags] & (tcp-ack) == 0" 2>&1 | grep "ethertype" | cut -d" " -f2 | sort | uniq -c | sort -rn | head -n 1 | awk '{print $2}'

Same for the upstream device's MAC:

tcpdump -enni eth0 -Q in -c 20 "tcp[tcpflags] & (tcp-syn) != 0" and "tcp[tcpflags] & (tcp-ack) == 0" 2>&1 | grep "ethertype" | cut -d" " -f4 | cut -d"," -f1 | sort | uniq -c | sort -rn | head -n 1 | awk '{print $2}'


And to steal some great examples from https://hackertarget.com/tcpdump-examples/

tcpdump -nn -A -s1500 -l | grep "User-Agent:"
tcpdump -nn -A -s1500 -l | egrep -i 'User-Agent:|Host:'


HTTP GET request and HTTP POST

tcpdump -s 0 -A -vv 'tcp[((tcp[12:1] & 0xf0) >> 2):4] = 0x47455420'
tcpdump -s 0 -A -vv 'tcp[((tcp[12:1] & 0xf0) >> 2):4] = 0x504f5354'

And an explanation of how this capture filter works:

“The hexadecimal being matched in these expressions matches the ASCII for GET and POST.

As an explanation tcp[((tcp[12:1] & 0xf0) >> 2):4] first determines the location of the bytes we are interested in (after the TCP header) and then selects the 4 bytes we wish to match against.”
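The byte-offset filters above (ether[20:2], tcp[tcpflags], and the data-offset trick for GET/POST) are easier to trust once you have seen them computed by hand. The following is an added example, written for this page and not taken from the original page or from hackertarget.com: it re-implements those pcap primitives in Python and runs them over frames constructed in the code itself, so it needs neither tcpdump nor root. All MACs, addresses, ports and payloads are made up, and it assumes Ethernet/IPv4/TCP frames without IP options (libpcap also checks that the packet really is TCP and not a fragment before evaluating tcp[...]; that check is omitted here). It also shows the edge case the page's explanation hints at: a fixed tcp[20:4] breaks as soon as the TCP header carries options, while the data-offset form keeps working, and it computes the "most common SYN source MAC" that the sort | uniq -c | sort -rn | head pipeline computes.

```python
"""Emulate tcpdump/libpcap byte-offset filters on constructed frames (added example)."""
import struct
from collections import Counter

# Flag bits, named as tcpdump's tcp-fin, tcp-syn, tcp-rst, tcp-push, tcp-ack.
TCP_FIN, TCP_SYN, TCP_RST, TCP_PUSH, TCP_ACK = 0x01, 0x02, 0x04, 0x08, 0x10
GET, POST = 0x47455420, 0x504F5354      # ASCII "GET " (note the space) and "POST"


def mac(s):
    return bytes.fromhex(s.replace(":", ""))


def build_tcp_frame(src_mac, dst_mac, sport, dport, flags, payload=b"", options=b""):
    """Constructed Ethernet/IPv4/TCP frame; checksums are left at zero on purpose."""
    assert len(options) % 4 == 0, "TCP options are padded to 32-bit words"
    data_off = 5 + len(options) // 4                # TCP header length in 32-bit words
    tcp_hdr = struct.pack("!HHIIBBHHH", sport, dport, 0, 0,
                          data_off << 4, flags, 65535, 0, 0) + options + payload
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp_hdr), 0, 0, 64, 6, 0,
                         bytes([10, 10, 1, 30]), bytes([10, 10, 1, 125]))
    return mac(dst_mac) + mac(src_mac) + b"\x08\x00" + ip_hdr + tcp_hdr


def build_cdp_frame(src_mac):
    """Constructed CDP frame: 802.3 length, LLC aa aa 03, Cisco OUI 00 00 0c, PID 0x2000."""
    body = b"\xaa\xaa\x03" + b"\x00\x00\x0c" + b"\x20\x00" + b"\x02\xb4\x00\x00"
    return mac("01:00:0c:cc:cc:cc") + mac(src_mac) + struct.pack("!H", len(body)) + body


# --- the pcap primitives ----------------------------------------------------
def ether(frame, off, size=1):
    """ether[off:size], counted from the first byte of the frame."""
    return int.from_bytes(frame[off:off + size], "big")


def tcp(frame, off, size=1):
    """tcp[off:size]: libpcap locates the TCP header at 14 + IHL*4, so the
    index is relative to the TCP header, not to the frame."""
    base = 14 + (frame[14] & 0x0F) * 4
    return int.from_bytes(frame[base + off:base + off + size], "big")


def tcpflags(frame):
    return tcp(frame, 13)                            # tcp[tcpflags] is tcp[13]


# --- the page's filters as predicates (pcap and Python both bind & tighter than !=)
def is_cdp(frame):          # 'ether[20:2] == 0x2000'
    return ether(frame, 20, 2) == 0x2000

def is_lldp(frame):         # 'ether[12:2] == 0x88cc'
    return ether(frame, 12, 2) == 0x88CC

def rst_set(frame):         # 'tcp[tcpflags] & (tcp-rst) != 0'  (RST/ACK matches too)
    return tcpflags(frame) & TCP_RST != 0

def rst_only(frame):        # 'tcp[tcpflags] == tcp-rst'
    return tcpflags(frame) == TCP_RST

def syn_no_ack(frame):      # 'tcp[tcpflags] & (tcp-syn|tcp-ack) == tcp-syn'
    return tcpflags(frame) & (TCP_SYN | TCP_ACK) == TCP_SYN

def first_payload_word(frame):
    """tcp[((tcp[12:1] & 0xf0) >> 2):4]: the data-offset nibble times 4 is the
    first byte after the TCP header, whatever options are present."""
    return tcp(frame, (tcp(frame, 12) & 0xF0) >> 2, 4)

def naive_first_word(frame):
    """What a fixed tcp[20:4] reads: correct only when there are no options."""
    return tcp(frame, 20, 4)


def src_mac(frame):
    return ":".join(f"{b:02x}" for b in frame[6:12])


def most_common_src_mac(frames):
    """The sort | uniq -c | sort -rn | head -1 pipeline: most frequent source
    MAC among SYN-only frames, or None when there are none."""
    tally = Counter(src_mac(f) for f in frames if syn_no_ack(f))
    return tally.most_common(1)[0][0] if tally else None


SWITCH_MAC, HOST_MAC = "84:b8:02:f2:26:d0", "00:11:22:33:44:55"   # constructed
TS_OPTS = b"\x01\x01\x08\x0a" + b"\x00" * 8      # NOP, NOP, TIMESTAMP: 12 option bytes

SAMPLE = [                                        # constructed sample traffic
    build_tcp_frame(SWITCH_MAC, HOST_MAC, 39224, 80, TCP_SYN),
    build_tcp_frame(SWITCH_MAC, HOST_MAC, 39225, 80, TCP_SYN),
    build_tcp_frame(HOST_MAC, SWITCH_MAC, 80, 39224, TCP_SYN | TCP_ACK),
    build_tcp_frame(HOST_MAC, SWITCH_MAC, 80, 39225, TCP_RST | TCP_ACK),
    build_tcp_frame(HOST_MAC, SWITCH_MAC, 40000, 80, TCP_SYN),
    build_tcp_frame(SWITCH_MAC, HOST_MAC, 39224, 80, TCP_PUSH | TCP_ACK,
                    payload=b"GET / HTTP/1.1\r\nHost: dev.example.com\r\n\r\n"),
    build_tcp_frame(SWITCH_MAC, HOST_MAC, 39224, 80, TCP_PUSH | TCP_ACK, options=TS_OPTS,
                    payload=b"POST /wp-login.php HTTP/1.1\r\n"),
]

if __name__ == "__main__":
    for f in SAMPLE:
        print(f"{src_mac(f)} flags=0x{tcpflags(f):02x} rst_set={rst_set(f)} "
              f"syn_only={syn_no_ack(f)} get={first_payload_word(f) == GET} "
              f"post={first_payload_word(f) == POST} naive_post={naive_first_word(f) == POST}")
    print("most common SYN source MAC:", most_common_src_mac(SAMPLE))
    print("CDP frame matched:", is_cdp(build_cdp_frame(SWITCH_MAC)))
```

Run it and compare the last sample frame: first_payload_word finds POST behind the 12 bytes of timestamp options, while naive_first_word reads the option bytes instead. That is exactly why the page's filter reads the data offset from tcp[12] rather than assuming a 20-byte header.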

tcpdump -s 0 -v -n -l | egrep -i "POST /|GET /|Host:"

tcpdump: listening on enp7s0, link-type EN10MB (Ethernet), capture size 262144 bytes
	POST /wp-login.php HTTP/1.1
	Host: dev.example.com
	GET /wp-login.php HTTP/1.1
	Host: dev.example.com
	GET /favicon.ico HTTP/1.1
	Host: dev.example.com
	GET / HTTP/1.1
	Host: dev.example.com


HTTP PASSWORDS in POST requests

tcpdump -s 0 -A -n -l | egrep -i "POST /|pwd=|passwd=|password=|Host:"

This only works for plaintext HTTP: form fields sent over TLS never appear in the capture, so on port 443 these greps return nothing.

tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on enp7s0, link-type EN10MB (Ethernet), capture size 262144 bytes
11:25:54.799014 IP 10.10.1.30.39224 > 10.10.1.125.80: Flags [P.], seq 1458768667:1458770008, ack 2440130792, win 704, options [nop,nop,TS val 461552632 ecr 208900561], length 1341: HTTP: POST /wp-login.php HTTP/1.1
.....s..POST /wp-login.php HTTP/1.1