tcpdump - Packet Capture

Packet capture and analysis with tcpdump. Essential tool for network debugging and security analysis.
Installation

# Linux
sudo apt install tcpdump

# macOS (pre-installed)
# Or update with brew
brew install tcpdump

# Verify
tcpdump --version

Basic Commands

# Capture on default interface
sudo tcpdump

# Capture on specific interface
sudo tcpdump -i eth0
sudo tcpdump -i wlan0

# List interfaces
tcpdump -D
ip link show

# Capture N packets
sudo tcpdump -c 10

# Verbose output
sudo tcpdump -v
sudo tcpdump -vv
sudo tcpdump -vvv

# Show packet contents (hex + ASCII)
sudo tcpdump -X

# Show packet contents (hex)
sudo tcpdump -xx

# Don't resolve hostnames (faster, and tcpdump itself generates no reverse-DNS lookups)
sudo tcpdump -n

# Don't resolve hostnames or port names
sudo tcpdump -nn

Filtering

By Host

# Capture traffic to/from specific host
sudo tcpdump host 192.168.1.100

# Traffic from specific host
sudo tcpdump src host 192.168.1.100

# Traffic to specific host
sudo tcpdump dst host 192.168.1.100

# Multiple hosts
sudo tcpdump host 192.168.1.100 or host 192.168.1.101

By Port

# Specific port
sudo tcpdump port 80
sudo tcpdump port 443

# Source port
sudo tcpdump src port 80

# Destination port
sudo tcpdump dst port 443

# Port range
sudo tcpdump portrange 8000-9000

# Multiple ports
sudo tcpdump port 80 or port 443

By Protocol

# TCP only
sudo tcpdump tcp

# UDP only
sudo tcpdump udp

# ICMP (ping)
sudo tcpdump icmp

# ARP
sudo tcpdump arp

# IPv6
sudo tcpdump ip6

By Network

# Specific network
sudo tcpdump net 192.168.1.0/24

# Source network
sudo tcpdump src net 192.168.1.0/24

# Destination network
sudo tcpdump dst net 10.0.0.0/8

Complex Filters

# HTTP traffic
sudo tcpdump 'tcp port 80 or tcp port 443'

# SSH traffic
sudo tcpdump 'tcp port 22'

# DNS queries
sudo tcpdump 'udp port 53'

# Traffic between two hosts
sudo tcpdump 'host 192.168.1.100 and host 192.168.1.101'

# Traffic NOT from specific host
sudo tcpdump 'not host 192.168.1.100'

# HTTP GET requests
# (tcp[12] high nibble is the TCP header length in 32-bit words; >> 2 turns it into a byte
# offset, so tcp[offset:4] is the first 4 payload bytes; 0x47455420 is ASCII "GET ")
sudo tcpdump -A 'tcp port 80 and (tcp[((tcp[12:1] & 0xf0) >> 2):4] = 0x47455420)'

# SYN packets (connection attempts)
sudo tcpdump 'tcp[tcpflags] & (tcp-syn) != 0'

# RST packets
sudo tcpdump 'tcp[tcpflags] & (tcp-rst) != 0'

Saving & Reading Captures

# Save to file
sudo tcpdump -w capture.pcap

# Save with rotation (100MB files)
sudo tcpdump -w capture.pcap -C 100

# Ring buffer of 5 files (once 5 exist, the oldest is overwritten)
sudo tcpdump -w capture.pcap -C 100 -W 5

# Read from file
tcpdump -r capture.pcap

# Read and filter
tcpdump -r capture.pcap 'port 80'

# Read and save filtered
tcpdump -r capture.pcap -w filtered.pcap 'port 80'

Practical Examples

Capture HTTP Traffic

# Capture HTTP requests and responses
sudo tcpdump -i eth0 -A 'tcp port 80'

# Save HTTP traffic
sudo tcpdump -i eth0 -w http.pcap 'tcp port 80'

# Show only packets that carry TCP payload (skips bare ACKs); -s 0 captures full packets
# (IP total length - IP header length - TCP header length != 0)
sudo tcpdump -i eth0 -A -s 0 'tcp port 80 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)'

Capture HTTPS Handshake

# Capture TLS/SSL handshake (first payload byte 0x16 = TLS record type "handshake")
sudo tcpdump -i eth0 'tcp port 443 and (tcp[((tcp[12:1] & 0xf0) >> 2)] = 0x16)'

Capture DNS Queries

# All DNS traffic
sudo tcpdump -i eth0 'udp port 53'

# DNS queries only (udp[10] is the DNS flags byte after the 8-byte UDP header; 0x80 is the QR bit)
sudo tcpdump -i eth0 'udp port 53 and udp[10] & 0x80 = 0'

# DNS responses only
sudo tcpdump -i eth0 'udp port 53 and udp[10] & 0x80 = 0x80'

Capture Ping (ICMP)

# All ICMP
sudo tcpdump -i eth0 icmp

# Ping requests
sudo tcpdump -i eth0 'icmp[icmptype] = icmp-echo'

# Ping replies
sudo tcpdump -i eth0 'icmp[icmptype] = icmp-echoreply'

Capture ARP

# ARP requests and replies
sudo tcpdump -i eth0 arp

# ARP requests only (arp[6:2] is the 2-byte opcode field: 1 = request, 2 = reply)
sudo tcpdump -i eth0 'arp[6:2] = 1'

# ARP replies only
sudo tcpdump -i eth0 'arp[6:2] = 2'

Monitor Specific Connection

# Monitor connection between two hosts
sudo tcpdump -i eth0 'host 192.168.1.100 and host 192.168.1.101'

# Monitor specific TCP connection
sudo tcpdump -i eth0 'host 192.168.1.100 and port 22'
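The byte-offset filters in Complex Filters and Practical Examples above are easier to trust once you see the arithmetic run on real bytes. This added example (not part of the original snippet) rebuilds each of those tests in Python over constructed IPv4/TCP/UDP packets, so you can check what a filter matches before pointing it at live traffic; packet contents and addresses are made up.

```python
import struct

# Constructed sample packets (IPv4 header onward, as tcpdump's ip[]/tcp[]/udp[] offsets see them)
def build_ipv4(proto, payload):
    total = 20 + len(payload)                      # ip[2:2] = total length
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, total, 0, 0, 64, proto, 0,
                       bytes([192, 168, 1, 100]), bytes([192, 168, 1, 101])) + payload

def build_tcp(sport, dport, flags, payload=b"", opts=b""):
    doff = (20 + len(opts)) // 4                   # header length in 32-bit words -> high nibble of tcp[12]
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, doff << 4, flags, 0xFFFF, 0, 0) + opts + payload

def build_udp(sport, dport, payload):
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload

# The arithmetic behind the page's filters
def ip_hlen(pkt):  return (pkt[0] & 0x0F) << 2    # (ip[0]&0xf)<<2
def tcp_hlen(tcp): return (tcp[12] & 0xF0) >> 2   # (tcp[12:1] & 0xf0) >> 2
def l4(pkt):       return pkt[ip_hlen(pkt):]      # where tcp[0] / udp[0] start

def is_http_get(pkt):
    """tcp[((tcp[12:1] & 0xf0) >> 2):4] = 0x47455420 : first 4 payload bytes are 'GET '."""
    tcp = l4(pkt); off = tcp_hlen(tcp)
    return tcp[off:off + 4] == b"GET "

def has_tcp_payload(pkt):
    """((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0 : drops bare ACKs."""
    total = struct.unpack("!H", pkt[2:4])[0]
    return total - ip_hlen(pkt) - tcp_hlen(l4(pkt)) != 0

def is_tls_handshake(pkt):
    """tcp[((tcp[12:1] & 0xf0) >> 2)] = 0x16 : TLS record type Handshake."""
    tcp = l4(pkt); off = tcp_hlen(tcp)
    return len(tcp) > off and tcp[off] == 0x16

def tcp_flag_set(pkt, mask):
    """tcp[tcpflags] & mask != 0 ; tcp-syn = 0x02, tcp-rst = 0x04."""
    return l4(pkt)[13] & mask != 0

def dns_is_query(pkt):
    """udp[10] & 0x80 = 0 : QR bit of the DNS flags, 2 bytes into the DNS header after the 8-byte UDP header."""
    return l4(pkt)[10] & 0x80 == 0

SYN = build_ipv4(6, build_tcp(51000, 80, 0x02, opts=b"\x02\x04\x05\xb4"))   # SYN with MSS option (24-byte header)
GET = build_ipv4(6, build_tcp(51000, 80, 0x18, b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n"))
ACK = build_ipv4(6, build_tcp(51000, 80, 0x10))                             # bare ACK, no payload
TLS = build_ipv4(6, build_tcp(51001, 443, 0x18, bytes.fromhex("16030100050100")))  # start of a ClientHello
DNS_Q = build_ipv4(17, build_udp(40000, 53, struct.pack("!6H", 0x1234, 0x0100, 1, 0, 0, 0)))
DNS_R = build_ipv4(17, build_udp(53, 40000, struct.pack("!6H", 0x1234, 0x8180, 1, 1, 0, 0)))
```

Note that the SYN carries a TCP option, which is exactly why the filters read the header length from tcp[12] instead of assuming a 20-byte header.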

Advanced Usage

Capture with Timestamps

# Absolute timestamps (date and time)
sudo tcpdump -tttt

# Relative timestamps (since first packet)
sudo tcpdump -ttttt

# Delta timestamps (since previous packet)
sudo tcpdump -ttt

Capture Specific Packet Size

# Packets of 1000 bytes or more (greater = length >= N)
sudo tcpdump 'greater 1000'

# Packets of 100 bytes or less (less = length <= N)
sudo tcpdump 'less 100'

Capture with Snaplen

# Capture only first 96 bytes of each packet (the old default; tcpdump 4.0+ defaults to 262144 bytes)
sudo tcpdump -s 96

# Capture full packets
sudo tcpdump -s 0

# Capture only headers (68 bytes)
sudo tcpdump -s 68

Capture to Multiple Files

# Rotate files every 100MB, keep 10 files (named capture.pcap0 ... capture.pcap9)
sudo tcpdump -i eth0 -w capture.pcap -C 100 -W 10

# Rotate files every 60 seconds (strftime format in the name gives each file a unique name)
sudo tcpdump -i eth0 -w capture-%Y%m%d-%H%M%S.pcap -G 60 -W 10

Integration with Wireshark

# Capture and pipe to Wireshark (-U flushes each packet immediately)
sudo tcpdump -i eth0 -U -w - | wireshark -k -i -

# Or save and open
sudo tcpdump -i eth0 -w capture.pcap
wireshark capture.pcap

Docker Container Capture

# Check which network the container is attached to
docker inspect <container_id> | grep NetworkMode

# Capture traffic on the default Docker bridge
sudo tcpdump -i docker0

# Capture specific container
sudo tcpdump -i docker0 'host <container_ip>'

# Enter the container's network namespace and capture on its own eth0
sudo nsenter -t $(docker inspect -f '{{.State.Pid}}' <container>) -n tcpdump -i eth0

Quick Reference

# Basic
sudo tcpdump -i eth0                    # Capture on eth0
sudo tcpdump -i eth0 -c 100             # Capture 100 packets
sudo tcpdump -i eth0 -nn                # No name resolution

# Filters
sudo tcpdump host 192.168.1.100         # Specific host
sudo tcpdump port 80                    # Specific port
sudo tcpdump tcp                        # TCP only
sudo tcpdump net 192.168.1.0/24         # Specific network

# Save/Read
sudo tcpdump -w file.pcap               # Save to file
tcpdump -r file.pcap                    # Read from file

# Display
sudo tcpdump -A                         # ASCII output
sudo tcpdump -X                         # Hex + ASCII
sudo tcpdump -v                         # Verbose