
Tcpdump Commands

tcpdump is a command-line packet capture tool that captures and decodes the traffic seen on a network interface (not only TCP/IP: ARP, ICMP and other link-layer traffic too). It uses the libpcap library for capture and accepts Berkeley Packet Filter (BPF) expressions to select which packets are captured or displayed. Opening an interface for capture needs raw-socket access, so it normally runs as root or with the capabilities described under Permissions.

Installation

Linux/Ubuntu

sudo apt update
sudo apt install tcpdump

macOS

brew install tcpdump
# or use the version Apple ships in /usr/sbin/tcpdump

Permissions

# Run without sudo: add the user to a capture group on distributions that
# create one (Debian/Ubuntu do not ship a tcpdump group by default)
sudo usermod -a -G tcpdump $USER
# or grant the binary raw-socket capabilities (path may be /usr/bin/tcpdump)
sudo setcap cap_net_raw,cap_net_admin=eip /usr/sbin/tcpdump
# Either way, anyone who can execute the binary can sniff all host traffic,
# so restrict execute permission to a trusted group
# When running as root, drop privileges after the interface is opened
sudo tcpdump -i eth0 -Z nobody -w /tmp/capture.pcap

Basic Packet Capture

Simple Captures

# Capture packets on default interface
tcpdump

# Capture on specific interface
tcpdump -i eth0

# Capture first 1000 packets
tcpdump -c 1000

# Capture with verbose output
tcpdump -v

# Very verbose output
tcpdump -vv

# Maximum verbose output
tcpdump -vvv

# Print packet payload as ASCII (useful for text protocols such as HTTP)
tcpdump -A

# Print hex and ASCII dump of each packet (link-layer header omitted)
tcpdump -X

# Print hex and ASCII including the link-layer (Ethernet) header
tcpdump -XX

Save and Read Captures

# Save capture to file
tcpdump -w capture.pcap

# Save with a small snap length (each packet truncated to 100 bytes: smaller
# file, but payload beyond the headers is lost)
tcpdump -w capture.pcap -s 100

# Read from file
tcpdump -r capture.pcap

# Display file in verbose mode
tcpdump -r capture.pcap -v

# Read with quick output (less protocol detail per line)
tcpdump -r capture.pcap -q

# tcpdump accepts only one -r (the last one wins); merge files first
# (mergecap ships with Wireshark)
mergecap -w merged.pcap file1.pcap file2.pcap
tcpdump -r merged.pcap

Filtering Packets

Interface and Protocol Filters

# Capture only IPv4 traffic
tcpdump -i eth0 ip

# Capture only IPv6 traffic
tcpdump -i eth0 ip6

# Capture TCP traffic only
tcpdump -i eth0 tcp

# Capture UDP traffic only
tcpdump -i eth0 udp

# Capture ICMP (ping) traffic
tcpdump -i eth0 icmp

# Capture DNS traffic (port 53)
tcpdump -i eth0 port 53

# Capture HTTP traffic (port 80)
tcpdump -i eth0 port 80

# Exclude certain traffic
tcpdump -i eth0 not tcp

Host and Network Filters

# Capture traffic to or from a specific host (host matches either direction)
tcpdump -i eth0 host 192.168.1.100

# Capture traffic to or from a specific subnet
tcpdump -i eth0 net 192.168.1.0/24

# Exclude specific host
tcpdump -i eth0 not host 192.168.1.1

# Capture between two hosts
tcpdump -i eth0 host 192.168.1.100 and host 8.8.8.8

# Source host only
tcpdump -i eth0 src 192.168.1.100

# Destination host only
tcpdump -i eth0 dst 8.8.8.8

# Capture from multiple hosts
tcpdump -i eth0 host 192.168.1.100 or host 192.168.1.101

Port Filters

# Capture specific port
tcpdump -i eth0 port 443

# Capture port range
tcpdump -i eth0 portrange 1000-2000

# Capture source port
tcpdump -i eth0 src port 22

# Capture destination port
tcpdump -i eth0 dst port 80

# Capture traffic on multiple ports
tcpdump -i eth0 'port 80 or port 443'

# Exclude port
tcpdump -i eth0 not port 22

# Capture higher ports only
tcpdump -i eth0 dst portrange 1024-65535

Complex Filters

# Combine multiple conditions (AND)
tcpdump -i eth0 'host 192.168.1.100 and port 80'

# Combine with OR
tcpdump -i eth0 'host 192.168.1.100 or host 192.168.1.101'

# Group conditions with parentheses
tcpdump -i eth0 '(host 192.168.1.100 or host 192.168.1.101) and port 80'

# HTTP traffic from specific subnet
tcpdump -i eth0 'net 192.168.1.0/24 and port 80'

# SSH traffic excluding specific host
tcpdump -i eth0 'port 22 and not host 192.168.1.1'

# Any of SYN, ACK, FIN, RST set
tcpdump -i eth0 'tcp[tcpflags] & (tcp-syn|tcp-ack|tcp-fin|tcp-rst) != 0'

# SYN set (matches both SYN and SYN-ACK)
tcpdump -i eth0 'tcp[tcpflags] & tcp-syn != 0'

# SYN without ACK (new connection attempts only)
tcpdump -i eth0 'tcp[tcpflags] & (tcp-syn|tcp-ack) == tcp-syn'

# TCP FIN packets (connection closing)
tcpdump -i eth0 'tcp[tcpflags] & tcp-fin != 0'

# TCP RST packets (connection reset)
tcpdump -i eth0 'tcp[tcpflags] & tcp-rst != 0'

Output Formatting

Display Options

# Don't resolve host names (faster, and no DNS lookups leaking the
# addresses you are investigating)
tcpdump -n

# Don't resolve host names, port numbers or protocol names
tcpdump -nn

# Unix epoch timestamp on each line
tcpdump -tt

# Delta since the previous line (useful for timing analysis)
tcpdump -r capture.pcap -ttt

# Full date and time on each line
tcpdump -tttt

# Line-buffered output (needed when piping into grep/awk in real time)
tcpdump -l

# Quick output: less protocol detail per line
tcpdump -q

# Nanosecond timestamp precision (requires libpcap support)
tcpdump --time-stamp-precision=nano

Packet Interpretation

# Show packet payloads (ASCII)
tcpdump -A

# Show packet payloads (HEX and ASCII)
tcpdump -XX

# Show HTTP request lines (-l line-buffers stdout so grep sees them immediately)
tcpdump -i eth0 -l -A 'tcp port 80' | grep -E '^(GET|POST|HEAD|PUT|DELETE) '

# Extract requested paths
tcpdump -i eth0 -l -nn -A 'tcp port 80' | grep -oE '^(GET|POST) [^ ]+ HTTP/1\.[01]'

# Show DNS queries: tcpdump decodes DNS itself, so -A is not needed
# (query lines look like: 12345+ A? example.com. (29))
tcpdump -i eth0 -nn -l udp port 53 | grep -E ' (A|AAAA|PTR|TXT|MX)\? '
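The "Extract URLs" entry above only grabs the request line; the host name lives in the Host header a few lines later in the -A output. The script below is an added example, not part of the original cheat sheet: it pairs each request line with the Host header that follows it and prints the full URL. The function name http_urls and the sample capture text are constructed for illustration; the parsing assumes tcpdump's default -A layout (summary line, then the packet payload as ASCII).

```bash
#!/bin/sh
# Added example, not part of the original cheat sheet: pair each HTTP request
# line in `tcpdump -A` output with the Host header that follows it and print
# the full URL. Live use:
#   tcpdump -i eth0 -nn -l -A 'tcp port 80' | http_urls
# or from a file:
#   tcpdump -r capture.pcap -nn -A 'tcp port 80' | http_urls

# Read tcpdump -A output on stdin; print "METHOD http://host/path" per request.
http_urls() {
    awk '
        { sub(/\r$/, "") }      # HTTP header lines end in CRLF; drop the CR
        # A request line at the start of a payload line. The packet summary
        # line also contains the request, but not at column 1, so it is ignored.
        /^(GET|POST|PUT|DELETE|HEAD|OPTIONS|PATCH) \/[^ ]* HTTP\/1\.[01]$/ {
            method = $1; path = $2; next
        }
        # The first Host header after a request line completes the URL.
        method != "" && /^[Hh]ost: / {
            host = $2; sub(/:80$/, "", host)    # drop the default port
            printf "%s http://%s%s\n", method, host, path
            method = ""
        }
        /^$/ { method = "" }    # blank line ends the header block
    '
}

# Constructed sample of what tcpdump -A prints for three packets (the IP
# header bytes appear as the dots tcpdump substitutes for non-printables).
SAMPLE_DUMP='12:00:00.000001 IP 10.0.0.5.51234 > 93.184.216.34.80: Flags [P.], seq 1:79, ack 1, win 502, length 78: HTTP: GET /index.html HTTP/1.1
E..v..@.@.....
GET /index.html HTTP/1.1
Host: example.com
User-Agent: curl/8.0
Accept: */*

12:00:00.000002 IP 10.0.0.5.51236 > 93.184.216.34.80: Flags [P.], seq 1:90, ack 1, win 502, length 89: HTTP: POST /api/login HTTP/1.1
E.....@.@.....
POST /api/login HTTP/1.1
Host: api.example.com:80
Content-Length: 0

12:00:00.000003 IP 93.184.216.34.80 > 10.0.0.5.51234: Flags [P.], seq 1:200, ack 79, win 501, length 199: HTTP: HTTP/1.1 200 OK
E.....@.@.....
HTTP/1.1 200 OK
Content-Type: text/html'

# Prints the two request URLs; the response packet produces nothing.
printf '%s\n' "$SAMPLE_DUMP" | http_urls
```

A request whose Host header arrives in a later TCP segment than its request line is not paired, since the blank-line rule resets the state at the end of each packet's text; for that case reassemble the stream with tshark instead.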

Advanced Packet Analysis

Statistics and Summaries

# Print only quick summary lines
tcpdump -q -r capture.pcap

# Count packets matching a filter in a file (-nn avoids DNS lookups)
tcpdump -r capture.pcap -nn 'tcp' | wc -l

# Count live packets matching a filter: write to /dev/null and read the
# "packets captured / received by filter / dropped by kernel" stats on Ctrl-C
tcpdump -i eth0 -nn 'tcp' -w /dev/null

# Rough top destinations (field 5 of a decoded IP line is "dst.port:")
tcpdump -r capture.pcap -nn | awk '{print $5}' | sort | uniq -c | sort -rn | head

Traffic Analysis

# Rough throughput: sum link-layer frame lengths (-e) over 10 seconds
timeout 10 tcpdump -i eth0 -nn -e -q 2>/dev/null | awk -F'length ' '{sub(/:.*/, "", $2); b += $2} END {print b " bytes in 10 s"}'

# Find traffic with specific MAC address
tcpdump -i eth0 ether host 00:11:22:33:44:55

# Capture by protocol type
tcpdump -i eth0 'tcp and dst port 443'

# Don't put the interface into promiscuous mode (only traffic addressed to this host)
tcpdump -i eth0 -p

# Check for capture loss: on exit tcpdump prints "N packets dropped by kernel"
# on stderr; if it is non-zero, raise the buffer with -B or tighten the filter
tcpdump -i eth0 -nn -w capture.pcap

# Monitor specific application
tcpdump -i eth0 'host 192.168.1.100 and port 3306'

# Track connection states
tcpdump -i eth0 -n 'tcp[tcpflags] & (tcp-syn|tcp-fin|tcp-rst) != 0'

Real-World Examples

# Monitor all incoming SSH connections
tcpdump -i eth0 -n 'dst port 22'

# Capture HTTPS traffic to/from host (payload is encrypted; -A only shows the
# cleartext handshake, e.g. the SNI host name)
tcpdump -i eth0 -A 'host 192.168.1.100 and port 443'

# Monitor DNS traffic (tcpdump decodes queries and answers itself)
tcpdump -i eth0 -nn 'udp port 53'

# Detect port scans: SYN without ACK is a new connection attempt; one source
# hitting many distinct destination ports is the tell-tale
tcpdump -i eth0 -nn 'tcp[tcpflags] & (tcp-syn|tcp-ack) == tcp-syn'

# Monitor FTP control channel (credentials are sent in cleartext)
tcpdump -i eth0 -A 'port 21'

# Capture SMTP traffic
tcpdump -i eth0 -A 'port 25 or port 587'

# Monitor DHCP requests
tcpdump -i eth0 'udp and (port 67 or port 68)'

# Track ARP requests
tcpdump -i eth0 'arp'

# Monitor NTP traffic
tcpdump -i eth0 'udp port 123'

# Capture HTTP headers only
tcpdump -i eth0 -A 'tcp port 80' | grep -A5 'GET\|POST\|HTTP'
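The "Detect port scans" entry above gives the filter but leaves the judgement to the eye. The script below is an added example, not part of the original cheat sheet: it turns the decoded output of that filter into a per-source count of distinct destination ports and reports sources over a threshold. The function name syn_scan_candidates and the sample lines are constructed for illustration; the parsing assumes tcpdump's default -nn line format ("IP src.port > dst.port: Flags [S], ...") and also handles IP6 lines.

```bash
#!/bin/sh
# Added example, not part of the original cheat sheet: a port-scan heuristic
# over tcpdump's decoded output. Per source address it counts how many
# distinct destination ports received a SYN with no ACK (a new connection
# attempt, not a SYN-ACK reply) and reports sources at or above a threshold.
# Live use (the BPF filter does the heavy lifting in the kernel):
#   tcpdump -i eth0 -nn -l 'tcp[tcpflags] & (tcp-syn|tcp-ack) == tcp-syn' | syn_scan_candidates 20
# or from a file:
#   tcpdump -r capture.pcap -nn 'tcp[tcpflags] & (tcp-syn|tcp-ack) == tcp-syn' | syn_scan_candidates 20

# Read tcpdump -nn lines on stdin; print "source distinct-port-count" for each
# source that hit at least $1 distinct destination ports (default 10).
syn_scan_candidates() {
    min="${1:-10}"
    awk -v min="$min" '
        # IPv4/IPv6 TCP lines whose flag field is exactly [S] (SYN, no ACK).
        ($2 == "IP" || $2 == "IP6") && $6 == "Flags" && $7 == "[S]," {
            src = $3; sub(/\.[0-9]+$/, "", src)         # strip ".port" from source
            dst = $5; sub(/:$/, "", dst)                 # strip trailing colon
            n = split(dst, f, "."); port = f[n]          # last dotted field = port
            key = src SUBSEP port
            if (!(key in seen)) { seen[key] = 1; ports[src]++ }
        }
        END {
            for (s in ports) if (ports[s] >= min) printf "%s %d\n", s, ports[s]
        }
    ' | sort -k2,2nr -k1,1
}

# Constructed sample: 10.0.0.5 probes four ports on 10.0.0.9 (3306 twice),
# 10.0.0.9 answers with a SYN-ACK, and 192.168.1.100 opens one normal connection.
SAMPLE_LINES='12:00:00.000001 IP 10.0.0.5.40001 > 10.0.0.9.22: Flags [S], seq 1, win 64240, length 0
12:00:00.000002 IP 10.0.0.5.40002 > 10.0.0.9.80: Flags [S], seq 2, win 64240, length 0
12:00:00.000003 IP 10.0.0.5.40003 > 10.0.0.9.443: Flags [S], seq 3, win 64240, length 0
12:00:00.000004 IP 10.0.0.5.40004 > 10.0.0.9.3306: Flags [S], seq 4, win 64240, length 0
12:00:00.000005 IP 10.0.0.5.40005 > 10.0.0.9.3306: Flags [S], seq 5, win 64240, length 0
12:00:00.000006 IP 10.0.0.9.22 > 10.0.0.5.40001: Flags [S.], seq 9, ack 2, win 65160, length 0
12:00:00.000007 IP 192.168.1.100.50000 > 10.0.0.9.443: Flags [S], seq 7, win 64240, length 0
12:00:00.000008 IP 192.168.1.100.50000 > 10.0.0.9.443: Flags [P.], seq 1:10, ack 1, win 501, length 9'

# With threshold 3 only the scanner is reported: "10.0.0.5 4"
printf '%s\n' "$SAMPLE_LINES" | syn_scan_candidates 3
```

Counting distinct ports rather than raw SYNs keeps retransmissions and busy legitimate clients (many SYNs to one port) from tripping the threshold; a slow scan spread over a long window still shows up because the counts accumulate until stdin closes.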

Tcpdump with Other Tools

# Pipe to tshark for analysis (-U flushes each packet to the pipe immediately)
tcpdump -i eth0 -U -w - | tshark -r -

# Save and convert to PCAPNG format
tcpdump -i eth0 -w capture.pcap
editcap -F pcapng capture.pcap capture.pcapng

# Analyze with Wireshark
tcpdump -i eth0 -w capture.pcap
wireshark capture.pcap

# Real-time search for cleartext credentials (-l keeps the pipe line-buffered)
tcpdump -i eth0 -l -A | strings | grep -i password

# Combine with grep for pattern matching
tcpdump -i eth0 -l -A 'port 80' | grep -i 'cookie\|user-agent'

Performance Considerations

# Set snap length for smaller captures (96 bytes covers IPv4 and TCP headers;
# IPv6 with TCP options needs more)
tcpdump -s 96

# Stop after a fixed number of packets
tcpdump -c 100

# Increase the kernel capture buffer (in KiB) to reduce "dropped by kernel"
tcpdump -B 10000

# Limit output to essential info
tcpdump -q -nn

# Write to file and still print decoded packets (tcpdump 4.99 and later)
tcpdump -i eth0 -w capture.pcap --print

# Run in background
nohup tcpdump -i eth0 -w capture.pcap > /dev/null 2>&1 &

# Bound disk usage: start a new file every hour (-G) and keep only 24 (-W)
tcpdump -i eth0 -w 'capture-%Y%m%d-%H%M%S.pcap' -G 3600 -W 24

# Monitor long-running capture
watch -n 5 'ls -lh capture.pcap'

Troubleshooting

# Check available interfaces
tcpdump -D

# Test filter syntax without capturing: compile it and dump the BPF program
tcpdump -d 'host 192.168.1.100 and port 80'

# Sanity-check a filter against a saved file with a small packet limit
tcpdump -r capture.pcap -nn -c 5 'port 80'

# Verify permissions: sudo rules and file capabilities on the binary
sudo -l | grep tcpdump
getcap /usr/sbin/tcpdump

# Check if tcpdump is running
pgrep -a tcpdump

Best Practices

  • Use filters to reduce noise and focus on relevant traffic
  • Set a snap length when only headers matter, to keep file sizes manageable
  • Capture to file (-w) rather than displaying for high traffic
  • Use -nn to avoid DNS and port lookups (faster, and no DNS traffic leaking the addresses you are investigating)
  • Remove sensitive data from captures before sharing; captures routinely contain cleartext credentials, cookies and session tokens
  • Archive captures with timestamps for historical analysis
  • Use -w to preserve packet data exactly as captured; decoded text output is lossy
  • Combine with other tools (grep, awk, tshark) for post-processing
  • Monitor disk space when capturing continuously, or rotate files with -G and -W
  • Use an appropriate snap length: about 96 bytes for IPv4/TCP headers only, -s 0 (the default in current versions, 262144 bytes) for full packets

Last updated: 2026-03-30