tcpdump cheat sheet

Tcpdump cheat sheet

In another post, we have explained the Tcpdump command and its various usage.  The Tcpdump cheat sheet is the quick reference for taking captures with different filters.  The examples are short and easy to understand. Each cheat sheet command has a detailed example.

Capture Tcpdump ICMP:

Icmp (Internet control message protocol ), is a very common protocol for network troubleshooting.  Icmp uses IP protocol for delivering of protocol data to the peer.  In the IP network, every device has functionalities for handling and generating ICMP events.  If someone wants to see the events on the wire then there will need to capture the desired packets.  Tcpdump command has the option where you can specify the ICMP as a filter for capture

[[email protected]]# tcpdump -i any icmp

Here we have captured on all interface on a Linux machine, you can specify only the desired interface.  Next is how we can test if Tcpdump ICMP is working? There is a message called ECHO request and answer which the ICMP provides.  From Windows (OS) cmd type the “ping ip_addres”. The IP address is the address of the Linux machine on which the Tcpdump command is running.

You will see the following on the Linux terminal.

17:43:10.794761 IP > CentOs7-181: ICMP echo request, id 1, seq 813, length 40
17:43:10.794826 IP CentOs7-181 > ICMP echo reply, id 1, seq 813, length 40
17:43:11.891571 IP > CentOs7-181: ICMP echo request, id 1, seq 814, length 40
17:43:11.891629 IP CentOs7-181 > ICMP echo reply, id 1, seq 814, length 40
17:43:12.987568 IP > CentOs7-181: ICMP echo request, id 1, seq 815, length 40
17:43:12.987624 IP CentOs7-181 > ICMP echo reply, id 1, seq 815, length 40
17:43:14.098963 IP > CentOs7-181: ICMP echo request, id 1, seq 816, length 40
17:43:14.098987 IP CentOs7-181 > ICMP echo reply, id 1, seq 816, length 40

ICMP has many messages ECHO is one of them. May be one wants to capture only the ECHO packet. This reduces the size of capture and easy to analyze packets in Wireshark from a captured file. Following is the command.

[[email protected]]# tcpdump -i any icmp[icmptype] == 8

Here 8 is the numeric value for the ECHO message type.

Tcpdump port: 

Example command captures network packets on a particular port.  Following example captures the packets on port 5060

# tcpdump port 5060

The above just captures on a single port, for multiple ports following is the command

# tcpdump port 5060 or port 5061 or port 5062

If there are multiple ports (e.g 100) then the above command is difficult to use. Especially when ports are in a range. Following is the command for capturing packets for a port range.

# tcpdump portrange 5060-5062

For destination port 

#tcpdump -iany dst port 5060

For source port 

#tcpdump -iany dst port 5060

Tcpdump IP filter:

For an IP address only. The IP can be either source or destination Ip.

#tcpdump host

For capturing on for multiple IP addresses.

#tcpdump host or

Tcpdump command for capturing from a particular source IP.

# tcpdump -iany src host 192.168.2,100

For a destination IP filter.

#tcpdump -iany dst host

Above is an example of a single IP filter. There are situations when you need to capture a range of IP addresses. Here comes the filter for the sub netmask. A subnet mask identifies the network id and reserve bits for host id.  The example for the sub netmask is, this says that 24 bits are for network id and renaming for host id.  The following example captures where the source or destination IP have network id 192.168.3,

#tcpdump -any net

For source only
#tcpdump -n src net

For destination only
#tcpdump -n dst net

Capture on the limited number of packets. For example, the number is N.

#tcpdump -c N

After N number of packets Tcpdump will stop. This is useful when you want to capture a few initial packets.

Read packets bigger than from a fixed size (N):

# tcpdump greater N

The above commands capture packets that are greater than N number of bytes in size.


Leave a Comment