Tcpdump examples

Basic Packet Capture

tcpdump -i eth0

This captures and displays packets on interface eth0. Capturing needs root privileges (or the CAP_NET_RAW capability); adding -n stops tcpdump from reverse-resolving every address, which otherwise slows output and generates DNS traffic of its own.

Capture Packets from a Specific Port

tcpdump -i eth0 port 80

This captures packets with source or destination port 80 (typically HTTP) on eth0. The port primitive matches TCP and UDP alike; use tcp port 80 to restrict it to TCP.

Capture Packets with a Specific Host as Source or Destination

tcpdump -i eth0 host 192.168.1.100

This captures packets whose source or destination address is 192.168.1.100 on eth0 (src host or dst host restricts the direction).

Capture DNS Traffic

tcpdump -i eth0 port 53

This captures DNS traffic on eth0: port 53 over both UDP and TCP, so large responses and zone transfers that fall back to TCP are included.

Capture ICMP (Ping) Packets

tcpdump -i eth0 icmp

This captures ICMP packets on eth0: ping echo requests and replies, but also destination-unreachable and time-exceeded messages, which are often more informative when troubleshooting.

Capture Traffic to or from a Specific IP and Port

tcpdump -i eth0 host 192.168.1.100 and port 22

This captures packets to or from host 192.168.1.100 on port 22 (SSH traffic) on eth0; with and, both conditions must hold for a packet to match.

Capture a Specific Number of Packets

tcpdump -i eth0 -c 50

This captures and displays the first 50 packets matching the filter (here, every packet) on eth0 and then exits.

Capture Traffic from a Specific Network

tcpdump -i eth0 net 192.168.1.0/24

This captures traffic to or from the 192.168.1.0/24 network on eth0; src net or dst net restricts it to one direction.

Capture Traffic Excluding a Specific Port

tcpdump -i eth0 not port 80

This captures all traffic on eth0 except packets with source or destination port 80 (HTTP).

Display Captured Packets in ASCII

tcpdump -i eth0 -A

This captures packets on eth0 and prints each packet's contents in ASCII, which makes plaintext protocols such as HTTP readable on the terminal; non-printable bytes appear as dots. Use -X instead to see hex and ASCII side by side.

Capture Packets with a Specific Size

tcpdump -i eth0 greater 100

This captures packets on eth0 whose length is at least 100 bytes: greater N is shorthand for len >= N (and less N for len <= N), so packets of exactly 100 bytes are included.

Capture Packets with Specific Flags (SYN, ACK, etc.)

tcpdump -i eth0 'tcp[13] & 2 != 0'

This captures TCP packets with the SYN flag set on eth0. Byte 13 of the TCP header holds the flag bits and bit value 2 is SYN, so the expression matches both bare SYNs and SYN/ACKs; use tcp[13] == 2 to see only the initial SYN of a new connection. The single quotes are required so the shell does not try to expand the square brackets.
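The byte-offset test above generalises to any combination of flags. The shell functions below are an added example, not code from the original page or from hackertarget.com: the flag names and bit values are the real TCP header layout (FIN=1, SYN=2, RST=4, PSH=8, ACK=16, URG=32, ECE=64, CWR=128), while the function names tcp_flag_bit, tcp_flag_mask and tcp_flag_filter are this example's own. They produce the three forms of the test that matter in practice: "any of these flags set" (the page's & 2 != 0, which also matches SYN/ACK), "all of these flags set" and "exactly these flags and no others" (bare SYNs only, which is what you want when counting new connection attempts or spotting a port scan).

```shell
#!/bin/sh
# Added example (not from the original page): build tcpdump filter expressions
# on byte 13 of the TCP header, the flags byte, generalising 'tcp[13] & 2 != 0'.
# Flag bit values are the real TCP header layout; the function names are this
# example's own.

# Map a flag name to its bit value in the TCP flags byte.
tcp_flag_bit() {
    case "$1" in
        FIN) echo 1 ;;
        SYN) echo 2 ;;
        RST) echo 4 ;;
        PSH) echo 8 ;;
        ACK) echo 16 ;;
        URG) echo 32 ;;
        ECE) echo 64 ;;
        CWR) echo 128 ;;
        *) echo "unknown TCP flag: $1" >&2; return 1 ;;
    esac
}

# OR together the bits of every flag name given as an argument.
tcp_flag_mask() {
    mask=0
    for f in "$@"; do
        bit=$(tcp_flag_bit "$f") || return 1
        mask=$((mask | bit))
    done
    echo "$mask"
}

# Build the BPF expression. MODE selects how the mask is tested:
#   any  - at least one listed flag is set        -> tcp[13] & M != 0
#   all  - every listed flag is set, others may be -> tcp[13] & M == M
#   only - exactly the listed flags, nothing else  -> tcp[13] == M
# Usage: tcp_flag_filter MODE FLAG [FLAG...]
tcp_flag_filter() {
    mode=$1
    shift
    mask=$(tcp_flag_mask "$@") || return 1
    case "$mode" in
        any)  echo "tcp[13] & $mask != 0" ;;
        all)  echo "tcp[13] & $mask == $mask" ;;
        only) echo "tcp[13] == $mask" ;;
        *) echo "unknown mode: $mode" >&2; return 1 ;;
    esac
}

# Example invocations (the interface and -n are the page's own conventions):
#   tcpdump -i eth0 -n "$(tcp_flag_filter only SYN)"      # new connection attempts only
#   tcpdump -i eth0 -n "$(tcp_flag_filter all SYN ACK)"   # SYN/ACK replies
#   tcpdump -i eth0 -n "$(tcp_flag_filter any RST FIN)"   # teardowns and resets
```

Quoting the expression with double quotes around the command substitution keeps the brackets away from the shell, exactly as the single quotes do in the one-liner above. Recent tcpdump versions also accept the symbolic form tcp[tcpflags] & (tcp-syn|tcp-ack) != 0, which reads better in scripts you expect others to maintain; the numeric form works on every version and on other libpcap tools.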

Capture IPv6 Traffic

tcpdump -i eth0 ip6

This captures IPv6 traffic on eth0; ip6 is the counterpart of the ip primitive, which matches only IPv4.

https://hackertarget.com/tcpdump-examples/
