1. Capture packets from a particular ethernet interface using tcpdump -i
Run without -i, tcpdump does not listen on every interface: it picks the lowest-numbered configured, non-loopback interface that is up and captures there. The -i option selects the interface explicitly. (On Linux, -i any captures on all interfaces at once, but in cooked mode, so the Ethernet headers are not preserved.) Capturing from a live interface needs root or the CAP_NET_RAW capability, so run it with sudo or grant the binary that capability.
$ tcpdump -i eth1
2. Capture only N number of packets using tcpdump -c
By default tcpdump keeps capturing until you stop it with Ctrl-C. With -c it exits after the given number of packets has been captured; packets are counted after the capture filter is applied, so only matching packets count toward the total.
$ tcpdump -c 2 -i eth0
3. Display Captured Packets in ASCII using tcpdump -A
The -A option prints each packet (minus its link-level header) as ASCII, with non-printable bytes shown as dots. This is the quickest way to eyeball cleartext protocols such as HTTP or SMTP.
$ tcpdump -A -i eth0
4. Display Captured Packets in HEX and ASCII using tcpdump -XX
Some users want to see the raw bytes. -XX prints each packet in hex and ASCII side by side, including its link-level (Ethernet) header; -X does the same but leaves the link-level header out.
$ tcpdump -XX -i eth0
5. Capture the packets and write into a file using tcpdump -w
With -w, tcpdump writes the raw packets to a file in pcap format instead of decoding them on the terminal, so the capture can be analysed later with tcpdump -r or opened in Wireshark. Nothing is printed while -w is active (add -v for a running packet count). On older tcpdump versions each packet was truncated to a small default snapshot length; add -s 0 there if you need whole packets (current versions default to 262144 bytes).
$ tcpdump -w 08232010.pcap -i eth0
6. Reading the packets from a saved file using tcpdump -r
-r reads packets from a saved pcap file instead of a live interface and runs them through the normal decoder, so all the display options (-n, -tttt, -A, -XX) and filter expressions apply to a file just as they do to a live capture. Reading a file needs no privileges, so do it as an unprivileged user, particularly for captures received from someone else: the protocol dissectors are parsing attacker-controlled input.
$ tcpdump -tttt -r data.pcap
7. Capture packets with IP address using tcpdump -n
In all the examples above tcpdump resolves IP addresses to host names with reverse DNS lookups and replaces well-known port numbers with service names. -n disables host name resolution and -nn also disables port name resolution. Besides being faster, this matters on a sensitive engagement: every lookup sends DNS queries for the addresses you are watching, which slows the capture and tells the resolver (and anyone observing it) which hosts you are interested in.
$ tcpdump -n -i eth0
8. Capture packets with proper readable timestamp using tcpdump -tttt
-tttt prints each packet's timestamp as a full date and time (for example 2010-08-23 10:00:00.000250) instead of the default time of day only, which keeps lines from a saved capture unambiguous.
$ tcpdump -n -tttt -i eth0
9. Read packets longer than N bytes
The ‘greater’ filter keeps packets whose length is greater than or equal to N bytes; despite the name the comparison is inclusive (it is shorthand for len >= N). Length here is the packet's length on the wire, not the captured length.
$ tcpdump -w g_1024.pcap greater 1024
10. Receive only the packets of a specific protocol type
You can capture based on protocol type. The protocol qualifiers in the filter language include fddi, tr, wlan, ip, ip6, arp, rarp, decnet, tcp, udp and icmp. The following example captures only ARP packets flowing through the eth0 interface.
$ tcpdump -i eth0 arp
11. Read packets lesser than N bytes
The ‘less’ filter keeps packets whose length is less than or equal to N bytes (shorthand for len <= N).
$ tcpdump -w l_1024.pcap less 1024
12. Receive packets flows on a particular port using tcpdump port
To see the traffic on a particular port, use the port primitive. Note that port 22 matches packets with 22 as either the source or the destination port, so both directions of an SSH session appear; use src port 22 or dst port 22 to keep only one direction.
$ tcpdump -i eth0 port 22
13. Capture packets for particular destination IP and Port
Every packet carries source and destination IP addresses and, for TCP and UDP, port numbers, and the filter can test each of them separately. dst 10.181.140.216 is shorthand for dst host 10.181.140.216; combined with and port 22 it keeps only the traffic going to that host on port 22 (the replies have that address as src, not dst, and are dropped).
$ tcpdump -w xpackets.pcap -i eth0 dst 10.181.140.216 and port 22
14. Capture TCP communication packets between two hosts
To capture a TCP conversation between two specific machines, combine tcp with a host term for each end: host matches the address as either source or destination, so both directions of the connection are kept. The command below uses the two addresses from the earlier examples; substitute your own.
$ tcpdump -w comm.pcap -i eth0 tcp and host 10.181.140.216 and host 22.214.171.124
15. tcpdump Filter Packets – Capture all the packets other than arp and rarp
Filter primitives combine with and, or and not (also written &&, || and !) and can be grouped with parentheses, which must be quoted so the shell does not interpret them. The expression not arp and not rarp is the same as not (arp or rarp).
$ tcpdump -i eth0 not arp and not rarp
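To see what items 5 and 6 actually produce on disk, and how the filter expressions in items 9 to 15 are evaluated, here is an added example (not part of the original article and not tcpdump's own code) that builds a tiny pcap file in memory with the layout tcpdump -w writes, reads it back the way tcpdump -r does, and applies the same filters in Python. The two IP addresses are the ones used above; the MAC addresses, ports, payloads and timestamps are constructed for the example, and the IP/TCP checksums are left at zero because nothing is ever sent.

```python
"""Write a capture file the way tcpdump -w does, read it back like tcpdump -r, and
apply the page's filter expressions in pure Python. Added example; the packets are
constructed in memory, nothing here was captured from a network."""
import socket
import struct
from datetime import datetime, timezone

LINKTYPE_ETHERNET = 1
ETHERTYPES = {0x0800: "ip", 0x0806: "arp", 0x8035: "rarp"}
IP_PROTOS = {6: "tcp", 17: "udp"}

def ethernet(dst_mac, src_mac, ethertype, payload):
    return dst_mac + src_mac + struct.pack("!H", ethertype) + payload

def ipv4_tcp(src_ip, dst_ip, sport, dport, payload=b""):
    """IPv4 header (no options) + minimal TCP header. Checksums stay zero: the frame
    is only written to a file, never sent."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    return ip + tcp

def arp_request(sender_mac, sender_ip, target_ip):
    return (struct.pack("!HHBBH", 1, 0x0800, 6, 4, 1) + sender_mac
            + socket.inet_aton(sender_ip) + b"\x00" * 6 + socket.inet_aton(target_ip))

def write_pcap(records, snaplen=262144):
    """records: [(unix_time, frame)]. Same layout tcpdump -w produces: 24-byte global
    header, 16-byte record header per packet, host byte order, frames cut at snaplen."""
    out = struct.pack("=IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, snaplen, LINKTYPE_ETHERNET)
    for ts, frame in records:
        sec = int(ts)
        usec = int(round((ts - sec) * 1_000_000))
        incl = min(len(frame), snaplen)
        out += struct.pack("=IIII", sec, usec, incl, len(frame)) + frame[:incl]
    return out

def read_pcap(data):
    """Parse a microsecond pcap in either byte order (the magic number says which)."""
    if data[:4] == b"\xa1\xb2\xc3\xd4":
        e = ">"
    elif data[:4] == b"\xd4\xc3\xb2\xa1":
        e = "<"
    else:
        raise ValueError("not a microsecond pcap file (bad magic)")
    if struct.unpack(e + "I", data[20:24])[0] != LINKTYPE_ETHERNET:
        raise ValueError("only Ethernet captures are handled here")
    off, pkts = 24, []
    while off + 16 <= len(data):
        sec, usec, incl, _orig = struct.unpack(e + "IIII", data[off:off + 16])
        pkts.append(decode(sec + usec / 1e6, data[off + 16:off + 16 + incl]))
        off += 16 + incl
    return pkts

def decode(ts, frame):
    """Pull out what tcpdump -n prints: protocols, addresses, ports and length."""
    p = {"ts": ts, "len": len(frame), "src": None, "dst": None, "sport": None, "dport": None,
         "l4": None, "proto": ETHERTYPES.get(frame[12] << 8 | frame[13], "other")}
    if p["proto"] == "ip":
        ihl = (frame[14] & 0x0F) * 4                      # IP header length in bytes
        p["l4"] = IP_PROTOS.get(frame[23])                # protocol field, IP offset 9
        p["src"], p["dst"] = socket.inet_ntoa(frame[26:30]), socket.inet_ntoa(frame[30:34])
        if p["l4"] in ("tcp", "udp"):
            p["sport"], p["dport"] = struct.unpack("!HH", frame[14 + ihl:18 + ihl])
    return p

# Filter primitives with pcap-filter(7) semantics: port and host match either end of the
# packet, greater/less are inclusive (len >= N, len <= N), not/and compose them.
def port(n):      return lambda p: n in (p["sport"], p["dport"])
def host(ip):     return lambda p: ip in (p["src"], p["dst"])
def dst_host(ip): return lambda p: p["dst"] == ip
def proto(name):  return lambda p: name in (p["proto"], p["l4"])
def greater(n):   return lambda p: p["len"] >= n
def less(n):      return lambda p: p["len"] <= n
def not_(f):      return lambda p: not f(p)
def and_(*fs):    return lambda p: all(f(p) for f in fs)
def select(pkts, flt): return [p for p in pkts if flt(p)]

def line(p):
    """One output line in the style of tcpdump -n -tttt."""
    t = datetime.fromtimestamp(p["ts"], timezone.utc).strftime("%Y-%m-%d %H:%M:%S.%f")
    if p["l4"] in ("tcp", "udp"):
        return f"{t} IP {p['src']}.{p['sport']} > {p['dst']}.{p['dport']}: {p['l4'].upper()} length {p['len']}"
    return f"{t} {p['proto'].upper()} length {p['len']}"

# Constructed sample capture: the two IP addresses are the ones used on this page; the
# MAC addresses, ports, payloads and timestamps are made up for the example.
HOST_A, HOST_B = "10.181.140.216", "22.214.171.124"
MAC_A, MAC_B, BCAST = bytes.fromhex("020000000001"), bytes.fromhex("020000000002"), b"\xff" * 6
T0 = 1282557600.0                                         # 2010-08-23 10:00:00 UTC
SAMPLE_PCAP = write_pcap([
    (T0 + 0.000100, ethernet(BCAST, MAC_A, 0x0806, arp_request(MAC_A, HOST_A, HOST_B))),
    (T0 + 0.000250, ethernet(MAC_B, MAC_A, 0x0800, ipv4_tcp(HOST_A, HOST_B, 40022, 22, b"SSH-2.0-OpenSSH\r\n"))),
    (T0 + 0.000900, ethernet(MAC_A, MAC_B, 0x0800, ipv4_tcp(HOST_B, HOST_A, 22, 40022, b"\x00" * 1200))),
    (T0 + 1.100000, ethernet(MAC_B, MAC_A, 0x0800, ipv4_tcp(HOST_A, HOST_B, 51000, 443))),
])

if __name__ == "__main__":                                # same as: tcpdump -n -tttt -r sample.pcap 'not arp and not rarp'
    for p in select(read_pcap(SAMPLE_PCAP), and_(not_(proto("arp")), not_(proto("rarp")))):
        print(line(p))
```

Writing SAMPLE_PCAP to a file (open("sample.pcap", "wb").write(SAMPLE_PCAP)) gives a file that tcpdump -r and Wireshark open normally, which is a convenient way to check your reading of the filter semantics against the real tool. Two details worth noticing: the magic number is the only thing that tells a reader which byte order the capture was written in, and greater 1024 keeps the 1254-byte packet but would also keep a packet of exactly 1024 bytes, because the comparison is inclusive.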