Tcpdump is the most common packet sniffer that runs under the command line. It allows the user to intercept and display TCP/IP and other packets being transmitted or received over a network to which the computer is attached. It was originally written by Van Jacobson, Craig Leres and Steven McCanne who were, at the time, working in the Lawrence Berkeley Laboratory Network Research Group.

Distributed under the BSD license,tcpdump is free software.

Tcpdump works on most Unix-like operating systems: Linux, Solaris, BSD, Mac OS X, HP-UX and AIX among others. In those systems, tcpdump uses the libpcap library to capture packets.

Before I begin with advanced filters, let's review the basic syntax of tcpdump

Basic syntax :

The X option displays the packet in nice readable ASCII, as this snippet shows:

# tcpdump -X port 110

E8.....n.....V%.

P...T...USER.car

This email address is being protected from spambots. You need JavaScript enabled to view it... 

32:46(14) ack 70 win 5840 (DF)

E..6..@.@..x....

E8.....n...".V&.

P...n...PASS.mgY6Rf9W..

Readable enough to verify that anyone snooping on our connection cannot capture logins and passwords. This snippet plainly shows the login and password in a clear text login

Filtering hosts :

-----------------

- Match any traffic involving 192.168.1.1 as destination or source

# tcpdump -i eth1 host 192.168.1.1

- As soure only

# tcpdump -i eth1 src host 192.168.1.1

- As destination only

# tcpdump -i eth1 dst host 192.168.1.1

Filtering ports :

-----------------

- Match any traffic involving port 25 as source or destination

# tcpdump -i eth1 port 25

- Source

# tcpdump -i eth1 src port 25

- Destination

# tcpdump -i eth1 dst port 25

Network filtering :

-------------------

# tcpdump -i eth1 net 192.168

# tcpdump -i eth1 src net 192.168

# tcpdump -i eth1 dst net 192.168

Protocol filtering :

--------------------

# tcpdump -i eth1 arp

# tcpdump -i eth1 ip

# tcpdump -i eth1 tcp

# tcpdump -i eth1 udp

# tcpdump -i eth1 icmp

Let's combine expressions :

---------------------------

Negation : ! or "not" (without the quotes)

Concatanate : && or "and"

Alternate : || or "or" 

- This rule will match any TCP traffic on port 80 (web) with 192.168.1.254 or 192.168.1.200 as destination host

# tcpdump -i eth1 '((tcp) and (port 80) and ((dst host 192.168.1.254) or (dst host 192.168.1.200)))'

- Will match any ICMP traffic involving the destination with physical/MAC address 00:01:02:03:04:05

# tcpdump -i eth1 '((icmp) and ((ether dst host 00:01:02:03:04:05)))'

- Will match any traffic for the destination network 192.168 except destination host 192.168.1.200

# tcpdump -i eth1 '((tcp) and ((dst net 192.168) and (not dst host 192.168.1.200)))'

Advanced header filtering :

Before we continue, we need to know how to filter out info from headers

proto[x:y] : will start filtering from byte x for y bytes. ip[2:2] would filter bytes 3 and 4 (first byte begins by 0)

proto[x:y] & z = 0 : will match bits set to 0 when applying mask z to proto[x:y]

proto[x:y] & z !=0 : some bits are set when applying mask z to proto[x:y]

proto[x:y] & z = z : every bits are set to z when applying mask z to proto[x:y]

proto[x:y] = z : p[x:y] has exactly the bits set to z

Operators : >, <, >=, <=, =, !=

This may not be clear in the first place but you'll find examples below involving these.

Of course, it is important to know what the protocol headers look like before diving into more advanced filters.

Here you have some usefull examples:

TOS debug:

tcpdump -i eth0 -nn ip[1]=0x60 where 0x60 is the TOS for SIP packets.

Note: We use Hosting and VPS Hosting, from: www.star-host.org We like and trust them. Good prices, high security.