Parent Category: Tutorials
Hits: 20440

Tcpdump is the most common packet sniffer that runs under the command line. It allows the user to intercept and display TCP/IP and other packets being transmitted or received over a network to which the computer is attached. It was originally written by Van Jacobson, Craig Leres and Steven McCanne who were, at the time, working in the Lawrence Berkeley Laboratory Network Research Group.
Distributed under the BSD license,tcpdump is free software.
Tcpdump works on most Unix-like operating systems: Linux, Solaris, BSD, Mac OS X, HP-UX and AIX among others. In those systems, tcpdump uses the libpcap library to capture packets.
Before I begin with advanced filters, let's review the basic syntax of tcpdump
Basic syntax :

The X option displays the packet in nice readable ASCII, as this snippet shows:
# tcpdump -X port 110
This email address is being protected from spambots. You need JavaScript enabled to view it... 
32:46(14) ack 70 win 5840 (DF)
Readable enough to verify that anyone snooping on our connection cannot capture logins and passwords. This snippet plainly shows the login and password in a clear text login
Filtering hosts :
- Match any traffic involving as destination or source
# tcpdump -i eth1 host
- As soure only
# tcpdump -i eth1 src host
- As destination only
# tcpdump -i eth1 dst host
Filtering ports :
- Match any traffic involving port 25 as source or destination
# tcpdump -i eth1 port 25
- Source
# tcpdump -i eth1 src port 25
- Destination
# tcpdump -i eth1 dst port 25
Network filtering :
# tcpdump -i eth1 net 192.168
# tcpdump -i eth1 src net 192.168
# tcpdump -i eth1 dst net 192.168
Protocol filtering :
# tcpdump -i eth1 arp
# tcpdump -i eth1 ip
# tcpdump -i eth1 tcp
# tcpdump -i eth1 udp
# tcpdump -i eth1 icmp
Let's combine expressions :
Negation : ! or "not" (without the quotes)
Concatanate : && or "and"
Alternate : || or "or" 
- This rule will match any TCP traffic on port 80 (web) with or as destination host
# tcpdump -i eth1 '((tcp) and (port 80) and ((dst host or (dst host'
- Will match any ICMP traffic involving the destination with physical/MAC address 00:01:02:03:04:05
# tcpdump -i eth1 '((icmp) and ((ether dst host 00:01:02:03:04:05)))'
- Will match any traffic for the destination network 192.168 except destination host
# tcpdump -i eth1 '((tcp) and ((dst net 192.168) and (not dst host'
Advanced header filtering :

Before we continue, we need to know how to filter out info from headers
proto[x:y] : will start filtering from byte x for y bytes. ip[2:2] would filter bytes 3 and 4 (first byte begins by 0)
proto[x:y] & z = 0 : will match bits set to 0 when applying mask z to proto[x:y]
proto[x:y] & z !=0 : some bits are set when applying mask z to proto[x:y]
proto[x:y] & z = z : every bits are set to z when applying mask z to proto[x:y]
proto[x:y] = z : p[x:y] has exactly the bits set to z
Operators : >, <, >=, <=, =, !=
This may not be clear in the first place but you'll find examples below involving these.
Of course, it is important to know what the protocol headers look like before diving into more advanced filters.
Here you have some usefull examples:
TOS debug:
tcpdump -i eth0 -nn ip[1]=0x60 where 0x60 is the TOS for SIP packets.


We use Hosting and VPS Hosting, from:

We like and trust them.

Good prices, high security.