# TCPDump Examples ## General Commands

Commands	Description
`tcpdump -xx -r [pcapfile]`	Shows ASCII and hex from a file
`tcpdump -i [interface]`	Capture on interface

## Simple

Command	Description
`ether`	Matches Ethernet headers.
`arp`	Matches ARP packets.
`icmp`	Matches ICMP packets.
`ip`	Matches IPv4 packets.
`ip6`	Matches IPv6 packets.
`tcp`	Matches TCP packets.
`udp`	Matches UDP packets.
`host 192.168.1.1`	Matches packets arriving to or departing from the specified IP address.
`net 192.168.1.0/24`	Matches packets arriving to or departing from the specified network.
`tcp port 22`	Matches packets arriving to or departing from TCP port 22.
`port 53`	Matches packets arriving to or departing from TCP or UDP port 53.
`dst host 192.168.1.1`	Matches packets arriving to the specified IP address.
`dst net 192.168.1.0/24`	Matches packets arriving to the specified network.
`tcp dst port 22`	Matches packets arriving to TCP port 22.
`src host 192.168.1.1`	Matches packets departing from the specified IP address.
`src net 192.168.1.0/24`	Matches packets departing from the specified network.
`tcp src port 22`	Matches packets departing from TCP port 22.
`tcp[tcpflags] = tcp-ack`	Matches TCP packets with the ACK flag set.
`'icmp[icmptype] = icmp-echo'`	Matches ICMP echo-request packets.
`'icmp[icmptype] = icmp-reply'`	Matches ICMP echo-reply packets.

## Complex Traffic between 192.168.1.1 and either 10.1.1.1 or 10.1.1.2: ```bash host 192.168.1.1 and \( 10.1.1.1 or 10.1.1.2 \) ``` All IP packets between 10.1.1.1 and any host except 10.1.1.2: ```bash ip host 10.1.1.1 and not 10.1.1.2 ``` All traffic between local hosts and hosts at Berkeley: ```bash net ucb-ether ``` All ftp traffic through internet gateway 192.168.1.1: ```bash 'gateway 192.168.1.1 and (port ftp or ftp-data)' ``` No traffic TO or FROM local network: ```bash ip and not net localnet ``` The start and end packets (the SYN and FIN packets) of each TCP conversation that involves a non-local host: ```bash 'tcp[tcpflags] & (tcp-syn|tcp-fin) != 0 and not src and dst net localnet' ``` TCP packets with flags RST and ACK both set. (i.e. select only the RST and ACK flags in the flags field, and if the result is "RST and ACK both set", match): ```bash 'tcp[tcpflags] & (tcp-rst|tcp-ack) == (tcp-rst|tcp-ack)' ``` All IPv4 HTTP packets to and from port 80. Prints only packets that contain data: ```bash 'tcp port 80 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)' ``` IP packets longer than 576 bytes sent through gateway 192.168.1.1: ```bash 'gateway 192.168.1.1 and ip[2:2] > 576' ``` IP broadcast or multicast packets that were not sent via Ethernet broadcast or multicast: ```bash 'ether[0] & 1 = 0 and ip[16] >= 224' ``` All ICMP packets that are not echo requests/replies (i.e., not ping packets): ```bash 'icmp[icmptype] != icmp-echo and icmp[icmptype] != icmp-echoreply' ``` ## Specific Examples HTTP traffic: ```bash tcp[2:2]=80||tcp[0:2]=80 ``` TELNET traffic: ```bash tcp[2:2]=23 || tcp[0:2]=23 ``` ARP traffic: ```bash ether[12:2]=0x0806 ``` IPv4 packets relating to DNS: ```bash tcp[0:2]=53 || tcp[2:2]=53 || udp[0:2]=53 || udp[2:2]=53 ``` IP packets with a TTL of 64 or less: ```bash ip[8]<=64 || ip6[7]<=64 ``` IPv4 packets with at least the Dont Fragment Bitset: ```bash ip[6] & 64 = 64 ``` Source Port higher than 1024, using Transport Layer headers: ```bash tcp[0:2]>1024 || udp[0:2]>1024 ``` UDP packets, utilizing the IPv4 or IPv6 Headers: ```bash ip[9]=17 || ip6[6]=17 ``` ACK/RST or ACK/FIN flag set, utilizing the correct Transport Layer Header: ```bash tcp[13] = 20 || tcp[13]=17 ``` IP ID field of 213: ```bash ip[4:2]=213 ``` VLAN tags: ```bash ether[12:2]=0x8100 ``` Initial packets from a client initiating a TCP connection: ```bash tcp[13]=2 ``` RESPONSE packets from a server listening on an open TCP port: ```bash tcp[13]=18 ``` RESPONSE packets from a server with closed TCP ports: ```bash tcp[13]=4 ``` TCP and UDP packets sent to well known ports: ```bash tcp[2:2]<=1023 || udp[2:2]<=1023 ``` Evil bit is set: ```bash ip[6]=128 ``` CHAOS protocol within an IPv4 header: ```bash ip[9]=16 ``` DSCP field of 37, IP packets: ```bash ip[1] >> 2 = 37 ``` URG flag is not set and URG pointer has a value: ```bash tcp[13]!=32 && tcp[18:2]>0 tcp[13]&32=0&&tcp[18:2]!=0 ``` TCP null scan to the host 10.10.10.10: ```bash ip[16:4]=0x0a0a0a0a && tcp[13]=0 ``` Attacker using VLAN hopping to move from vlan 1 to vlan 10: ```bash ether[12:4]& 0xFFFF0FFF = 0x81000001 && ether[16:4]& 0xFFFF0FFF = 0x8100000a ``` IPv4 packets targeting just the beginning of potential traceroutes as it's entering your network. This can be from a Windows or Linux machine using their default settings. Understan the default carrier protocols used by Windows vs Linux: ```bash (ip[9]=1 && ip[8]=1) || (ip[9]=17 && ip[8]=1) (ip[8]=1&&ip[9]=1)||(ip[8]=1&&ip[9]=17) ``` ## Ethernet Header ```bash Ether Type Type of Traffic 0x0800 IPv4 0x0806 ARP 0x86DD IPv6 0x8100 VLAN Tag ``` Destination MAC (read first 4 bytes then last 2). Although possible with BPF's its recommended to use primatives: ```bash 'ether[0:4] & 0xFFFFFFFF && ether[4:2] = 0xFFFF' ``` OUI part of the MAC (reads first 4 bytes but ignores value in 4th byte): ```bash 'ether[0:4] & 0xFFFFFF00 = 0xFFFFFFFF' ``` Source MAC (read first 4 bytes then last 2) Although possibel with BPF's its recommended to use primatives: ```bash 'ether[6:4] & 0xFFFFFFFF && ether[10:2] = 0xFFFF' ``` Ether-Type field (Here you will specify the Hex Ethertype you are searching for) ```bash ether[12:2] = 0x800 ``` ```bash 'ether[0:4] = 0xfa163ef0 && ether[4:2] = 0xcafc' 'ether[0] & 0x01 = 0x01 || ether[6] & 0x01 = 0x01' 'ether[0] & 0x01 = 0x00 || ether[6] & 0x01 = 0x00' 'ether[0] & 0x02 = 0x02 || ether[6] & 0x02 = 0x02' 'ether[0] & 0x02 = 0x00 || ether[6] & 0x02 = 0x00' 'ether[6:4] = 0xffffffff && ether[10:2] = 0xffff' 'ether[12:2] = 0x0800 || ether[12:2] = 0x0806 || ether[12:2] = 0x86dd' ``` ## VLAN Header VLAN Ether type and then the VLAN Tag. `xxx` will be the VLAN number in Hex. This will search for 0x8100 (VLAN Tag) Ethertype. Then search for the 12-bit VLAN number in Hex or Decimal. This will ignore the 4-bit PCP/DEI field. ```bash 'ether[12:2] = 0x8100 && ether[14:2] & 0x0fff = 0x0xxx' ``` VLAN ID and Tag (at same time) `xxx` will be the VLAN number in Hex. This will perform the same task as above. This only combines the search fields. It masks the E-type field and VLAN ID field while ignoring the PCP/DEI field. ```bash 'ether[12:4] & 0xffff0fff = 0x81000xxx' ``` Encapsulated VLAN frames that carey either IPv4, ARP, or IPv6 traffic. {% code overflow="wrap" %} ```bash 'ether[12:2] = 0x8100 && (ether[16:2] = 0x0800 || ether[16:2] = 0x0806 || ether[16:2] = 0x86dd)' ``` {% endcode %} Double Tagged: ```bash 'ether[12:4] & 0xffff0fff = 0x81000001 && ether[16:4] & 0xffff0fff = 0x81000064' ``` ## ARP Header

Command	Description
`arp[0:2] =`	Hardware Type
`arp[2:2] =`	Protocol Type
`arp[4] =`	Hardware Length
`arp[5] =`	Protocol Length
`arp[6:2] =`	Opcode
`arp[16:4] =`	Sender IP
`arp[24:4] =`	Destination IP
`'arp[8:4] & 0xFFFFFFFF && arp[12:2] = 0xFFFF'`	Sender MAC (read first 4 bytes then last 2)
`'arp[18:4] & 0xFFFFFFFF && arp[22:2] = 0xFFFF'`	Destination MAC (read first 4 bytes then last 2)

## IPv4 Header ### All Fields

Command	Description
`ip[0] & 0xf0 =`	IP version (hex)
`ip[0] & 240 =`	IP Version (decimal)
`ip[0] 0x0f =`	Header Length in 4 octet words. Should be 5. (Hex)
`ip[0] & 15 =`	Header Length in 4 octet words. Should be 5. (Decimal)
`ip[1] =`	Type of Service (TOS)
`ip[1] & 0xfc =`	DSCP field only (Hex)
`ip[1] & 252 =`	DSCP field only (Decimal)
`ip[1] & 0x03 =`	ECN field only. (Hex)
`ip[1] & 3 =`	ECN field only. (Decimal)
`ip[2:2] =`	Total length of datagram in octets.
`ip[4:2] =`	IP ID number
`ip[6] & 0xE0 =`	Entire 3-bit flag field (RES, DF, MF). (Hex)
`ip[6] & 224 =`	Entire 3-bit flag field (RES, DF, MF). (Decimal)
`ip[6] & 0x80 =`	Reserved bit only (Hex)
`ip[6] & 128 =`	Reserved bit only (Decimal)
`ip[6] & 0x40 =`	Don't Fragment (DF) flag only. (Hex)
`ip[6] & 64 =`	Don't Fragment (DF) flag only. (Decimal)
`ip[6] & 0x20 =`	MF flag only (Hex)
`ip[6] & 32 =`	MF flag only (Decimal)
`ip[6:2] & 0x1FFF =`	Fragment Offset field (Hex)
`ip[6:2] & 8191 =`	Fragment Offset field (Decimal)
`ip[6:2] =`	Entire Flags and Fragment Offset field
`ip[8] =`	TTL
`ip[9] =`	Protocol
`ip[10:2] =`	Header Checksum
`ip[12:4] =`	Source IP (Should be expressed in Hex)
`ip[16:4] =`	Destination IP (Should be expressed in Hex)
`ip[20..60] =`	If any options.

### Flag Bits

Command	Description
`'ip[6] = 128'`	Byte 6 can ONLY have the RES bit on. No other bits can be set.
`'ip[6] = 64'`	Byte 6 can ONLY have the DF bit on. No other bits can be set.
`'ip[6] = 32'`	Byte 6 can ONLY have the MF bit on. No other bits can be set.

The high 3 bits of byte 6 are checked. The remaining 5 bits are not checked. High 3 bits can only have the DF bit set. Other 2 bits MUST be off. Remaining 5 bits are ignored. ```bash 'ip[6] & 0xE0 = 0x40' 'ip[6] & 224 = 64' ``` The high 3 bits of byte 6 are checked. The remaining 5 bits are not checked. High 3 bits can only have the MF bit set. Other 2 bits MUST be off. Remaining 5 bits are ignored. ```bash 'ip[6] & 0xE0 = 0x20' 'ip[6] & 224 = 32' ``` Only the RES bit is checked and MUST be ON. All other bits in byte 6 are ignored. ```bash 'ip[6] & 0x80 = 0x80' 'ip[6] & 128 = 128' ``` Only the RES bit is checked and MUST be OFF. All other bits in byte 6 are ignored. ```bash 'ip[6] & 0x80 = 0x0' 'ip[6] & 128 = 0' ``` Only the DF bit is checked and MUST be ON. All other bits in byte 6 are ignored. ```bash 'ip[6] & 0x40 = 0x40' 'ip[6] & 64 = 64' ``` Only the DF bit is checked and MUST be OFF. All other bits in byte 6 are ignored. ```bash 'ip[6] & 0x40 = 0x0' 'ip[6] & 64 = 0' ``` Only the MF bit is checked and MUST be ON. All other bits in byte 6 are ignored. ```bash 'ip[6] & 0x20 = 0x20' 'ip[6] & 32 = 32' ``` Only the MF bit is checked and MUST be OFF. All other bits in byte 6 are ignored. ```bash 'ip[6] & 0x20 = 0x0' 'ip[6] & 32 = 0' ``` ### TTLs #### Default TTL's: Windows = 128 Linux = 64 Cisco = 255 ```bash ip[8] = 255 ip[8] < 255 ip[8] <= 255 ip[8] <= 64 || ip[8] > 40' ip[8] <= 128 || ip[8] > 100' ``` ### Protocols ICMPv4 = 0x01 or 1 TCP = 0x06 or 6 UDP = 0x11 or 17 For more, see IANA protocol numbers | `'ip[9] = 0x01'` | ICMPv4 | | --------------------------------------------------- | ------ | | `'ip[9] = 0x06'` | TCP | | `'ip[9] = 0x11'` | UDP | ```bash 'ip[9] = 1 || ip[9] = 6 || ip[9] = 17' ``` ### Source/Destination IPs

Command	Description
`'ip[12:4] = 0x0a0a0a0a'`	Source IP
`'ip[16:4] = 0x0a0a0a0a'`	Destination IP
`'ip[12:4] = 0x0a0a0a0a \|\| ip[16:4] = 0x0a0a0a0a'`	Both

### IP Version and Header Length (IHL) ```bash 'ip[0] = 0x45' 'ip[0] & 0xf0= 0x40' 'ip[0] & 0x0f= 0x05' 'ip[0] & 0x0f > 0x05' 'ip[0] & 15 > 5' ``` ### All with MF (More Flags) Flag Set OR Has An Offset Value Greater Than Zero ```bash 'ip[6] & 0x20 = 0x20 || ip[6:2] & 0x1fff > 0' 'ip[6] & 32 = 32 || ip[6:2] & 8191 > 0' 'ip[6:2] & 0x1fff = 999' ``` ## IPv6 Header ### All

Command	Description
`ip6[0] & 0xf0 =`	IP version (Hex)
`ip6[0] & 240 =`	IP version (Decimal)
`ip6[0:2] & 0x0ff0 =`	Traffic Class Field
`ip6[0:4] & 0x000fffff =`	Flow Label Field
`ip6[4:2] =`	Payload length
`ip6[6] =`	Next Header
`ip6[7] =`	Hop limit (TTL)

### Next Header ```bash ip6[6] = 0x3a ip6[6] = 0x06 ip6[6] = 0x11 ``` ```bash 'ip6[6] = 0x06 || ip6[6] = 0x11' ``` ### Hop Limit (TTL) ```bash ip6[7] = 255 ``` ## ICMP Header

Command	Description
`icmp[0] =`	ICMP type
`icmp[1] =`	ICMP code
`icmp[2:2] =`	Checksum
`icmp[4...] =`	Payload

```bash 'icmp[0] = 0 || icmp[0]=8' 'icmp[0]=3 && icmp[1]=3' ``` Notable control messages: ## TCP Header ### All

Command	Description
`tcp[0:2] =`	16-bit Source Port
`tcp[2:2] =`	16-bit Destination Port
`tcp[4:4] =`	32-bit Sequence Number
`tcp[8:4] =`	32-bit Ack Number
`tcp[12] =`	Header Length
`tcp[13] =`	Whole TCP Flags Field
`tcp[13] & 0x80 =`	CWR bit only (Hex)
`tcp[13] & 128 =`	CWR bit only (Decimal)
`tcp[13] & 0x40 =`	ECE bit only (Hex)
`tcp[13] & 64 =`	ECE bit only (Decimal)
`tcp[13] & 0x20 =`	URG bit only (Hex)
`tcp[13] & 32 =`	URG bit only (Decimal)
`tcp[13] & 0x10 =`	ACK bit only (Hex)
`tcp[13] & 16 =`	ACK bit only (Decimal)
`tcp[13] & 0x08 =`	PSH bit only (Hex)
`tcp[13] & 8 =`	PSH bit only (Decimal)
`tcp[13] & 0x04 =`	RST bit only (Hex)
`tcp[13] & 4=`	RST bit only (Decimal)
`tcp[13] & 0x02 =`	SYN bit only (Hex)
`tcp[13] & 2 =`	SYN bit only (Decimal)
`tcp[13] & 0x01 =`	FIN bit only (Hex)
`tcp[13] & 1 =`	FIN bit only (Decimal)
`tcp[14:2] =`	Window Size
`tcp[16:2] =`	Checksum
`tcp[18:2] =`	Urgent Pointer
`tcp[20...60] =`	Options or data (if any)

### Flags ```bash 128 64 32 16 8 4 2 1 CWR ECE URG ACK PSH RST SYN FIN ``` ### Examples: #### Very Specific: Only packets with the ACK+PSH flags set and NO other flags. ```bash tcp[13] = 24 ``` #### Less Specific: Any packets with the ACK+PSH flags set and other flags are ignored. ```bash tcp [13] & 24 = 24 ``` Any packets with the ACK flags set and the PSH flag not set. Other flags are ignored. ```bash tcp [13] & 24 = 16 ``` #### Least Specific: Packets that have the ACK and/or PSH set but NOT both off. Other flags are ignored. ```bash tcp[13] & 24 !=0 ``` ### Window Sizes

Operating system		TTL		TCP Window Size
Linux (Kernel 2.4 and 2.6)	64		5840
Google Linux			64		5720
FreeBSD				64		65535
Win XP			        128 	        65535
Win Vista and 7 (Server 2008) 	128		8192
iOS 12.4 (Cisco Routers)	255		4128

## UDP Header

Command	Description
`udp[0:2] =`	16-bit source port (Specify in Hex or Decimal)
`udp[2:2] =`	16-bit destination port (Specify in Hex or Decimal)
`udp[4:2] =`	Datagram Length
`udp[6:2] =`	UDP Checksum
`'udp[0:2]=69'`	Source Port
`'udp[2:2]=69'`	Destination Port
`'udp[0:2] = 53 \|\| udp[2:2]=53'`	Source OR Dest Port
`'ip[6:2] & 0x3fff != 0'`	UDP Checksum

--- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://www.shellspells.net/network/packet-capture/tcpdump-examples.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.