TCPDump Examples

General Commands

Simple

Complex

Traffic between 192.168.1.1 and either 10.1.1.1 or 10.1.1.2:

host 192.168.1.1 and \( 10.1.1.1 or 10.1.1.2 \)

All IP packets between 10.1.1.1 and any host except 10.1.1.2:

ip host 10.1.1.1 and not 10.1.1.2

All traffic between local hosts and hosts at Berkeley:

net ucb-ether

All ftp traffic through internet gateway 192.168.1.1:

'gateway 192.168.1.1 and (port ftp or ftp-data)'

No traffic TO or FROM local network:

ip and not net localnet

The start and end packets (the SYN and FIN packets) of each TCP conversation that involves a non-local host:

'tcp[tcpflags] & (tcp-syn|tcp-fin) != 0 and not src and dst net localnet'

TCP packets with flags RST and ACK both set. (i.e. select only the RST and ACK flags in the flags field, and if the result is "RST and ACK both set", match):

'tcp[tcpflags] & (tcp-rst|tcp-ack) == (tcp-rst|tcp-ack)'

All IPv4 HTTP packets to and from port 80. Prints only packets that contain data:

'tcp port 80 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)'

IP packets longer than 576 bytes sent through gateway 192.168.1.1:

'gateway 192.168.1.1 and ip[2:2] > 576'

IP broadcast or multicast packets that were not sent via Ethernet broadcast or multicast:

'ether[0] & 1 = 0 and ip[16] >= 224'

All ICMP packets that are not echo requests/replies (i.e., not ping packets):

'icmp[icmptype] != icmp-echo and icmp[icmptype] != icmp-echoreply'

Specific Examples

HTTP traffic:

tcp[2:2]=80||tcp[0:2]=80

TELNET traffic:

tcp[2:2]=23 || tcp[0:2]=23

ARP traffic:

ether[12:2]=0x0806

IPv4 packets relating to DNS:

tcp[0:2]=53 || tcp[2:2]=53 || udp[0:2]=53 || udp[2:2]=53

IP packets with a TTL of 64 or less:

ip[8]<=64 || ip6[7]<=64

IPv4 packets with at least the Dont Fragment Bitset:

ip[6] & 64 = 64

Source Port higher than 1024, using Transport Layer headers:

tcp[0:2]>1024 || udp[0:2]>1024	

UDP packets, utilizing the IPv4 or IPv6 Headers:

ip[9]=17 || ip6[6]=17	

ACK/RST or ACK/FIN flag set, utilizing the correct Transport Layer Header:

tcp[13] = 20 || tcp[13]=17

IP ID field of 213:

ip[4:2]=213

VLAN tags:

ether[12:2]=0x8100

Initial packets from a client initiating a TCP connection:

tcp[13]=2

RESPONSE packets from a server listening on an open TCP port:

tcp[13]=18

RESPONSE packets from a server with closed TCP ports:

tcp[13]=4

TCP and UDP packets sent to well known ports:

tcp[2:2]<=1023 || udp[2:2]<=1023

Evil bit is set:

ip[6]=128

CHAOS protocol within an IPv4 header:

ip[9]=16

DSCP field of 37, IP packets:

ip[1] >> 2 = 37

URG flag is not set and URG pointer has a value:

tcp[13]!=32 && tcp[18:2]>0
tcp[13]&32=0&&tcp[18:2]!=0

TCP null scan to the host 10.10.10.10:

ip[16:4]=0x0a0a0a0a && tcp[13]=0

Attacker using VLAN hopping to move from vlan 1 to vlan 10:

ether[12:4]& 0xFFFF0FFF = 0x81000001 && ether[16:4]& 0xFFFF0FFF = 0x8100000a

IPv4 packets targeting just the beginning of potential traceroutes as it's entering your network.

This can be from a Windows or Linux machine using their default settings.

Understan the default carrier protocols used by Windows vs Linux:

(ip[9]=1 && ip[8]=1) || (ip[9]=17 && ip[8]=1)
(ip[8]=1&&ip[9]=1)||(ip[8]=1&&ip[9]=17)

Ethernet Header

Ether Type 	Type of Traffic
0x0800		IPv4
0x0806		ARP
0x86DD 		IPv6
0x8100		VLAN Tag

Destination MAC (read first 4 bytes then last 2). Although possible with BPF's its recommended to use primatives:

'ether[0:4] & 0xFFFFFFFF && ether[4:2] = 0xFFFF' 

OUI part of the MAC (reads first 4 bytes but ignores value in 4th byte):

'ether[0:4] & 0xFFFFFF00 = 0xFFFFFFFF' 

Source MAC (read first 4 bytes then last 2) Although possibel with BPF's its recommended to use primatives:

'ether[6:4] & 0xFFFFFFFF && ether[10:2] = 0xFFFF'

Ether-Type field (Here you will specify the Hex Ethertype you are searching for)

ether[12:2] = 0x800

'ether[0:4] = 0xfa163ef0 && ether[4:2] = 0xcafc'
'ether[0] & 0x01 = 0x01 || ether[6] & 0x01 = 0x01'
'ether[0] & 0x01 = 0x00 || ether[6] & 0x01 = 0x00'
'ether[0] & 0x02 = 0x02 || ether[6] & 0x02 = 0x02'
'ether[0] & 0x02 = 0x00 || ether[6] & 0x02 = 0x00'
'ether[6:4] = 0xffffffff && ether[10:2] = 0xffff'
'ether[12:2] = 0x0800 || ether[12:2] = 0x0806 || ether[12:2] = 0x86dd'

VLAN Header

VLAN Ether type and then the VLAN Tag. xxx will be the VLAN number in Hex.

This will search for 0x8100 (VLAN Tag) Ethertype.

Then search for the 12-bit VLAN number in Hex or Decimal.

This will ignore the 4-bit PCP/DEI field.

'ether[12:2] = 0x8100 && ether[14:2] & 0x0fff = 0x0xxx'

VLAN ID and Tag (at same time) xxx will be the VLAN number in Hex.

This will perform the same task as above. This only combines the search fields.

It masks the E-type field and VLAN ID field while ignoring the PCP/DEI field.

'ether[12:4] & 0xffff0fff = 0x81000xxx'

Encapsulated VLAN frames that carey either IPv4, ARP, or IPv6 traffic.

'ether[12:2] = 0x8100 && (ether[16:2] = 0x0800 || ether[16:2] = 0x0806 || ether[16:2] = 0x86dd)'

Double Tagged:

'ether[12:4] & 0xffff0fff = 0x81000001 && ether[16:4] & 0xffff0fff = 0x81000064'

ARP Header

IPv4 Header

All Fields

Flag Bits

The high 3 bits of byte 6 are checked. The remaining 5 bits are not checked.

High 3 bits can only have the DF bit set. Other 2 bits MUST be off. Remaining 5 bits are ignored.

'ip[6] & 0xE0 = 0x40'
'ip[6] & 224 = 64'	

The high 3 bits of byte 6 are checked. The remaining 5 bits are not checked.

High 3 bits can only have the MF bit set. Other 2 bits MUST be off. Remaining 5 bits are ignored.

'ip[6] & 0xE0 = 0x20'
'ip[6] & 224 = 32'	

Only the RES bit is checked and MUST be ON. All other bits in byte 6 are ignored.

'ip[6] & 0x80 = 0x80'
'ip[6] & 128 = 128'	

Only the RES bit is checked and MUST be OFF. All other bits in byte 6 are ignored.

'ip[6] & 0x80 = 0x0'
'ip[6] & 128 = 0'	

Only the DF bit is checked and MUST be ON. All other bits in byte 6 are ignored.

'ip[6] & 0x40 = 0x40'
'ip[6] & 64 = 64'	

Only the DF bit is checked and MUST be OFF. All other bits in byte 6 are ignored.

'ip[6] & 0x40 = 0x0'
'ip[6] & 64 = 0'	

Only the MF bit is checked and MUST be ON. All other bits in byte 6 are ignored.

'ip[6] & 0x20 = 0x20'
'ip[6] & 32 = 32'	

Only the MF bit is checked and MUST be OFF. All other bits in byte 6 are ignored.

'ip[6] & 0x20 = 0x0'
'ip[6] & 32 = 0'	

TTLs

Default TTL's:

Windows = 128

Linux = 64

Cisco = 255

ip[8] = 255
ip[8] < 255
ip[8] <= 255
ip[8] <= 64 || ip[8] > 40'
ip[8] <= 128 || ip[8] > 100'

Protocols

ICMPv4 = 0x01 or 1

TCP = 0x06 or 6

UDP = 0x11 or 17

For more, see IANA protocol numbers

'ip[9] = 1 || ip[9] = 6 || ip[9] = 17' 	

Source/Destination IPs

IP Version and Header Length (IHL)

'ip[0] = 0x45'
'ip[0] & 0xf0= 0x40'
'ip[0] & 0x0f= 0x05'
'ip[0] & 0x0f > 0x05'
'ip[0] & 15 > 5'

All with MF (More Flags) Flag Set OR Has An Offset Value Greater Than Zero

'ip[6] & 0x20 = 0x20 || ip[6:2] & 0x1fff > 0'
'ip[6] & 32 = 32 || ip[6:2] & 8191 > 0'
'ip[6:2] & 0x1fff = 999'

IPv6 Header

All

Next Header

ip6[6] = 0x3a
ip6[6] = 0x06
ip6[6] = 0x11

'ip6[6] = 0x06 || ip6[6] = 0x11'

Hop Limit (TTL)

ip6[7] = 255

ICMP Header

'icmp[0] = 0 || icmp[0]=8'
'icmp[0]=3 && icmp[1]=3'

Notable control messages: https://en.wikipedia.org/wiki/Internet_Control_Message_Protocol

TCP Header

All

Flags

128	64	32	16	8	4	2	1
CWR	ECE	URG	ACK	PSH	RST	SYN	FIN

Examples:

Very Specific:

Only packets with the ACK+PSH flags set and NO other flags.

tcp[13] = 24

Less Specific:

Any packets with the ACK+PSH flags set and other flags are ignored.

tcp [13] & 24 = 24

Any packets with the ACK flags set and the PSH flag not set. Other flags are ignored.

tcp [13] & 24 = 16

Least Specific:

Packets that have the ACK and/or PSH set but NOT both off. Other flags are ignored.

tcp[13] & 24 !=0

Window Sizes

Operating system		TTL		TCP Window Size
Linux (Kernel 2.4 and 2.6)	64		5840
Google Linux			64		5720
FreeBSD				64		65535
Win XP			        128 	        65535
Win Vista and 7 (Server 2008) 	128		8192
iOS 12.4 (Cisco Routers)	255		4128

UDP Header