TCPDump Examples

General Commands

tcpdump -XX -r [pcapfile]

Shows hex and ASCII (including the link-layer header) from a file. Lower-case -xx prints hex only.

tcpdump -i [interface]

Capture on interface

Simple

ether

Matches Ethernet headers.

arp

Matches ARP packets.

icmp

Matches ICMP packets.

ip

Matches IPv4 packets.

ip6

Matches IPv6 packets.

tcp

Matches TCP packets.

udp

Matches UDP packets.

host 192.168.1.1

Matches packets arriving to or departing from the specified IP address.

net 192.168.1.0/24

Matches packets arriving to or departing from the specified network.

tcp port 22

Matches packets arriving to or departing from TCP port 22.

port 53

Matches packets arriving to or departing from TCP or UDP port 53.

dst host 192.168.1.1

Matches packets arriving to the specified IP address.

dst net 192.168.1.0/24

Matches packets arriving to the specified network.

tcp dst port 22

Matches packets arriving to TCP port 22.

src host 192.168.1.1

Matches packets departing from the specified IP address.

src net 192.168.1.0/24

Matches packets departing from the specified network.

tcp src port 22

Matches packets departing from TCP port 22.

tcp[tcpflags] = tcp-ack

Matches TCP packets whose flags field is exactly ACK (no other flag set).

'icmp[icmptype] = icmp-echo'

Matches ICMP echo-request packets.

'icmp[icmptype] = icmp-echoreply'

Matches ICMP echo-reply packets.

Complex

Traffic between 192.168.1.1 and either 10.1.1.1 or 10.1.1.2:

All IP packets between 10.1.1.1 and any host except 10.1.1.2:

All traffic between local hosts and hosts at Berkeley:

All ftp traffic through internet gateway 192.168.1.1:

No traffic TO or FROM local network:

The start and end packets (the SYN and FIN packets) of each TCP conversation that involves a non-local host:

TCP packets with flags RST and ACK both set. (i.e. select only the RST and ACK flags in the flags field, and if the result is "RST and ACK both set", match):

All IPv4 HTTP packets to and from port 80. Prints only packets that contain data:

IP packets longer than 576 bytes sent through gateway 192.168.1.1:

IP broadcast or multicast packets that were not sent via Ethernet broadcast or multicast:

All ICMP packets that are not echo requests/replies (i.e., not ping packets):

Specific Examples

HTTP traffic:

TELNET traffic:

ARP traffic:

IPv4 packets relating to DNS:

IP packets with a TTL of 64 or less:

IPv4 packets with at least the Don't Fragment (DF) bit set:

Source Port higher than 1024, using Transport Layer headers:

UDP packets, utilizing the IPv4 or IPv6 Headers:

ACK/RST or ACK/FIN flag set, utilizing the correct Transport Layer Header:

IP ID field of 213:

VLAN tags:

Initial packets from a client initiating a TCP connection:

RESPONSE packets from a server listening on an open TCP port:

RESPONSE packets from a server with closed TCP ports:

TCP and UDP packets sent to well known ports:

Evil bit is set:

CHAOS protocol within an IPv4 header:

DSCP field of 37, IP packets:

URG flag is not set and URG pointer has a value:

TCP null scan to the host 10.10.10.10:

Attacker using VLAN hopping to move from vlan 1 to vlan 10:

IPv4 packets targeting just the beginning of a potential traceroute as it enters your network.

This can come from a Windows or Linux machine using its default settings.

Understand the default carrier protocols used by Windows vs Linux (Windows tracert sends ICMP echo requests; Linux traceroute sends UDP probes by default):

Ethernet Header

Destination MAC (read the first 4 bytes, then the last 2). Although possible with BPF byte offsets, it is recommended to use the primitives (ether dst):

OUI part of the MAC (reads the first 4 bytes but ignores the value in the 4th byte):

Source MAC (read the first 4 bytes, then the last 2). Although possible with BPF byte offsets, it is recommended to use the primitives (ether src):

Ether-Type field (Here you will specify the Hex Ethertype you are searching for)

VLAN Header

VLAN Ether type and then the VLAN Tag. xxx will be the VLAN number in Hex.

This will search for 0x8100 (VLAN Tag) Ethertype.

Then search for the 12-bit VLAN number in Hex or Decimal.

This will ignore the 4-bit PCP/DEI field.

VLAN ID and Tag (at same time) xxx will be the VLAN number in Hex.

This will perform the same task as above. This only combines the search fields.

It masks the E-type field and VLAN ID field while ignoring the PCP/DEI field.

Encapsulated VLAN frames that carry either IPv4, ARP, or IPv6 traffic.

Double Tagged:
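The VLAN masking described above, as an added example that is not part of the original cheat sheet: a small Python model of the BPF byte reads (ether[off:n]) applied to constructed 802.1Q frame headers. The filter strings in the comments are the byte-offset forms this section describes; the frame contents and MAC addresses are constructed placeholders.

```python
import struct

def vlan_frame(vid, pcp=0, dei=0, inner_ethertype=0x0800):
    """Construct the header of an 802.1Q-tagged Ethernet frame (test input, not a real capture).
    Layout: dst MAC (6) | src MAC (6) | TPID 0x8100 (2) | TCI = PCP:3 DEI:1 VID:12 (2) | inner Ethertype (2)."""
    dst = bytes.fromhex("ffffffffffff")          # broadcast
    src = bytes.fromhex("0200000000aa")          # locally administered placeholder MAC
    tci = (pcp << 13) | (dei << 12) | (vid & 0x0FFF)
    return dst + src + struct.pack("!HHH", 0x8100, tci, inner_ethertype)

def ether(frame, off, n):
    """Emulate the BPF read ether[off:n]: n bytes at offset off, big-endian."""
    return int.from_bytes(frame[off:off + n], "big")

def vlan_two_step(frame, vid):
    # 'ether[12:2] = 0x8100 && ether[14:2] & 0x0fff = <vid>'
    # Mask 0x0fff keeps the 12-bit VLAN ID and ignores the 4-bit PCP/DEI field.
    return ether(frame, 12, 2) == 0x8100 and (ether(frame, 14, 2) & 0x0FFF) == vid

def vlan_combined(frame, vid):
    # 'ether[12:4] & 0xffff0fff = 0x8100xxx' with xxx the VLAN ID in hex:
    # one 4-byte read masks Ethertype and VLAN ID together, PCP/DEI still ignored.
    return (ether(frame, 12, 4) & 0xFFFF0FFF) == ((0x8100 << 16) | vid)

def vlan_carries_ip_arp_ip6(frame):
    # 'ether[12:2] = 0x8100 && (ether[16:2] = 0x0800 || ether[16:2] = 0x0806 || ether[16:2] = 0x86dd)'
    return ether(frame, 12, 2) == 0x8100 and ether(frame, 16, 2) in (0x0800, 0x0806, 0x86DD)

def double_tagged(frame):
    # 'ether[12:2] = 0x8100 && ether[16:2] = 0x8100': a second 802.1Q tag directly follows
    # the first (QinQ outer tags may use 0x88a8 instead; adjust the first compare if so).
    return ether(frame, 12, 2) == 0x8100 and ether(frame, 16, 2) == 0x8100
```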

ARP Header

arp[0:2] =

Hardware Type

arp[2:2] =

Protocol Type

arp[4] =

Hardware Length

arp[5] =

Protocol Length

arp[6:2] =

Opcode

arp[14:4] =

Sender IP

arp[24:4] =

Destination IP

'arp[8:4] = 0xAABBCCDD && arp[12:2] = 0xEEFF'

Sender MAC (read first 4 bytes then last 2); the value shown is a constructed placeholder for aa:bb:cc:dd:ee:ff

'arp[18:4] = 0xAABBCCDD && arp[22:2] = 0xEEFF'

Destination MAC (read first 4 bytes then last 2); the value shown is a constructed placeholder for aa:bb:cc:dd:ee:ff

IPv4 Header

All Fields

ip[0] & 0xf0 =

IP version (hex)

ip[0] & 240 =

IP Version (decimal)

ip[0] & 0x0f =

Header Length in 4 octet words. Should be 5. (Hex)

ip[0] & 15 =

Header Length in 4 octet words. Should be 5. (Decimal)

ip[1] =

Type of Service (TOS)

ip[1] & 0xfc =

DSCP field only (Hex)

ip[1] & 252 =

DSCP field only (Decimal)

ip[1] & 0x03 =

ECN field only. (Hex)

ip[1] & 3 =

ECN field only. (Decimal)

ip[2:2] =

Total length of datagram in octets.

ip[4:2] =

IP ID number

ip[6] & 0xE0 =

Entire 3-bit flag field (RES, DF, MF). (Hex)

ip[6] & 224 =

Entire 3-bit flag field (RES, DF, MF). (Decimal)

ip[6] & 0x80 =

Reserved bit only (Hex)

ip[6] & 128 =

Reserved bit only (Decimal)

ip[6] & 0x40 =

Don't Fragment (DF) flag only. (Hex)

ip[6] & 64 =

Don't Fragment (DF) flag only. (Decimal)

ip[6] & 0x20 =

MF flag only (Hex)

ip[6] & 32 =

MF flag only (Decimal)

ip[6:2] & 0x1FFF =

Fragment Offset field (Hex)

ip[6:2] & 8191 =

Fragment Offset field (Decimal)

ip[6:2] =

Entire Flags and Fragment Offset field

ip[8] =

TTL

ip[9] =

Protocol

ip[10:2] =

Header Checksum

ip[12:4] =

Source IP (Should be expressed in Hex)

ip[16:4] =

Destination IP (Should be expressed in Hex)

ip[20..60] =

If any options.

Flag Bits

'ip[6] = 128'

Byte 6 can ONLY have the RES bit on. No other bits can be set.

'ip[6] = 64'

Byte 6 can ONLY have the DF bit on. No other bits can be set.

'ip[6] = 32'

Byte 6 can ONLY have the MF bit on. No other bits can be set.

The high 3 bits of byte 6 are checked. The remaining 5 bits are not checked.

High 3 bits can only have the DF bit set. Other 2 bits MUST be off. Remaining 5 bits are ignored.

The high 3 bits of byte 6 are checked. The remaining 5 bits are not checked.

High 3 bits can only have the MF bit set. Other 2 bits MUST be off. Remaining 5 bits are ignored.

Only the RES bit is checked and MUST be ON. All other bits in byte 6 are ignored.

Only the RES bit is checked and MUST be OFF. All other bits in byte 6 are ignored.

Only the DF bit is checked and MUST be ON. All other bits in byte 6 are ignored.

Only the DF bit is checked and MUST be OFF. All other bits in byte 6 are ignored.

Only the MF bit is checked and MUST be ON. All other bits in byte 6 are ignored.

Only the MF bit is checked and MUST be OFF. All other bits in byte 6 are ignored.

TTLs

Default TTLs:

Windows = 128

Linux = 64

Cisco = 255

Protocols

ICMPv4 = 0x01 or 1

TCP = 0x06 or 6

UDP = 0x11 or 17

For more, see IANA protocol numbers

'ip[9] = 0x01'

ICMPv4

'ip[9] = 0x06'

TCP

'ip[9] = 0x11'

UDP

Source/Destination IPs

'ip[12:4] = 0x0a0a0a0a'

Source IP

'ip[16:4] = 0x0a0a0a0a'

Destination IP

'ip[12:4] = 0x0a0a0a0a || ip[16:4] = 0x0a0a0a0a'

Both

IP Version and Header Length (IHL)

All with the MF (More Fragments) flag set OR a fragment offset value greater than zero

IPv6 Header

All

ip6[0] & 0xf0 =

IP version (Hex)

ip6[0] & 240 =

IP version (Decimal)

ip6[0:2] & 0x0ff0 =

Traffic Class Field

ip6[0:4] & 0x000fffff =

Flow Label Field

ip6[4:2] =

Payload length

ip6[6] =

Next Header

ip6[7] =

Hop limit (TTL)

Next Header

Hop Limit (TTL)

ICMP Header

icmp[0] =

ICMP type

icmp[1] =

ICMP code

icmp[2:2] =

Checksum

icmp[4...] =

Payload

Notable control messages: https://en.wikipedia.org/wiki/Internet_Control_Message_Protocol

TCP Header

All

tcp[0:2] =

16-bit Source Port

tcp[2:2] =

16-bit Destination Port

tcp[4:4] =

32-bit Sequence Number

tcp[8:4] =

32-bit Ack Number

tcp[12] =

Header Length

tcp[13] =

Whole TCP Flags Field

tcp[13] & 0x80 =

CWR bit only (Hex)

tcp[13] & 128 =

CWR bit only (Decimal)

tcp[13] & 0x40 =

ECE bit only (Hex)

tcp[13] & 64 =

ECE bit only (Decimal)

tcp[13] & 0x20 =

URG bit only (Hex)

tcp[13] & 32 =

URG bit only (Decimal)

tcp[13] & 0x10 =

ACK bit only (Hex)

tcp[13] & 16 =

ACK bit only (Decimal)

tcp[13] & 0x08 =

PSH bit only (Hex)

tcp[13] & 8 =

PSH bit only (Decimal)

tcp[13] & 0x04 =

RST bit only (Hex)

tcp[13] & 4 =

RST bit only (Decimal)

tcp[13] & 0x02 =

SYN bit only (Hex)

tcp[13] & 2 =

SYN bit only (Decimal)

tcp[13] & 0x01 =

FIN bit only (Hex)

tcp[13] & 1 =

FIN bit only (Decimal)

tcp[14:2] =

Window Size

tcp[16:2] =

Checksum

tcp[18:2] =

Urgent Pointer

tcp[20...60] =

Options or data (if any)

Flags

Examples:

Very Specific:

Only packets with the ACK+PSH flags set and NO other flags.

Less Specific:

Any packets with the ACK+PSH flags set and other flags are ignored.

Any packets with the ACK flags set and the PSH flag not set. Other flags are ignored.

Least Specific:

Packets that have the ACK and/or PSH set but NOT both off. Other flags are ignored.
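The three levels of flag specificity above, as an added example that is not part of the original page: Python models of the tcp[13] tests run against constructed TCP headers. The BPF expressions in the comments (tcp[13] = 0x18, tcp[13] & 0x18 = 0x18, and so on) are the standard forms for those descriptions; the same equality-versus-mask distinction is what the IPv4 Flag Bits section describes for ip[6].

```python
import struct

CWR, ECE, URG, ACK, PSH, RST, SYN, FIN = 0x80, 0x40, 0x20, 0x10, 0x08, 0x04, 0x02, 0x01

def tcp_header(flags, sport=40000, dport=80):
    """Construct a minimal 20-byte TCP header (test input, not a real capture); byte 13 holds the flags."""
    data_offset = 5 << 4                     # tcp[12]: 5 x 4-byte words, no options
    return struct.pack("!HHIIBBHHH", sport, dport, 1, 0, data_offset, flags, 65535, 0, 0)

def very_specific(hdr):
    # 'tcp[13] = 0x18': ACK+PSH set and NO other flags (whole byte must equal 0x18)
    return hdr[13] == (ACK | PSH)

def less_specific(hdr):
    # 'tcp[13] & 0x18 = 0x18': ACK+PSH both set, other flags ignored by the mask
    return (hdr[13] & (ACK | PSH)) == (ACK | PSH)

def ack_not_psh(hdr):
    # 'tcp[13] & 0x18 = 0x10': ACK set and PSH clear, other flags ignored
    return (hdr[13] & (ACK | PSH)) == ACK

def least_specific(hdr):
    # 'tcp[13] & 0x18 != 0': ACK and/or PSH set, but not both off
    return (hdr[13] & (ACK | PSH)) != 0

def classify(flags):
    """Return (very, less, ack_not_psh, least) for a header built with the given flags byte."""
    hdr = tcp_header(flags)
    return (very_specific(hdr), less_specific(hdr), ack_not_psh(hdr), least_specific(hdr))
```

Running classify on ACK|PSH, ACK|PSH|FIN and plain ACK shows how each extra flag drops a packet out of the stricter matches while the masked forms keep it.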

Window Sizes

UDP Header

udp[0:2] =

16-bit source port (Specify in Hex or Decimal)

udp[2:2] =

16-bit destination port (Specify in Hex or Decimal)

udp[4:2] =

Datagram Length

udp[6:2] =

UDP Checksum

'udp[0:2] = 69'

Source Port

'udp[2:2] = 69'

Destination Port

'udp[0:2] = 53 || udp[2:2] = 53'

Source OR Dest Port

'ip[6:2] & 0x3fff != 0'

Fragmented IP packets: MF flag set or a non-zero fragment offset (this is an IPv4 header filter, not a UDP checksum check)
