tcpdump - ethan's notes

Tcpdump is a powerful command-line packet analyzer used to capture and display network traffic. When you run the TCP dump task, you must specify the interface on which to run the task. You an also include expressions in the task arguments to filter for specific traffic. To specify the interface, you include the -i argument and the interface name and number. For example: `-i eth1` — Physical interface #1 `-i ath1` — Wireless interface #1 `-i br1` — Bridge interface #1 `-i bond1` — Link aggregation interface #1 `-i vlan1` — VLAN interface #1 To build an expression to filter the traffic from the interface you specify, you can use any of the standard TCP dump keywords and operators. Some of the common keywords and operators are: `host` — Only include traffic to or from the specified host IP address. `net` — Only show traffic to or from the IP addresses in the specified subnet. For example, for 10.0.1.0/24, type 10.0.1. `port` — Only show traffic with either a source or destination of the specified port. `portrange` — Only show traffic from the specified range of ports. `ip proto` — Only show traffic from the specified protocol. For example, for ESP packets, type 50. `src` or `dst` — Use with the keywords _host_ or _port_ to specify the source or destination. `tcp` or `udp` — Use with the keywords _port_ or _portrange_ to specify the protocol. `and` / `or` — Use to combine expressions. For a complete list of the available keywords and detailed examples of how to create filter expressions, see the _PCAP-Filter_ manpage at [http://www.tcpdump.org/manpages/pcap-filter.7.html](http://www.tcpdump.org/manpages/pcap-filter.7.html). Examples of TCP dump arguments: ``` -i eth1 host 10.0.1.25 and dst port 80 ``` Show only traffic on interface eth1, to or from 10.0.1.25 with destination port 80. ``` -i eth0 tcp port 25 ``` Show only traffic on interface eth0, to or from TCP port 25. ``` -i vlan1024 ``` Show only traffic tagged with VLAN 1024. ``` -i eth0 udp port 500 or ip proto 50 ``` Show all UDP port 500 or ESP packets for the eth0 interface. ``` -i eth2 src 10.0.1.100 and dst 10.0.2.25 ``` Show all traffic from 10.0.1.100 to 10.0.2.25 on the eth2 interface.