To analyse a capture file
tcpdump -r capture_file.pcap
general monitoring
-i any = listen on any interface
-i eth0 = listen on eth0 interface
-n = do not resolve hostnames
-q = quiet (less verbose)
-t = timestamp control (a single -t suppresses the per-line timestamp)
-tttt = maximally readable timestamp
-v, -vv, -vvv = increasing verbosity
-A = display in ASCII
-X = display in Hex
-w = write to file
-r = read a capture file
tcp = capture TCP only (tcpdump -i eth0 tcp)
filter for source / destination IP
tcpdump -n src host 192.168.3.45 -r dumpfile.pcap
tcpdump -n dst host 192.168.3.45 -r dumpfile.pcap
filter for port number
tcpdump -n port 81 -r dumpfile.pcap
View traffic in hex format
tcpdump -nX -r dumpfile.pcap
specify flags
The TCP flags live in the 14th byte of the TCP header (offset 13 counting from 0), laid out most-significant bit first:
CEUAPRSF
00000000
So a packet with the A (ACK) and P (PSH) flags set, and no other flags, has the value
00011000 = 24, leading to:
tcpdump -A -n 'tcp[13] = 24' -r dumpfile.pcap
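The flag-byte arithmetic above, as an added example that is not part of the original page: a small POSIX shell helper that turns flag letters into the tcp[13] value, decodes a value back into letters, and prints the three filter forms a practitioner usually needs (exactly these flags, all of these flags, any of these flags). The function names are my own.

```shell
#!/bin/sh
# Bit layout of the TCP flags byte (tcp[13]), MSB first: C E U A P R S F
# Added example; helper names are assumptions, not tcpdump features.

tcp_flag_bit() {
  case "$1" in
    F|f) echo 1 ;;    # FIN
    S|s) echo 2 ;;    # SYN
    R|r) echo 4 ;;    # RST
    P|p) echo 8 ;;    # PSH
    A|a) echo 16 ;;   # ACK
    U|u) echo 32 ;;   # URG
    E|e) echo 64 ;;   # ECE
    C|c) echo 128 ;;  # CWR
    *) echo "unknown flag letter: $1" >&2; return 1 ;;
  esac
}

# tcp_flags_value "AP" -> 24 ; bits are OR-ed so repeated letters are harmless
tcp_flags_value() {
  total=0; flags="$1"
  while [ -n "$flags" ]; do
    ch=$(printf '%s' "$flags" | cut -c1)
    flags=$(printf '%s' "$flags" | cut -c2-)
    bit=$(tcp_flag_bit "$ch") || return 1
    total=$((total | bit))
  done
  echo "$total"
}

# tcp_flags_decode 24 -> "AP" ; prints "none" for 0
tcp_flags_decode() {
  v="$1"; out=""
  for pair in C:128 E:64 U:32 A:16 P:8 R:4 S:2 F:1; do
    name=${pair%:*}; bit=${pair#*:}
    [ $((v & bit)) -ne 0 ] && out="$out$name"
  done
  echo "${out:-none}"
}

# Exactly these flags and no others (what the page's 'tcp[13] = 24' matches)
filter_exact() { printf "tcp[13] = %s\n" "$(tcp_flags_value "$1")"; }
# All of these flags set, other bits ignored
filter_all()   { v=$(tcp_flags_value "$1"); printf "tcp[13] & %s = %s\n" "$v" "$v"; }
# Any one of these flags set
filter_any()   { printf "tcp[13] & %s != 0\n" "$(tcp_flags_value "$1")"; }
```

Wrap the output in single quotes when passing it to tcpdump, e.g. tcpdump -n "$(filter_all AP)" -r dumpfile.pcap.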