On Linux, to capture data on a port and write to output.pcap, run
sudo tcpdump -i any -v 'port 1514' -w output.pcap
To capture, on the server (192.168.11.153), only the traffic of a client (192.168.99.74) talking to TCP port 443 on that server, match both directions of the connection explicitly:
tcpdump -i eth1 -n '(src 192.168.99.74 and dst 192.168.11.153 and dst port 443) or (src 192.168.11.153 and dst 192.168.99.74 and src port 443)'
Tcpdump filters allow you to capture specific types of network traffic based on various criteria, making it easier to analyze and troubleshoot network issues. You can filter by protocol (TCP, UDP, ICMP, etc.), IP address (source or destination), port number (source or destination), MAC address, and more. Advanced filters can also combine these criteria using logical operators like and, or, and not.
Basic Filters:
Protocol: tcp, udp, icmp, arp, ip, ip6 (link-layer protocols are selected with ether proto <protocol> rather than ether alone)
Host: host 192.168.1.1 (captures traffic to or from this IP)
Source Host: src host 192.168.1.1
Destination Host: dst host 192.168.1.1
Port: port 80 (captures TCP or UDP traffic with 80 as either the source or the destination port)
Source Port: src port 80
Destination Port: dst port 80
MAC Address: ether src aa:bb:cc:11:22:33 (captures traffic with the specified MAC address as the source)
Advanced Filters (Combining Criteria): join the primitives above with and, or and not, and group sub-expressions with parentheses; the bidirectional client/server filter shown earlier is one such combination.
Example Usages:
Captures all TCP traffic on the eth0 interface with port 80 as either source or destination port
tcpdump -i eth0 tcp port 80
Captures all traffic related to the host 192.168.1.100 on any interface.
tcpdump -i any host 192.168.1.100
Captures all traffic on the eth0 interface with the specified MAC address as the source.
tcpdump -i eth0 ether src 00:11:22:33:44:55
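The following added example is not from the original page: it wraps the filter-building and capture steps above in POSIX shell functions so the bidirectional client/server expression, the single-quoting rule and the -n / -s 0 / -w options are applied consistently instead of retyped. It goes slightly beyond the page by also building a SYN-only filter (tcp[tcpflags]) for spotting new connection attempts. The function names, the interface eth1 and the addresses and ports are made-up sample values.

```shell
#!/bin/sh
# Added example, not part of the original notes. Function names and sample
# addresses/ports are hypothetical.

# session_filter CLIENT SERVER PORT
# Prints a tcpdump expression matching only the TCP flows between CLIENT and
# SERVER where SERVER listens on PORT, in both directions. Parentheses make the
# precedence explicit; the caller must pass the result as ONE quoted argument.
session_filter() {
    client=$1; server=$2; port=$3
    printf '%s' "(src $client and dst $server and tcp dst port $port) or (src $server and dst $client and tcp src port $port)"
}

# syn_only_filter
# Matches packets with SYN set and ACK clear, i.e. the first packet of every
# TCP handshake. Useful for listing connection attempts without the payload noise.
syn_only_filter() {
    printf '%s' 'tcp[tcpflags] & (tcp-syn|tcp-ack) == tcp-syn'
}

# exclude_noise FILTER
# Wraps FILTER so the capture host's own SSH session is left out; without this,
# running tcpdump over SSH captures its own output being sent back to you.
exclude_noise() {
    printf '%s' "($1) and not tcp port 22"
}

# capture IFACE FILE FILTER
# Runs tcpdump with the options the notes recommend: -n (no name resolution),
# -s 0 (whole packets), -w (write a pcap). "$filter" is passed as a single
# argument so the parentheses reach tcpdump and are never seen by the shell.
capture() {
    iface=$1; outfile=$2; filter=$3
    tcpdump -i "$iface" -n -s 0 -w "$outfile" "$filter"
}

# Sample invocation with constructed addresses. Only runs when RUN_CAPTURE=1
# and tcpdump is installed, since a live capture needs root and a real interface.
if [ "${RUN_CAPTURE:-0}" = 1 ] && command -v tcpdump >/dev/null 2>&1; then
    f=$(exclude_noise "$(session_filter 192.168.99.74 192.168.11.153 443)")
    capture eth1 session.pcap "$f"
    # Afterwards, list handshakes from the file: tcpdump -n -r session.pcap "$(syn_only_filter)"
fi
```

Run it as RUN_CAPTURE=1 sh capture.sh on the server; the written pcap can then be read back with -r and narrowed further with the same filter syntax.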
Important Notes:
Interface Specification: Always specify the network interface with -i <interface_name>.
Name Resolution: Use -n to disable hostname and port number resolution for faster output.
Verbose Output: Use -v, -vv, or -vvv for more detailed output.
Packet Size: Use -s <snaplen> to specify the number of bytes to capture per packet (e.g., -s 0 for the entire packet). Modern tcpdump already defaults to a snaplen large enough for whole packets (262144 bytes), so -s 0 mainly matters on older versions; a small snaplen such as -s 96 keeps headers only and shrinks the capture file.
Output to File: Use -w <filename> to save the captured packets to a file.
Read from File: Use -r <filename> to read and display packets from a saved file.
Quotes: Use single quotes around filter expressions containing special characters (like parentheses) to prevent shell interpretation, so the whole expression reaches tcpdump as one argument.