Tcpdump-cheat-sheet: Difference between revisions
| (2 intermediate revisions by the same user not shown) | |||
| Line 10: | Line 10: | ||
| <code>tcpdump -i any</code> || capture packets from all available interfaces | | <code>tcpdump -i any</code> || capture packets from all available interfaces | ||
|- | |- | ||
| − | | <code>tcpdump tcp|udp|icmp|arp</code> || capture only | + | | <code>tcpdump tcp</code> || capture only tcp |
| + | |- | ||
| + | | <code>tcpdump udp</code> || capture only udp | ||
| + | |- | ||
| + | | <code>tcpdump icmp</code> || capture only icmp | ||
| + | |- | ||
| + | | <code>tcpdump arp</code> || capture only arp | ||
|- | |- | ||
| <code>tcpdump src 10.0.0.1</code> || capture traffic from 10.0.0.1 | | <code>tcpdump src 10.0.0.1</code> || capture traffic from 10.0.0.1 | ||
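Review bot: Splitting the old `tcpdump tcp|udp|icmp|arp` row into four rows is correct: `|` is not alternation in pcap filter syntax (that is written `tcp or udp`), so the combined form could not have been run as shown. The four new rows read well; for consistency with "capture TCP SYN packets" further down the page, "capture only tcp" and its siblings could name the protocol in upper case.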
| Line 46: | Line 52: | ||
| <code>tcpdump 'tcp[13] == tcp-syn'</code> || capture TCP SYN packets | | <code>tcpdump 'tcp[13] == tcp-syn'</code> || capture TCP SYN packets | ||
|- | |- | ||
| − | | <code>tcpdump 'tcp[13] & (tcp-syn|tcp-fin) != 0'</code> || match TCP SYN or FIN | + | | <code>tcpdump 'tcp[13] <nowiki> & (tcp-syn|tcp-fin) != 0'</nowiki></code> || match TCP SYN or FIN |
|- | |- | ||
| <code>tcpdump -e vlan 10</code> || capture traffic with VLAN tag 10 | | <code>tcpdump -e vlan 10</code> || capture traffic with VLAN tag 10 | ||
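Review bot: The `<nowiki>` wrapping is a markup-only change (the filter text `tcp[13] & (tcp-syn|tcp-fin) != 0` is unchanged), and the rendered current version shows the expression intact, so it does what it should. What this row and the `tcp[13] == tcp-syn` context line above it could state more precisely is the difference between the two forms: `==` compares the whole flags byte, so that row matches only a bare SYN (a SYN-ACK has `tcp-ack` set as well and is excluded), whereas `& (tcp-syn|tcp-fin) != 0` matches any segment with SYN or FIN set regardless of the other flags. Suggest "capture pure TCP SYN packets (no ACK)" and "match TCP SYN or FIN, whatever other flags are set".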
Current revision as of 23 April 2025, 11:23
| Command | Description |
|---|---|
| <code>tcpdump</code> | listen on the first non-loopback interface detected |
| <code>tcpdump -i eth0</code> | capture packets on eth0 and display their content |
| <code>tcpdump -i eth0 -w my.pcap</code> | save packets received on eth0 to my.pcap |
| <code>tcpdump -i any</code> | capture packets from all available interfaces |
| <code>tcpdump tcp</code> | capture only TCP |
| <code>tcpdump udp</code> | capture only UDP |
| <code>tcpdump icmp</code> | capture only ICMP |
| <code>tcpdump arp</code> | capture only ARP |
| <code>tcpdump src 10.0.0.1</code> | capture traffic from 10.0.0.1 |
| <code>tcpdump port 80</code> | capture traffic with either src or dst port 80 |
| <code>tcpdump dst net 10.1.1.0/24</code> | capture traffic destined to the subnet 10.1.1.0/24 |
| <code>tcpdump tcp and src 10.0.0.1 and port 80</code> | combine multiple filters with <code>and</code> |
| <code>tcpdump tcp dst portrange 22-1023</code> | capture TCP packets whose destination port is in the range 22-1023 |
| <code>tcpdump -vvv</code> | show protocol-specific info with full verbosity |
| <code>tcpdump -tt</code> | use UNIX timestamp as packet timestamp format |
| <code>tcpdump not port 22</code> | capture all traffic except SSH (port 22) |
| <code>tcpdump -c 1000</code> | capture the first 1000 packets only |
| <code>tcpdump -n</code> | do not convert IP addresses/ports to names |
| <code>tcpdump -e</code> | display layer-2 info such as MAC addresses |
| <code>tcpdump -X</code> | show payload content in hex/ASCII format |
| <code>tcpdump ip6</code> | capture IPv6 packets only |
| <code>tcpdump 'tcp port 80 or udp port 67'</code> | combine filters with <code>or</code> (quote the expression for the shell) |
| <code>tcpdump greater 200</code> | capture packets whose length > 200 |
| <code>tcpdump ether dst ff:ff:ff:ff:ff:ff</code> | capture layer-2 broadcast packets |
| <code>tcpdump 'tcp[13] == tcp-syn'</code> | capture TCP SYN packets |
| <code>tcpdump 'tcp[13] & (tcp-syn\|tcp-fin) != 0'</code> | match TCP SYN or FIN |
| <code>tcpdump -e vlan 10</code> | capture traffic with VLAN tag 10 |
| <code>tcpdump 'icmp[0] = 8'</code> | capture ICMP echo request packets (ping) |
| <code>tcpdump outbound</code> | capture only outbound traffic |
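The byte-offset filters in the table (`tcp[13]`, `icmp[0]`) read a single header byte, and the difference between `== tcp-syn` and `& (tcp-syn|tcp-fin) != 0` is the part people most often get wrong. The following Python is an added example, not part of the cheat sheet: it builds a handful of constructed IPv4 packets (no real traffic is captured) and evaluates those three filter expressions the way pcap does, locating the transport header through the IHL field and comparing the flags byte. It shows that `tcp[13] == tcp-syn` matches only a bare SYN, while the bitmask form also matches SYN-ACK and FIN-ACK; the packet builders and sample names are the example's own, not tcpdump's. Python is used rather than tcpdump itself so the demonstration runs without capture privileges or a pcap file.

```python
import struct

# Bit values of the TCP flags byte (offset 13 in the TCP header); these are the
# values tcpdump's tcp-fin / tcp-syn / tcp-ack keywords stand for.
TCP_FIN = 0x01
TCP_SYN = 0x02
TCP_ACK = 0x10

IP_PROTO_ICMP = 1
IP_PROTO_TCP = 6


def build_ipv4(proto, payload):
    """Constructed minimal IPv4 header (IHL 5, no options, checksum zero) + payload."""
    total_len = 20 + len(payload)
    hdr = struct.pack("!BBHHHBBH4s4s",
                      0x45, 0, total_len, 0, 0, 64, proto, 0,
                      bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return hdr + payload


def build_tcp(flags, sport=40000, dport=80):
    """Constructed minimal TCP header: data offset 5 (20 bytes), given flags byte."""
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 65535, 0, 0)


def build_icmp(icmp_type, code=0):
    """Constructed 8-byte ICMP header: type, code, checksum, id, sequence."""
    return struct.pack("!BBHHH", icmp_type, code, 0, 0, 0)


def l4_offset(pkt):
    """Start of the transport header: IHL * 4, which is how pcap resolves tcp[n]/icmp[n]."""
    return (pkt[0] & 0x0F) * 4


def ip_proto(pkt):
    """Protocol field of the IPv4 header (byte 9)."""
    return pkt[9]


def tcp_byte(pkt, n):
    """pcap's tcp[n]: the n-th byte of the TCP header, or None if the packet is not TCP."""
    if ip_proto(pkt) != IP_PROTO_TCP:
        return None
    return pkt[l4_offset(pkt) + n]


def icmp_byte(pkt, n):
    """pcap's icmp[n]: the n-th byte of the ICMP header, or None if not ICMP."""
    if ip_proto(pkt) != IP_PROTO_ICMP:
        return None
    return pkt[l4_offset(pkt) + n]


def match_pure_syn(pkt):
    """tcp[13] == tcp-syn : the whole flags byte must equal SYN, so no ACK etc."""
    b = tcp_byte(pkt, 13)
    return b is not None and b == TCP_SYN


def match_syn_or_fin(pkt):
    """tcp[13] & (tcp-syn|tcp-fin) != 0 : SYN or FIN set, other flags ignored."""
    b = tcp_byte(pkt, 13)
    return b is not None and (b & (TCP_SYN | TCP_FIN)) != 0


def match_echo_request(pkt):
    """icmp[0] = 8 : ICMP type byte is echo request (ping)."""
    return icmp_byte(pkt, 0) == 8


# Constructed sample packets covering the cases the two TCP filters separate.
SAMPLES = {
    "syn":     build_ipv4(IP_PROTO_TCP, build_tcp(TCP_SYN)),
    "syn-ack": build_ipv4(IP_PROTO_TCP, build_tcp(TCP_SYN | TCP_ACK)),
    "fin-ack": build_ipv4(IP_PROTO_TCP, build_tcp(TCP_FIN | TCP_ACK)),
    "ack":     build_ipv4(IP_PROTO_TCP, build_tcp(TCP_ACK)),
    "ping":    build_ipv4(IP_PROTO_ICMP, build_icmp(8)),
    "pong":    build_ipv4(IP_PROTO_ICMP, build_icmp(0)),
}


def evaluate(samples=SAMPLES):
    """Return {name: (pure_syn, syn_or_fin, echo_request)} for every sample packet."""
    return {name: (match_pure_syn(p), match_syn_or_fin(p), match_echo_request(p))
            for name, p in samples.items()}


if __name__ == "__main__":
    for name, (pure, mask, echo) in evaluate().items():
        print(f"{name:8s} tcp[13]==tcp-syn={pure!s:5} syn|fin={mask!s:5} icmp[0]=8={echo}")
```

Running it prints one line per sample; only `syn` satisfies the `==` filter, while `syn`, `syn-ack` and `fin-ack` all satisfy the bitmask filter, which is the behaviour to expect from the two table rows when run against live traffic.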