https://besterry.com/tags/tcpdump/Recent content in Tcpdump on Besterry — Linux & DevOps NotesHugoen-usFri, 08 Nov 2024 00:00:00 +0000https://besterry.com/posts/tcpdump-filters-cheatsheet/Fri, 08 Nov 2024 00:00:00 +0000https://besterry.com/posts/tcpdump-filters-cheatsheet/<p>tcpdump has a weird little filter language (BPF syntax) that I never remember under pressure. This page is my cheatsheet.</p> <h2 id="basic-syntax">Basic syntax</h2> <pre><code>tcpdump -i &lt;interface&gt; -n &lt;filter&gt; -n don't resolve addresses/ports -i interface (eth0, any, lo) -v verbose (-vv, -vvv more) -w write to file for later wireshark -r read from file -c N stop after N packets -s 0 capture full packet (not truncated) </code></pre> <h2 id="host-and-network-filters">Host and network filters</h2> <pre><code>host 192.0.2.1 # to or from src host 192.0.2.1 # from only dst host 192.0.2.1 # to only net 192.0.2.0/24 # subnet src net 192.0.2.0/24 # subnet as source </code></pre> <h2 id="port-filters">Port filters</h2> <pre><code>port 443 # source or dest port 443 src port 443 # source only dst port 443 # dest only portrange 50000-60000 # range </code></pre> <h2 id="protocol-filters">Protocol filters</h2> <pre><code>tcp # TCP only udp # UDP only icmp # ICMP only arp # ARP tcp port 443 # combine 'tcp[tcpflags] &amp; tcp-syn != 0' # TCP with SYN flag </code></pre> <h2 id="tcp-flag-combinations">TCP flag combinations</h2> <pre><code># SYN only (connection attempts) 'tcp[tcpflags] == tcp-syn' # SYN-ACK 'tcp[tcpflags] == tcp-syn|tcp-ack' # RST (connection resets) 'tcp[tcpflags] &amp; tcp-rst != 0' # FIN (connection closes) 'tcp[tcpflags] &amp; tcp-fin != 0' </code></pre> <h2 id="combining-filters">Combining filters</h2> <pre><code>host 192.0.2.1 and tcp port 443 'host 192.0.2.1 and (port 80 or port 443)' 'not arp and not port 22' </code></pre> <p>Boolean operators: <code>and</code>, <code>or</code>, <code>not</code> (or <code>&amp;&amp;</code>, <code>||</code>, <code>!</code>).</p>