Tcpdump Usage Summary

Thu, 05 May 2022 13:39:10 +0800

Tcpdump Usage Summary

Command usage

tcpdump uses the command line. The command format is:

tcpdump [ -AdDeflLnNOpqRStuUvxX ] [ -c count ]
 [ -C file_size ] [ -F file ]
 [ -i interface ] [ -m module ] [ -M secret ]
 [ -r file ] [ -s snaplen ] [ -T type ] [ -w file ]
 [ -W filecount ]
 [ -E spi@ipaddr algo:secret, ... ]
 [ -y datalinktype ] [ -Z user ]
 [ expression ]

Simple option notes for tcpdump

-E spi@ipaddr algo:secret , ... can decrypt IPsec ESP packets using spi@ipaddr algo:secret. The secret is the ESP key, expressed as an ASCII string. If it starts with 0x, the key is read as hex. In addition to the syntax above (spi@ipaddr algo:secret), you can append a syntax input filename for tcpdump to use (replace … in spi@ipaddr algo:secret, ... with a syntax filename). This file is opened when the first ESP packet arrives, so it is best to drop some privileges at that time (to reduce risk if the file is malicious).
-T type forces tcpdump to analyze packets according to the protocol structure specified by type. Known type values include:
- aodv (Ad-hoc On-demand Distance Vector protocol, used in Ad hoc peer-to-peer networks)
- cnfp (Cisco NetFlow protocol)
- rpc (Remote Procedure Call)
- rtp (Real-Time Applications protocol)
- rtcp (Real-Time Applications control protocol)
- snmp (Simple Network Management Protocol)
- tftp (Trivial File Transfer Protocol)
- vat (Visual Audio Tool, an application-layer protocol used for video conferencing on the internet)
- wb (distributed White Board, an application-layer protocol for online meetings)

Practical command examples

Capture communication between host 210.27.48.1 and host 210.27.48.2 or 210.27.48.3

Tcpdump on Ricky

Tcpdump Usage Summary

Command usage

Simple option notes for tcpdump

Practical command examples