Skip to content

Tcpdump – quick commands

For all commands, you will need root permissions. Use it from root or with sudo.

Show all packets with URG flag:

tcpdump 'tcp[13] & 32 != 0'

Show all packets with ACK flag:

tcpdump 'tcp[13] & 16 != 0'

Show all packets with PSH flag:

tcpdump 'tcp[13] & 8 != 0'

Show all packets with RST flag:

tcpdump 'tcp[13] & 4 != 0'

Show all packets with SYN flag:

tcpdump 'tcp[13] & 2 != 0'

Show all packets with FIN flag:

tcpdump 'tcp[13] & 1 != 0'

Show all packets with SYN-ACK flag:

tcpdump 'tcp[13] = 18'

Show all packets from or to a certain source:

tcpdump host 4.2.2.2

Show all packets from or to a certain source with network interface specification. fxp0 is my network interface (FreeBSD):

tcpdump -pni fxp0 host 4.2.2.2

Show all packets from a network:

tcpdump net 4.2.2.0/24

Show all packets by tcp port:

tcpdump -n src port 80 # source port
tcpdump -n dst port 80 # destination port

Show all packets by protocol:

tcpdump -n icmp

Show all packets excluding a port (ex. ssh):

tcpdump -n port not 22
Published inFreeBSDLinux
© 2019 - Marian Amza. All rights reserved.
Powered by Wordpress & Debian