tcpdump
=======

See tcpdump(8). The '-n' flag skips name lookups of IP addresses.

Inspect all traffic from an interface:

  # tcpdump -vv -i eth0

Capture only n packets:

  # tcpdump -vv -c 10 -i eth0

Show interfaces available for capture (note `lo`):

  # tcpdump -D

Save to a .pcap file:

  # tcpdump -w 001.eth0.pcap -i eth0

Read a .pcap file:

  # tcpdump -vvv -r 001.eth0.pcap

Wireshark can also read .pcap files.

Capture only tcp (or arp or icmp or udp):

  # tcpdump -i eth0 tcp

Capture a particular port:

  # tcpdump -i eth0 port 80

We can also invert the match to capture everything except port 80, like:

  # tcpdump -i eth0 'port !80'

A range of ports:

  # tcpdump -vvn -i eth0 portrange 10000-20000

From a particular address:

  # tcpdump -i eth0 src 10.0.0.11

To a particular address:

  # tcpdump -i eth0 dst 10.0.0.100

From 10.0.0.10 or 10.0.0.223 to DNS, keeping only answers that return a result of 127.0.0.1:

  # tcpdump -lvv -i eth0 '(host 10.0.0.10 or host 10.0.0.223) and (port 53)' | grep '127.0.0.1'

Don't capture particular ports:

  # tcpdump -lnvv -i em2 'host 10.0.0.63 and (not port 80 and not port 443)'

Capture to files, with each file of a limited duration (here 3600 seconds; the filename is expanded with strftime(3) patterns):

  # tcpdump -n -G 3600 -i eth0 -w 'foo_%Y-%m-%d_%H:%M:%S.pcap'

Read a previously captured .pcap file:

  % /usr/sbin/tcpdump -vvvr foo.pcap | less
  % /usr/sbin/tcpdump -vvvXXAr foo.pcap | less

Look for ICMPv6 echo replies (type 129; echo requests are type 128). The byte at offset 40 is the ICMPv6 type because the IPv6 fixed header is 40 bytes long:

  % tcpdump -lnvv -i em1 "ip6[40]=129"
  % tcpdump -lnvv -i em0 "ip6[40]=129 or ip6[40]=128"

By default, tcpdump captures only a limited number of bytes from each packet. The -s flag lets us specify the number of bytes.
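The `ip6[40]=129` filter above works only because the IPv6 fixed header is exactly 40 bytes; if an extension header (Hop-by-Hop, Routing, Destination Options) sits between it and ICMPv6, byte 40 is that extension header's Next Header field instead, and the reply is silently missed. The following Python is an added example, not part of the original page: it builds two constructed packets and compares what the byte-offset test sees with the type found by walking the Next Header chain; all helper names are my own.

```python
import struct

# IPv6 Next Header values (from the protocol specs, not the original page)
HOPOPT, ROUTING, DSTOPTS, ICMPV6 = 0, 43, 60, 58
ECHO_REQUEST, ECHO_REPLY = 128, 129   # ICMPv6 types quoted on the page

# Constructed sample link-local addresses for the example packets
SRC = b"\xfe\x80" + b"\x00" * 13 + b"\x01"
DST = b"\xfe\x80" + b"\x00" * 13 + b"\x02"


def ipv6_packet(payload, next_header, src=SRC, dst=DST, hop_limit=64):
    """Prepend a 40-byte IPv6 fixed header: ver/tc/flow, payload len, next hdr, hop limit, src, dst."""
    hdr = struct.pack("!IHBB16s16s", 6 << 28, len(payload), next_header, hop_limit, src, dst)
    return hdr + payload


def icmpv6_echo(icmp_type, ident=1, seq=1):
    """8-byte ICMPv6 echo header; checksum left zero since nothing here goes on the wire."""
    return struct.pack("!BBHHH", icmp_type, 0, 0, ident, seq)


def hop_by_hop(next_header):
    """Minimal 8-byte Hop-by-Hop Options header: next hdr, ext len 0, one 4-byte PadN option."""
    return struct.pack("!BB", next_header, 0) + b"\x01\x04" + b"\x00" * 4


def ip6_byte(pkt, offset):
    """What the BPF primitive ip6[offset] reads: the byte at that offset from the IPv6 header start."""
    return pkt[offset]


def icmpv6_type(pkt):
    """Follow the Next Header chain past extension headers; return the ICMPv6 type or None."""
    nh, off = pkt[6], 40
    while nh in (HOPOPT, ROUTING, DSTOPTS):
        # Hdr Ext Len counts 8-octet units beyond the first 8 octets
        nh, ext_len = pkt[off], (pkt[off + 1] + 1) * 8
        off += ext_len
    return pkt[off] if nh == ICMPV6 else None


def compare(pkt):
    """Return (naive ip6[40] value, real ICMPv6 type) so the two can be set side by side."""
    return ip6_byte(pkt, 40), icmpv6_type(pkt)


if __name__ == "__main__":
    plain = ipv6_packet(icmpv6_echo(ECHO_REPLY), ICMPV6)
    padded = ipv6_packet(hop_by_hop(ICMPV6) + icmpv6_echo(ECHO_REPLY), HOPOPT)
    print("no extension header:", compare(plain))   # (129, 129): ip6[40]=129 matches
    print("hop-by-hop present: ", compare(padded))  # (58, 129): ip6[40]=129 misses the reply
```

In practice this is why a capture filter on ip6[40] is a quick triage tool rather than an exhaustive one; verify on the saved .pcap with a protocol-aware reader before concluding that no echo replies were seen.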
View blocked packets from a pf log:

  # tcpdump -env '(host 10.0.2.12) and action block' -r /var/log/pflog

Sample output:

---
falstaff 11:40AM ~ % sudo tcpdump -i br0 -vv port domain --direction=in
tcpdump: listening on br0, link-type EN10MB (Ethernet), capture size 262144 bytes
11:41:27.035874 IP (tos 0x40, ttl 56, id 0, offset 0, flags [DF], proto UDP (17), length 93)
    cdns01.comcast.net.domain > 10.0.0.76.36412: [udp sum ok] 65467 q: A? clyde.devilghost.com. 1/0/1 clyde.devilghost.com. A 107.191.51.254 ar: . OPT UDPsize=512 (65)
11:41:27.037153 IP (tos 0x0, ttl 128, id 5166, offset 0, flags [DF], proto UDP (17), length 150)
    wolf.example.com.domain > 10.0.0.76.48943: [udp sum ok] 10357 NXDomain* q: PTR? 76.0.0.10.in-addr.arpa. 0/1/0 ns: 0.0.10.in-addr.arpa. SOA wolf.example.com. admin.example.com. 6089 900 600 86400 3600 (122)
11:41:27.067084 IP (tos 0x0, ttl 128, id 5168, offset 0, flags [DF], proto UDP (17), length 102)
    wolf.example.com.domain > 10.0.0.76.51561: [udp sum ok] 30157 q: PTR? 75.75.75.75.in-addr.arpa. 1/0/0 75.75.75.75.in-addr.arpa. PTR cdns01.comcast.net. (74)
11:41:27.067863 IP (tos 0x0, ttl 128, id 5169, offset 0, flags [DF], proto UDP (17), length 102)
    wolf.example.com.domain > 10.0.0.76.58609: [udp sum ok] 42272* q: PTR? 2.0.0.10.in-addr.arpa. 1/0/0 2.0.0.10.in-addr.arpa. PTR wolf.example.com. (74)
11:41:32.259912 IP (tos 0x20, ttl 46, id 2551, offset 0, flags [none], proto UDP (17), length 93)
    google-public-dns-a.google.com.domain > 10.0.0.76.36508: [udp sum ok] 7345 q: A? clyde.devilghost.com. 1/0/1 clyde.devilghost.com. A 107.191.51.254 ar: . OPT UDPsize=512 (65)
11:41:32.260710 IP (tos 0x0, ttl 128, id 5528, offset 0, flags [DF], proto UDP (17), length 110)
    wolf.example.com.domain > 10.0.0.76.56131: [udp sum ok] 46898 q: PTR? 8.8.8.8.in-addr.arpa. 1/0/0 8.8.8.8.in-addr.arpa. PTR google-public-dns-a.google.com. (82)