
A Quick and Practical Reference for Tcpdump - madflojo
http://bencane.com/2014/10/13/quick-and-practical-reference-for-tcpdump
======
bostik
The one stanza I use most often:

    # tcpdump -n -i $iface -s 0 -w /path/to/dump.pcap -c 25000 net a.b.c.d/mask

Once the dump is finished, ship the dump over to my desktop and analyze the
full contents with Wireshark. The protocol dissectors, along with the ability
to follow TCP streams, make life SO much easier.

If I already know exactly what I'm going to look for I'll add the "and
[tcp|udp] and port $port" bit at the end. Gives a nice kickstart to any
traffic analysis.

------
ay
When outputting to terminal, "-l" can be a very useful switch if one pipes the
output through other utilities.

This becomes especially necessary when the packets matching a filter slowly
trickle in - i.e. precisely the use case where the direct output to the
terminal makes sense.

Edit: while troubleshooting IPv6, I frequently need to see _only_ IPv6 Route
Advertisements, which in the noise of ND traffic can be tricky with just ND,
so I tend to use the command below:

    tcpdump -ln -i en0 'icmp6 and ip6[40:1]=134'

It does not catch the corner cases of other headers added after the basic IPv6
header; keep that in mind!
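The offset arithmetic behind that filter, and the extension-header corner case the comment warns about, as an added example (written for this page, not code from the thread or from tcpdump/libpcap): `ip6[40:1]` reads the single byte right after the fixed 40-byte IPv6 header, which is the ICMPv6 Type only when ICMPv6 immediately follows the base header. The packets below are constructed sample data; the `bpf_naive_match` function is a simplified emulation of the filter that checks the base header's Next Header field only (libpcap additionally special-cases a leading Fragment header), and `find_icmpv6_type` shows the header walk the one-liner does not perform.

```python
import struct

IPV6_HDR_LEN = 40
NH_HOPOPT = 0          # Hop-by-Hop Options extension header
NH_UDP = 17
NH_ICMPV6 = 58
ICMPV6_TYPE_RA = 134   # Router Advertisement
ICMPV6_TYPE_NS = 135   # Neighbor Solicitation (part of the "ND noise")

# Extension headers that share the (next header, hdr ext len) layout,
# with the length counted in 8-octet units not including the first 8.
EXT_HEADERS = {0, 43, 60}   # Hop-by-Hop, Routing, Destination Options


def build_icmpv6(msg_type: int) -> bytes:
    """Constructed ICMPv6 message using the RA layout: type, code,
    checksum (left zero), cur hop limit, flags, router lifetime,
    reachable time, retrans timer. Only the type byte matters here."""
    return struct.pack("!BBHBBHII", msg_type, 0, 0, 64, 0, 1800, 0, 0)


def build_ipv6(payload: bytes, next_header: int,
               hop_by_hop: bool = False) -> bytes:
    """Constructed minimal IPv6 packet, optionally with a Hop-by-Hop
    extension header inserted between the base header and the payload."""
    src = bytes.fromhex("fe80000000000000000000000000000a")   # link-local
    dst = bytes.fromhex("ff020000000000000000000000000001")   # all-nodes
    ext = b""
    nh_in_base = next_header
    if hop_by_hop:
        # Next Header, Hdr Ext Len = 0 (8 octets total), then a PadN
        # option (type 1, length 4, four zero bytes) to fill the 8 octets.
        ext = struct.pack("!BB", next_header, 0) + b"\x01\x04\x00\x00\x00\x00"
        nh_in_base = NH_HOPOPT
    body = ext + payload
    ver_tc_fl = 0x60000000          # version 6, traffic class 0, flow label 0
    base = struct.pack("!IHBB", ver_tc_fl, len(body), nh_in_base, 255)
    return base + src + dst + body


def bpf_naive_match(pkt: bytes) -> bool:
    """Simplified emulation of 'icmp6 and ip6[40:1]=134': Next Header
    byte (offset 6) must be 58 and the byte at offset 40 must be 134."""
    return pkt[6] == NH_ICMPV6 and pkt[IPV6_HDR_LEN] == ICMPV6_TYPE_RA


def find_icmpv6_type(pkt: bytes):
    """Walk any extension headers to reach the ICMPv6 header and return
    its type byte, or None when the upper-layer protocol is not ICMPv6."""
    nh = pkt[6]
    off = IPV6_HDR_LEN
    while nh in EXT_HEADERS:
        nh = pkt[off]                      # next header of this ext header
        off += (pkt[off + 1] + 1) * 8      # skip over the ext header
    if nh != NH_ICMPV6:
        return None
    return pkt[off]


def is_router_advertisement(pkt: bytes) -> bool:
    """Extension-header-aware equivalent of the tcpdump one-liner."""
    return find_icmpv6_type(pkt) == ICMPV6_TYPE_RA


if __name__ == "__main__":
    ra_plain = build_ipv6(build_icmpv6(ICMPV6_TYPE_RA), NH_ICMPV6)
    ra_hbh = build_ipv6(build_icmpv6(ICMPV6_TYPE_RA), NH_ICMPV6, hop_by_hop=True)
    ns_plain = build_ipv6(build_icmpv6(ICMPV6_TYPE_NS), NH_ICMPV6)
    for name, pkt in [("RA", ra_plain), ("RA+HopByHop", ra_hbh), ("NS", ns_plain)]:
        print(f"{name:12} filter={bpf_naive_match(pkt)!s:5} "
              f"walker={is_router_advertisement(pkt)}")
```

The run prints that the plain RA matches both ways, the NS matches neither, and the RA carrying a Hop-by-Hop header is caught only by the walker: at offset 40 the filter sees the extension header's Next Header byte (58), not the ICMPv6 type.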

