A Quick and Practical Reference for Tcpdump (bencane.com)
32 points by madflojo on Oct 13, 2014 | 2 comments

The one stanza I use most often:

# tcpdump -n -i $iface -s 0 -w /path/to/dump.pcap -c 25000 net a.b.c.d/mask

Once the dump is finished, ship the dump over to my desktop and analyze the full contents with Wireshark. The protocol dissectors, along with the ability to follow TCP streams, make life SO much easier.

If I already know exactly what I'm going to look for I'll add the "and [tcp|udp] and port $port" bit at the end. Gives a nice kickstart to any traffic analysis.

When outputting to terminal, "-l" can be a very useful switch if one pipes the output through other utilities.

This becomes especially necessary when the packets matching a filter slowly trickle in - i.e. precisely the use case where the direct output to the terminal makes sense.

Edit: while troubleshooting IPv6, I frequently need to see only IPv6 Route Advertisements, which in the noise of ND traffic can be tricky with just ND, so I tend to use the command below:

   tcpdump -ln -i en0 'icmp6 and ip6[40:1]=134'

It does not catch the corner cases of other headers added after the basic IPv6 header; keep that in mind!
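To make the caveat above concrete, here is an added Python example (not from the comment or from tcpdump itself) that builds constructed IPv6 Router Advertisement packets, one plain and one with a Hop-by-Hop extension header, and compares the fixed-offset test behind `icmp6 and ip6[40:1]=134` with a check that walks the extension-header chain. Packet contents, addresses and the zeroed ICMPv6 checksum are constructed for illustration only.

```python
import ipaddress
import struct

ICMPV6, HOP_BY_HOP, FRAGMENT, AH = 58, 0, 44, 51
ROUTER_ADVERT = 134
# Extension headers a real filter has to step over: hop-by-hop, routing,
# fragment, AH, destination options.
EXT_HEADERS = {HOP_BY_HOP, 43, FRAGMENT, AH, 60}

def ipv6_header(next_header, payload_len):
    # Version 6, zero traffic class/flow label, hop limit 64, link-local src -> all-nodes dst.
    src = ipaddress.ip_address("fe80::1").packed      # constructed address
    dst = ipaddress.ip_address("ff02::1").packed
    return struct.pack("!IHBB", 6 << 28, payload_len, next_header, 64) + src + dst

def icmpv6_router_advert():
    # Type 134, code 0, checksum left as 0 (constructed, not a valid wire packet),
    # cur hop limit 64, flags 0, router lifetime 1800, reachable/retrans timers 0.
    return struct.pack("!BBHBBHII", ROUTER_ADVERT, 0, 0, 64, 0, 1800, 0, 0)

def hop_by_hop(next_header):
    # Next Header, Hdr Ext Len 0 (=> 8 bytes total), then a 6-byte PadN option.
    return struct.pack("!BB", next_header, 0) + bytes([1, 4, 0, 0, 0, 0])

def ra_packet(with_hop_by_hop=False):
    icmp = icmpv6_router_advert()
    if with_hop_by_hop:
        payload = hop_by_hop(ICMPV6) + icmp
        return ipv6_header(HOP_BY_HOP, len(payload)) + payload
    return ipv6_header(ICMPV6, len(icmp)) + icmp

def fixed_offset_filter(pkt):
    # Emulates 'icmp6 and ip6[40:1]=134': only the fixed header's Next Header
    # field and the single byte right after the 40-byte header are inspected.
    return pkt[6] == ICMPV6 and pkt[40] == ROUTER_ADVERT

def walk_chain_filter(pkt):
    # Follows the Next Header chain instead of assuming ICMPv6 starts at offset 40.
    nh, off = pkt[6], 40
    while nh in EXT_HEADERS and off + 2 <= len(pkt):
        if nh == FRAGMENT:            # fragment header is a fixed 8 bytes
            nh, off = pkt[off], off + 8
        elif nh == AH:                # AH length is in 4-byte units, minus 2
            nh, off = pkt[off], off + (pkt[off + 1] + 2) * 4
        else:                         # other ext headers: (len + 1) * 8 bytes
            nh, off = pkt[off], off + (pkt[off + 1] + 1) * 8
    return nh == ICMPV6 and off < len(pkt) and pkt[off] == ROUTER_ADVERT
```

The plain RA matches both checks, while the RA carrying a Hop-by-Hop header is missed by the fixed-offset filter and caught by the chain walk, which is exactly the corner case the comment warns about.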

