more on JOHLEM.NET
===============================================================================
TCPDUMP CHEAT SHEET - CONNECTION DEBUGGING
===============================================================================

1. Capture Traffic by Host
   Command: tcpdump -n host 192.168.1.10
   Explanation: Captures all traffic to and from host 192.168.1.10. The -n flag
   disables name resolution, so addresses and ports are printed as numbers and
   the capture does not stall on DNS lookups.
   Result: Displays traffic for the specified host.

2. Monitor Specific Port Traffic
   Command: tcpdump -n port 22
   Explanation: Captures all traffic on port 22 (SSH). "port 22" matches both
   TCP and UDP; use "tcp port 22" to restrict the match to TCP.
   Result: Displays traffic for SSH connections.

3. Capture with Detailed Protocol Info
   Command: tcpdump -vvv -i eth0
   Explanation: Captures on interface eth0 at maximum verbosity: IP TTL, ID and
   length fields, TCP options, and checksum validation are printed.
   Result: Displays detailed protocol information.

4. Capture TCP Connection Start and End (SYN/FIN)
   Command: tcpdump -n 'tcp[tcpflags] & (tcp-syn|tcp-fin) != 0'
   Explanation: Captures packets with the SYN or FIN flag set, i.e. the start
   and the orderly end of TCP connections. tcp[tcpflags] is byte 13 of the TCP
   header. Add tcp-rst to the mask to also see aborted connections.
   Result: Displays SYN and FIN packets.

5. Filter by Source and Destination
   Command: tcpdump -n src 192.168.1.10 and dst 192.168.1.20
   Explanation: Captures traffic from source 192.168.1.10 to destination
   192.168.1.20, one direction only. Use "host 192.168.1.10 and host
   192.168.1.20" to see both directions of the conversation.
   Result: Displays traffic from the first IP to the second.

6. Capture Packets of a Specific Size
   Command: tcpdump -n 'less 32'
   Explanation: Captures packets whose length is 32 bytes or less ("less N" is
   equivalent to "len <= N"; "greater N" is "len >= N").
   Result: Displays small packets, useful for diagnosing issues.

7. Capture Non-HTTP and Non-SMTP Traffic
   Command: tcpdump -n 'not port 80 and not port 25'
   Explanation: Captures traffic excluding HTTP and SMTP.
   Result: Displays non-HTTP and non-SMTP traffic.

8. Capture Connection-Initiating SYN Packets
   Command: tcpdump -n -i eth0 'tcp[tcpflags] & (tcp-syn|tcp-ack) == tcp-syn'
   Explanation: Captures only the first packet of each TCP handshake (SYN set,
   ACK clear). The server's SYN-ACK and the rest of the connection are not
   matched; combine with "host" or "port" to follow a full connection.
   Result: Displays packets starting TCP connections.

9. Filter IPv4 and IPv6 Traffic
   Command: tcpdump -n 'ip or ip6'
   Explanation: Captures both IPv4 and IPv6 traffic and nothing else (ARP, for
   example, is excluded).
   Result: Displays IPv4 and IPv6 packets.

10. Capture Traffic Except Local Host
   Command: tcpdump -n -i any 'not net 127.0.0.0/8 and not host 192.168.1.10'
   Explanation: Excludes loopback traffic and traffic to/from the capturing
   machine's own address (192.168.1.10 stands in for that address here;
   substitute your own). On a single interface, "not host <own IP>" is enough.
   Result: Displays external traffic only.

22. Monitor Traffic with Specific Source and Destination Port
   Command: tcpdump -n 'src port 12345 and dst port 80'
   Explanation: Captures traffic with the given source and destination ports.
   Result: Displays traffic matching the specified ports.

23. Capture ARP Traffic
   Command: tcpdump -n arp
   Explanation: Captures ARP (Address Resolution Protocol) packets.
   Result: Displays ARP packets.

24. Monitor Traffic with Specific TCP Window Size
   Command: tcpdump -n 'tcp[14:2] = 0x30d4'
   Explanation: Captures TCP packets whose window field (bytes 14-15 of the TCP
   header) equals 0x30d4 (12500). This is the raw field value; it is not
   multiplied by any window-scale option negotiated in the handshake.
   Result: Displays TCP packets with the specified window size.

25. Capture Traffic with Specific TTL Value
   Command: tcpdump -n 'ip[8] = 64'
   Explanation: Captures IPv4 packets whose TTL (Time To Live, byte 8 of the IP
   header) equals 64.
   Result: Displays IP packets with the specified TTL value.

26. Monitor Traffic with Urgent Flag Set in TCP
   Command: tcpdump -n 'tcp[tcpflags] & tcp-urg != 0'
   Explanation: Captures TCP packets with the URG (Urgent) flag set.
   Result: Displays TCP packets with the Urgent flag.

27. Capture BGP Traffic
   Command: tcpdump -n tcp port 179
   Explanation: Captures BGP (Border Gateway Protocol) traffic on TCP port 179.
   Result: Displays BGP traffic.

28. Monitor Packets with a Specific ID Field in IP Header
   Command: tcpdump -n 'ip[4:2] = 0x1c46'
   Explanation: Captures packets whose Identification field (bytes 4-5 of the
   IPv4 header) equals 0x1c46.
   Result: Displays packets with the specified IP ID field.

29. Capture Packets with Specific IP Options
   Command: tcpdump -n 'ip[0] & 0xf > 5 and ip[20:2] = 0x0104'
   Explanation: IP options only exist when the header length (IHL, low nibble
   of byte 0) is greater than 5 words; in a plain 20-byte header, offset 20 is
   already the TCP or UDP source port, so the guard is required to avoid false
   matches. 0x0104 is an example option pattern. To catch any packet carrying
   options at all, use 'ip[0] & 0xf != 5'.
   Result: Displays IP packets with the specified options.

30. Monitor Multicast Traffic
   Command: tcpdump -n 'dst net 224.0.0.0/4'
   Explanation: Captures IPv4 multicast traffic (224.0.0.0/4). 'ip multicast'
   is equivalent; use 'ip6 multicast' for IPv6.
   Result: Displays multicast traffic.

===============================================================================
Note: This cheat sheet focuses on commands for debugging network connections.
===============================================================================
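Worked example (added here; not part of the JOHLEM.NET sheet). The byte-offset filters in items 4, 8, 24, 25, 26, 28 and 29 only make sense once you know where those offsets land in a real packet. The script below builds a few constructed IPv4/TCP packets (addresses and ports are the sheet's own examples), evaluates each filter on the raw bytes the way BPF does, and shows the item 29 pitfall: an unguarded ip[20:2] on a packet without options reads the TCP source port. It also writes the packets to a pcap file so the same filters can be replayed with "tcpdump -n -r sample.pcap '<filter>'". Function names and the sample traffic are this example's own assumptions.

```python
"""Constructed IPv4/TCP packets plus a byte-offset evaluator mirroring the
tcpdump filters in this cheat sheet (added example, not the sheet's code)."""
import socket
import struct
import time

# TCP flag bits in tcp[13], the byte tcpdump names tcp[tcpflags].
TCP_FIN, TCP_SYN, TCP_RST, TCP_PSH, TCP_ACK, TCP_URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20


def build_ipv4_tcp(src, dst, sport, dport, flags, ttl=64, ip_id=0x1c46,
                   window=0x30d4, ip_options=b""):
    """Return a raw IPv4 header (optionally with options) followed by a 20-byte
    TCP header. Checksums are left at zero: BPF filters never verify them."""
    opts = ip_options + b"\x00" * (-len(ip_options) % 4)   # pad to 32-bit words
    ihl_words = 5 + len(opts) // 4
    total_len = ihl_words * 4 + 20
    ip_hdr = struct.pack("!BBHHHBBH4s4s",
                         (4 << 4) | ihl_words, 0, total_len, ip_id, 0, ttl,
                         6, 0, socket.inet_aton(src), socket.inet_aton(dst)) + opts
    tcp_hdr = struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, flags,
                          window, 0, 0)
    return ip_hdr + tcp_hdr


def ip_field(pkt, offset, size=1):
    """ip[offset:size]: big-endian integer read from the start of the IP header."""
    return int.from_bytes(pkt[offset:offset + size], "big")


def tcp_field(pkt, offset, size=1):
    """tcp[offset:size]: tcpdump skips the IP header (IHL * 4 bytes) for you,
    so tcp[13] is the flags byte even when IP options are present."""
    base = (pkt[0] & 0x0F) * 4
    return int.from_bytes(pkt[base + offset:base + offset + size], "big")


def matches(pkt, name):
    """Evaluate one of the sheet's filters (keyed by item number) on a raw packet."""
    flags = tcp_field(pkt, 13)
    has_options = (pkt[0] & 0x0F) > 5
    checks = {
        "4_syn_or_fin": flags & (TCP_SYN | TCP_FIN) != 0,
        "8_initial_syn": flags & (TCP_SYN | TCP_ACK) == TCP_SYN,
        "24_window_30d4": tcp_field(pkt, 14, 2) == 0x30d4,
        "25_ttl_64": ip_field(pkt, 8) == 64,
        "26_urg": flags & TCP_URG != 0,
        "28_ip_id_1c46": ip_field(pkt, 4, 2) == 0x1c46,
        # Unguarded ip[20:2]: with a 20-byte header this is the TCP source port
        # (12345 == 0x3039), not an option at all.
        "29_unguarded_ip20_3039": ip_field(pkt, 20, 2) == 0x3039,
        # Guarded form: only read offset 20 when IHL > 5, i.e. options exist.
        "29_guarded_ip20_0101": has_options and ip_field(pkt, 20, 2) == 0x0101,
    }
    return checks[name]


def sample_packets():
    """Constructed traffic: a handshake, an URG segment, a FIN, and one packet
    carrying IP options (NOP, NOP, EOL, pad). Addresses are the sheet's examples."""
    c, s = "192.168.1.10", "192.168.1.20"
    return [
        build_ipv4_tcp(c, s, 12345, 80, TCP_SYN),                               # 0
        build_ipv4_tcp(s, c, 80, 12345, TCP_SYN | TCP_ACK, window=0xFFFF),      # 1
        build_ipv4_tcp(c, s, 12345, 80, TCP_ACK),                               # 2
        build_ipv4_tcp(c, s, 12345, 80, TCP_PSH | TCP_ACK | TCP_URG, ttl=128),  # 3
        build_ipv4_tcp(c, s, 12345, 80, TCP_FIN | TCP_ACK),                     # 4
        build_ipv4_tcp(c, s, 12345, 80, TCP_ACK, ip_options=b"\x01\x01\x00"),   # 5
    ]


def matching_indexes(name, packets=None):
    """Indexes of the sample packets that a given filter would select."""
    packets = sample_packets() if packets is None else packets
    return [i for i, p in enumerate(packets) if matches(p, name)]


def write_pcap(path, packets):
    """Write the packets as Ethernet frames (linktype 1) into a pcap file so the
    sheet's filters can be replayed offline: tcpdump -n -r <path> '<filter>'."""
    eth = b"\x00" * 12 + b"\x08\x00"        # zero MACs, EtherType 0x0800 = IPv4
    now = int(time.time())
    with open(path, "wb") as f:
        f.write(struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1))
        for i, pkt in enumerate(packets):
            frame = eth + pkt
            f.write(struct.pack("<IIII", now, i, len(frame), len(frame)))
            f.write(frame)


if __name__ == "__main__":
    for name in ("4_syn_or_fin", "8_initial_syn", "26_urg",
                 "29_unguarded_ip20_3039", "29_guarded_ip20_0101"):
        print(f"{name:24s} -> packets {matching_indexes(name)}")
    write_pcap("sample.pcap", sample_packets())
```

After running it, "tcpdump -n -r sample.pcap 'tcp[tcpflags] & (tcp-syn|tcp-ack) == tcp-syn'" should print only packet 0, while "tcpdump -n -r sample.pcap 'ip[20:2] = 0x3039'" prints every option-less client packet, which is exactly why item 29 needs the 'ip[0] & 0xf > 5' guard.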