Public domain
# tcpdump -i eth1 -nq
-i : Capture on the named interface (without -i tcpdump picks the first configured non-loopback interface, which is rarely the one you want on a multi-homed box).
-n : Don't resolve host addresses to names. This avoids reverse-DNS lookups, so the capture generates no DNS traffic of its own, is not stalled by a slow resolver, and cannot be polluted by attacker-controlled PTR records. Use -nn (as in the last example) to also leave port and protocol numbers unresolved.
-q : Quick (quiet) output: print less protocol detail so each line is shorter.
# tcpdump -i eth1 -nq -xX -c 6 -e
-x : Print each packet (without its link-level header) in hex; -xx also includes the link-level header.
-X : Print each packet in hex and ASCII side by side. -X already prints hex, so -xX is the same as -X alone.
-c : Exit after receiving count packets.
-e : Print the link-level header (source/destination MAC addresses and EtherType) on each dump line; needed when you want to tie traffic to a physical host rather than an IP, e.g. when hunting ARP spoofing or a rogue device.
# tcpdump -i eth1 -nq -xX -c 6 -w test
-w : Write the raw packets to the file instead of printing them (so -xX has no effect in this command; read the file back with -r to see the decode). The file holds full packet payloads, including any credentials and session data on the wire -- restrict its permissions and treat it as sensitive data.
# tcpdump -i eth1 -nq -xX -c 6 -r test
-r : Read packets from the file instead of capturing (-i is ignored in this command). Filter expressions and -xX apply when reading, so the same expressions can be used to carve up an existing capture. A capture file obtained from elsewhere is untrusted input that goes straight into the protocol dissectors: read it as an unprivileged user, not as root.
# tcpdump -i eth0 -nq net 172.16.10
net 172.16.10 : Traffic whose source or destination is in 172.16.10.0/24. A dotted quad with fewer than four octets is treated as a network prefix; net 172.16.10.0/24 is the explicit form.
# tcpdump -i eth0 -nq net 172.16.10 and port 80
# tcpdump -i eth0 -nq net 172.16.10 and not port 22
not port 22 : Exclude SSH. When you run tcpdump over an SSH session, the session's own packets would otherwise appear in the capture and generate more output, which generates more packets.
# tcpdump -i eth0 -nq src net 172.16.10 and not port 22
# tcpdump -i eth0 -nq dst 172.16.10.248 and not port 22 and udp
# tcpdump -i ppp0 -nq -G 3600 -w dump--%F--%H-%M-%S.dump "not src or dst 8.8.8.8 and not src or dst 4.2.2.4"
-G : Rotate the output file every N seconds (3600 = hourly). The -w name is passed through strftime(3), so %F--%H-%M-%S yields one timestamped file per rotation. Without -W the files accumulate until you delete them, so watch disk space on long-running captures. The filter drops everything to or from 8.8.8.8 and 4.2.2.4; "src or dst" is the default host qualifier, so it is the same as "not host 8.8.8.8 and not host 4.2.2.4".
# tcpdump -i eth0 -nq src 172.16.10.248 and dst port 80 and less 512
less : True if the packet has a length less than or equal to length (here 512 bytes); equivalent to "len <= 512".
# tcpdump -i eth0 -nq src 172.16.10.248 and dst port 80 and greater 32
greater : True if the packet has a length greater than or equal to length (here 32 bytes); equivalent to "len >= 32".
# tcpdump -i eth0 -nq ether broadcast
ether broadcast : True if the packet is an Ethernet broadcast (destination ff:ff:ff:ff:ff:ff), e.g. ARP requests and DHCP discovers.
# tcpdump -i eth1 -enq ether host "00:15:6d:b6:05:73"
ether host : True if either the source or the destination MAC address matches; use ether src or ether dst to match one direction only. The -e added here prints the MAC addresses on each line so the match can be seen.
# tcpdump -i ppp0 -nq icmp[icmptype] = icmp-echoreply or icmp[icmptype] = icmp-echo
icmp[icmptype] : The type byte of the ICMP header; icmp-echo (8) and icmp-echoreply (0) together select ping requests and replies, i.e. this shows who is probing the link and who answers.
# man pcap-filter
Capture-filter syntax manual: primitives, qualifiers and byte-offset tests such as icmp[icmptype] are documented in pcap-filter(7) (on older installs the same text is in tcpdump(8)).
tcpdump -enn -vvv -XX -Ss0 -tttt -i eth0 host 192.168.1.10
-vvv : Maximum verbosity (TTL, id, checksum validation, and so on).
-XX : Hex and ASCII dump including the link-level header.
-S : Print absolute rather than relative TCP sequence numbers, which is what you need when correlating with another capture or an IDS alert.
-s0 : Capture whole packets instead of the default snaplen. On older releases the default truncated packets after 68 or 96 bytes, so -s0 matters whenever the capture is kept for later analysis.
-tttt : Print a full date and time on each line instead of a bare time of day.
BY: Pejman Moghadam
TAG: tcpdump
DATE: 2011-03-29 13:17:29