tcpdump

**The tcpdump utility captures packets on only one interface or VLAN at a time. By default it selects the lowest numbered interface unless an interface is specified with the -i option.**

Write the capture to a file:

tcpdump -w test.pcap -s 1550 dst 10.168.28.22 and tcp port 22

Filter on a source network and multiple hosts (parentheses are escaped so the shell does not interpret them):

tcpdump -i internal src net 172.16.5.0/24 and \(host 10.65.5.20 or host 10.65.5.21\)

===

More examples:

# tcpdump -i eth1

- basic command

# tcpdump -w file.cap

- to a file

# tcpdump -r file.cap

- to read the file

# tcpdump -i eth1 -nq

- -i : Listen on interface.
- -n : Don't convert host addresses to names.
- -q : Quick (quiet?) output.

# tcpdump -i eth1 -nq -xX -c 6 -e

- -x : Print each packet (minus its link level header) in hex.
- -X : When printing hex, print ascii too.
- -c : Exit after receiving count packets.
- -e : Print the link-level header on each dump line.

# tcpdump -i eth1 -nq -xX -c 6 -w test

- -w : Write the raw packets to file.

# tcpdump -i eth1 -nq -xX -c 6 -r test

- -r : Read packets from file.

# tcpdump -i eth0 -nq net 172.16.10
# tcpdump -i eth0 -nq net 172.16.10 and port 80
# tcpdump -i eth0 -nq net 172.16.10 and not port 22
# tcpdump -i eth0 -nq src net 172.16.10 and not port 22
# tcpdump -i eth0 -nq dst 172.16.10.248 and not port 22 and udp
# tcpdump -i eth0 -nq src 172.16.10.248 and dst port 80 and less 512

- less : True if the packet has a length less than or equal to length.

# tcpdump -i eth0 -nq src 172.16.10.248 and dst port 80 and greater 32

- greater : True if the packet has a length greater than or equal to length.

# tcpdump -i eth0 -nq ether broadcast

- broadcast : True if the packet is an ethernet broadcast packet.

# tcpdump -i eth1 -enq ether host "00:15:6d:b6:05:73"

- show packets with this specific source or destination MAC address

# tcpdump -i ppp0 -nq icmp[icmptype] = icmp-echoreply or icmp[icmptype] = icmp-echo

- show only ICMP echo requests and echo replies

# man pcap-filter

- packet filter syntax manual
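As an added example (not part of the original notes), here are small POSIX sh helpers that compose a pcap-filter expression like the network-and-hosts one above, capture matching packets to a file and read the file back. The interface name eth0, the hosts and the output file names are assumptions. One point the escaped form above does not show: when the whole expression is handed to tcpdump as a single quoted argument, the parentheses need no backslashes, because the shell never sees them as grouping characters.

```shell
#!/bin/sh
# Added example, not from the original notes: POSIX sh helpers around tcpdump
# that compose a pcap-filter expression, capture to a file, and read it back.
# Interface names, hosts and file names are assumptions.

# build_filter BASE [HOST...]
# Joins BASE with a parenthesised OR of "host X" terms, e.g.
#   build_filter 'src net 172.16.5.0/24' 10.65.5.20 10.65.5.21
#   -> src net 172.16.5.0/24 and (host 10.65.5.20 or host 10.65.5.21)
# The result is one string; passed to tcpdump as a single quoted argument,
# the parentheses need no backslash escapes.
build_filter() {
    base=$1
    shift
    hosts=""
    for h in "$@"; do
        if [ -z "$hosts" ]; then
            hosts="host $h"
        else
            hosts="$hosts or host $h"
        fi
    done
    if [ -n "$hosts" ]; then
        printf '%s and (%s)\n' "$base" "$hosts"
    else
        printf '%s\n' "$base"
    fi
}

# capture_to_file IFACE COUNT FILTER
# Writes COUNT matching packets from IFACE to a timestamped .pcap and prints
# the file name. -s 0 keeps whole packets; -n skips name resolution.
# Opening the interface needs root or CAP_NET_RAW.
capture_to_file() {
    iface=$1
    count=$2
    filter=$3
    out="capture-$(date +%Y%m%d-%H%M%S).pcap"
    tcpdump -i "$iface" -n -s 0 -c "$count" -w "$out" "$filter"
    printf '%s\n' "$out"
}

# read_capture FILE [FILTER]
# Replays a saved capture; an optional filter narrows what is printed.
read_capture() {
    file=$1
    shift
    tcpdump -n -r "$file" "$@"
}

# Demonstration, run only when TCPDUMP_DEMO is set, so the functions can be
# sourced or tested without root or a live interface.
if [ -n "${TCPDUMP_DEMO:-}" ]; then
    f=$(build_filter 'src net 172.16.5.0/24' 10.65.5.20 10.65.5.21)
    echo "filter: $f"
    pcap=$(capture_to_file eth0 20 "$f")   # eth0 is an assumed interface name
    read_capture "$pcap" 'tcp port 22'
fi
```

Run it with `TCPDUMP_DEMO=1 sh capture.sh` as root to capture 20 packets and replay only the SSH traffic from the saved file; without the variable the file only defines the functions, so `build_filter` can be exercised on any host.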

Good examples:

http://www.alexonlinux.com/tcpdump-for-dummies

Running tcpdump on an F5:

http://support.f5.com/kb/en-us/solutions/public/0000/400/sol411.html