tcpdump -D : display all available interfaces
tcpdump -i eth0 : capture traffic at the interface “eth0”
tcpdump -i any : capture traffic at any interface
tcpdump -i wlan0 port 80 : capture traffic at the interface “wlan0” on port 80
tcpdump -i wlan0 -c 5 : capture 5 packets at the interface “wlan0”
tcpdump -i wlan0 tcp : capture only tcp traffic at interface “wlan0”
tcpdump -i wlan0 src 192.168.1.1 : capture traffic at interface “wlan0” with source IP 192.168.1.1
tcpdump -i wlan0 dst 192.168.1.1 : capture traffic at interface “wlan0” with destination IP 192.168.1.1
tcpdump src port 22 and dst host 1.2.3.4 : tcpdump command with boolean operators
tcpdump -i wlan0 -s 65535 : capture traffic with a snapshot size of 65535 bytes; the default is 262144 bytes. Older versions of tcpdump capture 68 or 96 bytes.
tcpdump -i wlan0 -w dump.pcap : capture traffic at the interface “wlan0” and write into a pcap file
tcpdump -r dump.pcap : read a captured file (we can use Wireshark instead, and it's preferred)
tcpdump -i <interface> -s 65535 -w <some-file>.pcap