Note: The default capture size is 96 bytes per packet. You can override that with -s; use -s 0 to capture complete packets.

Example usage:

tcpdump -w capture.pcap -i eth0 tcp port 22

To capture or view multiple ports:

tcpdump -w capture.pcap -i eth0 tcp port 22 or udp port \( 53 or 953 \)


tcpdump tcp portrange 22-80

[Note: \ is an escape character that stops the shell from interpreting the parentheses, and "or" means either condition may match]

To capture based on IP and port:

tcpdump -w capture.pcap dst <ip_addr> and tcp port 22

Capture on a port while ignoring some hosts:

tcpdump -w capture.pcap not "(port 22 and host <hostname1> and host <hostname2>)"

To capture based on destination host:

tcpdump dst host <hostname>

A real world example:

tcpdump -i tun0 -nq \
    not "(port 22 and host myhost)" \
    and not "(port 53 or 80 or 110 or 119 or 443)" \
    and dst host <ip_addr>

Another example:

tcpdump -i eth0 -nq \
    not port '(20 or 21 or 25 or 53 or 80 or 110 or 119 or 123 or 443)' \
    and not icmp \
    and src host <ip_addr>

Similarly, to filter on the source MAC address:

tcpdump ether src host <mac_addr>

To read a pcap file using tcpdump:

tcpdump -nnr capture.pcap

[ -nn means do not resolve host names or port names; -r means read from a file ]

tcpdump -ttttnnr capture.pcap

[ -tttt prints each timestamp as a full date and time, which makes the timestamps easier to read ]
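
Before analysing a capture file, it is worth checking whether the snap length mentioned in the note at the top cut packets short. The following is an added example, not part of the original page: it reads a classic pcap file's headers and reports the snap length and how many packets were truncated. The function names and the sample capture are constructed for illustration.

```python
import io
import struct

def pcap_truncation_report(stream):
    """Return (snaplen, total_packets, truncated_packets) for a classic pcap stream."""
    header = stream.read(24)
    if len(header) < 24:
        raise ValueError("file too short for a pcap global header")
    magic = header[:4]
    # The magic number shows the byte order used by the capturing host.
    if magic in (b"\xd4\xc3\xb2\xa1", b"\x4d\x3c\xb2\xa1"):
        endian = "<"
    elif magic in (b"\xa1\xb2\xc3\xd4", b"\xa1\xb2\x3c\x4d"):
        endian = ">"
    else:
        raise ValueError("not a classic pcap file (pcapng is not handled here)")
    # After the magic: version major/minor, thiszone, sigfigs, snaplen, linktype.
    _, _, _, _, snaplen, _ = struct.unpack(endian + "HHiIII", header[4:])
    total = truncated = 0
    while True:
        rec = stream.read(16)
        if not rec:
            break
        if len(rec) < 16:
            raise ValueError("truncated record header")
        # Record header: ts_sec, ts_usec, bytes saved in file, bytes on the wire.
        _, _, incl_len, orig_len = struct.unpack(endian + "IIII", rec)
        data = stream.read(incl_len)
        if len(data) < incl_len:
            raise ValueError("truncated packet data")
        total += 1
        if incl_len < orig_len:
            truncated += 1  # the payload beyond snaplen was never written
    return snaplen, total, truncated

def build_sample_pcap(snaplen, wire_lengths):
    """Constructed sample: a little-endian pcap whose packets are cut at snaplen."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, snaplen, 1)
    for i, wire_len in enumerate(wire_lengths):
        captured = min(wire_len, snaplen)
        out += struct.pack("<IIII", 1700000000 + i, 0, captured, wire_len)
        out += bytes(captured)  # zero-filled placeholder packet bytes
    return out

if __name__ == "__main__":
    sample = build_sample_pcap(96, [60, 96, 1514, 342])
    print(pcap_truncation_report(io.BytesIO(sample)))
```

To check a real file, pass an open binary file object, for example open("capture.pcap", "rb").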