TCPDUMP and Wireshark
tcpdump -i eth0 -c5 -n(n)
-n disables name resolution; -nn also disables port (service-name) resolution. This prevents tcpdump from issuing DNS lookups, which helps reduce extra network traffic while troubleshooting network issues.
tcpdump -i eth0 -vv
-v, -vv, -vvv: verbose output; each additional v increases the amount of packet information you get back.
Interrupt Signal
Ctrl+C
tcpdump -i eth0 -E
Decrypt IPsec traffic by providing an encryption key.
tcpdump -i eth0 -s
Define the number of bytes captured from each packet (the snapshot length). Use -s0 to get everything, unless you are intentionally capturing less.
How can I capture raw 802.11 frames, including non-data (management, beacon) frames?
That depends on the OS you're running and on the 802.11 interface you're capturing on. It will probably require capturing in "monitor mode" if you want to capture traffic on networks other than the one you're associated with. Not all OSes support capturing non-data packets and, even on OSes that do support it, not all drivers, and thus not all interfaces, support it.
tcpdump net x.x.x.x/xx
Filter packets by network; you can combine this with the src or dst options as well.
tcpdump less/greater
Filter traffic based on packet size: you can use less, greater, or the comparison symbols you would expect from mathematics.
tcpdump -i eth0 -t
Give human-readable timestamp output.
tcpdump -i eth0 -tttt
Give maximally human-readable timestamp output.
Why am I seeing lots of packets with incorrect TCP checksums?
If the packets that have incorrect TCP checksums are all being sent by the machine on which Wireshark is running, this is probably because the network interface on which you're capturing does TCP checksum offloading. That means that the TCP checksum is added to the packet by the network interface, not by the OS's TCP/IP stack; when capturing on an interface, packets being sent by the host on which you're capturing are directly handed to the capture interface by the OS, which means that they are handed to the capture interface without a TCP checksum being added to them.
tcpdump -i eth0 -c5 -nn host 54.204.39.132
Limit the capture to packets related to a specific host by using the host filter. tcpdump then captures and displays only packets involving host 54.204.39.132.
tcpdump -i any -c10 -nn -XX port 80
Same as -X, but also shows the Ethernet header.
tcpdump -nn -r webserver.pcap
tcpdump writes capture files in a binary format, so you cannot simply open them with a text editor. To read the contents of the file, run tcpdump with the -r option.
tcpdump -i eth0 -c5 -nn port 80
To filter packets based on the desired service or port, use the port filter.
tcpdump -i any -c10 -nn -w webserver.pcap port 80
Save packets to a file (-w) instead of displaying them on screen.
How can I capture packets with CRC errors?
Wireshark can capture only the packets that the packet capture library can capture, and the library can capture only the packets that the OS's raw packet capture mechanism will allow it to capture. Unless the OS always supplies packets with errors such as invalid CRCs to the raw packet capture mechanism, or can be configured to do so, Wireshark (and other programs that capture raw packets) cannot capture those packets. You will have to determine whether your OS needs to be so configured and, if so, can be so configured; configure it if necessary and possible; and make whatever changes to libpcap and the packet capture program you're using are necessary. Most OSes do not support capturing packets with invalid CRCs on Ethernet. Some drivers on some OSes do support it, such as some Ethernet drivers on FreeBSD; you might always get those packets, or you might only get them if you capture in promiscuous mode.
tcpdump -nn -r webserver.pcap src 54.204.39.132
You can also use any of the filters shown to filter the contents of the file, just as you would with real-time data.
tcpdump -i eth0 -q
Be less verbose (quieter) with the output.
tcpdump -i eth0 or any
-i eth0 captures all packets on the eth0 interface; -i any listens on all interfaces.
tcpdump -i eth0 -c5 -nn src 192.168.122.98 and port 80
Combine filters with the logical operators and and or to create more complex expressions.
tcpdump -i eth0 -c5 -nn "port 80 and (src 192.168.122.98 or src 54.204.39.132)"
Create more complex expressions by grouping filters with parentheses. In this case, enclose the entire filter expression in quotation marks to prevent the shell from interpreting the parentheses as shell syntax.
tcpdump -i eth0 -c5 icmp
Filter packets based on protocol by specifying the protocol on the command line.
tcpdump -i eth0 -c5 -nn src 192.168.122.98
Filter packets based on the source or destination IP address or hostname.
tcpdump -i eth0 -S
Get the entire packet; print absolute sequence numbers.
tcpdump -i eth0 -e
Also print the Ethernet (link-layer) header.
tcpdump -i eth0 -c 5
Limits the number of captured packets to 5, after which tcpdump stops automatically.
tcpdump -D
Lists which interfaces are available for capture.
tcpdump -i any -c10 -nn -X port 80
Print packet contents in hex and ASCII.
tcpdump -i any -c10 -nn -A port 80
Print packet contents in ASCII only.
tcpdump -i eth0 -c5 -nn dst 192.168.122.98
Use the dst filter to filter by destination IP address or hostname.