Tcpdump is a popular computer network debugging and security tool which allows the user to intercept and display TCP/IP packets being transmitted or received over a network to which the computer is attached. Tcpdump allows us to precisely see all the traffic and enables us to create statistical monitoring scripts.
At an ethernet segment, tcpdump operates by putting the network card into promiscuous mode in order to capture all the packets going through the wire. Using tcpdump we have a view on any TCP/UDP connection establishment and termination and we can measure the response time and the packet loss percentagesTo print
all packets arriving at or departing from 192.168.0.2
# tcpdump -n host 192.168.0.2
To print traffic between 192.168.0.2 and either 10.0.0.4 or 10.0.0.5:
# tcpdump -n host 192.168.0.2 and \( 10.0.0.4 or 10.0.0.5 \)
To print all IP packets between 192.168.0.2 and any host except 10.0.0.5:
# tcpdump ip -n host 192.168.0.2 and not 10.0.0.5
To print all traffic between local hosts and hosts at Berkeley:
# tcpdump net ucb-ether
To print all ftp traffic through internet gateway xx:
# tcpdump ‘gateway xx and (port ftp or ftp-data)’
To print traffic neither sourced from nor destined for local hosts (if you gateway to one other net, this stuff should never make it onto your local net).
# tcpdump ip and not net localnet
To print the start and end packets (the SYN and FIN packets) of each TCP conversation that involves a non-local host.
# tcpdump ‘tcp & 3 != 0 and not src and dst net localnet’
To print IP packets longer than 576 bytes sent through gateway xx:
# tcpdump ‘gateway xx and ip[2:2] > 576’
To print IP broadcast or multicast packets that were not sent via ethernet broadcast or multicast:
# tcpdump ‘ether & 1 = 0 and ip >= 224’
To print all ICMP packets that are not echo requests/replies (i.e., not ping packets):
# tcpdump ‘icmp != 8 and icmp != 0″