# tcpdump tips

###### tags: `tcpdump` `network`

### operators

```
and   &   &&
or    ||
not   !

Examples:
tcpdump -i eth1 port not 22 and host 1.2.3.4
tcpdump -i eth0 ! stp and port not 22
tcpdump -i eth0 ! stp and ! arp
tcpdump -i eth0 ! stp and ! arp and port not 22
```

### vrrp

```
tcpdump -i eth0 ! vrrp
tcpdump -i eth0 ip proto 112
tcpdump -i eth0 proto 112
tcpdump -i eth0 proto not 112
```

### IPsec

```
tcpdump ah or esp
```

### icmp

```
tcpdump ! icmp
```

### multicast protocols

```
tcpdump igmp or pim
```

### broadcast or multicast

```
tcpdump multicast or broadcast
```

### port range

```
tcpdump tcp src portrange 1024-65535
```

### packet size

```
tcpdump less 120
tcpdump greater 240
```

### tcp flags

```
- ack
tcpdump 'tcp[13] & 16 != 0'
- psh
tcpdump 'tcp[13] & 8 != 0'
- rst
tcpdump 'tcp[13] & 4 != 0'
- syn
tcpdump 'tcp[13] & 2 != 0'
- fin
tcpdump 'tcp[13] & 1 != 0'
- syn-ack, 2 (syn) + 16 (ack)
tcpdump 'tcp[13] = 18'

# tcp[13] is the 14th octet from the beginning of the TCP header (the flags byte)
```

### cdp (cisco discovery protocol)

```
tcpdump ether[20:2] == 0x2000 and ether dst 01:00:0c:cc:cc:cc

root@ycheng:/home/ycheng# tcpdump ether[20:2] == 0x2000 and ether dst 01:00:0c:cc:cc:cc
tcpdump: WARNING: eth0: no IPv4 address assigned
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
13:52:32.641609 CDPv2, ttl: 180s, Device-ID 'L2-OA-Edge-006', length 457
```

### lldp (link layer discovery protocol), ether type 0x88cc

```
tcpdump ether proto 0x88cc
```

### tagged vlan traffic

```
tcpdump vlan
tcpdump -i <interface name> vlan <tag id>

!!! another way to filter by vlan tag and show on screen
tcpdump -Uw - | tcpdump -i eth0 -en -r - vlan <vlan id>
```

### untagged traffic

```
tcpdump not vlan
```

### DHCP/Boot

```
tcpdump -i <interface name> -vvv -s 0 port bootps
```
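To see what the `tcp[13]` filters in the tcp flags section actually test, here is an added Python example (not part of the original note) that builds a constructed 20-byte TCP header, reads its flags byte the way tcpdump indexes it, and reports which of the cheat sheet's filters would match. It also shows the caveat that `tcp[13] = 18` is an exact match, so a SYN-ACK that additionally carries PSH is not caught by it.

```python
import struct

# tcpdump's tcp[13] is the 14th octet of the TCP header (offsets start at 0):
# the flags byte. Bit values: FIN=1, SYN=2, RST=4, PSH=8, ACK=16, URG=32.
FLAG_BITS = {"fin": 1, "syn": 2, "rst": 4, "psh": 8, "ack": 16, "urg": 32}

# The cheat sheet's filter expressions, rewritten as functions of the flags byte.
FILTERS = {
    "ack": lambda b: b & 16 != 0,      # tcp[13] & 16 != 0
    "psh": lambda b: b & 8 != 0,       # tcp[13] & 8 != 0
    "rst": lambda b: b & 4 != 0,       # tcp[13] & 4 != 0
    "syn": lambda b: b & 2 != 0,       # tcp[13] & 2 != 0
    "fin": lambda b: b & 1 != 0,       # tcp[13] & 1 != 0
    "syn-ack": lambda b: b == 18,      # tcp[13] = 18: exactly SYN+ACK, nothing else
}


def build_tcp_header(src_port, dst_port, flags):
    """Construct a minimal TCP header (constructed sample data, no options, no payload).

    Layout: src port, dst port, seq, ack, data offset (5 words = 20 bytes),
    flags byte, window, checksum (left zero), urgent pointer.
    """
    flag_byte = 0
    for name in flags:
        flag_byte |= FLAG_BITS[name]
    data_offset = 5 << 4  # upper nibble of octet 12 is the header length in 32-bit words
    return struct.pack("!HHIIBBHHH", src_port, dst_port, 0, 0,
                       data_offset, flag_byte, 65535, 0, 0)


def tcp13(header):
    """Return the flags byte, i.e. what tcpdump evaluates as tcp[13]."""
    return header[13]


def decode_flags(header):
    """Human-readable set of flag names set in the header."""
    b = tcp13(header)
    return sorted(name for name, bit in FLAG_BITS.items() if b & bit)


def matching_filters(header):
    """Names of the cheat sheet filters that would select this segment."""
    b = tcp13(header)
    return sorted(name for name, test in FILTERS.items() if test(b))


if __name__ == "__main__":
    for flags in (["syn"], ["syn", "ack"], ["syn", "ack", "psh"], ["fin", "ack"]):
        hdr = build_tcp_header(40000, 443, flags)
        print(f"{'+'.join(flags):12} tcp[13]={tcp13(hdr):3d} matches {matching_filters(hdr)}")
```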