
tcpdump -i external host 10.66.45.161 or 10.66.45.162 -w /var/tmp/20151222_1-external.pcap
[admin@da-fsvp-blb01:Active:In Sync] ~ # tcpdump -s0 -i internal-dmz2 host 66.111.152.73 and host 10.229.184.130 or host 10.229.184.139
(note: in a BPF filter `and` binds tighter than `or`, so as written this matches (66.111.152.73 and 10.229.184.130) or any traffic involving 10.229.184.139; add parentheses around the `or` if both hosts should be paired with the first one)

tcpdump -i internal host 10.56.3.12

tcpdump -i 1.2 -nn   (-nn shows the actual port number/IP address instead of the resolved name)

tcpdump -i 0.0 -w /var/tmp/NEW-TCPDMP.pcap <---to capture traffic on all interfaces and write the file to the folder given in the command

--the above command will capture only the first 96 bytes of each packet, but our payload is big and may not be captured this way,
so to include the full payload use this command:

tcpdump -i 0.0 -w /var/tmp/NEW-TCPDMP.pcap -s0   (-s0 = full snap length, so the file will contain the complete application payload)

and then scp the file to your desktop via the command below:

scp -P 222 BIGIP-11.2.0.2446.0.iso rahul.kumar@216.83.186.57:/home/rahul.kumar
(the example copies an ISO; put the .pcap path in its place when transferring a capture)

to see ARP packets only, with full packet size:

tcpdump -i 0.0 -s0 arp -nn   (-n = don't resolve hostnames; -nn = don't resolve hostnames or port names)

--if SNAT is in place and you want to capture for the client address on all vlans/interfaces:

tcpdump -i 0.0:p host 192.1681.101 -nn   (the :p suffix also captures the peer side of the connection)

--To exclude traffic from a tcpdump capture, use `not`:

tcpdump -i 0.0:p host 192.168.1.92 -c 50 and not tcp port 443   (-c is the number of packets to capture)

tcpdump -vnni 0.0 -s0 -w /var/tmp/F5SR1-3282662452_00.cap tcp port 179 -c 1000

for more info : http://packetlife.net/media/library/12/tcpdump.pdf


https://danielmiessler.com/study/tcpdump/
http://www.informit.com/articles/article.aspx?p=170902&seqNum=4

tcpdump -i eth1c0 -s0 "host 199.169.208.244" - Outside capture


tcpdump -i eth2c0 -s0 "host 199.169.208.244" - Inside capture

outside Checkpoint capture: tcpdump -i eth1c0 -s0 -w outside.pcap "net 199.169.208.240/28 || net 199.169.240.240/28" outside.pcap
inside Checkpoint capture: tcpdump -i eth2c0 -s0 -w inside.pcap "host 172.28.8.10 && net 199.169.208.240/28 || net 199.169.240.240/28 && host 172.28.8.10" inside.pcap
(the trailing `outside.pcap` / `inside.pcap` after the quoted filter looks like a leftover; tcpdump treats any extra argument as part of the filter expression, so drop it when running the command)
[root@msgrogib11:Active:Changes Pending] config # tcpdump -i 2.1 -nn port 8080 | grep 88.149.202.139 <----filter by port, then grep for the host

If you have a network (subnet) rather than a single host, use this:

[root@msgrogib11:Active:Changes Pending] config # tcpdump -i 2.1 -nn '(net 88.149.202)' <---where 88.149.202 is the network part of the subnet 88.149.202.x

Find all SYN packets


tcpdump 'tcp[13] & 2 != 0'

Find all RST packets


tcpdump 'tcp[13] & 4 != 0'

Find all ACK packets


tcpdump 'tcp[13] & 16 != 0'

Reason: tcp[13] is the TCP flags byte, and each flag is one bit of it:

U  A  P  R  S  F
32 16  8  4  2  1

so the masks above correspond to: SYN = 2, RST = 4, ACK = 16

# tcpdump src port 1025 and tcp

# tcpdump udp and src port 53

tcpdump -i eth4c7 -nn -vv -s0 "vlan 108 and host 10.11.108.10 and host 10.11.118.14" <--Always include the VLAN in the tcpdump filter if there is one on CP/F5
tcpdump -nn -vv -s0 -i eth-s4p2c0 host 10.232.173.20 and host 10.192.144.129 and tcp port 9443

tcpdump -ni 0.0 -w /var/tmp/INC1376761.pcap <--to write the file to a specific directory, then use SCP to transfer it to PHLNN7

[root@bigip10:Active:Standalone] config # tcpdump -ni external -X -s0 -c 50 host 10.10.10.30 and host 10.10.10.100 and port 80   (-X (capital) shows the output in hex format)

/home/admin