
tcpdump -i external host or 10.66.45.162 -w /var/tmp/20151222_1-
[admin@da-fsvp-blb01:Active:In Sync] ~ # tcpdump -s0 -i internal-dmz2 host and host or host

tcpdump -i internal host

tcpdump -i 1.2 -nn   <--- use -nn to show the actual port numbers and IP addresses instead of names

tcpdump -i 0.0 -w /var/tmp/NEW-TCPDMP.pcap <--- captures traffic on all

interfaces and writes it to the file at the path given in the command

--the above command captures only the first 96 bytes of each packet; our payload
is larger and would be truncated this way,
so to include the full payload use this command:

tcpdump -i 0.0 -w /var/tmp/NEW-TCPDMP.pcap -s0

and then scp the file to your desktop with the command below:

scp -P 222 BIGIP- rahul.kumar@

to see arp packets only with full packet size

tcpdump -i 0.0 -s0 arp -nn (-n = don't resolve hostnames; -nn = don't resolve
hostnames or port names)

--if SNAT is in use and you want to capture for the client address on all interfaces, use the :p modifier:

tcpdump -i 0.0:p host 192.1681.101 -nn   <--- :p = also capture the peer side of the connection

--To exclude traffic from a tcpdump capture, use 'and not' in the filter:

tcpdump -i 0.0:p host -c 50 and not tcp port 443   <--- -c 50 is the number of
packets to capture (it is an option, so it belongs before the filter expression)

tcpdump -vnni 0.0 -s0 -w /var/tmp/F5SR1-3282662452_00.cap tcp port 179 -c 1000

for more info :

tcpdump -i eth1c0 -s0 "host" - Outside capture

tcpdump -i eth2c0 -s0 "host" - Inside capture

outside Checkpoint capture: tcpdump -i eth1c0 -s0 -w outside.pcap "net || net" outside.pcap
inside Checkpoint capture: tcpdump -i eth2c0 -s0 -w inside.pcap "host && net || net && host"
[root@msgrogib11:Active:Changes Pending] config # tcpdump -i 2.1 -nn port 8080 | grep   <---- capture filtered by port

If you have a network (subnet) rather than a single host, use this:

[root@msgrogib11:Active:Changes Pending] config # tcpdump -i 2.1 -nn '(net 88.149.202)'   <--- where 88.149.202 is the network part of the subnet 88.149.202.x

Find all packets with the SYN flag set

tcpdump 'tcp[13] & 2 != 0'

Find all packets with the RST flag set

tcpdump 'tcp[13] & 4 != 0'

Find all packets with the ACK flag set

tcpdump 'tcp[13] & 16 != 0'

Reason :


that corresponds to:

# tcpdump src port 1025 and tcp

# tcpdump udp and src port 53

32 16 8 4 2 1   (bit values of the tcp[13] flags byte: URG ACK PSH RST SYN FIN, so SYN = 2, RST = 4, ACK = 16 as in the filters above)

tcpdump -i eth4c7 -nn -vv -s0 "vlan 108 and host and host" <-- Always include the VLAN in the tcpdump filter when one is configured on CP/F5
tcpdump -nn -vv -s0 -i eth-s4p2c0 host and host and tcp port 9443

tcpdump -ni 0.0 -w /var/tmp/INC1376761.pcap <-- write the capture to a file in a specific

directory, then use SCP to transfer it to PHLNN7

[root@bigip10:Active:Standalone] config # tcpdump -ni external -X -s0 -c 50 host and host and port 80   (-X (capital) to see the packet contents in hex)