https://hackertarget.com/tcpdump-examples/
http://openmaniak.com/fr/tcpdump.php
Berkeley format on SSR: SSR packet capture pcap on Device interface and session capture
| Purpose | Command | Notes |
|---|---|---|
| List interfaces | sudo tcpdump -D | |
| DHCP traffic | sudo tcpdump -i eth1 -vvv port bootps | bootps is UDP 67; every DHCP packet has it as source or destination, so both directions are captured |
| DNS traffic | sudo tcpdump -vvv -s 0 -l -n port 53 | -l line-buffers the output so it can be piped to grep or tee |
| TFTP | sudo tcpdump -i eth1 port 69 | |
| FTP traffic | tcpdump -i eth0 "port ftp or port ftp-data" | control channel (21) and data channel (20) |
| icmp / ping | tcpdump -i eth1 -n icmp | |
| multicast | | |
| mpls or ipv6 | tcpdump -i eth1 -vvv mpls | for IPv6 use the ip6 primitive instead of mpls (ipv6 is not a valid filter keyword and gives a syntax error) |
| vlan | | |
| Host traffic, source OR dest IP address | sudo tcpdump -i ens33 port not 22 and host 192.168.0.16 | host also accepts a hostname |
| SSR IPC | sudo tcpdump -i ens3 port 930 and host 172.20.8.20 | |
| src and dst IP address | tcpdump 'src 192.168.0.211 or dst 192.168.0.211' | same as host 192.168.0.211 |
| Exclude SSH session | sudo tcpdump -i eth2 port not 22 | add "and port not 53" to drop DNS as well |
| BGP | sudo tcpdump -i eth2 port 179 | |
| write / save to txt file | tcpdump -i virbr0 > virbr0_dhcp.txt | redirects the decoded text output only; the packets themselves are not preserved |
| save to wireshark file / binary | tcpdump -i virbr0 -w virbr0_dhcp.pcap | raw packets in pcap format, readable by Wireshark |
| read a file | tcpdump -r traffic.pcap | the same filter expressions work on a file as on a live interface |
| tcpdump on SSR | | |
| Any SSH traffic on any interface | sudo tcpdump -n -i any -v 'ip[1] & 0xfc == 0x10' and port 22 | ip[1] is byte 1 of the IPv4 header, the TOS/DSCP field; & 0xfc masks off the two ECN bits, so the test keeps packets whose DSCP bits equal 0x10 (IPTOS_LOWDELAY, the marking older OpenSSH put on interactive sessions). Newer OpenSSH defaults to AF21 for interactive traffic, which this filter does not match |
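The last row relies on a byte-offset filter, and the save/read rows on the pcap format that -w writes and -r reads. The following is an added example, not from the original page or from tcpdump itself: it builds a tiny pcap file in memory from constructed IPv4 frames (made-up addresses and ports), reads it back the way `tcpdump -r` would, and applies a Python re-implementation of `'ip[1] & 0xfc == 0x10' and port 22` so the meaning of `ip[1]` and the `0xfc` mask can be checked offline. The IPTOS_LOWDELAY and AF21 values are standard TOS byte values; everything else (function names, sample traffic) is assumed for the example.

```python
"""Added example, not from the original page: a tiny pcap writer/reader plus a
Python re-implementation of the filter  'ip[1] & 0xfc == 0x10' and port 22,
run over constructed packets so the meaning of ip[1] can be checked offline."""
import struct
from socket import inet_aton, inet_ntoa

PCAP_MAGIC_LE = 0xA1B2C3D4   # classic pcap magic (microsecond timestamps)
LINKTYPE_ETHERNET = 1
IPTOS_LOWDELAY = 0x10        # TOS value older OpenSSH set on interactive sessions
DSCP_AF21_TOS = 0x48         # AF21 (DSCP 18) as a TOS byte; newer OpenSSH default


def ipv4_checksum(header: bytes) -> int:
    """RFC 791 one's-complement sum over the IPv4 header (checksum field zeroed)."""
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_frame(src: str, dst: str, sport: int, dport: int, tos: int, proto: int = 6) -> bytes:
    """Ethernet/IPv4/TCP (or UDP) frame with an empty payload. Addresses are constructed."""
    eth = bytes(12) + b"\x08\x00"                      # zero MACs, EtherType 0x0800 = IPv4
    if proto == 6:                                     # minimal TCP header, PSH|ACK, no options
        l4 = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 0xFFFF, 0, 0)
    else:                                              # minimal UDP header
        l4 = struct.pack("!HHHH", sport, dport, 8, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, tos, 20 + len(l4), 0, 0x4000, 64, proto, 0,
                     inet_aton(src), inet_aton(dst))
    ip = ip[:10] + struct.pack("!H", ipv4_checksum(ip)) + ip[12:]
    return eth + ip + l4


def write_pcap(frames, ts0: int = 1_700_000_000) -> bytes:
    """Serialise frames as a little-endian classic pcap file, as `tcpdump -w` does."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC_LE, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", ts0 + i, 0, len(frame), len(frame)) + frame
    return out


def read_pcap(data: bytes):
    """Yield raw frames from a classic pcap file in either byte order, like `tcpdump -r`."""
    bo = "<" if struct.unpack("<I", data[:4])[0] == PCAP_MAGIC_LE else ">"
    if struct.unpack(bo + "I", data[:4])[0] != PCAP_MAGIC_LE:
        raise ValueError("not a classic pcap file")
    off = 24                                           # skip the global header
    while off + 16 <= len(data):
        _, _, caplen, _ = struct.unpack(bo + "IIII", data[off:off + 16])
        off += 16
        yield data[off:off + caplen]
        off += caplen


def matches_ssh_lowdelay(frame: bytes) -> bool:
    """Equivalent of the BPF expression  'ip[1] & 0xfc == 0x10' and port 22 ."""
    if frame[12:14] != b"\x08\x00":                    # 'ip' primitive: IPv4 only
        return False
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    tos = ip[1]                                        # ip[1] = byte 1 of the IPv4 header (TOS)
    if ip[9] not in (6, 17):                           # 'port' only applies to TCP/UDP here
        return False
    sport, dport = struct.unpack("!HH", ip[ihl:ihl + 4])
    return (tos & 0xFC) == IPTOS_LOWDELAY and 22 in (sport, dport)


def describe(frame: bytes) -> str:
    """tcpdump-style one-liner: src.port > dst.port (tos 0x..)."""
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    sport, dport = struct.unpack("!HH", ip[ihl:ihl + 4])
    return "%s.%d > %s.%d (tos 0x%02x)" % (inet_ntoa(ip[12:16]), sport,
                                           inet_ntoa(ip[16:20]), dport, ip[1])


# Constructed capture: two SSH flows with different TOS markings plus one DNS query.
SAMPLE_PCAP = write_pcap([
    build_frame("192.168.0.16", "192.168.0.211", 51022, 22, IPTOS_LOWDELAY),
    build_frame("192.168.0.211", "192.168.0.16", 22, 51022, IPTOS_LOWDELAY),
    build_frame("192.168.0.16", "192.168.0.211", 51023, 22, DSCP_AF21_TOS),
    build_frame("192.168.0.16", "192.168.0.1", 40000, 53, 0x00, proto=17),
])


def filtered_summary(pcap: bytes) -> list:
    """Apply the filter to every frame in a pcap and return the matching one-liners."""
    return [describe(f) for f in read_pcap(pcap) if matches_ssh_lowdelay(f)]


if __name__ == "__main__":
    for line in filtered_summary(SAMPLE_PCAP):
        print(line)
```

Only the two frames marked 0x10 come back; the AF21-marked SSH flow is dropped exactly as the tcpdump filter would drop it, which is the caveat to keep in mind when using the TOS test to find interactive SSH on newer hosts. Byte-offset tests like ip[1] are not checked against the protocol decode, so the same pattern works for any header field you can name by offset.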
...