Dump traffic on a network with tcpdump

Configuration

• tcpdump : 4.9.3

Main options

• -n : don't convert addresses (disable DNS resolution)
• -X : in addition to printing the headers of each packet, print the data of each packet (minus its link level header) in hex and ASCII.
• -S : print absolute, rather than relative, TCP sequence numbers.
• -i : listen on interface, -i any can be used to capture packets from all interfaces
• -XX : same as -X including its link level header
• -v -vv or -vvv : increase verbose output
• -c count : exit after receiving count packets
• -e : print the link level header on each dump line
• -q : Print less protocol information so out‐ put lines are shorter.
• -E : Use spi@ipaddr algo:secret for decrypting IPsec ESP packets.
• -w : write the raw packets to file
• -r : read packets from file
• -s : Snarf snaplen bytes of data from each packet rather than the default of 65535 bytes. You should limit snaplen to the smallest number that will capture the protocol information you're interested in. Setting snaplen to 0 sets it to the default of 65535, for back-wards compatibility with recent older versions of tcpdump.

Operators

• and or && :

• or or || :

• not or ! :

• group :

Examples

Main examples

• Only listen a specific host (1.2.3.4)

• src 1.2.3.4 : source address filter
• dst 1.2.3.4 : destination address filter

• protocol filter

• port filter

• ports range filter

• source port filter

• source port filter and port filter

• MAC address :

• Broadcast messages :

• Quit after 50 frames :

Pcap File

• Create a capture file and rotate automatically each 3600 seconds

• Cut a sequence from a pcap file

IPsec traffic

If you tcpdump from the machine which established the ipsec tunnel you won't be able to see decapsulated traffic. You will only see ESP packets. To be able to get decapsulated traffic we will have to use netfilter/iptables with nflog.

• iptables rules :

• Getting traffic :