TCPDUMP Tips

[root@Syslog_Trial ~]# tcpdump -i ens160 -n | grep 10.10.

tcpdump: verbose output suppressed, use -v or -vv for full protocol decode

listening on ens160, link-type EN10MB (Ethernet), capture size 262144 bytes

21:05:18.475471 IP 10.10.20.2.63195 > 10.39.224.10.syslog: SYSLOG local3.debug, length: 74
21:05:18.475658 IP 10.10.20.2.63195 > 10.39.224.10.syslog: SYSLOG local3.debug, length: 80
21:05:18.475926 IP 10.10.20.2.63195 > 10.39.224.10.syslog: SYSLOG local3.debug, length: 114
21:05:18.476223 IP 10.10.20.2.63195 > 10.39.224.10.syslog: SYSLOG local3.debug, length: 65
21:05:18.476562 IP 10.10.20.2.63195 > 10.39.224.10.syslog: SYSLOG local3.debug, length: 74
21:05:18.476797 IP 10.10.20.2.63195 > 10.39.224.10.syslog: SYSLOG local3.debug, length: 80
21:05:18.477045 IP 10.10.20.2.63195 > 10.39.224.10.syslog: SYSLOG local3.debug, length: 116

 

# tcpdump -q \( dst net 1.2.3.0/24 or 1.2.4.0/25 \) and dst port 80
; quiet output (-q) of packets whose destination is in 1.2.3.0/24 or 1.2.4.0/25 and whose destination port is 80 (the second network inherits the `dst net` qualifier; the parentheses are escaped so the shell does not interpret them)

– # tcpdump host A
; all packets sent to or from host A (either direction)

 

– # tcpdump host A and \( B or C \)
; packets exchanged between host A and either B or C

 

– # tcpdump ip host A and not B
; IP packets between host A and any host other than B

 

– # tcpdump net ucb-ether
; all packets to or from the network named ucb-ether (the Berkeley network; the name must resolve as a network name on the capturing host)

 

– # tcpdump 'gateway A and (port ftp or ftp-data)'
; ftp control and data traffic passing through gateway A (quoted so the shell leaves the parentheses alone; `gateway` needs A to resolve to both an Ethernet and an IP address)

 

– # tcpdump ip and not net
; IP packets that are neither from nor to the given network, i.e. traffic not involving local hosts; the network argument after `net` is missing on this page and tcpdump will reject the expression until one is supplied

 

– # tcpdump 'tcp[13] & 3 != 0 and not src and dst net '
; start and end packets (SYN or FIN set: byte 13 of the TCP header is the flags byte and `& 3` masks FIN and SYN) of TCP conversations that are not purely between hosts of the given network; the network argument after `net` is missing on this page

 

– # tcpdump 'gateway A and ip[2:2] > 576'
; IP packets longer than 576 bytes (ip[2:2] is the IP total-length field) sent through gateway A

 

– # tcpdump 'ether[0] & 1 = 0 and ip[16] >= 224'
; IP broadcast or multicast packets (first byte of the destination address >= 224) that were not sent as Ethernet broadcast or multicast (low bit of the first Ethernet byte is 0)

 

– # tcpdump 'icmp[0] != 8 and icmp[0] != 0'
; ICMP packets that are neither echo requests (type 8) nor echo replies (type 0), i.e. everything except pings

 

– # tcpdump src net 1.2.3 or 1.2.4 and not dst net 1.2.3 or 1.2.4
; intended: packets from 1.2.3 or 1.2.4 that are not destined to 1.2.3 or 1.2.4 (traffic leaving those networks); note that `and` binds tighter than `or`, so as written the expression does not group that way — wrap each side in escaped parentheses, `\( src net 1.2.3 or 1.2.4 \) and not \( dst net 1.2.3 or 1.2.4 \)`, to get the intended filter

 

– # tcpdump -i br1
; capture on interface br1 instead of the default interface
