TCPDUMP: how to use it?

What is tcpdump?

This command is for capturing packets flowing through the network.

Environment for testing

In this case I used two virtual machines on Vagrant. The OS used for both master and node1 was CentOS 7.

The Vagrantfile used for the test:

TCP packet collection method

How to collect packets with the SYN flag set (SYN = 1)

Packets to collect

Node1:

Install the nc command and tcpdump
[root@node1 vagrant]# yum install nmap-ncat tcpdump

Start the nc process that listens on port 80.
[root@node1 vagrant]# nc -l 80 &
[1] 3560

Check the port number that the nc process is listening on.
[root@node1 vagrant]# lsof -i:80
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
nc 3560 root 3u IPv6 27773 0t0 TCP *:http (LISTEN)
nc 3560 root 4u IPv4 27774 0t0 TCP *:http (LISTEN)

Execute tcpdump to collect TCP packets with the SYN flag set (★ 1, ★ 2 above).
[root@node1 vagrant]# tcpdump -i eth0 '(tcp[tcpflags] & tcp-syn)' != 0
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes

Master:

Install the nc command and tcpdump
[vagrant@master ~]$ yum install nmap-ncat
Send a TCP packet to port 80 of node1 (192.168.123.124).
[root@master vagrant]# nc 192.168.123.124 80 -vv
Ncat: Version 7.50 ( https://nmap.org/ncat )
NCAT DEBUG: Using system default trusted CA certificates and those in /usr/share/ncat/ca-bundle.crt.
NCAT DEBUG: Unable to load trusted CA certificates from /usr/share/ncat/ca-bundle.crt: error:02001002:system library:fopen:No such file or directory
libnsock nsi_new2(): nsi_new (IOD #1)
libnsock nsock_connect_tcp(): TCP connection requested to 192.168.123.124:80 (IOD #1) EID 8
libnsock nsock_trace_handler_callback(): Callback: CONNECT SUCCESS for EID 8 [192.168.123.124:80]
Ncat: Connected to 192.168.123.124:80.
libnsock nsi_new2(): nsi_new (IOD #2)
libnsock nsock_read(): Read request from IOD #1 [192.168.123.124:80] (timeout: -1ms) EID 18
libnsock nsock_readbytes(): Read request for 0 bytes from IOD #2 [peer unspecified] EID 26
some_text_for_testing
libnsock nsock_trace_handler_callback(): Callback: READ SUCCESS for EID 26 [peer unspecified] (22 bytes): some_text_for_testing.
libnsock nsock_trace_handler_callback(): Callback: WRITE SUCCESS for EID 35 [192.168.123.124:80]
libnsock nsock_readbytes(): Read request for 0 bytes from IOD #2 [peer unspecified] EID 42

Confirmation of execution result on node1:

Packets with the SYN flag set (★ 1, ★ 2) are collected.
[root@node1 vagrant]# tcpdump -i eth0 '(tcp[tcpflags] & tcp-syn)' != 0
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
some_text_for_testing

How to collect SYN packets (packets with only the SYN flag set)

Node1:

Discard TCP packets destined for port 80.
[root@node1 vagrant]# iptables -A INPUT -p tcp --dport 80 -j DROP

Check the settings.
[root@node1 vagrant]# iptables -nvL INPUT --line-numbers
Chain INPUT (policy ACCEPT 5 packets, 392 bytes)
num pkts bytes target prot opt in out source destination
1 0 0 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80
Start the nc process that listens on port 80.
[root@node1 vagrant]# nc -l 80 &
[1] 3609

Check the port number that the nc process is listening on.
[root@node1 vagrant]# lsof -i:80
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
nc 3609 root 3u IPv6 28902 0t0 TCP *:http (LISTEN)
nc 3609 root 4u IPv4 28903 0t0 TCP *:http (LISTEN)

Start tcpdump with a filter that collects only SYN packets (SYN set, ACK clear).
[root@node1 vagrant]# tcpdump -i eth0 '(tcp[tcpflags] & tcp-syn)' != 0 and '(tcp[tcpflags] & tcp-ack) ==0'
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes

Master:

Send a TCP packet to port 80 of node1.
[root@master vagrant]# nc 192.168.123.124 80 -vv
Ncat: Version 7.50 ( https://nmap.org/ncat )
NCAT DEBUG: Using system default trusted CA certificates and those in /usr/share/ncat/ca-bundle.crt.
NCAT DEBUG: Unable to load trusted CA certificates from /usr/share/ncat/ca-bundle.crt: error:02001002:system library:fopen:No such file or directory
libnsock nsi_new2(): nsi_new (IOD #1)
libnsock nsock_connect_tcp(): TCP connection requested to 192.168.123.124:80 (IOD #1) EID 8
libnsock nsock_trace_handler_callback(): Callback: CONNECT TIMEOUT for EID 8 [192.168.123.124:80]
Ncat: Connection timed out.

[root@master vagrant]#

Clean up (delete the iptables rule)

[root@node1 vagrant]# iptables -L INPUT --line-numbers
Chain INPUT (policy ACCEPT)
num target prot opt source destination
1 DROP tcp -- anywhere anywhere tcp dpt:http
[root@node1 vagrant]# iptables -D INPUT 1
[root@node1 vagrant]# iptables -L INPUT --line-numbers
Chain INPUT (policy ACCEPT)
num target prot opt source destination
[root@node1 vagrant]#

How to collect FIN packets

[root@node1 vagrant]# tcpdump -i eth0 '(tcp[tcpflags] & tcp-fin)' != 0
-Omitted-
18:46:33.720744 IP master.35582 > node1.http: Flags [F.], seq 635647794, ack 894972442, win 319, options [nop,nop,TS val 4009862 ecr 3088873], length 0
18:46:33.721687 IP node1.http > master.35582: Flags [F.], seq 1, ack 1, win 227, options [nop,nop,TS val 3088875 ecr 4009862], length 0
-Below, omitted-

According to the man page, the following flag names are available:

  • tcp-fin
  • tcp-syn
  • tcp-rst
  • tcp-push
  • tcp-ack
  • tcp-urg
The following is an excerpt from man tcpdump.
Some offsets and field values may be expressed as names rather than as numeric values.
For example tcp[13] may be replaced with tcp[tcpflags].
The following TCP flag field values are also available:
tcp-fin, tcp-syn, tcp-rst, tcp-push, tcp-ack, tcp-urg.

This can be demonstrated as:
tcpdump -i xl0 'tcp[tcpflags] & tcp-push != 0'

Note that you should use single quotes or a backslash in the expression
to hide the AND ('&') special character from the shell.
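As an added example that is not part of the original post, the following Python builds constructed TCP headers and evaluates the three flag filters used on this page against byte 13 the same way the filter expression does, and renders the letters tcpdump prints inside Flags [...]. It makes visible why tcp-syn != 0 on its own also keeps SYN+ACK segments. The header builder and sample segments are constructed for illustration; only the flag names and bit values are tcpdump's.

```python
import re
import struct

# Bit values of the TCP flags byte: tcp[13], which tcpdump also accepts as
# tcp[tcpflags]. The keys are the names tcpdump accepts in filter expressions.
TCP_FLAGS = {"tcp-fin": 0x01, "tcp-syn": 0x02, "tcp-rst": 0x04,
             "tcp-push": 0x08, "tcp-ack": 0x10, "tcp-urg": 0x20}

# Letters tcpdump prints inside "Flags [...]", in the order it prints them.
FLAG_LETTERS = [("tcp-fin", "F"), ("tcp-syn", "S"), ("tcp-rst", "R"),
                ("tcp-push", "P"), ("tcp-ack", "."), ("tcp-urg", "U")]

# One term of the filter:  (tcp[tcpflags] & tcp-xxx) == N   or   != N
TERM_RE = re.compile(
    r"\(?\s*tcp\[(?:tcpflags|13)\]\s*&\s*(tcp-\w+)\s*\)?\s*(==|!=)\s*(\d+)")

def build_tcp_header(sport, dport, seq, ack, flags):
    """Constructed 20-byte TCP header without options (test input only)."""
    data_offset = 5 << 4            # header length 5 words, reserved bits zero
    return struct.pack("!HHIIBBHHH", sport, dport, seq, ack,
                       data_offset, flags, 29200, 0, 0)

def tcp_flags(tcp_header):
    """tcp[13]: the flags byte the page's filters test."""
    return tcp_header[13]

def render_flags(flags):
    """Render the byte the way tcpdump does, e.g. 0x12 -> 'S.' (SYN+ACK)."""
    return "".join(letter for name, letter in FLAG_LETTERS
                   if flags & TCP_FLAGS[name])

def flag_filter_matches(expr, flags):
    """Evaluate terms of the form 'tcp[tcpflags] & tcp-xxx (==|!=) N' joined
    with 'and', written as tcpdump sees them once the shell removed the quotes."""
    for term in expr.split(" and "):
        m = TERM_RE.fullmatch(term.strip())
        if m is None:
            raise ValueError(f"unsupported term: {term!r}")
        name, op, value = m.group(1), m.group(2), int(m.group(3))
        masked = flags & TCP_FLAGS[name]
        ok = masked == value if op == "==" else masked != value
        if not ok:
            return False
    return True

# The three filters used on this page, as tcpdump receives them.
SYN_SET = "(tcp[tcpflags] & tcp-syn) != 0"                  # SYN and SYN+ACK
SYN_ONLY = "(tcp[tcpflags] & tcp-syn) != 0 and (tcp[tcpflags] & tcp-ack) ==0"
FIN_SET = "(tcp[tcpflags] & tcp-fin) != 0"                  # FIN and FIN+ACK

# Constructed handshake, data and teardown segments (ports as in the FIN trace).
SAMPLE_PACKETS = [
    ("SYN", build_tcp_header(35582, 80, 635647793, 0, 0x02)),
    ("SYN+ACK", build_tcp_header(80, 35582, 894972441, 635647794, 0x12)),
    ("ACK", build_tcp_header(35582, 80, 635647794, 894972442, 0x10)),
    ("PSH+ACK", build_tcp_header(35582, 80, 635647794, 894972442, 0x18)),
    ("FIN+ACK", build_tcp_header(35582, 80, 635647794, 894972442, 0x11)),
]

def classify(packets=SAMPLE_PACKETS):
    """Per packet: label, tcpdump flag string, and whether each filter keeps it."""
    rows = []
    for label, hdr in packets:
        f = tcp_flags(hdr)
        rows.append((label, render_flags(f), flag_filter_matches(SYN_SET, f),
                     flag_filter_matches(SYN_ONLY, f), flag_filter_matches(FIN_SET, f)))
    return rows

if __name__ == "__main__":
    for label, letters, syn, syn_only, fin in classify():
        print(f"{label:8} Flags [{letters:2}]  syn-set={syn}  syn-only={syn_only}  fin-set={fin}")
```

Only the bare SYN passes the syn-only filter, while the syn-set filter also keeps the SYN+ACK, which is the difference between the two captures on this page.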

How to display the MAC address (-e)

[root@node1 vagrant]# tcpdump -e -i eth0 port 80
18:04:41.208201 00:11:22:33:44:55 (oui Unknown) > 00:11:22:33:44:55 (oui Unknown), ethertype IPv4 (0x0800), length 74: master.35770 > node1.http: Flags [S], seq 844789185, win 29200, options [mss 1460,sackOK,TS val 5097353 ecr 0,nop,wscale 7], length 0
-Below, omitted-

How to display multicast packets

[root@node1 vagrant]# tcpdump -i eth0 -n multicast
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
19:45:03.460753 IP 192.168.123.123.mdns > 224.0.0.251.mdns: 0 [1au] PTR (QU)? _sleep-proxy._udp.local. (70)
19:45:03.577732 IP6 fe80::1029:98b2:4512:713b.mdns > ff02::fb.mdns: 0 [1au] PTR (QU)? _sleep-proxy._udp.local. (70)
19:45:04.484650 IP 192.168.123.123.mdns > 224.0.0.251.mdns: 0 [1au] PTR (QM)? _sleep-proxy._udp.local. (70)
19:45:04.486289 IP6 fe80::1029:98b2:4512:713b.mdns > ff02::fb.mdns: 0 [1au] PTR (QM)? _sleep-proxy._udp.local. (70)
19:45:07.101206 ARP, Request who-has 192.168.123.60 tell 192.168.123.6, length 46
19:45:07.556694 IP 192.168.123.123.mdns > 224.0.0.251.mdns: 0 [1au] PTR (QM)? _sleep-proxy._udp.local. (70)
-Below, omitted-

How to display absolute instead of relative sequence numbers (-S)

[root@node1 vagrant]# tcpdump -i eth0 -S port 11111 -nn
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
11:26:33.080764 IP 192.168.123.110.48428 > 192.168.123.100.11111: Flags [S], seq 2964223143, win 29200, options [mss 1460,sackOK,TS val 1278557 ecr 0,nop,wscale 7], length 0
11:26:33.080981 IP 192.168.123.100.11111 > 192.168.123.110.48428: Flags [S.], seq 3868874227, ack 2964223144, win 28960, options [mss 1460,sackOK,TS val 1318048 ecr 1278557,nop,wscale 7], length 0
11:26:33.081787 IP 192.168.123.110.48428 > 192.168.123.100.11111: Flags [.], ack 3868874228, win 229, options [nop,nop,TS val 1278559 ecr 1318048], length 0
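As an added example (my code, not from the original post), this Python re-derives the relative numbers tcpdump prints without -S from the absolute ones above, following my reading of tcpdump's print-tcp.c: a segment without ACK is printed as captured, a SYN or the first ACK segment of an unseen conversation is printed as captured and records the base numbers, and everything after that is shown relative to those bases. It also reproduces the seq 0:69, ack 1 that appears in the one-directional tcp dst port 80 capture further down this page. The traces are transcribed from the page; the seq of the empty ACK in the second trace is filled in as an assumption (ISN+1).

```python
MASK32 = 0xFFFFFFFF  # TCP sequence numbers wrap at 2^32

# Transcribed from the -S trace above: (src, dst, flag letters, seq, ack, length).
TRACE_FULL_HANDSHAKE = [
    ("192.168.123.110.48428", "192.168.123.100.11111", "S", 2964223143, 0, 0),
    ("192.168.123.100.11111", "192.168.123.110.48428", "S.", 3868874227, 2964223144, 0),
    ("192.168.123.110.48428", "192.168.123.100.11111", ".", 2964223144, 3868874228, 0),
]

# Transcribed from the 'tcp dst port 80' trace further down the page, where only
# the client-to-server direction was captured. tcpdump prints no seq for the empty
# ACK, so ISN+1 is filled in here (assumption).
TRACE_ONE_DIRECTION = [
    ("192.168.123.124.55996", "192.168.123.123.80", "S", 3461504268, 0, 0),
    ("192.168.123.124.55996", "192.168.123.123.80", ".", 3461504269, 3444255170, 0),
    ("192.168.123.124.55996", "192.168.123.123.80", "P.", 3461504269, 3444255170, 69),
]

def relative_view(packets):
    """Rewrite absolute seq/ack numbers the way tcpdump prints them without -S.

    Rule (my reading of tcpdump's print-tcp.c): a segment without the ACK bit is
    printed unchanged and not tracked; a segment with SYN, or the first ACK segment
    of a conversation not seen before, is printed unchanged and records the base
    numbers for both directions; every later segment is shown relative to them.
    Returns the same tuples; ack is None when tcpdump would not print one.
    """
    bases = {}      # canonical (low, high) endpoint pair -> [seq base, ack base]
    out = []
    for src, dst, flags, seq, ack, length in packets:
        if "." not in flags:                 # no ACK bit: tcpdump skips it
            out.append((src, dst, flags, seq, None, length))
            continue
        key = (src, dst) if src < dst else (dst, src)
        rev = src != key[0]                  # packet flows high -> low endpoint
        if key not in bases or "S" in flags:
            # New conversation (or a SYN re-registering it): record both bases.
            bases[key] = [(ack - 1) & MASK32, seq] if rev else [seq, (ack - 1) & MASK32]
            out.append((src, dst, flags, seq, ack, length))
            continue
        seq_base, ack_base = bases[key]
        if rev:
            seq_base, ack_base = ack_base, seq_base
        out.append((src, dst, flags, (seq - seq_base) & MASK32,
                    (ack - ack_base) & MASK32, length))
    return out

def tcpdump_line(entry):
    """Format an entry like the 'Flags [P.], seq 0:69, ack 1, length 69' part of a line."""
    src, dst, flags, seq, ack, length = entry
    parts = [f"Flags [{flags}]"]
    if length:
        parts.append(f"seq {seq}:{seq + length}")
    elif "S" in flags:
        parts.append(f"seq {seq}")
    if ack is not None:
        parts.append(f"ack {ack}")
    parts.append(f"length {length}")
    return f"{src} > {dst}: " + ", ".join(parts)

if __name__ == "__main__":
    for trace in (TRACE_FULL_HANDSHAKE, TRACE_ONE_DIRECTION):
        for entry in relative_view(trace):
            print(tcpdump_line(entry))
        print()
```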

How to display concisely (-q)

[root@node1 vagrant]# tcpdump -i eth0 port 80 -q
-Omitted-
19:08:54.904012 IP 192.168.123.123.36554 > 192.168.123.124.http: tcp 0
19:08:54.904207 IP 192.168.123.124.http > 192.168.123.123.36554: tcp 0
19:08:54.904678 IP 192.168.123.123.36554 > 192.168.123.124.http: tcp 0
19:08:54.905582 IP 192.168.123.123.36554 > 192.168.123.124.http: tcp 69
-Below, omitted-

How to display a list of available interfaces (-D)

[root@node1 vagrant]# tcpdump -D
1.eth0
2.cbr0
3.nflog (Linux netfilter log (NFLOG) interface)
4.nfqueue (Linux netfilter queue (NFQUEUE) interface)
5.usbmon1 (USB bus number 1)
6.usbmon2 (USB bus number 2)
7.any (Pseudo-device that captures on all interfaces)
8.lo

How to specify all interfaces (-i any)

If you specify any as the interface, tcpdump captures on all interfaces: any is the pseudo-device that captures on all interfaces (as listed by -D).

Listen on port number 22222.
[root@node1 vagrant]# nc -kl 22222
Open another terminal (referred to as Terminal 2 for convenience) and execute tcpdump, specifying any as the interface.
[root@node1 vagrant]# tcpdump -i any port 22222 -nn
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on any, link-type LINUX_SLL (Linux cooked), capture size 65535 bytes
Open one more terminal and establish a TCP connection to port 22222. node1 is the host name.
[root@node1 vagrant]# nc 192.168.123.124 22222
The captured packets appear on the standard output of Terminal 2.
[root@node1 vagrant]# tcpdump -i any port 22222 -nn
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on any, link-type LINUX_SLL (Linux cooked), capture size 65535 bytes
18:33:57.390145 IP 192.168.123.123.50330 > 192.168.123.123.22222: Flags [S], seq 1061960766, win 43690, options [mss 65495,sackOK,TS val 546666 ecr 0,nop,wscale 6], length 0
13:11:53.442157 IP 192.168.123.123.22222 > 192.168.123.123.50330: Flags [S.], seq 3185839519, ack 1061960767, win 43690, options [mss 65495,sackOK,TS val 546666 ecr 546666,nop,wscale 6], length 0
18:33:57.390245 IP 192.168.123.123.50330 > 192.168.123.123.22222: Flags [.], ack 1, win 683, options [nop,nop,TS val 546666 ecr 546666], length 0
-Below, omitted-

How to specify multiple port numbers

ENV:

Execution result:

Start httpd and chronyd for testing.
[root@node1 vagrant]# systemctl start httpd
[root@node1 vagrant]# systemctl start chronyd
Execute tcpdump.
[root@node1 vagrant]# tcpdump -i eth0 tcp dst port 80 or udp dst port 123 -nn
The lines below show packets whose destination TCP port is 80 being captured.
19:40:09.350977 IP 192.168.123.124.55996 > 192.168.123.123.80: Flags [S], seq 3461504268, win 29200, options [mss 1460,sackOK,TS val 4294753712 ecr 0,nop,wscale 7], length 0
19:40:09.351719 IP 192.168.123.124.55996 > 192.168.123.123.80: Flags [.], ack 3444255170, win 229, options [nop,nop,TS val 4294753713 ecr 262765], length 0
19:40:09.351735 IP 192.168.123.124.55996 > 192.168.123.123.80: Flags [P.], seq 0:69, ack 1, win 229, options [nop,nop,TS val 4294753713 ecr 262765], length 69
19:40:09.353311 IP 192.168.123.124.55996 > 192.168.123.123.80: Flags [.], ack 245, win 237, options [nop,nop,TS val 4294753714 ecr 262766], length 0
19:40:09.353633 IP 192.168.123.124.55996 > 192.168.123.123.80: Flags [F.], seq 69, ack 245, win 237, options [nop,nop,TS val 4294753715 ecr 262766], length 0
19:40:09.366762 IP 192.168.123.124.55996 > 192.168.123.123.80: Flags [.], ack 246, win 237, options [nop,nop,TS val 4294753717 ecr 262767], length 0
The lines below show packets whose destination UDP port is 123 being captured.
19:40:41.333550 IP 192.168.123.124.53503 > 147.7.133.26.163: NTPv4, Client, length 48
19:40:43.601143 IP 192.168.123.124.52104 > 110.13.25.232.223: NTPv4, Client, length 48

How to specify a range of port numbers (portrange)

You can use portrange to specify a range of port numbers: with portrange 10000-10010 you capture packets on ports 10000 to 10010. man has no description of port range. When I was searching the net, I happened to find the following information.

Execution example (when accessing with destination TCP port number 10000)

Execute tcpdump by specifying the port number range (destination TCP port number is 10000-10010).
[root@node1 vagrant]# tcpdump -i eth0 tcp dst portrange 10000-10010 -nn
Start nc on the admin server, listening on port 10000.
[root@node1 vagrant]# nc -l 10000
Execute the nc command on the node1 server.
[root@node1 ~]# nc 192.168.123.124 10000
The packets with destination TCP port 10000 (marked with a star) are captured.
[root@node1 vagrant]# tcpdump -i eth0 tcp dst portrange 10000-10010 -nn
20:02:02.412649 IP 192.168.123.124.36590 > 192.168.123.123.★10000: Flags [S], seq 3934696008, win 29200, options [mss 1460,sackOK,TS val 1099483 ecr 0,nop,wscale 7], length 0
20:02:02.413076 IP 192.168.123.124.36590 > 192.168.123.123.★10000: Flags [.], ack 2120320125, win 229, options [nop,nop,TS val 1099483 ecr 1575826], length 0

Execution example (when accessing with destination TCP port number 10005)

Execute tcpdump by specifying the port number range (destination TCP port number is 10000-10010).
[root@node1 vagrant]# tcpdump -i eth0 tcp dst portrange 10000-10010 -nn
Start nc, listening on port 10005.
[root@node1 vagrant]# nc -l 10005
Execute the nc command on the node1 server.
[root@node1 ~]# nc 192.168.123.124 10005
The packets with destination TCP port 10005 (marked with a star) are captured.
[root@node1 vagrant]# tcpdump -i eth0 tcp dst portrange 10000-10010 -nn
20:05:41.231969 IP 192.168.123.124.34196 > 192.168.123.123.★10005: Flags [S], seq 882864997, win 29200, options [mss 1460,sackOK,TS val 1318301 ecr 0,nop,wscale 7], length 0
20:05:41.234158 IP 192.168.123.124.34196 > 192.168.123.123.★10005: Flags [.], ack 1724908027, win 229, options [nop,nop,TS val 1318304 ecr 1794647], length 0

Limit the number of bytes captured per packet (-s)

-s128 Capture at most 128 bytes of each packet.
-s0 Do not limit the packet size. For NFS, you need to specify -s0.

Display the time elapsed since the previous captured packet (-ttt)

[root@node1 vagrant]# tcpdump -ttt -i eth0 port 80
-Omitted-
00:00:00.000000 IP 192.168.123.123.45591 > 192.168.123.124.http: Flags [S], seq 3130128384, win 29200, options [mss 1460,sackOK,TS val 1308684 ecr 0,nop,wscale 7], length 0
00:00:00.000573 IP 192.168.123.124.http > 192.168.123.123.45591: Flags [S.], seq 2731073810, ack 3130128385, win 28960, options [mss 1460,sackOK,TS val 8901 ecr 1308684,nop,wscale 7], length 0
00:00:00.000590 IP 192.168.123.123.45591 > 192.168.123.124.http: Flags [.], ack 1, win 229, options [nop,nop,TS val 1308687 ecr 8901], length 0
-Below, omitted-

Display the date and time in a readable format (-tttt)

[root@node1 vagrant]# tcpdump -tttt -i eth0 port 80
-Omitted-
2020-11-18 20:48:24.601156 IP 192.168.123.123.37570 > 192.168.123.124.http: Flags [S], seq 1753606276, win 29200, options [mss 1460,sackOK,TS val 14920793 ecr 0,nop,wscale 7], length 0
2020-11-18 20:48:24.601327 IP 192.168.123.124.http > 192.168.123.123.37570: Flags [S.], seq 2174856607, ack 1753606277, win 28960, options [mss 1460,sackOK,TS val 13999755 ecr 14920793,nop,wscale 7], length 0
2020-11-18 20:48:24.630309 IP 192.168.123.123.37570 > 192.168.123.124.http: Flags [.], ack 1, win 229, options [nop,nop,TS val 14920796 ecr 13999755], length 0
-Below, omitted-

Display the time elapsed since the first captured packet (-ttttt)

[root@node1 vagrant]# tcpdump -ttttt -i eth0 port 80
-Omitted-
00:00:00.000000 IP 192.168.123.123.37609 > 192.168.123.124.http: Flags [S], seq 1814350362, win 29200, options [mss 1460,sackOK,TS val 15104880 ecr 0,nop,wscale 7], length 0
00:00:00.000130 IP 192.168.123.124.http > 192.168.123.123.37609: Flags [S.], seq 3384514235, ack 1814350363, win 28960, options [mss 1460,sackOK,TS val 14183842 ecr 15104880,nop,wscale 7], length 0
00:00:00.000503 IP 192.168.123.123.37609 > 192.168.123.124.http: Flags [.], ack 1, win 229, options [nop,nop,TS val 15104880 ecr 14183842], length 0
00:00:00.000827 IP 192.168.123.123.37609 > 192.168.123.124.http: Flags [P.], seq 1:70, ack 1, win 229, options [nop,nop,TS val 15104881 ecr 14183842], length 69
00:00:00.000910 IP 192.168.123.124.http > 192.168.123.123.37609: Flags [.], ack 70, win 227, options [nop,nop,TS val 14183843 ecr 15104881], length 0
00:00:00.001818 IP 192.168.123.124.http > 192.168.123.123.37609: Flags [.], seq 1:4345, ack 70, win 227, options [nop,nop,TS val 14183844 ecr 15104881], length 4344
00:00:00.002032 IP 192.168.123.124.http > 192.168.123.123.37609: Flags [P.], seq 4345:5150, ack 70, win 227, options [nop,nop,TS val 14183844 ecr 15104881], length 805
00:00:00.002447 IP 192.168.123.123.37609 > 192.168.123.124.http: Flags [.], ack 4345, win 296, options [nop,nop,TS val 15104882 ecr 14183844], length 0
00:00:00.002521 IP 192.168.123.123.37609 > 192.168.123.124.http: Flags [.], ack 5150, win 319, options [nop,nop,TS val 15104882 ecr 14183844], length 0
00:00:00.003245 IP 192.168.123.123.37609 > 192.168.123.124.http: Flags [F.], seq 70, ack 5150, win 319, options [nop,nop,TS val 15104883 ecr 14183844], length 0
00:00:00.003504 IP 192.168.123.124.http > 192.168.123.123.37609: Flags [F.], seq 5150, ack 71, win 227, options [nop,nop,TS val 14183845 ecr 15104883], length 0
00:00:00.004282 IP 192.168.123.123.37609 > 192.168.123.124.http: Flags [.], ack 5151, win 319, options [nop,nop,TS val 15104884 ecr 14183845], length 0
00:00:12.419958 IP 192.168.123.123.37610 > 192.168.123.124.http: Flags [S], seq 3751257265, win 29200, options [mss 1460,sackOK,TS val 15117299 ecr 0,nop,wscale 7], length 0
00:00:12.420080 IP 192.168.123.124.http > 192.168.123.123.37610: Flags [S.], seq 2826492114, ack 3751257266, win 28960, options [mss 1460,sackOK,TS val 14196262 ecr 15117299,nop,wscale 7], length 0
00:00:12.420785 IP 192.168.123.123.37610 > 192.168.123.124.http: Flags [.], ack 1, win 229, options [nop,nop,TS val 15117300 ecr 14196262], length 0
00:00:12.420819 IP 192.168.123.123.37610 > 192.168.123.124.http: Flags [P.], seq 1:70, ack 1, win 229, options [nop,nop,TS val 15117300 ecr 14196262], length 69
00:00:12.420867 IP 192.168.123.124.http > 192.168.123.123.37610: Flags [.], ack 70, win 227, options [nop,nop,TS val 14196263 ecr 15117300], length 0
00:00:12.421848 IP 192.168.123.124.http > 192.168.123.123.37610: Flags [.], seq 1:4345, ack 70, win 227, options [nop,nop,TS val 14196263 ecr 15117300], length 4344
00:00:12.422183 IP 192.168.123.124.http > 192.168.123.123.37610: Flags [P.], seq 4345:5150, ack 70, win 227, options [nop,nop,TS val 14196264 ecr 15117300], length 805
00:00:12.422851 IP 192.168.123.123.37610 > 192.168.123.124.http: Flags [.], ack 2897, win 274, options [nop,nop,TS val 15117302 ecr 14196263], length 0
00:00:12.422900 IP 192.168.123.123.37610 > 192.168.123.124.http: Flags [.], ack 4345, win 296, options [nop,nop,TS val 15117302 ecr 14196263], length 0
00:00:12.422911 IP 192.168.123.123.37610 > 192.168.123.124.http: Flags [.], ack 5150, win 319, options [nop,nop,TS val 15117302 ecr 14196264], length 0
00:00:12.423754 IP 192.168.123.123.37610 > 192.168.123.124.http: Flags [F.], seq 70, ack 5150, win 319, options [nop,nop,TS val 15117303 ecr 14196264], length 0
00:00:12.842416 IP 192.168.123.124.http > 192.168.123.123.37610: Flags [F.], seq 5150, ack 71, win 227, options [nop,nop,TS val 14196483 ecr 15117303], length 0
00:00:12.843931 IP 192.168.123.123.37610 > 192.168.123.124.http: Flags [F.], seq 70, ack 5150, win 319, options [nop,nop,TS val 15117532 ecr 14196264], length 0
00:00:12.843997 IP 192.168.123.124.http > 192.168.123.123.37610: Flags [.], ack 71, win 227, options [nop,nop,TS val 14196686 ecr 15117532,nop,nop,sack 1 {70:71}], length 0
00:00:12.846918 IP 192.168.123.123.37610 > 192.168.123.124.http: Flags [.], ack 5151, win 319, options [nop,nop,TS val 15117725 ecr 14196483], length 0
-Below, omitted-

Promiscuous mode (-p)

Capture packets on node1 while master pings the router (execute tcpdump), and compare the result with and without -p.

Diagram:

Without -p (in promiscuous mode):

[root@node1 vagrant]# ping -c 1 192.168.123.1
Open another terminal and execute tcpdump. You can see the ICMP packets addressed to the router; in other words, packets other than those addressed to node1 itself are also captured.
[root@node1 ~]# tcpdump -i eth0 icmp
20:15:07.404762 IP 192.168.123.123 > 192.168.123.1: ICMP echo request, id 2395, seq 1, length 64
20:15:07.408709 IP 192.168.123.1 > 192.168.123.123: ICMP echo reply, id 2395, seq 1, length 64

With -p:

[root@node1 vagrant]# ping -c 1 192.168.123.1
Open another terminal and execute tcpdump. Since the interface is not in promiscuous mode, packets destined for other hosts are not captured.
[root@node1 ~]# tcpdump -p -i eth0 icmp
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
tcpdump just waits here; nothing is captured.

Capture only outgoing packets (-P out)

Ping.
[root@master vagrant]# ping 192.168.123.1
PING 192.168.123.1 (192.168.123.1) 56(84) bytes of data.
64 bytes from 192.168.123.1: icmp_seq=1 ttl=255 time=1.30 ms
64 bytes from 192.168.123.1: icmp_seq=2 ttl=255 time=2.08 ms
64 bytes from 192.168.123.1: icmp_seq=3 ttl=255 time=1.38 ms
64 bytes from 192.168.123.1: icmp_seq=4 ttl=255 time=1.28 ms
64 bytes from 192.168.123.1: icmp_seq=5 ttl=255 time=2.65 ms
-Below, omitted-
Open another terminal and execute tcpdump. You can see that only the ICMP echo requests are captured (★ mark).
[root@master vagrant]# tcpdump -i eth0 -P out icmp
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
19:49:30.824851 IP 192.168.123.123 > 192.168.123.1: ★ICMP echo request, id 8383, seq 1, length 64
19:49:31.826870 IP 192.168.123.123 > 192.168.123.1: ★ICMP echo request, id 8383, seq 2, length 64
19:49:32.829000 IP 192.168.123.123 > 192.168.123.1: ★ICMP echo request, id 8383, seq 3, length 64
19:49:33.831066 IP 192.168.123.123 > 192.168.123.1: ★ICMP echo request, id 8383, seq 4, length 64
19:49:34.833142 IP 192.168.123.123 > 192.168.123.1: ★ICMP echo request, id 8383, seq 5, length 64

Capture only incoming packets (-P in)

Ping.
[root@master vagrant]# ping 192.168.123.1
PING 192.168.123.1 (192.168.123.1) 56(84) bytes of data.
64 bytes from 192.168.123.1: icmp_seq=1 ttl=255 time=1.60 ms
64 bytes from 192.168.123.1: icmp_seq=2 ttl=255 time=1.45 ms
64 bytes from 192.168.123.1: icmp_seq=3 ttl=255 time=0.957 ms
64 bytes from 192.168.123.1: icmp_seq=4 ttl=255 time=1.24 ms
Open another terminal and execute tcpdump. You can see that only the ICMP echo replies are captured (★ mark).
[root@master vagrant]# tcpdump -i eth0 -P in icmp
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
19:52:01.518368 IP 192.168.123.1 > 192.168.123.123: ★ICMP echo reply, id 8389, seq 1, length 64
19:52:02.523845 IP 192.168.123.1 > 192.168.123.123: ★ICMP echo reply, id 8389, seq 2, length 64
19:52:03.533297 IP 192.168.123.1 > 192.168.123.123: ★ICMP echo reply, id 8389, seq 3, length 64
19:52:04.536053 IP 192.168.123.1 > 192.168.123.123: ★ICMP echo reply, id 8389, seq 4, length 64
19:52:05.545274 IP 192.168.123.1 > 192.168.123.123: ★ICMP echo reply, id 8389, seq 5, length 64

How to collect only SYN packets from a capture file (-r)

[root@master vagrant]# tcpdump -r test.cap '(tcp[tcpflags] & tcp-syn)' != 0 and '(tcp[tcpflags] & tcp-ack)' ==0

How to collect SYN and SYN+ACK packets from a capture file (-r)

[root@master vagrant]# tcpdump -r tests.cap '(tcp[tcpflags] & tcp-syn)' != 0
