Viewing all IP packets
tshark -n -r filename.pcap -Y "ip"
Viewing all TCP packets
tshark -n -r filename.pcap -Y "tcp"
Viewing protocol hierarchy
tshark -n -r filename.pcap -z io,phs -q
View all IP endpoints
tshark -n -r filename.pcap -z endpoints,ip -q
View all TCP endpoints
tshark -n -r filename.pcap -z endpoints,tcp -q
View IP conversations
tshark -n -r filename.pcap -z conv,ip -q
View TCP conversations
tshark -n -r filename.pcap -z conv,tcp -q
Show tabular view with field headers
tshark -n -r filename.pcap -T fields -e ip.src -e ip.dst -e tcp.srcport -e tcp.dstport -e tcp.flags -E header=y
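The -z conv,tcp and -z endpoints,tcp statistics above are aggregations over the same per-frame fields that the -T fields command prints. The following Python script is an added example (not part of this cheat sheet or of the tshark project) that rebuilds those two tables from the tab-separated output of the -T fields command, assuming -e frame.len has been appended so that byte counts are available, and adds a small defender's check for connection attempts that never got an answer. The SAMPLE_TSV input is constructed for the example; tshark prints tcp.flags as a hex string, which int(..., 16) handles in both the 0x0012 and 0x012 forms.

```python
"""Rebuild tshark's '-z conv,tcp' and '-z endpoints,tcp' tables from the output of
'tshark -T fields -e ip.src -e ip.dst -e tcp.srcport -e tcp.dstport -e tcp.flags
        -e frame.len -E header=y' (frame.len is assumed to have been added)."""
import csv
import io
from collections import defaultdict

# Constructed sample output (not from a real capture): a telnet session, a refused
# connection, and one SYN that never got a reply.
SAMPLE_TSV = """\
ip.src\tip.dst\ttcp.srcport\ttcp.dstport\ttcp.flags\tframe.len
192.168.0.2\t192.168.0.1\t1254\t23\t0x0002\t74
192.168.0.1\t192.168.0.2\t23\t1254\t0x0012\t74
192.168.0.2\t192.168.0.1\t1254\t23\t0x0010\t66
192.168.0.2\t192.168.0.1\t1254\t23\t0x0018\t78
192.168.0.2\t10.0.0.6\t40001\t23\t0x0002\t74
10.0.0.6\t192.168.0.2\t23\t40001\t0x0014\t60
192.168.0.2\t10.0.0.6\t40002\t1254\t0x0002\t74
"""

TCP_SYN, TCP_ACK = 0x02, 0x10


def parse_fields(text):
    """Parse tshark '-T fields -E header=y' output: tab separated, one header row."""
    rows = []
    for rec in csv.DictReader(io.StringIO(text), delimiter="\t"):
        if not rec["tcp.srcport"]:          # non-TCP frames have empty tcp.* columns
            continue
        rows.append({
            "src": f'{rec["ip.src"]}:{rec["tcp.srcport"]}',
            "dst": f'{rec["ip.dst"]}:{rec["tcp.dstport"]}',
            "flags": int(rec["tcp.flags"], 16),   # tshark prints the flags byte as hex
            "len": int(rec["frame.len"]),
        })
    return rows


def tcp_conversations(rows):
    """Equivalent of 'tshark -z conv,tcp -q': frames and bytes per socket pair in each
    direction. The pair is keyed by the direction seen first, like tshark's A<->B columns."""
    convs = {}
    for r in rows:
        key = (r["src"], r["dst"])
        if (r["dst"], r["src"]) in convs:   # reply direction of a known conversation
            key = (r["dst"], r["src"])
        c = convs.setdefault(key, {"frames_ab": 0, "bytes_ab": 0, "flags_ab": 0,
                                   "frames_ba": 0, "bytes_ba": 0, "flags_ba": 0})
        d = "ab" if key[0] == r["src"] else "ba"
        c["frames_" + d] += 1
        c["bytes_" + d] += r["len"]
        c["flags_" + d] |= r["flags"]       # union of flags seen in that direction
    return convs


def tcp_endpoints(rows):
    """Equivalent of 'tshark -z endpoints,tcp -q': frames/bytes sent and received per ip:port."""
    ends = defaultdict(lambda: {"tx_frames": 0, "tx_bytes": 0, "rx_frames": 0, "rx_bytes": 0})
    for r in rows:
        ends[r["src"]]["tx_frames"] += 1
        ends[r["src"]]["tx_bytes"] += r["len"]
        ends[r["dst"]]["rx_frames"] += 1
        ends[r["dst"]]["rx_bytes"] += r["len"]
    return dict(ends)


def unanswered_syns(convs):
    """Conversations where the initiator sent a SYN and nothing came back: useful when
    triaging a capture for a host that is down, filtered, or being probed."""
    return sorted(k for k, c in convs.items()
                  if c["flags_ab"] & TCP_SYN and c["frames_ba"] == 0)


if __name__ == "__main__":
    rows = parse_fields(SAMPLE_TSV)
    convs = tcp_conversations(rows)
    for (a, b), c in convs.items():
        print(f"{a:<18} <-> {b:<18} ->{c['frames_ab']} frames/{c['bytes_ab']} B "
              f"<-{c['frames_ba']} frames/{c['bytes_ba']} B")
    print("unanswered SYNs:", unanswered_syns(convs))
```

Run against real output, pipe the tshark command into the script or read the file it wrote; the only assumption is that the column order matches the -e list above.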
Verify that the first two bytes of the IP header are 0x4500 (-x also prints a hex dump of each matching packet)
tshark -n -r filename.pcap -x "ip[0:2] == 45:00"
Source IP is 192.168.0.2
tshark -n -r filename.pcap -x "ip[12:4] == c0:a8:00:02"
Destination IP is 192.168.0.1
tshark -n -r filename.pcap -x "ip[16:4] == c0:a8:00:01"
Show IPv4 Destinations/Statistics and Ports
tshark -n -r filename.pcap -z dests,tree -q
Follow TCP stream
tshark -n -r filename.pcap -z follow,tcp,ascii,0 -q
Verify IP version is 4
windump -nvv -r filename.pcap -X "ip[0] & 0xF0 = 0x40"
Verify the IP header has no options, that is, the IP header is 20 bytes (IHL of 5 words)
windump -nvv -r filename.pcap -X "ip[0] & 0x0F = 0x5"
Verify that IP protocol is ICMP
windump -nvv -r filename.pcap -X "ip[9] = 0x01"
Verify that IP protocol is UDP
windump -nvv -r filename.pcap -X "ip[9] = 0x11"
Verify that IP protocol is TCP
windump -nvv -r filename.pcap -X "ip[9] = 0x06"
Determine time to live is less than 128
windump -nvv -r filename.pcap -X "ip[8] < 128"
Tracking IP packets with the More Fragments flag set (mask the bit; an exact match on ip[6] would miss fragments with a large offset)
windump -nvv -r filename.pcap -X "ip[6] & 0x20 = 0x20"
Verifying that source IP is 10.0.0.6
windump -nvv -r filename.pcap -X "ip[12] = 0x0a && ip[13] = 0x00 && ip[14] = 0x00 && ip[15] = 0x06"
Verifying that destination IP is 151.164.1.8
windump -nvv -r filename.pcap -X "ip[16] = 0x97 && ip[17] = 0xa4 && ip[18] = 0x01 && ip[19] = 0x08"
All traffic from TCP source port 23
windump -nn -r filename.pcap -X "tcp[0:2] = 23"
All traffic to TCP destination port 1254
windump -nn -r filename.pcap -X "tcp[2:2] = 1254"
All packets with only the SYN flag set (exact match on the flags byte)
windump -nn -r filename.pcap -X "tcp[13] = 0x02"
All packets with only the SYN and ACK flags set (exact match on the flags byte)
windump -nn -r filename.pcap -X "tcp[13] = 0x12"
All packets with FIN flag set
windump -nn -r filename.pcap "tcp[13] & 0x01 = 0x01"
Look for TCP packets with a header length greater than 20 bytes, that is, with TCP options present
windump -nn -r filename.pcap "tcp[12] & 0xF0 > 0x50"
Look for packets with the PUSH flag set
windump -nn -r filename.pcap "tcp[13] & 0x08 = 0x08"
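The byte-offset filters above (ip[n], tcp[n], and tshark's ip[12:4] == c0:a8:00:02 form) only make sense once you see which header byte each index lands on. The following Python script is an added example, not part of this cheat sheet or of the tcpdump/WinDump projects: it builds a few constructed IPv4/TCP packets, implements each filter expression as a plain function over the raw bytes with the matching filter in the comment, and writes the packets to a classic pcap file so the windump, tcpdump and tshark commands on this page can be run against it. Addresses, ports, MAC addresses and the file name are sample values.

```python
"""Constructed IPv4/TCP packets, a minimal pcap writer, and the byte-offset checks
that the windump/tcpdump (ip[n], tcp[n]) and tshark (ip[12:4]) filters express."""
import socket
import struct
import time

TCP_FIN, TCP_SYN, TCP_RST, TCP_PSH, TCP_ACK = 0x01, 0x02, 0x04, 0x08, 0x10


def _checksum(data):
    """Ones-complement sum used for the IPv4 header checksum."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_ipv4_tcp(src, dst, sport, dport, flags, ttl=64, more_fragments=False,
                   tcp_options=b"", payload=b""):
    """Return IPv4 header + TCP header (+ payload). Sample data only; the TCP checksum
    is left at zero because none of the filters above inspect it."""
    assert len(tcp_options) % 4 == 0, "TCP options are padded to 32-bit words"
    data_offset = 5 + len(tcp_options) // 4            # TCP header length in 32-bit words
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1000, 0, data_offset << 4,
                      flags, 65535, 0, 0) + tcp_options + payload
    frag = 0x2000 if more_fragments else 0x4000        # MF -> ip[6] = 0x20, DF -> 0x40
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0x1234, frag, ttl, 6, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    ip = ip[:10] + struct.pack("!H", _checksum(ip)) + ip[12:]
    return ip + tcp


# IPv4 checks: ip[n] counts from the first byte of the IP header.
def ip_version(pkt):        return pkt[0] >> 4                   # ip[0] & 0xF0 = 0x40
def ip_header_len(pkt):     return (pkt[0] & 0x0F) * 4           # ip[0] & 0x0F = 0x5 -> 20 bytes
def ip_more_fragments(pkt): return bool(pkt[6] & 0x20)           # ip[6] & 0x20 = 0x20
def ip_ttl(pkt):            return pkt[8]                        # ip[8] < 128
def ip_protocol(pkt):       return pkt[9]                        # ip[9] = 0x06 (TCP)
def ip_src(pkt):            return socket.inet_ntoa(pkt[12:16])  # ip[12:4] == c0:a8:00:02
def ip_dst(pkt):            return socket.inet_ntoa(pkt[16:20])  # ip[16:4] == c0:a8:00:01


# TCP checks: tcp[n] counts from the start of the TCP header, so IP options (if any)
# are skipped via the IHL; a hard-coded offset of 20 would be wrong when options exist.
def _tcp(pkt):              return pkt[ip_header_len(pkt):]
def tcp_sport(pkt):         return struct.unpack("!H", _tcp(pkt)[0:2])[0]  # tcp[0:2] = 23
def tcp_dport(pkt):         return struct.unpack("!H", _tcp(pkt)[2:4])[0]  # tcp[2:2] = 1254
def tcp_flags(pkt):         return _tcp(pkt)[13]                           # tcp[13] = 0x12
def tcp_flag_set(pkt, bit): return (_tcp(pkt)[13] & bit) == bit            # tcp[13] & 0x08 = 0x08
def tcp_has_options(pkt):   return (_tcp(pkt)[12] & 0xF0) > 0x50           # tcp[12] & 0xF0 > 0x50


def sample_packets():
    """Four constructed packets that exercise the filters above (not a real capture)."""
    mss = b"\x02\x04\x05\xb4"                          # one TCP option -> 24-byte TCP header
    return [
        build_ipv4_tcp("192.168.0.2", "192.168.0.1", 1254, 23, TCP_SYN, tcp_options=mss),
        build_ipv4_tcp("192.168.0.1", "192.168.0.2", 23, 1254, TCP_SYN | TCP_ACK),
        build_ipv4_tcp("192.168.0.2", "192.168.0.1", 1254, 23, TCP_PSH | TCP_ACK, payload=b"hello"),
        build_ipv4_tcp("10.0.0.6", "151.164.1.8", 1254, 23, TCP_ACK, ttl=128, more_fragments=True),
    ]


def write_pcap(path, packets, src_mac="00:a0:cc:3b:bf:fa", dst_mac="00:00:5e:00:53:01"):
    """Write packets into a classic pcap file (link type 1, Ethernet) so the windump,
    tcpdump and tshark commands above can be run against it unchanged."""
    eth = (bytes.fromhex(dst_mac.replace(":", "")) + bytes.fromhex(src_mac.replace(":", ""))
           + b"\x08\x00")                               # EtherType 0x0800 = IPv4
    now = int(time.time())
    with open(path, "wb") as fh:
        fh.write(struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1))
        for i, pkt in enumerate(packets):
            frame = eth + pkt
            fh.write(struct.pack("<IIII", now + i, 0, len(frame), len(frame)))
            fh.write(frame)
    return path


if __name__ == "__main__":
    pkts = sample_packets()
    print("SYN only :", [i for i, p in enumerate(pkts) if tcp_flags(p) == 0x02])
    print("PSH set  :", [i for i, p in enumerate(pkts) if tcp_flag_set(p, TCP_PSH)])
    print("options  :", [i for i, p in enumerate(pkts) if tcp_has_options(p)])
    print("MF set   :", [i for i, p in enumerate(pkts) if ip_more_fragments(p)])
    print("wrote", write_pcap("sample.pcap", pkts))
```

After running it, windump -nn -r sample.pcap "tcp[13] = 0x02" should print only the first packet, and "tcp[12] & 0xF0 > 0x50" the same one, because it is the only packet carrying a TCP option.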
References
http://www.tcpdump.org/tcpdump_man.html
Additional Materials
https://www.comparitech.com/net-admin/tcpdump-cheat-sheet/
Just a quick collection of some basic tcpdump commands.
In this post I will be targeting a .pcap file. However, these commands can be used for live capture.
See all packets in the capture file
windump -n -r filename.pcap
Show only the first 2 packets
windump -n -r filename.pcap -c 2
Tracking host by source MAC address
windump -n -r filename.pcap -e "ether src 00:a0:cc:3b:bf:fa"
Tracking host by destination MAC address
windump -n -r filename.pcap -e "ether dst 00:a0:cc:3b:bf:fa"
Tracking host by IP, whether that IP is source or destination
windump -n -r filename.pcap "host 192.168.0.1"
Track host by source IP
windump -n -r filename.pcap "src host 192.168.0.1"
Track host by destination IP
windump -n -r filename.pcap "dst host 192.168.0.1"
Track a port, whether it is the source or destination
windump -n -r filename.pcap "port 1254"
Tracking a source port
windump -n -r filename.pcap "src port 1254"
Track a destination port
windump -n -r filename.pcap "dst port 1254"
Tracking a specific UDP port
windump -n -r filename.pcap "udp port 1254"
Tracking a specific source UDP port
windump -n -r filename.pcap "udp src port 1254"
Tracking a specific destination UDP port
windump -n -r filename.pcap "udp dst port 1254"
Capturing all ARP packets
windump -n -r filename.pcap "arp"
Capturing all IP packets
windump -n -r filename.pcap "ip"
Capturing all UDP packets
windump -n -r filename.pcap "udp"
Capturing all ICMP packets
windump -n -r filename.pcap "icmp"
Capturing all TCP packets
windump -n -r filename.pcap "tcp"