Tuesday, December 8, 2015

Windump basics by examples

Just a quick write-up of some basic windump (the Windows port of tcpdump) commands.

In this post I will be targeting a .pcap file. However, these commands can be used for live capture as well: replace -r filename.pcap with -i and the interface to listen on.

See all packets in the capture file
windump -n -r filename.pcap

Show only the first 2 packets
windump -n -r filename.pcap -c 2

Tracking host by source MAC address (-e prints the link-level header, so the MAC addresses are shown in the output)
windump -n -r filename.pcap -e "ether src 00:a0:cc:3b:bf:fa"

Tracking host by destination MAC address
windump -n -r filename.pcap -e "ether dst 00:a0:cc:3b:bf:fa"

Tracking host by IP, whether that IP is source or destination
windump -n -r filename.pcap "host 192.168.0.1"

Track host by source IP
windump -n -r filename.pcap "src host 192.168.0.1"

Track host by destination IP
windump -n -r filename.pcap "dst host 192.168.0.1"

Track a port, whether it is the source or destination
windump -n -r filename.pcap "port 1254"

Tracking a source port
windump -n -r filename.pcap "src port 1254"

Track a destination port
windump -n -r filename.pcap "dst port 1254"

Tracking a specific UDP port
windump -n -r filename.pcap "udp port 1254"

Tracking a specific source UDP port
windump -n -r filename.pcap "udp src port 1254"

Tracking a specific destination UDP port
windump -n -r filename.pcap "udp dst port 1254"

Capturing all ARP
windump -n -r filename.pcap "arp"

Capturing all IP packets
windump -n -r filename.pcap "ip"

Capturing all UDP packets
windump -n -r filename.pcap "udp"

Capturing all ICMP packets
windump -n -r filename.pcap "icmp"

Capturing all TCP packets
windump -n -r filename.pcap "tcp"
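
As an added example (not from the original post, and not windump's own code): a small Python script that hand-builds four Ethernet frames and evaluates the same filter primitives the commands above use, so you can see how each one matches (for instance that "host" matches either direction while "udp dst port" requires both the protocol and the direction). It only understands the single-primitive expressions used in this post, and its "host" checks IPv4 addresses only (real BPF also matches ARP addresses); the MACs, IPs and ports are constructed sample values.

```python
import socket, struct
ETH_ARP, ETH_IP = 0x0806, 0x0800
PROTO = {1: "icmp", 6: "tcp", 17: "udp"}

def build(src_mac, dst_mac, ethertype, payload):  # Ethernet II: dst MAC, src MAC, type
    mac = lambda s: bytes.fromhex(s.replace(":", ""))
    return mac(dst_mac) + mac(src_mac) + struct.pack("!H", ethertype) + payload
def ipv4(proto, src, dst, l4):  # 20-byte IPv4 header (checksum left zero) + L4 segment
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64, proto, 0,
                       socket.inet_aton(src), socket.inet_aton(dst)) + l4

def parse(frame):  # pull out only the fields the post's filters look at
    p = {"ether_dst": frame[:6].hex(":"), "ether_src": frame[6:12].hex(":")}
    etype = struct.unpack("!H", frame[12:14])[0]
    if etype == ETH_ARP:
        p["proto"] = "arp"
    elif etype == ETH_IP:
        ihl = (frame[14] & 0x0F) * 4                      # IP header length in bytes
        p["proto"] = PROTO.get(frame[23], "ip")
        p["src"], p["dst"] = socket.inet_ntoa(frame[26:30]), socket.inet_ntoa(frame[30:34])
        if p["proto"] in ("tcp", "udp"):                  # ports are the first 4 L4 bytes
            p["sport"], p["dport"] = struct.unpack("!HH", frame[14 + ihl:18 + ihl])
    return p

def matches(p, expr):  # one filter primitive as written in the post (no and/or/not)
    w = expr.split()
    proto = w.pop(0) if w[0] in ("ether", "ip", "arp", "icmp", "tcp", "udp") else None
    if proto and not w:                                   # bare "arp", "udp", "ip", ...
        return p.get("proto") == proto or (proto == "ip" and "src" in p)
    if proto == "ether":                                  # "ether src MAC" / "ether dst MAC"
        direction, mac = w
        return p.get("ether_" + direction) == mac.lower()
    direction = w.pop(0) if w[0] in ("src", "dst") else None
    kind, value = w                                       # "host ADDR" or "port N"
    if proto in ("tcp", "udp") and p.get("proto") != proto:
        return False                                      # "udp port 1254" never matches TCP
    keys = {"host": {"src": ["src"], "dst": ["dst"], None: ["src", "dst"]},
            "port": {"src": ["sport"], "dst": ["dport"], None: ["sport", "dport"]}}[kind][direction]
    return any(p.get(k) == (int(value) if kind == "port" else value) for k in keys)

MAC_A, MAC_B = "00:a0:cc:3b:bf:fa", "00:11:22:33:44:55"
FRAMES = [  # constructed sample traffic, not a real capture: ARP, UDP, TCP, ICMP
    build(MAC_A, "ff:ff:ff:ff:ff:ff", ETH_ARP, bytes(28)),
    build(MAC_A, MAC_B, ETH_IP, ipv4(17, "192.168.0.1", "192.168.0.7", struct.pack("!HHHH", 1254, 53, 8, 0))),
    build(MAC_B, MAC_A, ETH_IP, ipv4(6, "192.168.0.7", "192.168.0.1", struct.pack("!HH", 40000, 1254) + bytes(16))),
    build(MAC_B, MAC_A, ETH_IP, ipv4(1, "10.0.0.5", "192.168.0.1", b"\x08\x00" + bytes(6))),
]

def count(expr, frames=FRAMES):  # how many frames the filter would let through
    return sum(matches(parse(f), expr) for f in frames)
```

count("host 192.168.0.1") returns 3 here (the UDP, TCP and ICMP frames), while count("udp dst port 1254") returns 0 because the only frame with destination port 1254 is TCP.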

References

http://www.tcpdump.org/tcpdump_man.html

4 comments:

  1. 192.168.0.1 is the address of an array of D-Link and Netgear model routers, similar to 192.168.1.1

  2. Harikrishna Chintamareddy, April 8, 2018 at 9:13 PM

    I guess
    windump -n -r filename.pcap "tcp" - capturing all TCP packets

    1. the "-r" option causes windump to read packets from a file rather than do a live capture. The "tcp" option tells it to only read TCP packets from the file.

      Hope this helps.

  3. Your home network likely uses the addresses 192.168.1.xxx. This is also the range that most of the devices I'm testing will use as their initial defaults.
