Tuesday, December 8, 2015

Windump basics by examples

Just a quick collection of some basic tcpdump commands.

In this post I will be targeting a .pcap file. However, these commands can also be used for live capture.

See all packets in the capture file
windump -n -r filename.pcap

Show only the first 2 packets
windump -n -r filename.pcap -c 2

Tracking host by source MAC address
windump -n -r filename.pcap -e "ether src 00:a0:cc:3b:bf:fa"

Tracking host by destination MAC address
windump -n -r filename.pcap -e "ether dst 00:a0:cc:3b:bf:fa"

Tracking host by IP, whether that IP is source or destination
windump -n -r filename.pcap "host 192.168.0.1"

Track host by source IP
windump -n -r filename.pcap "src host 192.168.0.1"

Track host by destination IP
windump -n -r filename.pcap "dst host 192.168.0.1"

Track a port, whether it is the source or destination
windump -n -r filename.pcap "port 1254"

Tracking a source port
windump -n -r filename.pcap "src port 1254"

Track a destination port
windump -n -r filename.pcap "dst port 1254"

Tracking a specific UDP port
windump -n -r filename.pcap "udp port 1254"

Tracking a specific source UDP port
windump -n -r filename.pcap "udp src port 1254"

Tracking a specific destination UDP port
windump -n -r filename.pcap "udp dst port 1254"

Capturing all ARP packets
windump -n -r filename.pcap "arp"

Capturing all IP packets
windump -n -r filename.pcap "ip"

Capturing all UDP packets
windump -n -r filename.pcap "udp"

Capturing all ICMP packets
windump -n -r filename.pcap "icmp"

Capturing all TCP packets
windump -n -r filename.pcap "tcp"
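As an added example (not part of the original post), the following Python models the filter primitives used in the commands above and applies them to constructed packet records, making explicit which fields each primitive tests (host/port match either end, src/dst one end, a protocol qualifier narrows the match). It is a simulation of the filter semantics, not the windump/tcpdump filter compiler, and supports only "and"-joined primitives.

```python
from dataclasses import dataclass
PROTOS = ("ip", "arp", "tcp", "udp", "icmp")

@dataclass
class Packet:
    """Constructed, simplified view of one frame: just the fields the primitives test."""
    eth_src: str
    eth_dst: str
    proto: str      # "arp", "tcp", "udp" or "icmp"
    src: str = ""   # IP addresses, or ARP sender/target address
    dst: str = ""
    sport: int = 0  # 0 when the protocol has no ports (ARP, ICMP)
    dport: int = 0

def _proto_ok(proto, p):
    # "ip" is any IP-carried protocol; ARP is not IP
    return p.proto != "arp" if proto == "ip" else p.proto == proto

def _primitive(toks, i, p):
    """Evaluate one primitive starting at toks[i]; return (matched, next index)."""
    proto = None
    if toks[i] in PROTOS:
        proto, i = toks[i], i + 1
        if i == len(toks) or toks[i] == "and":  # bare qualifier such as "udp"
            return _proto_ok(proto, p), i
    if toks[i] == "ether":                       # ether src|dst <mac>
        field = p.eth_src if toks[i + 1] == "src" else p.eth_dst
        return toks[i + 2] == field, i + 3
    direction = None
    if toks[i] in ("src", "dst"):                # without src/dst, either end matches
        direction, i = toks[i], i + 1
    kind, value = toks[i], toks[i + 1]
    if kind == "host":
        ends = {"src": [p.src], "dst": [p.dst], None: [p.src, p.dst]}
    else:                                        # "port": compared numerically
        value = int(value)
        ends = {"src": [p.sport], "dst": [p.dport], None: [p.sport, p.dport]}
    ok = value in ends[direction] and (proto is None or _proto_ok(proto, p))
    return ok, i + 2

def matches(expr, p):
    """True when every 'and'-joined primitive in expr matches packet p."""
    toks, i, ok = expr.split(), 0, True
    while i < len(toks) and ok:
        if toks[i] == "and":
            i += 1
        else:
            ok, i = _primitive(toks, i, p)
    return ok
```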



References

http://www.tcpdump.org/tcpdump_man.html


Additional Materials
https://www.comparitech.com/net-admin/tcpdump-cheat-sheet/

8 comments:

  1. 192.168.0.1 is the address of an array of D-Link and Netgear model routers, similar to 192.168.1.1

  2. Harikrishna Chintamareddy, April 8, 2018 at 9:13 PM

    I guess
    windump -n -r filename.pcap "tcp" - capturing all TCP packets

    Replies
    1. the "-r" option causes windump to read packets from a file rather than do a live capture. The "tcp" option tells it to only read TCP packets from the file.

      Hope this helps.

  3. The explanation is pretty good. Now I got the basics, thanks!

    Replies
    1. Hey Clayton, glad you found it helpful. Much appreciate the feedback.

  4. OK, this is not working, I am trying to capture traffic from a specific port to a .pcap file, but I keep getting a syntax error??? I have tried
    windump -i 1 port 43536 -q -w C:\blablabla\Bla -n -C 30 -W 50 -U -s 0, also tried to put port in brackets, also added dst to port, but no luck, keep getting a syntax error???? This is on a Win 7 machine.

    Replies
    1. OH, if I remove the port part completely it works, but I only want to log that port, not all traffic.

    2. Hello Unknown,
      I'm not running Windump anymore. I don't believe the tool runs on Windows 10. Let me know if I'm wrong. However, that command should work, as I tried running it on Linux after modifying the "-w" argument to "/tmp/test.pcap", and it works on Linux. Really not sure what the issue with your syntax is.
