Just a quick collection of some basic tcpdump commands.
In this post I will be targeting a .pcap file. However, these commands can also be used for live capture.
See all packets in the capture file
windump -n -r filename.pcap
Show only the first 2 packets
windump -n -r filename.pcap -c 2
Tracking host by source MAC address
windump -n -r filename.pcap -e "ether src 00:a0:cc:3b:bf:fa"
Tracking host by destination MAC address
windump -n -r filename.pcap -e "ether dst 00:a0:cc:3b:bf:fa"
Tracking host by IP, whether that IP is source or destination
windump -n -r filename.pcap "host 192.168.0.1"
Track host by source IP
windump -n -r filename.pcap "src host 192.168.0.1"
Track host by destination IP
windump -n -r filename.pcap "dst host 192.168.0.1"
Track a port, whether it is the source or destination
windump -n -r filename.pcap "port 1254"
Tracking a source port
windump -n -r filename.pcap "src port 1254"
Track a destination port
windump -n -r filename.pcap "dst port 1254"
Tracking a specific UDP port
windump -n -r filename.pcap "udp port 1254"
Tracking a specific source UDP port
windump -n -r filename.pcap "udp src port 1254"
Tracking a specific destination UDP port
windump -n -r filename.pcap "udp dst port 1254"
Capturing all ARP
windump -n -r filename.pcap "arp"
Capturing all IP packets
windump -n -r filename.pcap "ip"
Capturing all UDP packets
windump -n -r filename.pcap "udp"
Capturing all ICMP packets
windump -n -r filename.pcap "icmp"
Capturing all TCP packets
windump -n -r filename.pcap "tcp"
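To make clear which header fields each of the filters above actually tests, here is an added Python example (it is not part of the original post and does not use windump at all). It builds a constructed five-packet pcap in memory, parses it, and evaluates the same expression forms the commands use: ether src/dst, [src|dst] host, [tcp|udp] [src|dst] port and the bare protocol names. The MAC 00:a0:cc:3b:bf:fa, the address 192.168.0.1 and port 1254 are taken from the post; every other address, port and MAC is made up. Unlike the real BPF compiler it only checks host and port against IPv4 headers, which is enough to show how each filter behaves.

```python
import struct
from typing import Dict, List

# --- Constructed sample capture (addresses other than the post's are made up) ---
MAC_A = "00:a0:cc:3b:bf:fa"   # MAC used in the post's ether filters
MAC_B = "00:11:22:33:44:55"   # hypothetical second host
MAC_C = "66:77:88:99:aa:bb"   # hypothetical gateway

def _mac(s: str) -> bytes:
    return bytes.fromhex(s.replace(":", ""))

def _ip(s: str) -> bytes:
    return bytes(int(o) for o in s.split("."))

def eth(src: str, dst: str, etype: int, payload: bytes) -> bytes:
    return _mac(dst) + _mac(src) + struct.pack("!H", etype) + payload

def ipv4(proto: int, src: str, dst: str, payload: bytes) -> bytes:
    # Minimal 20-byte header (IHL=5); checksum left zero, it is not verified here
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                      proto, 0, _ip(src), _ip(dst))
    return hdr + payload

def tcp(sport: int, dport: int) -> bytes:
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x02, 8192, 0, 0)

def udp(sport: int, dport: int) -> bytes:
    return struct.pack("!HHHH", sport, dport, 8, 0)

def icmp_echo() -> bytes:
    return struct.pack("!BBHHH", 8, 0, 0, 1, 1)

def build_pcap(frames: List[bytes]) -> bytes:
    # Classic pcap: global header, then per-record header + frame; link type 1 = Ethernet
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", 1_600_000_000 + i, 0, len(f), len(f)) + f
    return out

SAMPLE_PCAP = build_pcap([
    eth(MAC_A, "ff:ff:ff:ff:ff:ff", 0x0806, b"\x00" * 28),                          # ARP request
    eth(MAC_A, MAC_C, 0x0800, ipv4(6, "192.168.0.1", "10.0.0.5", tcp(1254, 80))),    # TCP from post's host/port
    eth(MAC_C, MAC_A, 0x0800, ipv4(17, "10.0.0.5", "192.168.0.1", udp(53, 1254))),   # UDP reply to port 1254
    eth(MAC_A, MAC_C, 0x0800, ipv4(1, "192.168.0.1", "10.0.0.5", icmp_echo())),      # ICMP echo
    eth(MAC_B, MAC_C, 0x0800, ipv4(6, "10.0.0.9", "192.168.0.77", tcp(4444, 1254))), # TCP from another host
])

# --- Parsing: pull out just the fields the post's filters look at ---
def parse_pcap(data: bytes) -> List[Dict]:
    if struct.unpack("<I", data[:4])[0] != 0xA1B2C3D4:
        raise ValueError("only little-endian microsecond pcap is handled here")
    pkts, off = [], 24
    while off + 16 <= len(data):
        _, _, incl, _ = struct.unpack("<IIII", data[off:off + 16])
        frame = data[off + 16:off + 16 + incl]
        off += 16 + incl
        pkt = {"ether_dst": frame[:6].hex(":"), "ether_src": frame[6:12].hex(":"),
               "etype": struct.unpack("!H", frame[12:14])[0],
               "ip_src": None, "ip_dst": None, "proto": None, "sport": None, "dport": None}
        if pkt["etype"] == 0x0800:                       # IPv4
            ihl = (frame[14] & 0x0F) * 4
            pkt["proto"] = frame[23]
            pkt["ip_src"] = ".".join(str(b) for b in frame[26:30])
            pkt["ip_dst"] = ".".join(str(b) for b in frame[30:34])
            if pkt["proto"] in (6, 17):                  # TCP/UDP ports sit right after the IP header
                pkt["sport"], pkt["dport"] = struct.unpack("!HH", frame[14 + ihl:18 + ihl])
        pkts.append(pkt)
    return pkts

# --- Matching: the subset of the filter grammar used on this page ---
PROTO_NUM = {"tcp": 6, "udp": 17, "icmp": 1}

def _proto_ok(pkt: Dict, proto) -> bool:
    if proto in (None, "ether"):
        return True
    if proto == "arp":
        return pkt["etype"] == 0x0806
    if proto == "ip":
        return pkt["etype"] == 0x0800
    return pkt["etype"] == 0x0800 and pkt["proto"] == PROTO_NUM[proto]

def matches(pkt: Dict, expr: str) -> bool:
    toks = expr.lower().split()
    proto = toks.pop(0) if toks and toks[0] in ("ether", "arp", "ip", "tcp", "udp", "icmp") else None
    direction = toks.pop(0) if toks and toks[0] in ("src", "dst") else None
    if not _proto_ok(pkt, proto):
        return False
    if not toks:                                         # bare "arp", "tcp", ... or empty expression
        return True
    if proto == "ether":                                 # "ether [src|dst] <mac>"
        fields, value = ("ether_src", "ether_dst"), toks[0]
    elif toks[0] == "host":                              # "[src|dst] host <ip>"
        fields, value = ("ip_src", "ip_dst"), toks[1]
    elif toks[0] == "port":                              # "[src|dst] port <n>"
        fields, value = ("sport", "dport"), int(toks[1])
    else:
        raise ValueError(f"unsupported expression: {expr!r}")
    if direction == "src":
        fields = fields[:1]
    elif direction == "dst":
        fields = fields[1:]
    return any(pkt[f] == value for f in fields)         # no qualifier: either side matches

def count_matches(pcap: bytes, expr: str) -> int:
    return sum(matches(p, expr) for p in parse_pcap(pcap))

if __name__ == "__main__":
    for e in ["", "ether src " + MAC_A, "host 192.168.0.1", "udp dst port 1254", "tcp"]:
        print(f'{e or "(all)":32} -> {count_matches(SAMPLE_PCAP, e)} packet(s)')
```

Running the script prints the packet count for each expression; the same counts are what `windump -n -r` would show for that filter on a capture with those five frames. Note that `host 192.168.0.1` never matches the ARP frame here, because only IPv4 headers are inspected, whereas the real filter also looks at ARP sender and target addresses.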
References
http://www.tcpdump.org/tcpdump_man.html
Additional Materials
https://www.comparitech.com/net-admin/tcpdump-cheat-sheet/
I guess
windump -n -r filename.pcap "tcp" - capturing all TCP packets
The "-r" option causes windump to read packets from a file rather than do a live capture. The "tcp" option tells it to only read TCP packets from the file.
Hope this helps.
The explanation is pretty good. Now I got the basics, thanks!
Hey Clayton, glad you found it helpful. I much appreciate the feedback.
OK, this is not working. I am trying to capture traffic from a specific port to a .pcap file, but I keep getting a syntax error??? I have tried
windump -i 1 port 43536 -q -w C:\blablabla\Bla -n -C 30 -W 50 -U -s 0. I also tried to put port in brackets, and added dst to port, but no luck, I keep getting a syntax error???? This is on a Win 7 machine.
Oh, if I remove the port part completely it works, but I only want to log that port, not all traffic.
Hello Unknown,
I'm not running Windump anymore. I don't believe the tool runs on Windows 10. Let me know if I'm wrong. However, that command should work, as I tried running it on Linux, modifying the "-w" argument to "/tmp/test.pcap", and it works on Linux. Really not sure what the issue with your syntax is.
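One thing worth checking in the command from the thread is argument order: the tcpdump synopsis is `windump [options] [expression]`, with the filter expression last, while the command above puts `port 43536` in front of `-q -w ... -n -C 30 -W 50 -U -s 0`. If the option parser stops at the first non-option argument (an assumption made here about the Windows build; the GNU parser on Linux reorders arguments, which would explain why the same line ran there), everything from `port` onward is handed to the filter compiler, and `-q`, `-w`, and so on are not valid filter syntax. The following Python helper is an added example, not part of the post, that splits such a command line the way a non-permuting parser would, reports option-looking tokens that landed inside the expression, and rebuilds the line with all options in front. The set of value-taking options is the subset used in the thread's command plus `-r` and `-c` from the post.

```python
from typing import List, Tuple

# Options of windump/tcpdump that consume a following value. This is only the subset
# used on this page; a full list would come from the tcpdump man page.
OPTS_WITH_ARG = {"-i", "-w", "-r", "-C", "-W", "-s", "-c"}

def split_command(argv: List[str]) -> Tuple[List[str], List[str]]:
    """Split argv (program name omitted) into (options, expression).
    Assumes option parsing stops at the first argument that does not start with '-';
    everything from there on is treated as the BPF filter expression."""
    opts, i = [], 0
    while i < len(argv):
        tok = argv[i]
        if not tok.startswith("-"):
            break
        opts.append(tok)
        if tok in OPTS_WITH_ARG:
            if i + 1 >= len(argv):
                raise ValueError(f"option {tok} requires a value")
            opts.append(argv[i + 1])
            i += 1
        i += 1
    return opts, argv[i:]

def stray_options(expression: List[str]) -> List[str]:
    """Tokens inside the expression that look like command-line options. The filter
    compiler does not understand them, so they produce a syntax error."""
    return [t for t in expression if t.startswith("-")]

def reorder(argv: List[str]) -> List[str]:
    """Move misplaced options (with their values) in front of the expression."""
    opts, expr = split_command(argv)
    moved, kept, i = [], [], 0
    while i < len(expr):
        t = expr[i]
        if t.startswith("-"):
            moved.append(t)
            if t in OPTS_WITH_ARG and i + 1 < len(expr):
                moved.append(expr[i + 1])
                i += 1
        else:
            kept.append(t)
        i += 1
    return opts + moved + kept

if __name__ == "__main__":
    # The command line from the thread, as an argument list (path kept as typed there)
    cmd = ["-i", "1", "port", "43536", "-q", "-w", "C:\\blablabla\\Bla",
           "-n", "-C", "30", "-W", "50", "-U", "-s", "0"]
    opts, expr = split_command(cmd)
    print("expression seen by the filter compiler:", " ".join(expr))
    print("option-looking tokens inside it:", stray_options(expr))
    print("reordered: windump " + " ".join(reorder(cmd)))
```

On the thread's command the helper reports `-q -w -n -C -W -U -s` as stray tokens and rebuilds the line with `port 43536` at the end, which is the form the synopsis documents; quoting the expression (`"port 43536"`), as the commands in the post do, also makes the boundary between options and filter obvious to the reader.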