tcpdump - standard Unix tool for analyzing network packets

  • despite its name it can do much more than capturing TCP headers
  • can sniff traffic on many network types (including 802.1Q VLAN)
  • de facto standard for command line packet analysis in Unix environment

Useful options:

-D -- list available interfaces

-i INTERFACE -- listen on INTERFACE (default: lowest numbered interface)

-w FILE -- write raw packets to FILE

-r FILE -- read packets from FILE

-nn -- turn off host and protocol name resolution (to avoid generating DNS packets)

-s0 -- set snaplength to 0, i.e. read the whole packet, not just the first 68 bytes (default if version >= 4.0)

-t -- turn off timestamp entries

-c COUNT -- capture COUNT packets and stop


tcpdump -nni eth1 -w packets.pcap
tcpdump -nnr packets.pcap

Output format will vary based upon what protocols are in use:

  • TCP

    timestamp L3_protocol sIP.sPort > dIP.dPort: TCP_flags,
    TCP_sequence_number, TCP_acknowledgement_number, TCP_window_size
  • UDP

    timestamp L3_protocol sIP.sPort > dIP.dPort: L4_protocol, data_length
  • use up to -vvv to provide more information on headers

  • use -x to get entire packets (including data not just headers) in hex format
  • use -A to get entire packets in ASCII format
  • use -X to get entire packets in hex and ASCII format
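The output lines described above can be parsed back into fields, which is handy when reviewing a large `tcpdump -nn` dump. The following is an added example, not part of the original notes: it parses constructed sample lines in the TCP and UDP formats listed above (IPv4 and IPv6) and counts bare SYNs per source, a cheap indicator of scanning or connection flooding.

```python
import re
from collections import Counter

# Constructed sample of `tcpdump -nn` output; not from a real capture.
SAMPLE = """\
12:00:00.000100 IP 192.168.1.10.54321 > 10.0.0.5.8080: Flags [S], seq 100, win 29200, length 0
12:00:00.000200 IP 10.0.0.5.8080 > 192.168.1.10.54321: Flags [S.], seq 200, ack 101, win 28960, length 0
12:00:00.000300 IP 192.168.1.10.54321 > 10.0.0.5.8080: Flags [.], ack 201, win 29200, length 0
12:00:00.000400 IP 192.168.1.10.41234 > 10.0.0.9.5000: UDP, length 64
12:00:00.000500 IP6 2001:db8::1.443 > 2001:db8::2.50000: Flags [P.], seq 1:101, ack 1, win 500, length 100
12:00:00.000600 IP 192.168.1.11.40000 > 10.0.0.5.8080: Flags [S], seq 300, win 29200, length 0
"""

# timestamp L3_protocol sIP.sPort > dIP.dPort: <rest of line>
LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<l3>IP6?) (?P<src>\S+) > (?P<dst>\S+): (?P<rest>.*)$")

def split_addr(endpoint):
    """Split 'host.port' on the last dot; works for IPv4 and IPv6 since -nn prints numeric ports."""
    host, _, port = endpoint.rpartition(".")
    return host, int(port)

def parse_line(line):
    """Return a dict of fields for one tcpdump line, or None if it is not a packet line."""
    m = LINE_RE.match(line)
    if not m:
        return None
    src_ip, src_port = split_addr(m["src"])
    dst_ip, dst_port = split_addr(m["dst"])
    rest = m["rest"]
    rec = {"ts": m["ts"], "l3": m["l3"], "src": src_ip, "sport": src_port,
           "dst": dst_ip, "dport": dst_port}
    flags = re.match(r"Flags \[(?P<f>[^\]]*)\]", rest)
    if flags:                      # TCP lines carry the flag field first
        rec["l4"] = "TCP"
        rec["flags"] = flags["f"]
    else:                          # other L4 protocols are named before the first comma
        rec["l4"] = rest.split(",")[0]
    length = re.search(r"length (\d+)$", rest)
    rec["length"] = int(length.group(1)) if length else None
    return rec

def parse(text):
    return [r for r in (parse_line(line) for line in text.splitlines()) if r]

def syn_sources(records):
    """Count bare SYNs (flags exactly 'S') per source address."""
    return Counter(r["src"] for r in records if r.get("flags") == "S")
```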

Packet Filtering

  • utilizes the Berkeley Packet Filter (BPF) format
  • added to the end of the command (recommended to use single quotes)

    tcpdump -nnr packets.pcap 'tcp dst port 8080' -w packets_tcp8080.pcap
    tcpdump -nnr packets.pcap -F known_good_hosts.bpf


 primitive     primitive
+---------+ | +--------+
|         | | |        |
udp port 53 && dst host
 |        | |
 |        | logical operator
 |        value
 qualifier


  • host
  • net - network in CIDR notation
  • port
  • src - communication source
  • dst - communication destination
  • ip - IP protocol
  • tcp - TCP protocol
  • udp - UDP protocol

Logical operators

  • && - true when both conditions are true
  • || - true when either condition is true
  • ! - true when a condition is NOT met


  • host ADDRESS - match traffic to/from ADDRESS
  • dst host 2001:db8:85a3::8a2e:370:7334 - match traffic to the IPv6 address
  • ether host 00:50:56:98:60:92 - match traffic to the specified MAC address
  • !port 22 - match any traffic not to/from port 22
  • icmp - match all ICMP traffic
  • !ip6 - match everything that is not IPv6


  • Applied Network Security Monitoring


Common Vagrant Tasks

Search and add a box (virtual machine image):

vagrant box add https://atlas.hashicorp.com/ubuntu/boxes/trusty64
  • added box is global to the vagrant install
  • this is the base box (used to start the VM from the clean state)
  • base boxes are stored in ~/.vagrant.d/boxes

Initialize vagrant environment:

mkdir ubuntu-trusty64
cd ubuntu-trusty64
vagrant init ubuntu/trusty64
  • Vagrantfile is created

Start vagrant environment:

vagrant up
  • vagrant "imports" (copies) the base box to a provider-specific location (e.g. ~/.VirtualBox)

Check box(es) status:

vagrant status

Check box(es) SSH configuration:

vagrant ssh-config

SSH to a box:

vagrant ssh

Clean up:

# save the VM's state; fastest to start again; eats the most disk space (hard disk + saved state of RAM)
vagrant suspend

# graceful shutdown; slower to start again, still eats disk space (hard disk)
vagrant halt

# power down and remove all of the guest hard disks; even slower to
# start again (reimport of the base box and reprovisioning)
vagrant destroy

Show status of all vagrant environments on the host (independent of the directory you're in):

vagrant global-status [--prune]

To share a folder from the host on the guest, add the following to the Vagrantfile:

config.vm.synced_folder "../../eset-repos", "/shared/eset-repos",
  owner: "jreisinger", group: "jreisinger"


