tcpdump examples

Capture packets to or from host 20.20.20.20 on port 110 and write them to a file (-n skips DNS lookups):

tcpdump -n 'host 20.20.20.20 and port 110' -w /tmp/capture.pcap

Capture ICMP echo requests (ping, ICMP type 8) on eth0, printing link-layer headers with -e (quote the filter so the shell does not treat the brackets as a glob):

tcpdump -nni eth0 -e 'icmp[icmptype] == 8'

Capture ICMP echo replies (ICMP type 0):

tcpdump -nni eth0 -e 'icmp[icmptype] == 0'

Capture packets carrying a given DSCP tag. DSCP is the upper 6 bits of the TOS byte (ip[1]), so mask with 0xfc and compare against the DSCP value shifted left by 2; 184 (0xb8) is DSCP 46, Expedited Forwarding:

tcpdump -nni eth1 -v 'ip[1] & 0xfc == 184'

Dump HTTP traffic on port 80 in both ASCII and hex (-s0 captures full packets, -l line-buffers the output so it can be piped):

tcpdump -nni eth0 -s0 -AX -l port 80

Dump HTTP headers on port 9999 in ASCII, for example to read the User-Agent line:

tcpdump -A -l -vvvs 1024 -npi eth0 port 9999

Show the source addresses (field 3 of each line, with the port appended) seen in a pcap file, de-duplicated:

tcpdump -n -r capture.pcap | awk -F" " '{print $3}' | sort -u | head

Filter by source host, destination host, or port:

tcpdump -n src host 10.10.10.10
tcpdump -n dst host 20.20.20.20
tcpdump -n port 80

Read a pcap file and print each packet in hex and ASCII:

tcpdump -nX -r capture.pcap

TCP flags live in the 14th byte of the TCP header (offset 13, hence tcp[13]). To filter on a flag combination, write the flag bits in binary and convert to decimal:

CWR  ECE  URG  ACK  PSH  RST  SYN  FIN
128   64   32   16    8    4    2    1
  0    0    0    1    1    0    0    0   = 24 in decimal

So a decimal value of 24 matches only packets with exactly the ACK and PSH flags set and no others:

tcpdump -A -n 'tcp[13] = 24' -r capture.pcap
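The two byte-offset filters above (the DSCP mask on ip[1] and the flag arithmetic on tcp[13]) are both small bit calculations that are easy to get wrong by hand. The following POSIX shell functions are an added example, not part of the original cheat sheet or of tcpdump itself: they build the filter strings from flag names or a DSCP value, and decode a tcp[13] value back into flag names. The "at least these flags" variant (tcp[13] & N = N) goes beyond the page's exact-match example; all function names are this example's own.

```sh
#!/bin/sh
# Added example: derive tcpdump filter expressions from TCP flag names and
# DSCP values using only POSIX shell arithmetic.

# Bit value of one TCP flag name within tcp[13] (CWR=128 ... FIN=1).
tcp_flag_bit() {
    case "$1" in
        CWR) echo 128 ;;
        ECE) echo 64 ;;
        URG) echo 32 ;;
        ACK) echo 16 ;;
        PSH) echo 8 ;;
        RST) echo 4 ;;
        SYN) echo 2 ;;
        FIN) echo 1 ;;
        *) echo "unknown TCP flag: $1" >&2; return 1 ;;
    esac
}

# Sum the bits of the given flag names: tcp_flags_value ACK PSH -> 24
tcp_flags_value() {
    total=0
    for f in "$@"; do
        bit=$(tcp_flag_bit "$f") || return 1
        total=$((total + bit))
    done
    echo "$total"
}

# Filter matching packets with exactly these flags set and no others
# (the cheat sheet's tcp[13] = 24 form).
tcp_flags_exact_filter() {
    echo "tcp[13] = $(tcp_flags_value "$@")"
}

# Filter matching packets with at least these flags set; other flags may
# also be present (e.g. SYN matches both SYN and SYN-ACK).
tcp_flags_all_filter() {
    v=$(tcp_flags_value "$@") || return 1
    echo "tcp[13] & $v = $v"
}

# Decode a tcp[13] value back into flag names: tcp_flags_decode 24 -> "ACK PSH"
tcp_flags_decode() {
    v=$1
    out=""
    for f in CWR ECE URG ACK PSH RST SYN FIN; do
        bit=$(tcp_flag_bit "$f")
        if [ $((v & bit)) -ne 0 ]; then
            out="${out:+$out }$f"
        fi
    done
    echo "$out"
}

# DSCP occupies the top 6 bits of the TOS byte ip[1]; 0xfc masks off the
# two ECN bits, and the DSCP value is shifted left by 2 for comparison.
# dscp_filter 46 -> "ip[1] & 0xfc == 184"
dscp_filter() {
    echo "ip[1] & 0xfc == $(( $1 << 2 ))"
}

# Stand-alone usage: print the filters the cheat sheet uses.
tcp_flags_exact_filter ACK PSH
tcp_flags_all_filter SYN
dscp_filter 46
```

A built filter can be handed straight to tcpdump, for example tcpdump -A -n "$(tcp_flags_exact_filter ACK PSH)" -r capture.pcap. Note the difference between the two forms: tcp[13] = 24 misses a PSH/ACK segment that also carries ECE, whereas tcp[13] & 24 = 24 catches it.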