Using tcpdump

Some examples of using tcpdump to read saved capture files (the -r option). In each command, $i stands for the capture file, so the same lines work inside a for loop over *.dump. The filter expression is quoted so that the shell does not interpret characters such as & or [ ]; add -n if you want addresses kept numeric, which avoids slow reverse DNS lookups that also disclose the addresses you are investigating to your resolver.

Show all packets received from host 123.123.123.123
tcpdump -r "$i" 'src host 123.123.123.123'

Show all TCP packets received from host 123.123.123.123 except the TCP RST packets (the unquoted & in the original would have been taken by the shell as a background operator)
tcpdump -r "$i" 'src host 123.123.123.123 and tcp[tcpflags] & tcp-rst == 0'

Show all UDP packets received from host 123.123.123.123
tcpdump -r "$i" 'src host 123.123.123.123 and udp'

Show all ICMP packets received from host 123.123.123.123
tcpdump -r "$i" 'src host 123.123.123.123 and icmp'

List the distinct TTL values seen in packets received from host 123.123.123.123 (-v makes tcpdump print the IP header fields, including ttl; a host that shows several different TTLs is worth a closer look, since it may be several machines behind one address or a spoofed source)
tcpdump -vvv -r "$i" 'src host 123.123.123.123' | grep -o "ttl [[:digit:]]*," | sort | uniq

When reading stored packets from a file, tcpdump writes a line such as "reading from file x.dump, link-type EN10MB (Ethernet)" to standard error. To ignore this output, redirect standard error (file descriptor 2) to /dev/null:
for i in *.dump; do tcpdump -r "$i" 2> /dev/null; done

For a list of IP addresses in a file called input.txt (one address per line), read the stored packets and count how many ICMP packets were received from each host. This is a quick way to see which hosts answered ICMP probes. Without -v tcpdump prints one line per packet, so wc -l gives the packet count; note that this runs tcpdump once per host per capture file.
while read -r ip; do printf '%s : ' "$ip"; for i in *.dump; do tcpdump -r "$i" "src host $ip and icmp" 2> /dev/null; done | wc -l; done < input.txt
