TCP Dump advanced guide
Recently, I published a blog post on the basics of TCP Dump. In this blog, I plan to delve into advanced commands and techniques of TCP Dump.
TCP Dump is a powerful network packet analyzer tool that is widely used for network troubleshooting, security analysis, and performance optimization. In this article, we will discuss some advanced commands of TCP Dump that can help you in your network analysis.
1. Displaying Packets in ASCII: To display packets in ASCII format, use the following command
tcpdump -A
This option is useful when you want to analyze the payload of the packets.
2. Displaying Packets in HEX: To display packets in HEX format, use the following command
tcpdump -X
This option is useful when you want to analyze the packet structure and content in detail.
3. Displaying Packets in Verbose Mode: To display packets in verbose mode, use the following command
tcpdump -vv
This option provides more detailed information about the packets, including timestamps, packet lengths, and checksum information.
4. Displaying Packets with Timestamp: To display packets with timestamps, use the following command
tcpdump -tttt
This option displays the packets with a high-resolution timestamp, which can be useful for network performance analysis.
5. Displaying Packets with Count: To display a specific number of packets and then stop, use the following command
tcpdump -c <count>
where count is the number of packets to display before tcpdump exits.
6. Displaying Packets with Limit: To limit the number of bytes captured from each packet, use the following command
tcpdump -s <limit>
where limit is the snapshot length, the maximum number of bytes to capture from each packet; -s 0 captures each packet in full.
7. Displaying Packets with TCP Flags: To display packets with specific TCP flags, use the following command
tcpdump 'tcp[tcpflags] & (tcp-fin | tcp-syn | tcp-rst | tcp-push | tcp-ack | tcp-urg) != 0'
This option displays only the TCP packets in which at least one of the listed flags is set; remove flags from the list to narrow the match.
8. Displaying Packets with IP Address and Port Filter: To display packets with an IP address and port filter, use the following command
tcpdump 'src host <ip address> and src port <port number> or dst host <ip address> and dst port <port number>'
where src host and dst host specify the source and destination IP address, respectively, and src port and dst port specify the source and destination port, respectively.
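The following shell functions, added here as an example and not part of the original post, assemble the host/port filter above with explicit parentheses (so the 'and'/'or' precedence is visible), narrow the flag filter to SYN-only segments (new connection attempts), and combine them with -c, -s, -tttt and -X into one command line. The interface name, the -nn option and the port validation are assumptions for the example.

```shell
#!/bin/sh
# Assembles a tcpdump command line from the options discussed above.
# Nothing here runs tcpdump itself; the functions only print the
# filter expressions and the final command so they can be checked.

# build_host_port_filter HOST PORT -> prints a BPF expression.
# Parentheses make the grouping explicit: in BPF 'and' binds tighter
# than 'or', so the page's filter already groups this way.
build_host_port_filter() {
    host=$1
    port=$2
    case $port in
        ''|*[!0-9]*) echo "port must be numeric" >&2; return 1 ;;
    esac
    [ "$port" -ge 1 ] && [ "$port" -le 65535 ] || {
        echo "port out of range" >&2; return 1
    }
    printf '(src host %s and src port %s) or (dst host %s and dst port %s)\n' \
        "$host" "$port" "$host" "$port"
}

# build_syn_filter -> prints a filter for segments with SYN set and
# ACK clear, i.e. connection attempts, narrower than the any-flag
# expression shown above.
build_syn_filter() {
    printf '%s\n' 'tcp[tcpflags] & (tcp-syn|tcp-ack) == tcp-syn'
}

# build_capture_cmd IFACE COUNT SNAPLEN HOST PORT -> prints the full
# command: -nn avoids name lookups, -c bounds the packet count,
# -s sets the per-packet snapshot length (0 = whole packet),
# -tttt prints date and time, -X dumps hex and ASCII.
build_capture_cmd() {
    iface=$1; count=$2; snaplen=$3; host=$4; port=$5
    hp=$(build_host_port_filter "$host" "$port") || return 1
    printf "tcpdump -i %s -nn -c %s -s %s -tttt -X '(%s) and %s'\n" \
        "$iface" "$count" "$snaplen" "$hp" "$(build_syn_filter)"
}

# Example with a constructed documentation address (RFC 5737 range).
build_capture_cmd eth0 100 0 192.0.2.10 443
```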
These are some advanced commands of TCP Dump that can help you in your network analysis. With these commands, you can capture and analyze packets in detail, and find the root cause of network problems. It is important to note that these commands may vary depending on the operating system you are using.