Wireshark and tcpdump

Wireshark and tcpdump are extremely powerful network troubleshooting tools. Here are some command examples that may be useful.

Wireshark Display Filters

Show all ARP:
Show ARP from a specific MAC:
arp.src.hw_mac == 00:16:D3:4A:CE:7D
Show all traffic to a specific IP (ip.src matches the sender, ip.dst the receiver):
ip.dst ==
Show all traffic to/from a specific IP:
ip.addr ==
Show only SYN packets:
Show all web traffic:
tcp.port == 80
Capture agent specific traffic
udp.port == 11168 or udp.port == 11168 or udp.port == 11688 or tcp.port == 11698

Wireshark Capture Filters

Capture just audit traffic
tcp port 11698
Capture only from a single MAC
ether host 00:16:D3:4A:CE:7D
Capture agent specific traffic
udp port 11168 or udp port 11168 or udp port 11688 or tcp port 11698
Capture only traffic to/from
Capture only web traffic to/from
host and tcp port 80

tcpdump Capture Filters

See all SSH traffic not from designated host:
tcpdump -n port 22 and not host
See all audit traffic for one endpoint:
tcpdump -n -i any port 11698 and host
Capture HTTP traffic to/from, keeping up to 4096 bytes of each packet (-s), decode it as much as possible, and save it to /tmp/http.cap
tcpdump -X -vv -s 4096 -w /tmp/http.cap host and port 80
Look for reporter traffic
/usr/sbin/tcpdump -n udp port 11688
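A file written with `tcpdump -w` holds raw frames, so the filtering and decoding happen when the file is read back. The following is an added example, not part of the original page: a minimal reader for the classic libpcap format that decodes Ethernet/IPv4/TCP/UDP headers and applies the same port logic as the "agent specific traffic" capture filter above (udp port 11168 or udp port 11688 or tcp port 11698). The port numbers come from the page; the four sample packets and their addresses are constructed in the block itself, so it runs offline with no capture file and no root.

```python
"""Offline reader for a tcpdump/Wireshark capture (classic pcap, as `tcpdump -w` writes).

Added example, not from the original page. Port sets mirror the page's
'agent specific traffic' filter; the sample packets below are constructed.
"""
import struct
from typing import Dict, List, Optional

PCAP_MAGIC = 0xA1B2C3D4          # little-endian classic pcap, microsecond timestamps
LINKTYPE_ETHERNET = 1
ETHERTYPE_IPV4 = 0x0800
PROTO_TCP, PROTO_UDP = 6, 17

AGENT_UDP_PORTS = {11168, 11688}  # from 'udp port 11168 or udp port 11688'
AGENT_TCP_PORTS = {11698}         # from 'tcp port 11698'


def parse_pcap(data: bytes) -> List[bytes]:
    """Return the raw frames of a little-endian classic pcap byte string."""
    magic, _major, _minor, _tz, _sig, _snaplen, linktype = struct.unpack("<IHHiIII", data[:24])
    if magic != PCAP_MAGIC:
        raise ValueError("not a little-endian classic pcap file")
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError(f"unsupported link type {linktype}")
    frames, off = [], 24
    while off + 16 <= len(data):          # 16-byte per-packet record header
        _sec, _usec, incl_len, _orig_len = struct.unpack("<IIII", data[off:off + 16])
        off += 16
        frames.append(data[off:off + incl_len])
        off += incl_len
    return frames


def decode_frame(frame: bytes) -> Optional[Dict[str, int]]:
    """Decode Ethernet -> IPv4 -> TCP/UDP ports; None for anything else (ARP, IPv6, ICMP...)."""
    if len(frame) < 14 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV4:
        return None
    ip = frame[14:]
    if len(ip) < 20:
        return None
    ihl = (ip[0] & 0x0F) * 4              # IPv4 header length in bytes (options included)
    proto = ip[9]
    l4 = ip[ihl:]
    if proto not in (PROTO_TCP, PROTO_UDP) or len(l4) < 4:
        return None
    sport, dport = struct.unpack("!HH", l4[:4])   # first 4 bytes of TCP and UDP are the ports
    return {"proto": proto, "sport": sport, "dport": dport}


def is_agent_traffic(pkt: Dict[str, int]) -> bool:
    """BPF 'port N' matches either source or destination port, so test both."""
    ports = {pkt["sport"], pkt["dport"]}
    if pkt["proto"] == PROTO_UDP:
        return bool(ports & AGENT_UDP_PORTS)
    if pkt["proto"] == PROTO_TCP:
        return bool(ports & AGENT_TCP_PORTS)
    return False


def count_agent_packets(data: bytes) -> Dict[str, int]:
    """Summarise a capture: total frames, decodable IPv4 TCP/UDP frames, agent matches."""
    summary = {"frames": 0, "decoded": 0, "agent": 0}
    for frame in parse_pcap(data):
        summary["frames"] += 1
        pkt = decode_frame(frame)
        if pkt is None:
            continue
        summary["decoded"] += 1
        if is_agent_traffic(pkt):
            summary["agent"] += 1
    return summary


# --- constructed sample capture (placeholder MACs and 10.0.0.x addresses) ---
def _frame(proto: int, sport: int, dport: int) -> bytes:
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + struct.pack("!H", ETHERTYPE_IPV4)
    l4 = struct.pack("!HH", sport, dport) + b"\x00" * 16   # enough bytes for a bare TCP header
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64, proto, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return eth + ip + l4


def _pcap(frames: List[bytes]) -> bytes:
    hdr = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    return hdr + b"".join(struct.pack("<IIII", 0, 0, len(f), len(f)) + f for f in frames)


SAMPLE_PCAP = _pcap([
    _frame(PROTO_TCP, 40000, 80),      # web traffic: not an agent port
    _frame(PROTO_UDP, 11688, 5000),    # reporter traffic (udp port 11688)
    _frame(PROTO_TCP, 11698, 40001),   # audit traffic (tcp port 11698)
    _frame(PROTO_UDP, 5001, 11698),    # UDP on the TCP-only port: no match
])

if __name__ == "__main__":
    print(count_agent_packets(SAMPLE_PCAP))   # {'frames': 4, 'decoded': 4, 'agent': 2}
```

To run it against a real file, replace SAMPLE_PCAP with `open("/tmp/http.cap", "rb").read()`; the reader only handles the little-endian classic format with Ethernet link type, which is what a default `tcpdump -w` on an Ethernet interface produces (a capture taken with `-i any` uses a different link type and is rejected with an error rather than misread).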