
Wireshark and tcpdump

Wireshark and tcpdump are powerful network troubleshooting tools. The examples below are grouped by filter type, and the distinction matters: Wireshark display filters use Wireshark's field syntax (ip.addr, tcp.port) and are applied to packets that have already been captured, so they can be changed freely; capture filters, in both Wireshark and tcpdump, use BPF syntax (host, port) and decide which packets are recorded at all, so a packet excluded by a capture filter cannot be recovered afterwards.

Wireshark Display Filters

Show all ARP:
arp
Show ARP from a specific MAC:
arp.src.hw_mac == 00:16:D3:4A:CE:7D
Show all traffic from a specific IP (ip.src matches the source address only; use ip.dst for the destination):
ip.src == 10.14.1.16
Show all traffic to/from a specific IP:
ip.addr == 10.14.1.16
Show packets with the SYN flag set (a bare tcp.flags.syn only tests that the field is present, which every TCP segment satisfies, so compare the value; this form also matches SYN-ACK replies):
tcp.flags.syn == 1
Show only the initial SYN of each handshake, excluding SYN-ACK replies:
tcp.flags.syn == 1 and tcp.flags.ack == 0
Show HTTP traffic on TCP port 80 (HTTPS on 443 is not included):
tcp.port == 80
Show agent-specific traffic:
udp.port == 11168 or udp.port == 11688 or tcp.port == 11698
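The display filters above are terse enough that it is easy to misread what each one actually selects (ip.src versus ip.addr, or a bare tcp.flags.syn versus a value comparison). The following Python script is an added example and not part of this page: it hand-builds a few Ethernet/ARP and Ethernet/IPv4/TCP frames, dissects them into Wireshark-style field names, and counts how many frames each filter from the page (plus the corrected SYN forms) would select. The frames, the 00:50:56:aa:bb:cc and 00:0c:29:11:22:33 MACs and the 93.184.216.34 / 1.1.1.1 peers are constructed for the example; the filter semantics follow Wireshark's documented rule that a bare field name tests only for the field's presence.

```python
"""Model of the Wireshark display filters from this page, run over
hand-built frames (added example; frames are constructed, not captured)."""
import struct

ETH_ARP, ETH_IPV4, IPPROTO_TCP = 0x0806, 0x0800, 6
SYN, ACK = 0x02, 0x10


def mac_bytes(mac):
    return bytes.fromhex(mac.replace(":", ""))


def mac_str(b):
    return ":".join(f"{x:02x}" for x in b)


def ip_bytes(ip):
    return bytes(int(o) for o in ip.split("."))


def ip_str(b):
    return ".".join(str(x) for x in b)


def arp_frame(src_mac, src_ip, target_ip):
    """Ethernet II + ARP request: who-has target_ip, tell src_ip."""
    eth = mac_bytes("ff:ff:ff:ff:ff:ff") + mac_bytes(src_mac) + struct.pack("!H", ETH_ARP)
    arp = struct.pack("!HHBBH", 1, ETH_IPV4, 6, 4, 1)  # hw/proto type, sizes, opcode=request
    arp += mac_bytes(src_mac) + ip_bytes(src_ip)  # sender hardware/protocol address
    arp += mac_bytes("00:00:00:00:00:00") + ip_bytes(target_ip)  # target hw/protocol address
    return eth + arp


def tcp_frame(src_mac, dst_mac, src_ip, dst_ip, sport, dport, flags):
    """Ethernet II + IPv4 + TCP header with no payload (checksums left zero)."""
    eth = mac_bytes(dst_mac) + mac_bytes(src_mac) + struct.pack("!H", ETH_IPV4)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, IPPROTO_TCP, 0,
                     ip_bytes(src_ip), ip_bytes(dst_ip))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 65535, 0, 0)
    return eth + ip + tcp


def dissect(frame):
    """Return the Wireshark field names this example understands, keyed as in display filters."""
    f = {"eth.dst": mac_str(frame[0:6]), "eth.src": mac_str(frame[6:12])}
    etype = struct.unpack("!H", frame[12:14])[0]
    if etype == ETH_ARP:
        f["arp"] = True
        f["arp.src.hw_mac"] = mac_str(frame[22:28])
        f["arp.src.proto_ipv4"] = ip_str(frame[28:32])
        f["arp.dst.proto_ipv4"] = ip_str(frame[38:42])
    elif etype == ETH_IPV4:
        ihl = (frame[14] & 0x0F) * 4
        f["ip.src"], f["ip.dst"] = ip_str(frame[26:30]), ip_str(frame[30:34])
        f["ip.proto"] = frame[23]
        if frame[23] == IPPROTO_TCP:
            o = 14 + ihl
            f["tcp.srcport"], f["tcp.dstport"] = struct.unpack("!HH", frame[o:o + 4])
            flags = frame[o + 13]
            f["tcp.flags.syn"] = 1 if flags & SYN else 0
            f["tcp.flags.ack"] = 1 if flags & ACK else 0
    return f


# Each entry pairs a filter string from the page (or its corrected form) with
# the predicate Wireshark evaluates it to.
FILTERS = {
    "arp": lambda f: "arp" in f,
    "arp.src.hw_mac == 00:16:d3:4a:ce:7d": lambda f: f.get("arp.src.hw_mac") == "00:16:d3:4a:ce:7d",
    "ip.src == 10.14.1.16": lambda f: f.get("ip.src") == "10.14.1.16",
    "ip.addr == 10.14.1.16": lambda f: "10.14.1.16" in (f.get("ip.src"), f.get("ip.dst")),
    # A bare field name only tests presence, and every TCP segment carries the
    # flag field, so this selects all TCP traffic rather than only SYNs.
    "tcp.flags.syn": lambda f: "tcp.flags.syn" in f,
    "tcp.flags.syn == 1": lambda f: f.get("tcp.flags.syn") == 1,
    "tcp.flags.syn == 1 and tcp.flags.ack == 0":
        lambda f: f.get("tcp.flags.syn") == 1 and f.get("tcp.flags.ack") == 0,
    "tcp.port == 80": lambda f: 80 in (f.get("tcp.srcport"), f.get("tcp.dstport")),
}

CLIENT, GATEWAY, OTHER = "00:16:d3:4a:ce:7d", "00:50:56:aa:bb:cc", "00:0c:29:11:22:33"
SAMPLE_FRAMES = [  # constructed: two ARP requests, an HTTP handshake, an SSH SYN, a stray ACK
    arp_frame(CLIENT, "10.14.1.16", "10.14.1.1"),
    arp_frame(OTHER, "10.14.1.20", "10.14.1.1"),
    tcp_frame(CLIENT, GATEWAY, "10.14.1.16", "93.184.216.34", 51000, 80, SYN),
    tcp_frame(GATEWAY, CLIENT, "93.184.216.34", "10.14.1.16", 80, 51000, SYN | ACK),
    tcp_frame(CLIENT, GATEWAY, "10.14.1.16", "93.184.216.34", 51000, 80, ACK),
    tcp_frame(OTHER, CLIENT, "10.14.1.20", "10.14.1.16", 52000, 22, SYN),
    tcp_frame(OTHER, GATEWAY, "10.14.1.20", "1.1.1.1", 52001, 443, ACK),
]


def match_counts(frames=SAMPLE_FRAMES):
    """Number of frames each filter selects."""
    dissected = [dissect(fr) for fr in frames]
    return {name: sum(1 for f in dissected if pred(f)) for name, pred in FILTERS.items()}


if __name__ == "__main__":
    for name, n in match_counts().items():
        print(f"{n:2d}  {name}")
```

Running it shows the two traps directly: ip.src selects only the two frames 10.14.1.16 sent, while ip.addr also picks up the SYN-ACK and the inbound SSH SYN, and the bare tcp.flags.syn selects every TCP frame where the value comparison selects three and the SYN-and-not-ACK form only the two genuine connection attempts.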

Wireshark Capture Filters

Capture just audit traffic:
tcp port 11698
Capture only from a single MAC (Ethernet addresses are rewritten at each router, so this only works on the local segment):
ether host 00:16:D3:4A:CE:7D
Capture agent-specific traffic:
udp port 11168 or udp port 11688 or tcp port 11698
Capture only traffic to/from 1.2.3.4:
host 1.2.3.4
Capture only web traffic to/from 1.2.3.4:
host 1.2.3.4 and tcp port 80

tcpdump Capture Filters

See all SSH traffic not involving a given host:
tcpdump -n port 22 and not host 216.58.41.139
See all audit traffic for one endpoint, on every interface:
tcpdump -n -i any port 11698 and host 156.99.137.37
Capture HTTP traffic to/from 10.100.0.1, keeping up to 4096 bytes of each packet, and save it to /tmp/http.cap (with -w the packets are written raw, so -X and -vv only affect printed output; -n avoids the DNS lookups that would otherwise add traffic of their own):
tcpdump -n -s 4096 -w /tmp/http.cap host 10.100.0.1 and port 80
Decode a saved capture as fully as possible:
tcpdump -n -r /tmp/http.cap -X -vv
Look for reporter traffic:
/usr/sbin/tcpdump -n udp port 11688