tcpdump cheat sheet

Packet structure

TCP

The TCP flags are in tcp[13]: ACK = 0x10, RST = 0x04, SYN = 0x02, FIN = 0x01.

ICMP

The ICMP type is in icmp[0]. Useful types are 0 (echo response), 3 (destination unreachable), 8 (echo request) and 11 (time exceeded).

IPv6

Since tcpdump does not fully decode IPv6, we must do it ourselves. The transport layer protocol number is in the ip6[6] (“next header”) field: ICMP = 0x01, TCP = 0x06, UDP = 0x11. The IPv6 header is 40 bytes, assuming no extension headers, so tcp[13] maps to ip6[53] and icmp[0] maps to ip6[40].

Recipes

Rejected traffic

Capture RST and ICMP Destination Unreachable packets, useful when debugging a firewall to see what it rejects:

((tcp[13] & 4 == 4) || (ip6[6] == 6 && ip6[53] & 4 == 4) || (icmp[0] == 3) || (icmp6 && ip6[40] == 1))

Successful TCP handshakes

Capture SYN+ACK packets to monitor successful TCP handshakes:

((tcp[13] & 0x12 == 0x12) || (ip6[6] == 6 && ip6[53] & 0x12 == 0x12))

TCP termination

Capture FIN+ACK packets to monitor TCP session terminations:

((tcp[13] & 0x11 == 0x11) || (ip6[6] == 6 && ip6[53] & 0x11 == 0x11))

Note: it is technically possible for only one end to send FIN (without ACK) and for the other to keep transmitting, or for either end to send FIN and ACK separately. In practice, a TCP connection nearly always ends with FIN, FIN+ACK, ACK.

IPv6 neighbor and router discovery

Capture ICMP6 neighbor solicitation / advertisement packets (135, 136) and ICMP6 router solicitation / advertisement / redirect packets (133, 134, 137):

(icmp6 && (ip6[40] >= 133 && ip6[40] <= 137))
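The offset arithmetic from the Packet structure section (a 40-byte IPv6 header puts tcp[13] at ip6[53] and icmp[0] at ip6[40]) and the four recipes above can be checked offline, without a capture interface. The Python below is an added example, not part of the cheat sheet and not tcpdump or libpcap code: it hand-packs a few constructed IPv4 and IPv6 packets and re-implements each filter expression as a function over the raw bytes, so you can see exactly which byte each primitive is testing. It assumes that libpcap's `icmp6` primitive corresponds to an IPv6 next header value of 58, and that `tcp[13]` / `icmp[0]` index into the IPv4 transport header only, which is why the page falls back to `ip6[...]` offsets for IPv6. Addresses, ports and the `fields`, `tcp_flags` and `classify` helper names are all constructed for the example.

```python
"""Offline model of the cheat sheet's tcpdump filters over raw packet bytes.
Added example; not tcpdump/libpcap code. Offsets follow the page:
tcp[13] (IPv4 TCP flags), icmp[0] (IPv4 ICMP type), ip6[6] (next header),
ip6[53] (TCP flags behind a 40-byte IPv6 header), ip6[40] (ICMPv6 type)."""
import struct

PROTO_ICMP, PROTO_TCP, PROTO_UDP = 1, 6, 17
PROTO_ICMPV6 = 58  # assumption: what libpcap's 'icmp6' primitive tests for

# TCP flag bits in tcp[13], as listed on the page.
ACK, RST, SYN, FIN = 0x10, 0x04, 0x02, 0x01


def ipv4_packet(proto, payload):
    """Minimal 20-byte IPv4 header (no options) + payload; checksum left zero.
    Constructed sample addresses from the 192.0.2.0/24 documentation range."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                      proto, 0, bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2]))
    return hdr + payload


def ipv6_packet(next_header, payload):
    """Fixed 40-byte IPv6 header, no extension headers, + payload.
    Constructed sample addresses from the 2001:db8::/32 documentation range."""
    hdr = struct.pack("!IHBB16s16s", 0x60000000, len(payload), next_header, 64,
                      bytes.fromhex("20010db8" + "00" * 12),
                      bytes.fromhex("20010db8" + "00" * 11 + "01"))
    return hdr + payload


def tcp_segment(flags):
    """20-byte TCP header; the flags byte is offset 13, i.e. tcpdump's tcp[13]."""
    return struct.pack("!HHIIBBHHH", 12345, 443, 1, 1, 5 << 4, flags, 65535, 0, 0)


def icmp_message(icmp_type):
    """8-byte ICMP/ICMPv6 header; the type is byte 0 (icmp[0] or ip6[40])."""
    return struct.pack("!BBHI", icmp_type, 0, 0, 0)


def fields(pkt):
    """Expose the packet the way the page's primitives see it (constructed helper).
    tcp/icmp are IPv4 transport headers only; ip6 is the whole IPv6 packet."""
    f = {"tcp": None, "icmp": None, "ip6": None, "icmp6": False}
    version = pkt[0] >> 4
    if version == 4:
        ihl = (pkt[0] & 0x0F) * 4
        if pkt[9] == PROTO_TCP:
            f["tcp"] = pkt[ihl:]
        elif pkt[9] == PROTO_ICMP:
            f["icmp"] = pkt[ihl:]
    elif version == 6:
        f["ip6"] = pkt
        f["icmp6"] = pkt[6] == PROTO_ICMPV6
    return f


def tcp_flags(f):
    """tcp[13] on IPv4, or ip6[53] when ip6[6] == 6; None when not TCP."""
    if f["tcp"] is not None:
        return f["tcp"][13]
    if f["ip6"] is not None and f["ip6"][6] == PROTO_TCP:
        return f["ip6"][53]
    return None


def rejected(pkt):
    """(tcp[13] & 4 == 4) || (ip6[6] == 6 && ip6[53] & 4 == 4) || (icmp[0] == 3) || (icmp6 && ip6[40] == 1)"""
    f = fields(pkt)
    flags = tcp_flags(f)
    if flags is not None and flags & RST == RST:
        return True
    if f["icmp"] is not None and f["icmp"][0] == 3:
        return True
    return bool(f["icmp6"] and f["ip6"][40] == 1)


def handshake(pkt):
    """(tcp[13] & 0x12 == 0x12) || (ip6[6] == 6 && ip6[53] & 0x12 == 0x12): SYN+ACK."""
    flags = tcp_flags(fields(pkt))
    return flags is not None and flags & (SYN | ACK) == (SYN | ACK)


def termination(pkt):
    """(tcp[13] & 0x11 == 0x11) || (ip6[6] == 6 && ip6[53] & 0x11 == 0x11): FIN+ACK."""
    flags = tcp_flags(fields(pkt))
    return flags is not None and flags & (FIN | ACK) == (FIN | ACK)


def nd(pkt):
    """(icmp6 && (ip6[40] >= 133 && ip6[40] <= 137)): neighbor/router discovery."""
    f = fields(pkt)
    return bool(f["icmp6"] and 133 <= f["ip6"][40] <= 137)


def classify(pkt):
    """Names of the recipes a packet would match (constructed helper)."""
    recipes = (("rejected", rejected), ("handshake", handshake),
               ("termination", termination), ("nd", nd))
    return [name for name, fn in recipes if fn(pkt)]


if __name__ == "__main__":
    samples = {
        "v4 RST+ACK": ipv4_packet(PROTO_TCP, tcp_segment(RST | ACK)),
        "v6 SYN+ACK": ipv6_packet(PROTO_TCP, tcp_segment(SYN | ACK)),
        "v4 FIN+ACK": ipv4_packet(PROTO_TCP, tcp_segment(FIN | ACK)),
        "v4 ICMP type 3": ipv4_packet(PROTO_ICMP, icmp_message(3)),
        "v6 ICMPv6 type 1": ipv6_packet(PROTO_ICMPV6, icmp_message(1)),
        "v6 ICMPv6 NS (135)": ipv6_packet(PROTO_ICMPV6, icmp_message(135)),
        "v6 UDP": ipv6_packet(PROTO_UDP, b"\x00" * 8),
    }
    for label, pkt in samples.items():
        print(f"{label:20s} -> {classify(pkt)}")
```

The `ipv6_packet(...)[53]` and `[40]` lookups make the header-size argument concrete: with no extension headers the TCP flags byte is always the 54th byte of the IPv6 packet, and the ICMPv6 type is the 41st. If a capture contains extension headers (fragment, hop-by-hop, routing) those fixed offsets no longer line up, which is the limitation the page flags with "assuming no extension headers".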

7 thoughts on “tcpdump cheat sheet”

I don’t know what you mean by “assume interface management”. These are subexpressions for use in tcpdump filters. They are not very useful on their own; you will generally also want to filter on source or destination address (or subnet) or port numbers. Either way, you won’t have much use for them unless you already know how to use tcpdump.

They’re not hacks, they’re… literally how IPv6 works. And fragmentation is usually not an issue when I’m using these.

Perfect stuff!
Works in Wireshark as capture filter as well.
Good way to capture datastreams, without creating large log files.

I was looking for the same, but made mistakes in the definition of the filter.

Thanks!
