iPaddress TCPDump TCP
sudo tcpdump src 1.1.1.1
sudo tcpdump dst 1.0.0.1
sudo tcpdump net 1.2.3.0/24
sudo tcpdump -c 1 -X icmp
sudo tcpdump port 3389
sudo tcpdump src port 1025
sudo tcpdump portrange 21-23
sudo tcpdump less 32
sudo tcpdump greater 64
sudo tcpdump <= 128
sudo tcpdump -nnvvS src 10.5.2.3 and dst port 3389
sudo tcpdump -nvX src net 192.168.0.0/16 and dst net 10.0.0.0/8 or 172.16.0.0/16
sudo tcpdump dst 192.168.0.2 and src net and not icmp
sudo tcpdump 'src 10.0.2.4 and (dst port 3389 or 22)'
sudo tcpdump 'tcp[13] & 4!=0'
sudo tcpdump 'tcp[tcpflags] == tcp-rst'
sudo tcpdump 'tcp[13] & 2!=0'
sudo tcpdump 'tcp[tcpflags] == tcp-syn'
sudo tcpdump 'tcp[13]=18'
sudo tcpdump 'tcp[13] & 16!=0'
sudo tcpdump 'tcp[tcpflags] == tcp-ack'
sudo tcpdump 'tcp[13] & 1!=0'
sudo tcpdump 'tcp[tcpflags] == tcp-fin'
sudo tcpdump -vvAls0 | grep 'User-Agent:'
sudo tcpdump -vvAls0 | grep 'GET'
sudo tcpdump -vvAls0 | grep 'Host:'
sudo tcpdump -vvAls0 | grep 'Set-Cookie|Host:|Cookie:'
sudo tcpdump port http or port ftp or port smtp or port imap or port pop3 or port telnet -lA | egrep -i -B5 'pass=|pwd=|log=|login=|user=|username=|pw=|passw=|passwd= |password=|pass:|user:|username:|password:|login:|pass |user '
ToughLama