Terminal - Commands using tcpdump - 41 results
tcp(){ tcpdump -nUs0 -w- -iinterface $1|tcpdump -n${2-A}r- ;} # usage: tcp '[primitives]' [X|XX]
2011-03-07 03:40:11
User: argv
Functions: tcpdump
1

Sometimes the question comes up: how to get unbuffered tcpdump output into the next program in the pipe? I.e., if your OS forces you to wait for the buffer to fill before the next program sees any of the output.

If you use -Uw- then you can't use -A (or -X or -XX) at the same time.

When the question comes up, I've never seen anyone suggest this simple solution: chaining 2 tcpdump instances.

tcpdump -i eth0 -s 1500 -n -w "sniff" "tcp port pop3 and ip[40] = 85 and ip[41] = 83"
2010-11-18 09:03:08
User: ironmarc
Functions: tcpdump
0

The command is useful for monitoring the use of the boxes and their connection IP.

Result file "sniff" is readable with GUI program "wireshark" or through CLI with the command:

tcpdump -r "sniff" -XX

ssh root@HOST tcpdump -U -s0 -w - 'not port 22' | wireshark -k -i -
2010-10-28 09:02:39
User: abb
Functions: ssh tcpdump
9

When using tcpdump, specify -U option to prevent buffering.

liveh(){ tcpdump -lnAs512 ${1-} tcp |sed 's/.*GET /GET /;s/.*Host: /Host: /;s/.*POST /POST /;/[GPH][EOo][TSs]/!d;w '"${2-liveh.txt}" >/dev/null ;} # usage: liveh [-i interface] [output-file] && firefox &
2010-10-11 01:01:11
User: argv
Functions: sed tcpdump
5

Default output-file is "liveh.txt".

This uses only BRE, in case you're using an older version of sed(1) that doesn't have support for ERE added.

With a modern sed(1), to reduce false positive matches, you might do something like:

liveh(){ tcpdump -lnnAs512 ${1:+-i "$1"} tcp |sed -E 's/.*GET /GET /;s/.*Host: /Host: /;s/.*POST /POST /;/GET |Host: |POST /!d;/[\"'"'"]/d;/\.\./d;w '"${2-liveh.txt}" >/dev/null ;}

Anyway, it's easy to clean up the output file with sed(1) later.

sudo tcpdump -i eth0 -n port 67 and 68
2010-08-18 19:36:06
User: wsv123456
Functions: sudo tcpdump
0

You don't need this command often and there are other ways to test output, but if you want to be sure your router and ethernet card are working, this is one way.

tcpdump -i eth0 port 80 -w -
tcpdump -i any -n 'tcp[13] == 2'
sudo tcpdump -nnvvXSs 1514 -i lo0 dst port 5432
2009-12-18 17:12:44
User: ethanmiller
Functions: sudo tcpdump
1

It's certainly not nicely formatted SQL, but you can see the SQL in there...

tcpdump -nnvvXSs 1514 -i <device> <filters>
2009-12-17 22:30:55
User: din7
Functions: tcpdump
3

This command will show you the entire payload of a packet.

The final "s" increases the snaplength, grabbing the whole packet.

tcpdump -v -i <INTERFACE> -s 0 -w /tmp/sniff.pcap port <PORT> # On the remote side
2009-12-17 22:08:30
User: sputnick
Functions: tcpdump
Tags: tcpdump pcap
4

Then hit ^C to stop, get the file by scp, and you can now use wireshark like this:

wireshark /tmp/sniff.pcap

If you have tshark on the remote host, you could use that:

wireshark -k -i <(ssh -l root <REMOTE HOST> tshark -w - not tcp port 22)

The last snippet comes from http://wiki.wireshark.org/CaptureSetup/Pipes

tcpdump -ieth0 -n tcp port 80 -A -s1500
2009-12-05 00:59:16
User: guelfoweb
Functions: tcpdump
Tags: tcpdump
2

Sniffing traffic on port 80, only the first 1500 bytes.

tcpdump -n -v tcp or udp or icmp and not port 22
sniff_host: tcpdump -nn -i eth1 -w - | nc 192.168.0.2 666
sudo tcpdump -i en1 -n -s 0 -w - | grep -a -o -E "Host\: .*|GET \/.*"
2009-04-04 01:41:48
User: peterc
Functions: grep sudo tcpdump
-2

Replace "en1" with your network interface (on OS X, usually en0, en1, eth0, etc.).

tcpdump -nn -v -i eth0 -s 1500 -c 1 'ether[20:2] == 0x2000'
2009-02-20 18:02:27
User: spif
Functions: tcpdump
15

This gives you lots of nifty Cisco network information like VLAN tag, port and switch information.

tcpdump -nli eth0; tcpdump -nli eth0 src or dst w.x.y.z; tcpdump -nli eth0 port 80; tcpdump -nli eth0 proto udp
2009-02-05 17:41:55
User: jonty
Functions: tcpdump
2

At some point you want to know what packets are flowing on your network. Use tcpdump for this. The man page is obtuse, to say the least, so here are some simple commands to get you started.

-n means show IP numbers and don't try to translate them to names.

-l means write a line as soon as it is ready.

-i eth0 means trace the packets flowing through the first ethernet interface.

src or dst w.x.y.z traces only packets going to or from IP address w.x.y.z.

port 80 traces only packets for HTTP.

proto udp traces only packets for UDP protocol.

Once you are happy with each option, combine them with 'and', 'or' and 'not' to get the effects you want.