Capture all tcp and udp packets in LAN, except packets coming to localhost (192.168.1.2)

sudo tcpdump -n -i eth0 -w data.pcap -v tcp or udp and 'not host 192.168.1.2'

0
By: anhpht
2011-10-12 00:20:52
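How the capture filter above selects packets, as an added example (not from the original post): it builds a small constructed pcap in memory, reads it back, and applies the same logic as `tcp or udp and 'not host 192.168.1.2'`, beside a `not dst host` variant for comparison. Assumptions: classic little-endian pcap with Ethernet link type and IPv4 only; all function names and the sample packets are hypothetical.

```python
import socket
import struct

LOCAL = "192.168.1.2"  # host excluded by the page's filter

def frame(src, dst, proto):
    """Constructed Ethernet + IPv4 frame with 8 bytes of dummy payload."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 0, 0, 64, proto, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    return b"\x00" * 12 + b"\x08\x00" + ip + b"\x00" * 8

def build_pcap(frames):
    """Classic little-endian pcap, link type 1 (Ethernet)."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for f in frames:
        out += struct.pack("<IIII", 0, 0, len(f), len(f)) + f
    return out

def read_pcap(data):
    """Yield (src, dst, ip_proto) for each IPv4-over-Ethernet record."""
    if struct.unpack_from("<I", data, 0)[0] != 0xA1B2C3D4:
        raise ValueError("not a little-endian classic pcap file")
    off = 24
    while off + 16 <= len(data):
        caplen = struct.unpack_from("<I", data, off + 8)[0]
        pkt = data[off + 16:off + 16 + caplen]
        off += 16 + caplen
        if len(pkt) >= 34 and pkt[12:14] == b"\x08\x00":
            yield (socket.inet_ntoa(pkt[26:30]),
                   socket.inet_ntoa(pkt[30:34]), pkt[23])

def page_filter(src, dst, proto):
    """tcp or udp and not host LOCAL; 'or'/'and' group left to right."""
    return proto in (6, 17) and LOCAL not in (src, dst)

def dst_only_filter(src, dst, proto):
    """Variant: tcp or udp and not dst host LOCAL."""
    return proto in (6, 17) and dst != LOCAL

SAMPLE = build_pcap([            # constructed packets, not real traffic
    frame("192.168.1.5", "192.168.1.9", 6),     # TCP between other hosts
    frame("192.168.1.5", "192.168.1.2", 17),    # UDP to LOCAL
    frame("192.168.1.2", "192.168.1.9", 6),     # TCP from LOCAL
    frame("192.168.1.5", "192.168.1.9", 1),     # ICMP
    frame("192.168.1.7", "192.168.1.255", 17),  # UDP broadcast
])

def kept(flt, data=SAMPLE):
    return [p for p in read_pcap(data) if flt(*p)]
```

`kept(page_filter)` drops traffic in both directions for 192.168.1.2, while `kept(dst_only_filter)` still records what that host sends.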

These Might Interest You

  • At some point you want to know what packets are flowing on your network. Use tcpdump for this. The man page is obtuse, to say the least, so here are some simple commands to get you started. -n means show IP numbers and don't try to translate them to names. -l means write a line as soon as it is ready. -i eth0 means trace the packets flowing through the first ethernet interface. src or dst w.x.y.z traces only packets going to or from IP address w.x.y.z. port 80 traces only packets for HTTP. proto udp traces only packets for UDP protocol. Once you are happy with each option combine them with 'and' 'or' 'not' to get the effects you want.


    2
    tcpdump -nli eth0; tcpdump -nli eth0 src or dst w.x.y.z; tcpdump -nli eth0 port 80; tcpdump -nli eth0 proto udp
    jonty · 2009-02-05 17:41:55 0
  • Allows you to establish a tunnel (encapsulate packets) to your (Server B) remote server IP from your local host (Server A). On Server B you can then connect to port 2001 which will forward all packets (encapsulated) to port 22 on Server A. -- www.fir3net.com --


    7
    ssh -R 2001:localhost:22 [username]@[remote server ip]
    felix001 · 2009-10-11 09:51:04 0
  • On a Gentoo system, this command will tell you which packets you have installed and sort them by how much space they consume. Good for finding out space-hogs when tidying up disk space.


    0
    equery s | sed 's/(\|)/ /g' | sort -n -k 9 | gawk '{print $1" "$9/1048576"m"}'
    Alanceil · 2009-07-30 01:12:10 0
  • If two or more IPv6 addresses are assigned to an interface, apply this command to all but the address that you want to use as the source address of outbound packets. This is Linux-specific and requires the iproute package, or equivalent for your distribution.


    1
    ip addr change 2001:db8:1:2::ab dev eth0 preferred_lft 0
    jasonjgw · 2010-11-18 05:05:15 2
