Wireshark and tcpdump Reference

Wireshark and tcpdump are extremely powerful network troubleshooting tools. Here are some command examples that may be useful.

Wireshark Display Filters

Show all ARP:
arp
Show ARP from a specific MAC:
arp.src.hw_mac == 00:16:D3:4A:CE:7D
Show all traffic to a specific IP:
ip.src == 10.14.1.16
Show all traffic to/from a specific IP:
ip.addr == 10.14.1.16
Show only SYN packets:
tcp.flags.syn
Show all web traffic:
tcp.port == 80
Capture agent specific traffic
udp.port == 11168 or udp.port == 11168 or udp.port == 11688 or tcp.port == 11698

Wireshark Capture Filters

Capture just audit traffic
tcp port 11698
Capture only from a single MAC
ether host 00:16:D3:4A:CE:7D
Capture agent specific traffic
udp port 11168 or udp port 11168 or udp port 11688 or tcp port 11698
Capture only traffic to/from 1.2.3.4
host 1.2.3.4
Capture only web traffic to/from 1.2.3.4
host 1.2.3.4 and tcp port 80

tcpdump Capture Filters

See all SSH traffic not from designated host:
tcpdump -n port 22 and not host 216.58.41.139
See all audit traffic for one endpoint:
tcpdump -n -i any port 11698 and host 156.99.137.37
Capture 4096 bytes of HTTP traffic to/from 10.100.0.1, decode it as much as possible, and save it to /tmp/http.cap
tcpdump -X -vv -s 4096 -w /tmp/http.cap host 10.100.0.1 and port 80
Look for reporter traffic
/usr/sbin/tcpdump -n udp port 11688