**__TCPDUMP NOTES__** \\
[[https://softbackbone.duckdns.org/doku.php?id=network_stuff:tcpnotes|tcp_notes]]\\

To write the tcpdump output in pcap format, use ''-w''. Adding capital ''-W'' (together with ''-G'' or ''-C'') rotates the capture across several files:
<code bash>
tcpdump -ni eth0 -s0 -w /var/tmp/capture.pcap
tcpdump -ni eth0 -w /var/tmp/trace -W 48 -G 1800 -C 100 -K   # 48 files, rotated either every 1800 seconds (=30 minutes) or every 100 MB; -K: don't verify checksums
tcpdump -nni bond1 -w /var/tmp/trace -W 1 -G 20 -C 100 -K
tcpdump -e -r sflow_2022_new.pcap                             # read an existing pcap (remove -e if not interested in ethernet headers)
</code>
After capture, transfer example:
<code bash>
gk# scp root@slingshot2.nj.mycompany1.co.uk:/var/tmp/capture.pcap /home/jaime_santos/Downloads/
hm# scp root@gatekeeper.mycompany1.co.uk:/home/jaime_santos/Downloads/capture.pcap capture-ams.pcap
remote# rm /var/tmp/capture.pcap
gk# rm /var/tmp/capture.pcap
</code>
These are useful links:\\
[[http://danielmiessler.com/study/tcpdump/|link1]] [[http://packetpushers.net/masterclass-tcpdump-expressions/|link2]] [[http://alumni.cs.ucr.edu/~marios/ethereal-tcpdump.pdf/|link3]] \\

Check port, protocol and source or destination address:\\
//host// is for bidirectional flow. For source or destination IP, we use //src// and //dst//. For port: //src port// or //dst port//.
<code bash>
tcpdump -nnvvi eth1 host 10.5.2.3 and dst port 3389 and tcp
tcpdump -nni any portrange 60000-60100
tcpdump -vv -e -nni any ether proto 0x8809               # LACP
tcpdump -n -i eth0 -A -x dst port 443 and greater 100    # only packets of length >= 100 bytes
</code>
To **show mac address headers**. Note that **if we specify ''any'' as interface, we will miss one mac address** (the Linux cooked capture used for ''any'' carries only one link-layer address), so **__always try to specify the interface we are capturing on__**:
<code bash>
tcpdump -c10 -enni wlp2s0   # shows ETHERNET HEADERS and captures a FEW PACKETS
</code>
<code bash>
tcpdump -e -nni bond0 ether src host 00:00:5e:00:01:04 and not vrrp   # show ETHERNET HEADERS for one source MAC
</code>
''-S'': print absolute rather than relative TCP sequence numbers.\\
<code bash>
tcpdump -nnvvi bond0 'not (src net (10 or 172.16/12 or 192.168/16) and dst net (10 or 172.16/12 or 192.168/16))'   # EXCLUDE traffic where both src and dst are PRIVATE ADDRESSES
tcpdump -nni any 'not ((dst net (10 or 172.16/12 or 192.168/16 or 169.254/16)) or host 127.0.0.1)'            # EXCLUDE PRIVATE ADDRESSES, APIPA and loopback
</code>
A very simple check before tcpdump is the one below, showing which interface is passing the traffic (look at the byte and packet counters):
<code bash>
cat /proc/net/dev
</code>
[[http://danielmiessler.com/study/tcpdump/]] [[http://packetpushers.net/masterclass-tcpdump-expressions/]]\\

Examples:
<code bash>
tcpdump -ni any port 5005 -s0 -A
tcpdump -nni eth1 -A -s 0 vlan 4000 and '(host 155.140.121.12 or (vlan and host 155.140.121.12))'   # spanned (RSPAN-tagged) ports
tcpdump src port 1025 and tcp
tcpdump -nnvvS src 10.5.2.3 and dst port 3389
tcpdump -w net75.out -s 0 net 65.192.0.0/10
</code>

TOP TALKERS (or just use ''iftop''):
<code bash>
sudo tcpdump -tnn -c 400000 -i bond0 | awk -F "." '{print $1"."$2"."$3"."$4}' | sort | uniq -c | sort -nr | head
</code>
Capture any packets where the source or destination host is 192.168.1.1. Display IP addresses and port numbers (not names):
<code bash>
tcpdump -n host 192.168.1.1
</code>
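The TOP TALKERS pipeline can be tried without root or a busy interface by feeding it canned output. The block below is an added example, not part of the original notes: the lines inside ''sample_tcpdump_output'' are constructed to look like ''tcpdump -tnn'' output, and the function names (''sample_tcpdump_output'', ''top_talkers'', ''busiest_source'') are my own. It makes visible what the awk fields select: the first four dot-separated fields are the //source// address, so the ranking is per source, not per conversation.

```shell
#!/bin/sh
# Added example (not from the original notes). sample_tcpdump_output is a constructed
# stand-in for "sudo tcpdump -tnn -c 400000 -i bond0"; -t drops the timestamp so each
# line starts with "IP src.port > dst.port: ...". Note: newer tcpdump with -i any may
# prefix lines with interface and direction, which shifts the awk fields.
sample_tcpdump_output() {
    cat <<'EOF'
IP 10.5.2.3.51234 > 192.168.1.1.3389: Flags [S], seq 1, win 64240, length 0
IP 192.168.1.1.3389 > 10.5.2.3.51234: Flags [S.], seq 2, ack 2, win 65160, length 0
IP 10.5.2.3.51234 > 192.168.1.1.3389: Flags [.], ack 3, win 502, length 0
IP 10.5.2.3.51234 > 192.168.1.1.3389: Flags [P.], seq 1:101, ack 3, win 502, length 100
IP 172.16.4.9.40000 > 192.168.1.1.443: Flags [S], seq 7, win 64240, length 0
IP 192.168.1.1.443 > 172.16.4.9.40000: Flags [R.], seq 0, ack 8, win 0, length 0
EOF
}

# The page's pipeline, unchanged apart from reading the sample instead of tcpdump.
# awk -F "." splits on dots, so $1..$4 rebuild "IP a.b.c.d": the SOURCE address of
# each packet ($1 keeps the "IP " prefix). uniq -c counts per source, sort -nr ranks.
top_talkers() {
    sample_tcpdump_output \
      | awk -F "." '{print $1"."$2"."$3"."$4}' \
      | sort | uniq -c | sort -nr | head
}

# Convenience: the busiest source address alone, without the count or the "IP" prefix.
busiest_source() {
    top_talkers | head -1 | awk '{print $NF}'
}

top_talkers
```

On the sample above the first line of ''top_talkers'' is ''3 IP 10.5.2.3'': the three replies from 192.168.1.1 are counted under 192.168.1.1, not under the hosts talking to it, which is why this quick ranking can hide a busy server behind many small clients.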
<code bash>
tcpdump -ni eth1 vlan 4001 and '(host 94.142.191.160 or (vlan and host 94.142.191.160))' -A -s 0 | grep FIX | sed 's/.*FIX/FIX/'
tcpdump -nr span-EAT-MDS-eth1-96 vlan and port 57462 or '(vlan and port 57462)' -s 0 -A > /tmp/out   # -r applies tcpdump ON A FILE instead of an interface
tcpdump -nr span-EAT-MDS-eth1-96 -s 0 -A | grep -B 1 -i barct1md | head        # look for a string in the body (-B 1 also shows the packet header line before it)
tcpdump -nr span-EAT-MDS-eth1-96 -s 0 -A | sed 's/\.\.*\././g'                 # strip the dot trails
tcpdump -nr span-EAT-MDS-eth1-96 -s 0 -A | grep -B 1 -E '192.168.0.9.32933'    # follow one flow (IP.port)
tcpdump -nr span-EAT-MDS-eth1-96 -s 0 -A | grep -w '\[P.\]'                    # find packets by TCP flags
tcpdump -nr span-PROD-OE-eth4-0573 -s 0 -A | grep -B 1 -E '155.195.219.196.25727' | grep --color '\[S\.\]\|\[R\.\]\|\[F\.\]'   # connection setup/teardown of one flow
tcpdump -nnr span-EAT-OE-eth1-86 vlan 4001 -s 0 -A | grep -B 1 dhubt2 | head   # search for the source IP corresponding to an account name
tcpdump -nnr span-PROD-OE-eth4-0664 -A -s 0 | sed 's/.*8=FIX/8=FIX/' | grep -v 35=0 | grep -B 2 'msoe1\|10.39.145.1' | more   # drop heartbeats (35=0), then look at one client
tcpdump -ni eth1 -s 0 -A | grep FIX | sed -e 's/^.*8=FIX/8=FIX/g' -e 's/8=FIX/\n&/g' | egrep "269=[0-9].278=[0-9]*.270=[0-9]*.[0-9]*.271=[0-9]*." --color
</code>

This is to capture bidirectional flows on an RSPAN-tagged connection (the tag separates the different span points; in this case it is 4000):\\
<code bash>
tcpdump -ni eth1 -A -s 0 vlan 4000 and '(host 155.140.121.12 or (vlan and host 155.140.121.12))' | grep FIX | sed 's/.*FIX/FIX/'
</code>

Flags significance:\\
  * "[X.]" means X plus ACK piggybacked
  * "P": seeing a PUSH flag is not necessarily bad; for real-time messages (as in the FIX protocol) it is normal. TCP presents to upper layers a simple socket which can be read from and written to.
The PSH flag tells the stack to deliver the data immediately ("pushing" data out), rather than waiting for additional data to enter the buffer.\\
In the following example we //extract packets only with the P flag//:
<code bash>
tcpdump -nr span-EAT-MDS-eth1-96 -s 0 -A | grep -B 1 -i barct1md | sed 's/\.\.*\././g' | grep -w '\[P.\]'
</code>

Formatting some FIX traffic:\\
<code bash>
tcpdump -ni eth1 -s 0 -A | grep FIX | sed -e 's/^.*8=FIX/8=FIX/g' -e 's/8=FIX/\n&/g' | egrep "269=[0-9].278=[0-9]*.270=[0-9]*.[0-9]*.271=[0-9]*." --color
</code>

**IPV6**:\\
<code bash>
tcpdump -nni any icmp6 and '(ip6[40] == 128 or ip6[40] == 129)'   # ICMPv6 echo request and reply
tcpdump -nni any icmp6 and '(ip6[40] == 135 or ip6[40] == 136)'   # NS and NA (neighbor solicitation / advertisement)
tcpdump -nni any icmp6 and '(ip6[40] == 133 or ip6[40] == 134)'   # RS and RA (router solicitation / advertisement)
</code>
''ip6[40]'' is the first byte after the fixed 40-byte IPv6 header, i.e. the ICMPv6 type field, so these filters only match when no IPv6 extension header sits between the base header and ICMPv6.

FOR RUNTIME STATISTICS:\\
<code bash>
tshark -i any -n -q -z 'io,stat,0,FRAMES()tcp.port==389,FRAMES()tcp.port==88,FRAMES()udp.port==53'
</code>

----
**LIBPCAP RELATED UTILITIES** \\
<code bash>
tcprewrite -C --dlt=enet --enet-smac=3a:85:a1:b3:c3:84 --enet-dmac=c2:54:cb:f2:ee:c8 -i sflow_2022_new.pcap -o rwsflow_2022_new.pcap   # needed when the pcap we received is Linux cooked capture (it often misses the dst MAC address, so we add a dummy one)
tcprewrite -C --dstipmap=192.168.97.255/32:10.100.10.142/32 -i rwsflow_2022_new.pcap -o rwrwsflow_2022_new.pcap
tcpreplay -i eth0 --loop 0 xxx.pcap
</code>
[[https://gist.github.com/niranjan-nagaraju/4532037]]
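The flag greps from the file examples (''[S.]''/''[R.]''/''[F.]'', ''[P.]'') and the FIX formatting pipeline can both be checked offline against a canned capture. The block below is an added example, not part of the original notes and not code from tcpdump or any FIX tool: ''sample_capture'' holds constructed ''tcpdump -nn -A'' output (documentation addresses, made-up sequence numbers and FIX fields), and the function names are my own. It also covers a case the page's pipeline gets wrong: when a TCP segment carries two FIX messages, the greedy ''sed 's/^.*8=FIX/8=FIX/''' keeps only the last one, so the split is done with awk here.

```shell
#!/bin/sh
# Added example, not part of the original notes. sample_capture is a constructed
# stand-in for "tcpdump -nn -A" output: a header line per packet, then the payload
# with non-printable bytes shown as "." (so "." between FIX tags is the SOH separator).
sample_capture() {
    cat <<'EOF'
IP 192.0.2.10.40000 > 198.51.100.20.9876: Flags [S], seq 100, win 64240, length 0
E..<..@.@.......
IP 198.51.100.20.9876 > 192.0.2.10.40000: Flags [S.], seq 200, ack 101, win 65160, length 0
E..<..@.@.......
IP 192.0.2.10.40000 > 198.51.100.20.9876: Flags [P.], seq 101:170, ack 201, win 502, length 69
E..m..@.@.......8=FIX.4.4.9=55.35=0.49=CLIENT1.56=BROKER.34=2.52=20220101-10:00:00.10=013.
IP 198.51.100.20.9876 > 192.0.2.10.40000: Flags [P.], seq 201:400, ack 170, win 502, length 199
E.....@.@.......8=FIX.4.4.9=90.35=X.49=BROKER.56=CLIENT1.34=5.268=1.279=0.269=0.278=1001.270=101.25.271=500.10=128.8=FIX.4.4.9=90.35=X.49=BROKER.56=CLIENT1.34=6.268=1.279=0.269=1.278=1002.270=101.30.271=300.10=129.
IP 192.0.2.10.40000 > 198.51.100.20.9876: Flags [F.], seq 170, ack 400, win 502, length 0
E..(..@.@.......
IP 198.51.100.20.9876 > 192.0.2.10.40000: Flags [R.], seq 400, ack 171, win 0, length 0
E..(..@.@.......
EOF
}

# Connection setup/teardown: SYN-ACK, RST-ACK and FIN-ACK segments. Same idea as the
# page's grep --color '\[S\.\]\|\[R\.\]\|\[F\.\]', written with grep -E (portable
# alternation) and without --color because the output is piped on. A bare [S] is
# not matched, exactly as with the page's pattern.
connection_events() {
    sample_capture | grep -E 'Flags \[(S|R|F)\.\]'
}

# Pushed segments only (P plus piggybacked ACK): the page's grep -w '\[P.\]'.
pushed_segments() {
    sample_capture | grep -w '\[P.\]'
}

# The page's FIX formatting pipeline with one change: awk splits each payload line on
# "8=FIX" and prints every message, where the page's greedy sed 's/^.*8=FIX/8=FIX/'
# would keep only the last message of a segment. The final regex is the page's:
# 269 (entry type), 278 (entry id), 270 (price with decimals), 271 (size), each
# followed by the "." that -A prints for SOH. Heartbeats (35=0) have none of these.
fix_md_entries() {
    sample_capture \
      | grep FIX \
      | awk '{ n = split($0, m, "8=FIX"); for (i = 2; i <= n; i++) print "8=FIX" m[i] }' \
      | grep -E '269=[0-9].278=[0-9]*.270=[0-9]*.[0-9]*.271=[0-9]*.'
}

connection_events
pushed_segments
fix_md_entries
```

On the sample, ''connection_events'' prints the three handshake/teardown lines, ''pushed_segments'' the two data segments, and ''fix_md_entries'' two market-data messages even though both arrived in one segment; the heartbeat is dropped by the regex, not by the ''grep -v 35=0'' trick, which would also hit a value such as ''135=0''.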