"tshark" is a wireshark cli utility available on multiple systems. This example is taken from a Mac cli terminal.
tshark -o tcp.relative_sequence_numbers:FALSE -V -r nat66-take2.pcap | less
Frame 1: 94 bytes on wire (752 bits), 94 bytes captured (752 bits)
Encapsulation type: Ethernet (1)
Arrival Time: May 17, 2016 13:45:23.955177000 CEST
[Time shift for this packet: 0.000000000 seconds]
Epoch Time: 1463485523.955177000 seconds
[Time delta from previous captured ...

To troubleshoot network protocols or network filters (firewalls and Intrussion Detection Systems) sometimes it is required to look at the packets hex dump either live or at a packet capture taken while the investigated issue was happening. tcpdump -xx can be used to print packet hex data and layer 2 header information (when debugging ethernet mac address).

This article explains how to use tcpdump on a libcap formatted capture file to filter a specific ip id (not that I would like to go into how can a packet ID be predicted on an interface :) ).
Many network security engineers ave to deal with situations when a firewall, IPS system, proxy or even a router/switch drops a specific file (reasons are unnumbered) and when ...

The internet is a mix of protocols or suite of protocols at multiple OSI layers that carry information from one host to the another (or others). Some of these protocols are encrypted before being sent out and others are sent in clear text - anyone with access to the wire can parse and read them in clear text. Some of these are the very well known HTTP, FTP, DNS and SMTP (web, file transfer, domain ...

The manual for tcpdump shows how to use tcpdump expressions and primitives to build traffic capturing filters based on protocol field values, like specific icmp type and specific icmp code and specific source host.

Tcpdump also offers a way to filter packets with specified value in a specific protocol byte number, ie: we know icmp header first byte (0) is icmp type and second byte (1) is the icmp code so tcpdump allows to either ...

tcpdump: How to capture frames with specific source destination mac address

Tcpdump is a tool we all use and love, we use it in our daily life and, contrary to it's name, it can filter based on layer 2, layer 3 and layer4 headers. It can filter on protocols other than tcp.


Below is how tcpdump filters frames based on their source ethernet (mac) address:


Below is ...

How to capture only ICMP Destination unreachable - Fragmentation required and DF bit set in tcpdump.

Man tcpdump quote:
Quote:



As shows on ICMP wiki page http://en.wikipedia.org/wiki/Internet_C ... e_Protocol, ICMP Destination unreachable is ...

How to capture only ping echo replies with tcpdump.

Man tcpdump quote:


As shows on ICMP wiki page http://en.wikipedia.org/wiki/Internet_Control_Message_Protocol, ICMP echo replies are ICMP type 0 ( ICMP code is not important as there is only one ...

How to capture only ping echo requests with tcpdump.
More detail article: Tcpdump icmp practical examples filtering on icmp type field and icmp code field.
Man tcpdump quote:

List interfaces that tcpdump can listen on

# ...

Tcpdump filtering based on DSCP field in IP header.

DSCP stands for "DIfferentiated Services Code Point" and it refers to second byte in IP header (TOS - Type Of Service ip), specifically to first 6 bits in this byte (last 2 are ECN).

By looking at the DSCP code point table (http://www.juniper.net/techpubs/software/junos-security/junos-security10.2/junos-security-swconfig-class-of-service/default-cos-section.html), let's say we want to capture only those packets with "ef" (expedited forwarding) forwarding class.





So the first 6 bits ...