
Tcpdump DHCP and SIP


Get Version

tcpdump --version
tcpdump version 4.99.0
libpcap version 1.10.0 (with TPACKET_V3)
OpenSSL 1.1.1j  16 Feb 2021

Get Interfaces

tcpdump -D
  • then select an interface with -i <iface>, or capture on all of them with -i any
  • -v, -vv and -vvv are three increasing levels of verbosity
  • -w filename writes the raw packets to a file; add --print (tcpdump 4.99 and later) to also decode them on the terminal while saving
  • -A prints each packet's payload as ASCII
  • -c N stops after N packets
  • -s N sets the snaplen, the number of bytes captured per frame (0 selects the default of 262144 bytes, which is enough to get whole packets on ordinary links)

SnapLen, snap length or snapshot length is the number of bytes of each frame that the capture tool actually records and stores in the capture file; the rest of the frame is discarded, which is sometimes called packet slicing. A record still keeps the original frame length, but if the snaplen is shorter than the headers tcpdump (and Wireshark) cannot decode the truncated part, so choose it large enough for the protocol you are after.

filters

  • net 192.168.1.0/24 traffic to or from any host in the network
  • host 192.168.1.1 traffic to or from one host
  • src 192.168.1.1 only packets from that host
  • dst 192.168.1.1 only packets to that host
  • port 80 source or destination port 80 (TCP, UDP or SCTP unless you add a protocol qualifier such as tcp port 80)
  • portrange 80-104 any source or destination port in the range

You can combine primitives with and, or and not (not negates a primitive). Note the precedence rules of pcap-filter: not binds tightest, while and and or have equal precedence and are evaluated left to right, so use parentheses when mixing them, and quote the whole expression so the shell does not interpret the parentheses. Put the options before the filter expression: everything after the first non-option argument is taken as part of the expression.

# example.
# -i iface, options (verbose, save to file and also print decoded packets), then <proto> <filters>
tcpdump -i eth0 -vv -w save.pcap --print 'tcp port 80'

DHCP


tcpdump -i ens19 -vvv -s 1500 'udp and (port 67 or port 68)'
With -vvv tcpdump decodes the BOOTP fields and the DHCP options (message type, client identifier, requested address, lease time), which is what you usually want when debugging a client that never gets an address.

SIP + RTP

  • SIP signalling: UDP port 5060 (5080 is shown as a second, non-standard signalling port)
  • RTP media: whatever port range the PBX is configured to use, here 9000-14000
# SIP SIGNALING
# note: 'udp port 5060 or port 5080' would also match TCP traffic on 5080, because the
# udp qualifier only applies to the first primitive; group the ports instead
tcpdump -i ens19 'udp and (port 5060 or port 5080)'
# SIP SIGNALING + RTP + SAVE (options first, then the expression)
tcpdump -i any -s 0 -w filename.cap \
    'udp and (port 5060 or portrange 9000-14000)'
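To check these filters without root or a live interface, here is an added example that is not part of the original page: it constructs a handful of sample packets (a DHCPDISCOVER, a SIP INVITE, an RTP packet, an unrelated TCP/5080 connection and an HTTP request), writes them to a pcap file with a chosen snaplen exactly as -s N would slice them, reads the file back with a minimal Ethernet/IPv4 decoder, and evaluates the page's filter expressions with a small evaluator that follows libpcap's precedence rules (not tightest, and/or equal and left to right). Everything in it is assumed: the packet contents, the scratch file tcpdump_demo.pcap in the temp directory, and the function names; only the Python standard library is used.

```python
import ipaddress, os, socket, struct, tempfile

ETH_HDR, PCAP_MAGIC = 14, 0xA1B2C3D4  # Ethernet II header length; little-endian, microsecond pcap magic

def frame(proto, src, dst, sport, dport, payload):
    """Ethernet II + IPv4 + UDP/TCP frame; checksums left 0 (tcpdump -vv would merely flag them)."""
    if proto == "udp":
        l4, ipn = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload, 17
    else:  # bare 20-byte TCP header: data offset 5, flags PSH|ACK, window 65535
        l4, ipn = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 0x50, 0x18, 65535, 0, 0) + payload, 6
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 1, 0, 64, ipn, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    return b"\xff" * 6 + b"\x02\x00\x00\x00\x00\x01" + b"\x08\x00" + ip + l4

def write_pcap(path, frames, snaplen):
    """pcap writer (linktype 1 = Ethernet): like tcpdump -s N, incl_len is capped at snaplen, orig_len is real."""
    with open(path, "wb") as f:
        f.write(struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, snaplen, 1))
        for i, data in enumerate(frames):
            f.write(struct.pack("<IIII", 1700000000 + i, 0, len(data[:snaplen]), len(data)) + data[:snaplen])

def read_pcap(path):
    """Yield (orig_len, captured_bytes) per record of a little-endian pcap file."""
    with open(path, "rb") as f:
        f.read(24)  # global header; assumed to be the little-endian layout write_pcap produces
        while len(rec := f.read(16)) == 16:
            _, _, incl, orig = struct.unpack("<IIII", rec)
            yield orig, f.read(incl)

def decode(data):
    """Minimal Ethernet/IPv4/UDP|TCP decoder; None when the captured bytes end before the L4 ports."""
    if len(data) < ETH_HDR + 20 or data[12:14] != b"\x08\x00":
        return None
    l4, proto = ETH_HDR + (data[ETH_HDR] & 0x0F) * 4, data[ETH_HDR + 9]
    if proto not in (6, 17) or len(data) < l4 + 4:
        return None
    return {"proto": {6: "tcp", 17: "udp"}[proto], "ports": struct.unpack("!HH", data[l4:l4 + 4]),
            "src": socket.inet_ntoa(data[ETH_HDR + 12:ETH_HDR + 16]),
            "dst": socket.inet_ntoa(data[ETH_HDR + 16:ETH_HDR + 20])}

def bpf_match(expr, p):
    """Evaluate a pcap-filter(7) subset (tcp/udp, host, src, dst, net, port, portrange, parentheses,
    not/and/or) on a decoded packet. As in libpcap: not binds tightest; and/or share ONE level, left to right."""
    toks, pos = expr.replace("(", " ( ").replace(")", " ) ").split(), 0
    hosts = (p["src"], p["dst"])
    tests = {"host": lambda a: a in hosts, "src": lambda a: a == p["src"], "dst": lambda a: a == p["dst"],
             "net": lambda a: any(ipaddress.ip_address(h) in ipaddress.ip_network(a) for h in hosts),
             "port": lambda a: int(a) in p["ports"],
             "portrange": lambda a: any(int(a.split("-")[0]) <= x <= int(a.split("-")[1]) for x in p["ports"])}

    def primitive():
        nonlocal pos
        proto = None
        if toks[pos] in ("tcp", "udp"):
            proto, pos = toks[pos], pos + 1
            if pos == len(toks) or toks[pos] in ("and", "or", ")"):
                return p["proto"] == proto  # bare "udp" / "tcp" primitive
        kind, arg, pos = toks[pos], toks[pos + 1], pos + 2
        return tests[kind](arg) and (proto is None or p["proto"] == proto)

    def factor():
        nonlocal pos
        if toks[pos] == "not":
            pos += 1
            return not factor()
        if toks[pos] == "(":
            pos += 1
            val = expression()
            pos += 1  # consume ")"
            return val
        return primitive()

    def expression():
        nonlocal pos
        val = factor()
        while pos < len(toks) and toks[pos] in ("and", "or"):
            op, pos = toks[pos], pos + 1
            rhs = factor()  # evaluated eagerly (libpcap short-circuits); same result for a demo
            val = (val and rhs) if op == "and" else (val or rhs)
        return val

    return expression()

SAMPLE = [  # constructed sample traffic, not a real capture: (proto, src, dst, sport, dport, payload)
    ("udp", "0.0.0.0", "255.255.255.255", 68, 67,  # DHCPDISCOVER: BOOTP header, magic cookie, option 53 = 1
     b"\x01\x01\x06\x00" + b"\x00" * 236 + b"\x63\x82\x53\x63\x35\x01\x01\xff"),
    ("udp", "192.168.1.10", "192.168.1.20", 5060, 5060, b"INVITE sip:bob@192.168.1.20 SIP/2.0\r\n\r\n"),
    ("udp", "192.168.1.10", "192.168.1.20", 10000, 12000, b"\x80\x00" + b"\x00" * 10),  # RTP v2 header
    ("tcp", "10.0.0.5", "192.168.1.20", 40000, 5080, b"not SIP, just something on TCP/5080"),
    ("tcp", "192.168.1.10", "93.184.216.34", 50000, 80, b"GET / HTTP/1.1\r\n\r\n"),
]
PCAP_PATH = os.path.join(tempfile.gettempdir(), "tcpdump_demo.pcap")  # hypothetical scratch file

def filter_capture(expr, snaplen=262144):
    """Write SAMPLE with the given snaplen, read it back and return (index, incl_len, orig_len) for each
    record that still decodes and matches expr: what `tcpdump -s N -r file 'expr'` would list."""
    snaplen = snaplen or 262144  # tcpdump treats -s 0 as its 262144-byte default
    write_pcap(PCAP_PATH, [frame(*s) for s in SAMPLE], snaplen)
    return [(i, len(data), orig) for i, (orig, data) in enumerate(read_pcap(PCAP_PATH))
            if (pkt := decode(data)) is not None and bpf_match(expr, pkt)]
```

filter_capture("udp port 5060 or port 5080") returns the SIP packet and the unrelated TCP/5080 one, while filter_capture("udp and (port 5060 or port 5080)") returns only the SIP packet, which is the trap in the signalling filter above. filter_capture("port 67 or port 68", snaplen=36) returns nothing because the 36 captured bytes end before the UDP ports, whereas snaplen=100 still lists the DHCP record as (0, 100, 290): sliced, but decodable. The generated file is a normal pcap, so you can run tcpdump -nr on it with the same expressions to compare against the real evaluator.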

Now open the saved file in Wireshark, which reassembles the SIP dialogs and RTP streams for you (Telephony menu: VoIP Calls and RTP Streams).