# tcpdump

sniff packets in your terminal

Usually, you'll run tcpdump like this:

`tcpdump -t -n -i any port 53` -> this shows packets sent to and from port 53.

TODO colored output

# useful options

* `-A` view packet contents
* `-c 3` stop after capturing 3 packets
* `-i eth0` specifies the interface
* `-n` displays IP addresses in place of hostnames
* `-p` omits packets not addressed to your computer (does not put the interface in promiscuous mode)
* `-v` be verbose
* `-w file.pcap` saves output to a file for later

## Time

* `-ttt` shows the time elapsed since the previous packet (first packet at 0)
* `-t` omits timestamps

## Layer 2

* `-e` includes ethernet info (MAC & plen) when relevant

## TCP

* `-S` always output original sequence numbers (instead of at conversation start, then offsets)

# BPF filters

You can filter packets with BPF like this:

* `port 53` matches source port or dest port 53, TCP or UDP
* `host 1.2.3.4` matches source or dest IP 1.2.3.4
* `host 8.8.8.8 and port 53` matches DNS queries and replies to and from 8.8.8.8
* `src port 22 and dst host 100.64.64.64` matches SSH packets from port 22 sent to 100.64.64.64
* `'gateway 10.10.10.1 and (port ftp or ftp-data)'` FTP traffic through internet gateway
  - **NOTE:** quotes escape parentheses from shell
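As an added example (not part of the original cheat sheet), here is a small Python script that post-processes the text output of the `tcpdump -t -n -i any port 53` command above: it parses the DNS query lines, counts queries per source host and flags sources issuing repeated long-label TXT queries, an indicator worth triaging for DNS tunnelling. The sample lines, the `t.example.` domain and the thresholds are constructed.

```python
import re
from collections import Counter, defaultdict

# Constructed sample in the shape `tcpdump -t -n -i any port 53` prints (-t drops
# timestamps, -n keeps numeric addresses and ports). Not captured from a real network.
SAMPLE = """\
IP 192.168.1.10.53412 > 8.8.8.8.53: 12345+ A? example.com. (29)
IP 8.8.8.8.53 > 192.168.1.10.53412: 12345 1/0/0 A 93.184.216.34 (45)
IP 192.168.1.10.53413 > 8.8.8.8.53: 12346+ AAAA? example.com. (29)
IP 8.8.8.8.53 > 192.168.1.10.53413: 12346 0/1/0 (88)
IP 192.168.1.23.40001 > 8.8.8.8.53: 1+ TXT? aGVsbG8gd29ybGQ.t.example. (43)
IP 192.168.1.23.40002 > 8.8.8.8.53: 2+ TXT? Zm9vYmFyYmF6cXV4.t.example. (44)
IP 192.168.1.23.40003 > 8.8.8.8.53: 3+ TXT? bG9yZW1pcHN1bQ.t.example. (42)
IP 192.168.1.10.53414 > 8.8.8.8.53: 12347+ A? github.com. (28)
"""

# A query line: "IP <src>.<sport> > <dst>.53: <id>+ <qtype>? <name>. (<len>)".
# Replies have no "?" after the type, so they do not match. Recent tcpdump
# prefixes `-i any` lines with "<ifname> In|Out", which the optional group absorbs.
QUERY_RE = re.compile(
    r"^(?:\S+\s+(?:In|Out)\s+)?IP (?P<src>\d+(?:\.\d+){3})\.\d+ > "
    r"(?P<dst>\d+(?:\.\d+){3})\.53: \d+\+\S* (?P<qtype>[A-Z0-9]+)\? (?P<name>\S+) \(\d+\)$"
)


def parse_queries(text):
    """Return one dict (src, dst, qtype, name) per DNS query line; replies are skipped."""
    return [m.groupdict() for m in map(QUERY_RE.match, text.splitlines()) if m]


def queries_per_source(queries):
    """Count queries by source IP (kept numeric by -n)."""
    return Counter(q["src"] for q in queries)


def flag_tunnel_candidates(queries, min_txt=3, min_label=12):
    """Sources that sent >= min_txt TXT queries whose first label is long and
    different each time: a common DNS-tunnelling pattern worth a closer look."""
    labels_by_src = defaultdict(set)
    for q in queries:
        label = q["name"].split(".")[0]
        if q["qtype"] == "TXT" and len(label) >= min_label:
            labels_by_src[q["src"]].add(label)
    return sorted(src for src, labels in labels_by_src.items() if len(labels) >= min_txt)


if __name__ == "__main__":
    qs = parse_queries(SAMPLE)
    print(queries_per_source(qs))
    print("tunnel candidates:", flag_tunnel_candidates(qs))
```

To run it on live output, pipe `tcpdump -t -n -l -i any port 53` into the script's stdin instead of using `SAMPLE` (`-l` line-buffers the output so the pipe sees each line as it is printed).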