
tcpdump

sniff packets in your terminal

Usually, you’ll run tcpdump like this:

tcpdump -t -n -i any port 53 → this shows packets sent to and from port 53.

TODO colored output

useful options

-A view packet contents
-c 3 limits the number of packets captured (here, to 3)
-i eth0 specifies the interface
-n displays IP addresses instead of resolving them to hostnames
-p does not put the interface into promiscuous mode, so packets not addressed to your computer are omitted
-v be verbose
-w file.pcap saves output to a file for later

Time

-ttt prints the time elapsed since the previous packet (the first line reads 0)
-t omits timestamps

Layer 2

-e prints the link-level header (MAC addresses, ethertype & frame length) on each line

TCP

-S prints absolute TCP sequence numbers instead of relative ones (which start from the first packet of the connection and then show offsets)

BPF filters

You can filter packets with BPF like this:

  • port 53 matches source or destination port 53, TCP or UDP
  • host 1.2.3.4 matches source or destination IP 1.2.3.4
  • host 8.8.8.8 and port 53 matches DNS queries and replies to and from 8.8.8.8
    • NOTE: the keyword is needed; a bare "and 53" is read with the most recent keyword, i.e. as "host 53" (see pcap-filter(7))
  • src port 22 and dst host 100.64.64.64 matches SSH packets from a server's port 22 to 100.64.64.64 (one direction only; port 22 and host 100.64.64.64 matches both directions)
  • 'gateway 10.10.10.1 and (port ftp or ftp-data)' FTP traffic through internet gateway
    • NOTE: the quotes keep the shell from interpreting the parentheses
    • NOTE: gateway takes a host name that resolves to both an IP and an Ethernet address (pcap-filter(7)), not an IP literal
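The filters above can be checked without root or a live interface with this added Python example (my code, not the wiki's or tcpdump's): a small evaluator for the host/port/src/dst primitives, including pcap's rule that a bare value reuses the previous keyword, run over constructed packet summaries (the addresses and the client/server roles are assumed).

```python
import re

def bpf_match(expr, pkt):
    """True if the pcap-filter subset `expr` matches `pkt` (a dict with keys
    src, dst, sport, dport). Supports host/port with optional src/dst
    qualifiers, and/or, and pcap's rule that a bare value reuses the most
    recent keyword ("port 53 or 80"). No parentheses, not, or service names."""
    last = [None, None]  # (direction, kind) of the previous primitive

    def primitive(toks):
        direction = toks.pop(0) if toks[0] in ("src", "dst") else None
        if toks[0] in ("host", "port"):
            last[:] = [direction, toks.pop(0)]
        elif last[1] is None:
            raise ValueError(f"bare value with no previous keyword: {toks[0]!r}")
        elif direction is None:
            direction = last[0]  # a bare value inherits the previous src/dst too
        if len(toks) != 1:
            raise ValueError(f"malformed primitive: {toks!r}")
        value = toks[0]
        if last[1] == "port":
            value, ends = int(value), {"src": pkt["sport"], "dst": pkt["dport"]}
        else:
            ends = {"src": pkt["src"], "dst": pkt["dst"]}
        return ends[direction] == value if direction else value in ends.values()

    # "and" binds tighter than "or". Short-circuiting is safe: a skipped
    # primitive could only matter if it were reached, and `last` is per call.
    return any(all(primitive(p.split()) for p in re.split(r"\s+and\s+", group))
               for group in re.split(r"\s+or\s+", expr.strip()))

# Constructed packet summaries (not real captures) for the filters on this page:
# a DNS exchange with 8.8.8.8 and an SSH session from client 100.64.64.64.
PACKETS = {
    "dns query": dict(src="10.0.0.5", dst="8.8.8.8", sport=51234, dport=53),
    "dns reply": dict(src="8.8.8.8", dst="10.0.0.5", sport=53, dport=51234),
    "ssh to server": dict(src="100.64.64.64", dst="10.0.0.9", sport=40000, dport=22),
    "ssh from server": dict(src="10.0.0.9", dst="100.64.64.64", sport=22, dport=40000),
}

def hits(expr):
    """Names of the constructed packets that `expr` selects, in capture order."""
    return [name for name, p in PACKETS.items() if bpf_match(expr, p)]

if __name__ == "__main__":
    for f in ("host 8.8.8.8 and port 53", "host 8.8.8.8 and 53", "port 53 or 22",
              "src port 22 and dst host 100.64.64.64", "port 22 and host 100.64.64.64"):
        print(f"{f:40} -> {hits(f)}")  # "and 53" becomes "host 53": no hits
```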