tcpdump -i external host 10.66.45.161 or 10.66.45.

162 -w /var/tmp/20151222_1-
external.pcap
[admin@da-fsvp-blb01:Active:In Sync] ~ # tcpdump -s0 -i internal-dmz2 host
66.111.152.73 and host 10.229.184.130 or host 10.229.184.139

tcpdump -i internal host 10.56.3.12

tcpdump -i 1.2 -nn -nn to show the actual port no/IP instead of name

tcpdump -i 0.0 -w /var/tmp/NEW-TCPDMP.pcap <---to capture traffic on all

interfaces and write the file on folder specified at location given in the command

--the above command will capture only first 96 bytes of the packet but our payload
is big and may not capture this way
so to include the full payload use command :

tcpdump -i 0.0 -w /var/tmp/NEW-TCPDMP.pcap -s0

and then scp the file to your desktop via below command :s

scp -P 222 BIGIP-11.2.0.2446.0.iso rahul.kumar@216.83.186.57:/home/rahul.kumar

to see arp packets only with full packet size

tcpdump -i 0.0 -s0 arp -nn (-n = dont resolve hostname ,, -nn = don't resolve
hostname or port names)

--if snat is there and you want to capture for client address on all
vlans/interfaces

tcpdump -i 0.0:p host 192.1681.101 -nn -p = peer side of the connection

--To exclude anything from TCPDUMP command is:

tcpdump -i 0.0:p host 192.168.1.92 -c 50 and not tcp port 443 ---c is no of
packets here

tcpdump -vnni 0.0 -s0 -w /var/tmp/F5SR1-3282662452_00.cap tcp port 179 -c 1000

for more info : http://packetlife.net/media/library/12/tcpdump.pdf

https://danielmiessler.com/study/tcpdump/
http://www.informit.com/articles/article.aspx?p=170902&seqNum=4

tcpdump -i eth1c0 -s0 "host 199.169.208.244" - Outside capture

tcpdump -i eth2c0 -s0 "host 199.169.208.244" - Inside capture

outside Checkpoint capture: tcpdump -i eth1c0 -s0 -w outside.pcap "net

199.169.208.240/28 || net 199.169.240.240/28" outside.pcap
inside Checkpoint capture: tcpdump -i eth2c0 -s0 -w inside.pcap "host 172.28.8.10
&& net 199.169.208.240/28 || net 199.169.240.240/28 && host 172.28.8.10"
inside.pcap
[root@msgrogib11:Active:Changes Pending] config # tcpdump -i 2.1 -nn port 8080 |
grep 88.149.202.139 <----with Port

If you have network then : use this :

[root@msgrogib11:Active:Changes Pending] config # tcpdump -i 2.1 -nn '(net

88.149.202)'<---where 88.149.202 is the network part of subnet 88.149.202.x

Find all SYN packets

tcpdump 'tcp[13] & 2 != 0'

Find all RST packets

tcpdump 'tcp[13] & 4 != 0'

Find all ACK packets

tcpdump 'tcp[13] & 16 != 0'

Reason :

U A P R S F

�that corresponds to:

# tcpdump src port 1025 and tcp

# tcpdump udp and src port 53

32 16 8 4 2 1

tcpdump -i eth4c7 -nn -vv -s0 "vlan 108 and host 10.11.108.10 and host
10.11.118.14" <--Always use Vlan in tcpdump if it's there on CP/F5
tcpdump -nn -vv -s0 -i eth-s4p2c0 host 10.232.173.20 and host 10.192.144.129 and
tcp port 9443

tcpdump -ni 0.0 -w /var/tmp/INC1376761.pcap <--to write file to a specific

directory and then use SCP to transfer it to PHLNN7

[root@bigip10:Active:Standalone] config # tcpdump -ni external -X -s0 -c 50 host

10.10.10.30 and host 10.10.10.100 and port 80 (-X (capital) to see output in hex
format)

/home/admin