tcpdump
View the capture live (line-buffered output, useful when piping to another tool):
-l
View the content of HTTP traffic:
tcpdump -i eth0 -n tcp port 80 -A -s 1500
View the headers in HTTP traffic (only packets carrying a TCP payload):
tcpdump 'tcp port 80 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)' -l -A -s 1024
To display traffic info about DNS:
tcpdump -i eth1 'udp port 53'
To display all IPv4 HTTP packets to and from port 80, i.e. print only packets that contain data, not, for example, SYN and FIN packets and ACK-only packets, enter:
tcpdump 'tcp port 80 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)'
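The filter expression used in the two HTTP commands above computes the TCP payload length by hand from raw header bytes: ip[2:2] is the IPv4 total length, (ip[0]&0xf)<<2 is the IPv4 header length in bytes, and (tcp[12]&0xf0)>>2 is the TCP header length in bytes. The following Python is an added example (not from the original page) that reproduces the same arithmetic over constructed IPv4/TCP packets, including the case where IP options and TCP options are present, so you can see why a SYN or bare ACK gives 0 and a packet carrying a GET does not:

```python
import struct

# Constructed sample packets (not captured from a real network): an IPv4
# header followed by a TCP header, optionally with options and a payload.
# Checksums are left as zero; the offset arithmetic never reads them.

def build_ipv4_tcp(payload: bytes, ip_options: bytes = b"", tcp_options: bytes = b"") -> bytes:
    """Build a minimal IPv4+TCP packet (assumed-for-illustration helper)."""
    assert len(ip_options) % 4 == 0 and len(tcp_options) % 4 == 0
    ihl = 5 + len(ip_options) // 4        # IPv4 header length in 32-bit words
    tcp_hlen = 5 + len(tcp_options) // 4  # TCP data offset in 32-bit words
    total_len = ihl * 4 + tcp_hlen * 4 + len(payload)
    ip_hdr = struct.pack(
        "!BBHHHBBH4s4s",
        (4 << 4) | ihl,  # version 4, IHL
        0,               # TOS
        total_len,       # total length -> ip[2:2]
        0, 0,            # id, flags/fragment offset
        64, 6, 0,        # TTL, protocol (TCP), checksum (unset)
        bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]),
    ) + ip_options
    tcp_hdr = struct.pack(
        "!HHIIBBHHH",
        40000, 80,       # source port, destination port 80
        1, 1,            # seq, ack
        tcp_hlen << 4,   # data offset in the high nibble -> tcp[12]
        0x18,            # flags PSH|ACK
        65535, 0, 0,     # window, checksum (unset), urgent pointer
    ) + tcp_options
    return ip_hdr + tcp_hdr + payload


def tcp_payload_len(pkt: bytes) -> int:
    """Mirror of (ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2):
    IPv4 total length minus IPv4 header length minus TCP header length."""
    ip_total = int.from_bytes(pkt[2:4], "big")  # ip[2:2]
    ip_hlen = (pkt[0] & 0x0F) << 2              # (ip[0]&0xf)<<2
    tcp = pkt[ip_hlen:]                         # tcp[...] offsets start here
    tcp_hlen = (tcp[12] & 0xF0) >> 2            # (tcp[12]&0xf0)>>2
    return ip_total - ip_hlen - tcp_hlen


def has_data(pkt: bytes) -> bool:
    """True exactly when the filter's '!= 0' clause would match the packet."""
    return tcp_payload_len(pkt) != 0


if __name__ == "__main__":
    ack_only = build_ipv4_tcp(b"")
    get_req = build_ipv4_tcp(b"GET / HTTP/1.1\r\n\r\n")
    with_opts = build_ipv4_tcp(b"hello",
                               ip_options=b"\x01" * 4,   # 4 bytes of NOP options
                               tcp_options=b"\x01" * 8)  # 8 bytes of NOP options
    for name, pkt in (("ack-only", ack_only), ("GET", get_req), ("with options", with_opts)):
        print(f"{name}: payload={tcp_payload_len(pkt)} matches={has_data(pkt)}")
```

The point of doing the subtraction instead of just testing the PSH flag is that header lengths vary per packet (options on either layer), and the filter stays correct because it reads the length fields rather than assuming 20-byte headers.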
To display all FTP sessions to 202.54.1.5, enter:
tcpdump -i eth1 'dst 202.54.1.5 and (port 21 or 20)'
To display all HTTP sessions to 192.168.1.5:
tcpdump -ni eth0 'dst 192.168.1.5 and tcp and port http'
To capture to a file (the file is binary pcap whatever its name; use wireshark to display the captured traffic):
tcpdump -n -i eth1 -s 0 -w output.txt src or dst port 80
To use tcpdump to capture and display MySQL traffic:
tcpdump -c 1000000 -s 1000 -A -n -p port 3306 | grep SELECT | sed 's/\/\*.*\*\///g' | sed 's/.*\(SELECT.*\)/\1/gI' | sort | uniq -c | sort -r -n -k 1,1 | head -5
Log all queries (reassembles statements that strings splits across lines, then prints each one):
tcpdump -s 0 -l -w - dst port 3306 | strings | perl -e '
while (<>) {
    chomp;
    next if /^[^ ]+[ ]*$/;   # skip single-token lines (binary noise from strings)
    if (/^(SELECT|UPDATE|DELETE|INSERT|SET|COMMIT|ROLLBACK|CREATE|DROP|ALTER)/i) {
        # a new statement starts: flush the one collected so far
        if (defined $q) { print "$q\n"; }
        $q = $_;
    } else {
        # continuation line: strip leading whitespace and append to the current statement
        $_ =~ s/^[ \t]+//;
        $q .= " $_" if defined $q;
    }
}
print "$q\n" if defined $q;   # flush the last statement at end of input'
linux/red/tcpdump.txt · Last modified: 2020/08/20 13:48 by grillo