# tcpdump

Watch the capture live (line-buffered output; needed when piping tcpdump into `grep`, `less` or another tool, otherwise nothing appears until the block buffer fills):

```
tcpdump -l
```

Show the content of HTTP traffic (payload printed as ASCII, snapshot length 1500 bytes so whole Ethernet-sized frames are kept):

```
tcpdump -i eth0 -n -A -s 1500 tcp port 80
```

Show HTTP headers, i.e. only port-80 TCP segments that actually carry payload. The arithmetic takes the IPv4 total length (`ip[2:2]`), subtracts the IPv4 header length (`(ip[0]&0xf)<<2`, IHL in 32-bit words) and the TCP header length (`(tcp[12]&0xf0)>>2`, data offset in 32-bit words), and keeps the packet only if something is left over:

```
tcpdump -l -A -s 1024 'tcp port 80 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)'
```

To display DNS traffic:

```
tcpdump -i eth1 'udp port 53'
```

Zone transfers and large responses use TCP port 53; use `port 53` instead of `udp port 53` to see both transports.

To display all IPv4 HTTP packets to and from port 80 that contain data, excluding SYN and FIN packets and ACK-only segments (same header arithmetic as above, without the output options):

```
tcpdump 'tcp port 80 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)'
```

To display all FTP sessions to 202.54.1.5 (control channel on 21, active-mode data channel on 20):

```
tcpdump -i eth1 'dst 202.54.1.5 and (port 21 or 20)'
```

Passive-mode FTP opens its data connection on an ephemeral port negotiated over the control channel, so this filter only shows the commands for such sessions, not the transferred data.

To display all HTTP sessions to 192.168.1.5:

```
tcpdump -ni eth0 'dst 192.168.1.5 and tcp and port http'
```

To capture to a file and open it later in Wireshark (`-w` writes binary pcap, not text, so give the file a `.pcap` extension; `-s 0` keeps full packets):

```
tcpdump -n -i eth1 -s 0 -w output.pcap 'src or dst port 80'
```

To use tcpdump to capture and display the five most frequent MySQL SELECT statements (strips `/* ... */` comments, normalises each line to start at `SELECT`, then counts; the `I` flag of `sed` is a GNU extension):

```
tcpdump -c 1000000 -s 1000 -A -n -p port 3306 \
  | grep SELECT \
  | sed 's/\/\*.*\*\///g' \
  | sed 's/.*\(SELECT.*\)/\1/gI' \
  | sort | uniq -c | sort -r -n -k 1,1 | head -5
```

This only works for plaintext MySQL sessions; connections using TLS or the compressed protocol show no readable statements. `-p` disables promiscuous mode, so only traffic to or from this host is seen.

Log all queries (raw pcap is streamed to `strings`; the Perl filter joins continuation lines onto the statement they belong to and prints each statement once the next one starts):

```
tcpdump -s 0 -l -w - dst port 3306 | strings | perl -e '
while (<>) {
    chomp;
    next if /^[^ ]+[ ]*$/;            # skip lines that are a single token (noise from strings)
    if (/^(SELECT|UPDATE|DELETE|INSERT|SET|COMMIT|ROLLBACK|CREATE|DROP|ALTER)/i) {
        print "$q\n" if defined $q;   # a new statement starts: flush the previous one
        $q = $_;
    } else {
        s/^[ \t]+//;                  # continuation line: strip leading whitespace
        $q .= " $_";
    }
}
print "$q\n" if defined $q;           # flush the last statement when the capture ends
'
```
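To see exactly what the header-arithmetic filter above tests, here is an added Python example (not part of the original notes) that builds a few constructed IPv4/TCP packets and evaluates the same `ip[2:2] - ((ip[0]&0xf)<<2) - ((tcp[12]&0xf0)>>2)` expression in pure Python, so the filter can be checked without a live interface. The helper names (`build_ipv4_tcp`, `tcp_payload_len`, `carries_payload`), the addresses and the sample packets are all made up for this illustration.

```python
"""Evaluate tcpdump's "TCP segment carries payload" filter offline.

The BPF expression

    ip[2:2] - ((ip[0]&0xf)<<2) - ((tcp[12]&0xf0)>>2) != 0

is: IPv4 total length, minus the IPv4 header length (IHL * 4), minus the
TCP header length (data offset * 4), is non-zero. The packets below are
constructed for this example; they are not captured traffic.
"""
import struct

SYN, ACK, PSH = 0x02, 0x10, 0x08


def build_ipv4_tcp(payload: bytes, flags: int,
                   ip_options: bytes = b"", tcp_options: bytes = b"") -> bytes:
    """Return a minimal IPv4+TCP packet (checksums left at zero; tcpdump's
    filter never looks at them). Option blocks must be 4-byte aligned."""
    if len(ip_options) % 4 or len(tcp_options) % 4:
        raise ValueError("options must be padded to a multiple of 4 bytes")
    ihl = 5 + len(ip_options) // 4          # IPv4 header length in 32-bit words
    doff = 5 + len(tcp_options) // 4        # TCP data offset in 32-bit words
    total_len = ihl * 4 + doff * 4 + len(payload)
    ip_hdr = struct.pack("!BBHHHBBH4s4s",
                         (4 << 4) | ihl,    # version 4 in the high nibble, IHL in the low one
                         0,                 # DSCP/ECN
                         total_len,         # ip[2:2]
                         0, 0,              # identification, flags/fragment offset
                         64, 6,             # TTL, protocol = TCP
                         0,                 # header checksum (not computed)
                         bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2])) + ip_options
    tcp_hdr = struct.pack("!HHIIBBHHH",
                          40000, 80,        # source port, destination port
                          1, 0,             # sequence, acknowledgement numbers
                          doff << 4,        # tcp[12]: data offset in the high nibble
                          flags, 65535, 0, 0) + tcp_options
    return ip_hdr + tcp_hdr + payload


def tcp_payload_len(pkt: bytes) -> int:
    """The filter's arithmetic, indexed the way tcpdump indexes it."""
    ip_total = struct.unpack("!H", pkt[2:4])[0]   # ip[2:2]
    ip_hlen = (pkt[0] & 0x0F) << 2                # (ip[0]&0xf)<<2
    tcp = pkt[ip_hlen:]                           # tcp[...] offsets are relative to here
    tcp_hlen = (tcp[12] & 0xF0) >> 2              # (tcp[12]&0xf0)>>2
    return ip_total - ip_hlen - tcp_hlen


def carries_payload(pkt: bytes) -> bool:
    """True when the tcpdump expression '... != 0' would match the packet."""
    return tcp_payload_len(pkt) != 0


# Constructed samples covering the cases the filter is meant to separate.
SAMPLES = {
    "syn": build_ipv4_tcp(b"", SYN, tcp_options=b"\x02\x04\x05\xb4"),   # SYN with an MSS option
    "ack_only": build_ipv4_tcp(b"", ACK),
    "ack_with_ip_options": build_ipv4_tcp(b"", ACK, ip_options=b"\x01\x01\x01\x01"),  # NOP padding
    "http_request": build_ipv4_tcp(b"GET / HTTP/1.1\r\nHost: example\r\n\r\n", PSH | ACK),
}

if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        print(f"{name:22s} payload={tcp_payload_len(pkt):3d} matches={carries_payload(pkt)}")
```

Running the script shows that the handshake and bare-ACK packets evaluate to 0 and are dropped by the filter, whether or not they carry IP or TCP options, while the HTTP request evaluates to its payload length and is kept. Because the filter reads the length fields from the headers rather than measuring captured bytes, a short snapshot length (`-s 1024`) does not change which packets match, only how much of each is printed.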