Ultimate portable covert Hacking device – Part 4

TCPDump. If you want to capture traffic you need to be using this tool. TCPDump is small, lightweight and really easy to understand once you learn the basic syntax. It’s the perfect tool to gather info off the wired or wireless network. If you’re running it on a computer with dsniff installed you can use dsniff to route traffic through your computer and see everything your target is doing, even on a switched network (see the article on how to spy on other users on the local network from back in August).

The first thing we need to do is tell TCPDump exactly what we want out of the capture. There are four basic levels of verbosity:

  1. tcpdump

    which just shows us the basics

  2. tcpdump -v

    you can add one to three ‘v’ characters to increase the displayed output.

  3. tcpdump -vX

    -X adds the full payload (minus its link-level header) of each packet

  4. tcpdump -vXs 1500

    -s sets the snaplen, the number of bytes captured from each packet; the default of 68 bytes is adequate for most IP, ICMP, TCP and UDP packets but can truncate some other protocols.

The real power of TCPDump comes from the ways you can filter the traffic you’re capturing. For example, if you only want to capture traffic to or from a specific IP you would use the “host” argument, so to capture all traffic to or from we would use

tcpdump host

But we don’t need to capture all of that. Say we only want traffic going to, or only traffic coming from, that host; we can get more specific using the “src” and “dst” arguments like so:

Capture all traffic going to

tcpdump dst

Capture all traffic coming from

tcpdump src

This is all well and good, but this is capturing a whole lot of traffic I’m not interested in, like HTTP (port 80) traffic and FTP (port 21) traffic. I only want to capture SMTP (port 25) traffic. Well, I can do that as well.

tcpdump port 25

This will capture all the traffic over port 25.

If you need to capture traffic to/from an entire subnet instead of to/from a single host, there’s a “net” argument that can be used interchangeably with the “host” argument. You do need to supply a network in CIDR notation (eg, ) instead of a single IP address.

So the following would capture all traffic to or from the (subnet ) network

tcpdump net

Now all the arguments above can be combined using the operators “and”, “or” and “not”, and grouped with parentheses, which have to be escaped as “\(” and “\)” (or the whole expression quoted) so the shell does not interpret them.

So here are some examples.

Capture all traffic from the host at and destined for the network on port 25

tcpdump src host and dst net and dst port 25

Capture all traffic destined for or and not on port 80

tcpdump \(dst net or\) and not port 80

One of the most useful features is writing your capture to a file so you can analyze it later (possibly using something like Wireshark, TcpReplay or other security tools that support pcap files). The “-w” argument accepts the name of a file to save your capture to.

tcpdump -w mycapfile.pcap

You can then use the resulting capture file in any other tool that accepts pcap format files.
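A quick way to check whether a capture written with “-w” was truncated by the snaplen discussed under “-s”: an added example that is not part of the original post. It builds a small classic-format pcap file in memory (constructed test data, not a real capture) and reports how many records have a captured length shorter than the packet’s original length. It assumes the classic pcap format, not pcapng.

```python
import struct
from typing import Iterable, Tuple

PCAP_MAGIC = 0xA1B2C3D4          # classic pcap, microsecond timestamps
PCAP_MAGIC_SWAPPED = 0xD4C3B2A1  # same magic read with the wrong byte order
HEADER_LEN = 24                  # global header size in bytes
RECORD_LEN = 16                  # per-packet record header size in bytes


def build_pcap(snaplen: int, packet_lengths: Iterable[int], linktype: int = 1) -> bytes:
    """Construct a little-endian pcap file in memory (constructed test data).

    Packet bodies are zero filler; the captured length of each record is capped
    at snaplen, which is exactly what tcpdump -s does when it writes the file.
    """
    # magic, version 2.4, thiszone, sigfigs, snaplen, linktype (1 = Ethernet)
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, snaplen, linktype)
    for i, orig_len in enumerate(packet_lengths):
        incl_len = min(orig_len, snaplen)
        # ts_sec, ts_usec, incl_len (bytes on disk), orig_len (bytes on the wire)
        out += struct.pack("<IIII", 1700000000 + i, 0, incl_len, orig_len)
        out += b"\x00" * incl_len
    return out


def truncation_report(data: bytes) -> Tuple[int, int, int]:
    """Parse pcap bytes and return (snaplen, packet_count, truncated_count)."""
    magic = struct.unpack("<I", data[:4])[0]
    if magic == PCAP_MAGIC:
        end = "<"
    elif magic == PCAP_MAGIC_SWAPPED:
        end = ">"              # file was written by a big-endian host
    else:
        raise ValueError("not a classic pcap file (pcapng is not handled here)")
    _, _, _, _, _, snaplen, _ = struct.unpack(end + "IHHiIII", data[:HEADER_LEN])
    offset, total, truncated = HEADER_LEN, 0, 0
    while offset + RECORD_LEN <= len(data):
        _, _, incl_len, orig_len = struct.unpack(end + "IIII", data[offset:offset + RECORD_LEN])
        offset += RECORD_LEN + incl_len
        total += 1
        if incl_len < orig_len:  # tcpdump stored fewer bytes than were on the wire
            truncated += 1
    return snaplen, total, truncated


if __name__ == "__main__":
    # Four constructed packets; at the 68-byte default, two of them get cut short.
    sample = build_pcap(68, [60, 74, 1500, 40])
    print("snaplen=%d packets=%d truncated=%d" % truncation_report(sample))
```

Run it against a real file with `truncation_report(open("mycapfile.pcap", "rb").read())`; a non-zero truncated count means the capture should be repeated with a larger `-s` value.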

If you haven’t already, make sure you read parts [1], [2] and [3] in the “Ultimate portable covert hacking device” series.

As always if you have any questions, comments or suggestions please post them in the comment section below.

More info on TCPDump filters can be found at the following links.




Published by


I'm a self-labeled nerd who enjoys playing video games, restoring classic muscle cars (I have a '65 Mustang in the works), running big data clusters, tattoos, working on system automation, riding and customizing motorcycles, and writing Python code. I'm an SRE with DemonWare/Activision specializing in Big Data/Hadoop operations, but all opinions and views expressed on this site are solely my own.