Never paused a video so many times, the longest 18 minutes of my life and it was totally worth it ! Very informative video!

10 years ago and still one of the best intro in tcpdump.

Hi David, Your whole series of videos are so great, and you are able to make other understand in much better way than any other person or sources on internet. These are by far the best videos on internet.

I find Mr. Mahler's videos to be extrememly affective. Thank you sir!

Watched it twice and pause-n-take notes many times second time around. It is a great investment as tcpdump is the only tool left for me to debug mysterious networking problems including "connection refused" and so on. Thank you!

David, the best illustration on TCPDUM I have ever seen. I would compare it like someone getting an orange and and juicing it and giving it to his viewers. I loved it . You must be a very nice person to spend your own personal time and sharing your know how with others.. Kudos to you !!!. Thank you !!

Excellent Content - To the point and comprehensive. Salute to you David for the great work.

Fantastic work, a clear and concise understanding of TCP Dump basics. Appreciate the video.

Superb way to demonstrate use of TCPDUMP, I would like to recommend this video to anyone who wants to understand use of TCPDUMP. Many thanks [.]

One of the best tutorial I've seen ever Very comprehensive in just 18 minutes.

Tcp Dump 1. Version check: - tcpdump -h 2. To check available interfaces on VM: - tcpdump -D 3. Checking tcpdump on all interfaces: - tcpdump -i any 4. Stop tcpdump after a specified number of packets: - tcpdump -i any -c 5 (This one stops the capture after generating 5 packets ) 5. Show tcpdump in form of IPs and not FODN names: - tcpdump -i any -c 5 -n (Using -n will show IP and port numbers. If not used then the utility will tigger reverse DNS lookups to determine IP) 6. To limit capture size use -s option: - tcpdump -i any -c 5 -n -s1024 7. To check with proper sequence number use this: - tcpdump -i any -c20 -n tcp and dst port 39952 -t 8. Save captures to a file: - tcpdump -i any -w capture.pcap 9. Use -v option while performing captures to a file to see wether filter is receiving any packets or not: - tcpdump -i any -w capture.pcap -v 10. Reading existing files: - tcpdump -n -r capture.pcap 11. Use pipe (|) and less while viewing pcap files so that you can scroll through them: - tcpdump -n -r capture.pcap | less 12. To check packets from one particular host only: - tcpdump -i eth1 -n host 10.0.0.4 -c10 13. To check packets from one particular host from one side either source or destination only: - tcpdump -i eth1 -n host src 10.0.0.4 -c10 - tcpdump -i eth1 -n host dst 10.0.0.4 -c10 14. Use “and port ” to filter traffic for that port only: - tcpdump -i eth1 -n host 10.0.0.4 and port 80 -c10 15. Between two host: - tcpdump -i eth1 -n host 10.0.0.4 and host 192.168.0.4 -c10 16. For composite types i.e. using “and-or”: - tcpdump -i eth0 -n “host 192.168.0.4 \ > and (port 80 or port443)” Use (“”) in such commands 17. Based on whole network: - tcpdump -i eth0 -n -c 50 “src net 192.168.00/16 \ > and not dst net 192.168.0.0/16 and not dst net 10.0.0.0/16” 18. Based on mac address: - tcpdump -i eth0 ether host 28:16:2e:1f:25:49 -n -c50 Here “ether host is used to refer mac addr” 19. Mac addr are not visible by default so we use “-e” to see mac addr: - tcpdump -i eth0 ether host 28:16:2e:1f:25:49 -n -c50 -e 20. To tcpdump ipV6 IPs use ip6 a th end - tcpdump -i any ip6 21. Capture based on flags: - tcpdump -i any “tcp[tcpflags] \ > & tcp-syn !=0” Or > &tcp-rst !=0” Adjusting seeing tcpdump outputs- 22. -XX option shows more details specifically in hex and ascii format - tcpdump -i eth0 port 80 -c50 -XX 23. In place of using -XX we can use -A to get only te ASCII value and not the hex value: - tcpdump -i eth0 port 80 -c50 -A 24. Increasing levels of details can we fetched from -v or -vv or -vvv: - tcpdump -i eth0 port 80 -c50 -vvv 25. To see minimal quiet display ouput use -q: - tcpdump -i eth0 port 80 -c50 -q Example: Time ip vm1.port > vm3.ssh: tcp0 Time ip vm3.ssh > vm1.port: tcp0 . . . 26. To remove time frame in any tcpdumps use “-t” - tcpdump -i eth0 port80 -c50 -q -t ip vm1.port > vm3.ssh: tcp0 ip vm3.ssh > vm1.port: tcp0 . . 27. Use 3 “-ttt” to check time difference between consecutive packets in the ouTput. This can be used to check spikes or latencies In packets: - tcpdump -i eth0 -c50 -q -ttt 28. Use 5 “-ttttt” shows the time since the first packet capture. Used to lookup how long does the certain transactions took to complete. - tcpdump -i eth0 -c50 -q -ttttt 29. For human readable format use “-tttt” - tcpdump -i eth0 -c50 -q -tttt # Traffic direction (*) Relation to Firewall Virtual Machine Name of inspection point Notion of inspection point 1 Inbound Before the inbound FW VM Pre-Inbound “i” 2 Inbound After the inbound FW VM Post-Inbound “I” 3 Outbound Before the outbound FW VM Pre-Outbound “o” 4 Outbound After the outbound FW VM Post-Outbound “O BR Amarpreet Singh

Never seen a video with this small size and having so much info thank you please keep posting such type of vedios

David, thank you so much for uploading these videos. They are specially useful for SDN novices. Again, thanks for sharing.

Thank you for this excellent, brief and to-the-point video with super relevant, supporting examples.

Very clear explanation about tcpdump. I learnt quite a lot from this video. Thanks David.

Congratulations. The best class about tcpdump ever. Thank so much, help me a lot. You won one more subscriber.

one of the best tutorials on SDN related stuff

Excellent job David... well worth the time to go through this...

useful as the OSCP exam doesn't have a video on tcpdump and this clarifies a lot and teaches a lot of useful tricks.

Awesome video! Thank you for the excellent tutorial.

Very well explained - I am going to see if you have more trainings available

Great Video David. Really Appreciate your all efforts

Thanks David for this video really helpful

Good overview. Thank you. Will likely review this again.

If only all tutorials on KZbin were this good!

Wow. Going to have to watch that one more than a few times. A lot of info. Done very well and not too verbose.

Very detailed explanation thankyou. Please make more videos

Great video - especially the interpretation of the output. Thanks.

Clear and thorough explanation. Thanks

video worth watching.. Thanks David

Thanks David...hits the spot...very good!!

Excellent video. Very clear and concise explanation.

Another great Video from David. Thanks!

What a great explanation! I'm subscribing in order to learn more. Thanks.

Great explanation. Good sequencing and very clear.

Thanks you, been looking for a good linux tcpdump video

Thank you sir .. we need more vid pls keep uploading

a Clear and concise review. Thanks!

Great video David! The videos is very helpful. Thanks!

Amazing video. Thank you so much David.

An excellent video tutorial. ThanQ very much.

Superb! Highly helpful and handy

Your videos about networking topics are amazing. Do come back and make more videos.

I wonder if it's possible to automate monitoring vs malicious traffic on machine with gui

Very detailed and informative video

Very good video. Thank you very much.

very informative video . clearly explained !!

I really appreciate your video!

Great video. Very informative. Thanks.

Thank you for sharing very informative 👍

Very nice - Thank you for this video!

good explanations. Need some more videos which shows troubleshooting using commands.

Thank you. Great video for beginners.

Your Video helped me out a few hours back...Inspite of having Telnet and TCP connectivity I was unable to connect with a Ora NoSQL Node from my VH. The tcpdump -i eth0 -w ora.pcap showed its trying to connect with Default ports in Orcale intalled VM so was able to define servicerange ports and can connect it now.. Got the result from your clip specifically.. Although I used Wireshark to analyze the pcap file as was not aware of the reading option from the Linux option itself. So If I use the commnd (from root access) in the VM > tcpdump -r ora.pcap it should serve the purpose I hope.

Thank you for your work and knowledge!

Very well explained. Thank you!

This is a well done tutorial.

that was a great video, man. nice job

Nice one! Thanks for uploading.

Hi David , Nicely explained... :)

Many thanks for the informative video!

Perfect explanation, thanks.

Very helpful! Good job man ;)

very informative video. Thanks

This is an excellent tutorial! I do have a question regarding the time stamps in the output. Do these time stamps denote the time when the packet transmission is complete, has started or when the packet was queued for transmission? Exactly when are these packet details picked up? Thanks a lot again.

That was a great video. Thanks!

Great content , thanks

David, if my machine has many interfaces and i don't know by which interface i will capture traffic. i need to use "-i any" to see if my machine is getting any traffic or not. If my machine is getting traffic then how would i know the exact interface??

hello sir, Is tcpdump analysis or capture purpose tool only or Could tcpdump be used for generation of packets to a specific dst ip address from a source machine just like an attack.

It's helpful!Thanks.

Fantastic video Thanks alot

Thanks David, It was excellent tutorial. Is there a way to us -i any option at HP-UX or I can use "-i lan0 -i lan1"?

Pls share all tcpdump commands...it could be helpful for us if you have an document.

So useful.

11:11 host keyword 14:59 protocol type filters

Excellent job

Nice, super easy!

Thanks a lot!

Thanks David!

Fenomenal!

thank you

thank you so much

easy short amazing

This is best video

Is TCPDUMP an active or passive network sniffer?

Excellent!!!!

Hi, Do u have anything able tcprewrite and tcpreplay?

very nice

perfect! thanks

Ty!

Plz make more videos on networking.. thanks..

Nice...Thank You... :D

sudo is not necessary. All tcp dump needs is CAP_NET_RAW. Run sudo setcap cap_net_raw=eip /usr/bin/tcpdump to set net_raw capability for tcpdump binary and then you can run it without root permissions.

what was the point of this video ? was it to show off or to teach ? you go through it very fast barely explaining anything as if you are reading a script , I watched other videos that are on a slower pace where they take time to explain things then I understood tcpdump.

Thank you sir .. we need more vid pls keep uploading

Thank you for your clear explanation!

Very well explained. Thank you!

Great video, thanks!