tcpdump commands
track all UDP traffic initiated by the host (useful for tracking a DNS amplification attack, where the host's resolver is sending large responses to a victim)
tcpdump -i any 'udp && src host 172.31.7.188' -vvnnS
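The filter above only shows the host's outbound UDP traffic, so the amplification pattern a defender looks for in it is "many large DNS responses to the same destination". The following Python script, added here as an example and not part of the original cheat sheet, runs that check over tcpdump output. The sample lines are constructed to mimic tcpdump's one-line `-nn` format (the `-vv` output used above spreads each packet over two lines and would need a slightly different parser); the thresholds in `suspicious_destinations` are assumed starting points, not calibrated values.

```python
import re
from collections import defaultdict

# Constructed sample of tcpdump -nn output for 'udp && src host 172.31.7.188':
# four large ANY responses to one destination, one normal A response, one NTP packet.
SAMPLE_OUTPUT = """\
12:00:01.000100 IP 172.31.7.188.53 > 198.51.100.7.4444: 1 15/0/0 ANY (3072)
12:00:01.000200 IP 172.31.7.188.53 > 198.51.100.7.4444: 1 15/0/0 ANY (3072)
12:00:01.000300 IP 172.31.7.188.53 > 198.51.100.7.4444: 1 15/0/0 ANY (3072)
12:00:01.000400 IP 172.31.7.188.53 > 198.51.100.7.4444: 1 15/0/0 ANY (3072)
12:00:01.000500 IP 172.31.7.188.53 > 203.0.113.9.51000: 2 1/0/0 A 192.0.2.10 (44)
12:00:01.000600 IP 172.31.7.188.123 > 203.0.113.20.123: NTPv4, Client, length 48
"""

# "<timestamp> IP <src-ip>.<src-port> > <dst-ip>.<dst-port>: <rest>"
LINE_RE = re.compile(
    r"^\S+ IP (?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+): "
    r"(?P<rest>.*)$"
)
# tcpdump ends DNS lines with the UDP payload length in parentheses, e.g. "(3072)"
LEN_RE = re.compile(r"\((\d+)\)\s*$")


def parse_line(line):
    """Return (dst, dport, sport, payload_len) for a matching line, else None.

    payload_len is None when the line carries no trailing "(N)" length,
    which is the case for non-DNS protocols such as NTP.
    """
    m = LINE_RE.match(line)
    if not m:
        return None
    length_match = LEN_RE.search(m.group("rest"))
    length = int(length_match.group(1)) if length_match else None
    return m.group("dst"), int(m.group("dport")), int(m.group("sport")), length


def dns_response_stats(output):
    """Aggregate DNS responses (source port 53) per destination IP.

    Returns {dst_ip: (response_count, total_payload_bytes)}.
    """
    stats = defaultdict(lambda: [0, 0])
    for line in output.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        dst, _dport, sport, length = parsed
        if sport != 53 or length is None:
            continue
        stats[dst][0] += 1
        stats[dst][1] += length
    return {dst: tuple(v) for dst, v in stats.items()}


def suspicious_destinations(output, min_responses=3, min_avg_bytes=1024):
    """Destinations that received repeated, large DNS responses from this host:
    the shape of a resolver being abused as an amplifier against that address.
    Thresholds are assumed starting points (hypothetical), tune them per site."""
    flagged = []
    for dst, (count, total) in dns_response_stats(output).items():
        if count >= min_responses and total / count >= min_avg_bytes:
            flagged.append(dst)
    return flagged


if __name__ == "__main__":
    for dst, (count, total) in dns_response_stats(SAMPLE_OUTPUT).items():
        print(f"{dst}: {count} responses, {total} bytes")
    print("suspicious:", suspicious_destinations(SAMPLE_OUTPUT))
```

In practice you would pipe the live capture in (`tcpdump -i any -nn 'udp && src host 172.31.7.188' | python3 this_script.py` with a `sys.stdin.read()` in place of the sample) and act on the flagged destination: it is the victim, not the attacker, so the mitigation is rate-limiting or closing the open resolver rather than blocking that address.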
track DNS traffic that arrives at the host
tcpdump -i any '(udp && port 53 && dst host 172.31.7.188)' -vvnnS
track TCP SYN packets from the host: the host is trying to initiate a TCP connection with an external source
tcpdump -i any '((tcp[tcpflags] == tcp-syn) && src 172.31.7.188)' -vvnnS
track TCP SYN-ACK packets to the host: external resources acknowledging that a TCP connection is being opened
tcpdump -i any '(tcp[13] = 18 and dst host 172.31.7.188)' -vvnnS
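The two filters above say the same thing in two notations: `tcp[tcpflags] == tcp-syn` and `tcp[13] = 18` both test byte 13 of the TCP header, which holds the flag bits, so SYN alone is 2 and SYN+ACK is 2+16 = 18. The following Python helper, added here as an example and not part of the original cheat sheet, computes and decodes that byte for any flag combination (a generalisation of the two cases on the page) and builds both the exact-match filter the page uses and a masked variant. The function names are this example's own.

```python
# TCP header byte 13: one bit per flag (RFC 793 flags plus ECE/CWR from RFC 3168).
TCP_FLAGS = {
    "FIN": 0x01,
    "SYN": 0x02,
    "RST": 0x04,
    "PSH": 0x08,
    "ACK": 0x10,
    "URG": 0x20,
    "ECE": 0x40,
    "CWR": 0x80,
}


def flags_byte(*names):
    """Value of TCP header byte 13 when exactly the named flags are set."""
    value = 0
    for name in names:
        value |= TCP_FLAGS[name.upper()]
    return value


def decode_flags(value):
    """Names of the flags set in a byte-13 value, lowest bit first."""
    return [name for name, bit in TCP_FLAGS.items() if value & bit]


def exact_match_filter(*names):
    """BPF expression matching packets whose flag byte is exactly this set.

    This is what the cheat sheet's 'tcp[13] = 18' does for SYN+ACK; a
    SYN+ACK that also carries ECE (ECN negotiation, byte value 82) would
    NOT match it.
    """
    return f"tcp[13] = {flags_byte(*names)}"


def any_set_filter(*names):
    """BPF expression matching packets with at least these flags set,
    whatever other bits are present (mask-and-compare form)."""
    mask = flags_byte(*names)
    return f"tcp[13] & {mask} = {mask}"


if __name__ == "__main__":
    print("SYN     =", flags_byte("syn"))             # 2
    print("SYN+ACK =", flags_byte("syn", "ack"))      # 18
    print("82 decodes to", decode_flags(82))          # SYN, ACK, ECE
    print(exact_match_filter("syn", "ack"))
    print(any_set_filter("syn", "ack"))
```

The practical caveat is the exact-match form: if you are counting handshakes on a network where ECN is enabled, `tcp[13] = 18` silently misses SYN-ACKs with ECE set, while `tcp[13] & 18 = 18` catches them. Conversely, the masked form will also match a SYN-ACK with RST or FIN bits set, which you may or may not want.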
track traffic into Redis and write all packets to a pcap file (the pcap file can then be opened in Wireshark for analysis)
tcpdump -i any 'dst port 6379' -vvnnS -w redis.pcap
track all outbound UDP traffic except DNS
tcpdump -i any '(udp and not dst port 53 and src host 172.31.7.188)' -vvnnS
track all traffic with a particular host, writing it to a pcap file (the pcap file can then be opened in Wireshark for analysis)
tcpdump -i any 'host 172.31.7.188' -vvnnS -w host-172-31-71-88.pcap
track all traffic on the host except SSH, HTTPS, DNS, RabbitMQ and ARP traffic
tcpdump -i eth0 'not (port 22 or 443 or 53 or 5672) and not arp' -nnvvS
flags
-D – show all interfaces
-i – interface
-nn – without resolving hostnames and ports
-vv – verbose output
-S – get entire packet