Check Point Quick Reference – Tcpdump

NOTE:
fw monitor operates above layer 2 and does not include MAC address information, so it can't see ARP messages.
tcpdump can see layer 2 ARP messages

This is one of the most common tcpdump commands (it looks for packets between a src and a dst host; you need to specify the interface):
tcpdump -nni eth2 host 11.11.11.11 and host 22.22.22.22
08:02:15.043273 11.11.11.11.62044 > 22.22.22.22.https: S 1943270491:1943270491(0) win 65535

tcpdump -nni eth0
tcpdump -nni eth0 host 111.111.111.111
tcpdump -nni eth0 dst host 111.111.111.111 and proto tcp
tcpdump -nni eth0 src net 111.111.111.0/24 and proto tcp and portrange 1-1024

-nn = don’t use DNS to resolve IPs, and display port numbers instead of service names
-i = interface to watch: lo or eth0 or venet0 (virtual machines)
dst = watch only traffic destined to a net, host, or port
src = watch only traffic whose src is a net, host, or port
net = specifies a network, e.g. 111.111.111.0/24
host = specifies a host, e.g. 111.111.111.111
port = specifies a port; portrange specifies a range of ports
proto = protocol, e.g. tcp, udp, icmp

tcpdump -s0 -A -nni eth0 dst host 111.111.111.111
tcpdump -s0 -A -nni eth0 dst host 111.111.111.111 and dst port 80
tcpdump -s0 -A -nni eth0 dst host 111.111.111.111 and dst port 80 and src net 10.100.0/24
tcpdump -s0 -A -nni eth0 dst net 111.111.111.0/24
tcpdump -s0 -A -nni venet0 not port 22 and dst host 111.111.111.111 and not src net 111.111.111.0/24 \
  and not host 111.111.111.111 and src net 111.111.111.0/24

-s0 = Setting snaplen to 0 means use the required length to catch whole packets.
-A = Print each packet (minus its link level header) in ASCII.

tcpdump -vv -c10000 -s0 -A -w bigfat.pcap -nni eth0 not port 22
-c = number of packets to capture before exiting
-vv = displays the number of packets captured
-w = write the raw packets to a file
# you can’t limit the size of the pcap, only the packet count
# use -c & -w together so you don’t fill up your HD.
tcpdump -s0 -A -nn -r hack3rcon.pcap port 80
-r = read from file

Watch everything, and remove what you know you don’t want to inspect again. What is left will stick out like a white T-shirt at a hack3rcon.
Example: finding an unauthorized proxy on port 8080 or a UDP flood to port 53.

tcpdump -s0 -A -nni eth0 not port 22 and dst host 111.111.111.111 and not src net 111.111.111.0/24 \
  and not host 111.111.111.111 and not src net 111.111.111.0/24
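
The "remove what you know" workflow above, as an added shell example that is not part of the original reference: exclude_filter builds the "not port ..." expression for ports already ruled out, and leftover_ports tallies the destination ports that remain in tcpdump -nn text output. The function names and the sample lines are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original page); function names are hypothetical.

# Build a BPF expression excluding every port given as an argument.
exclude_filter() {
    filter=""
    for p in "$@"; do
        filter="${filter:+$filter and }not port $p"
    done
    printf '%s\n' "$filter"
}

# Read `tcpdump -nn` text on stdin; print "count dst_port" for destination
# ports NOT listed in the arguments, busiest first.
leftover_ports() {
    awk -v known="$*" '
        BEGIN { n = split(known, k, " "); for (i = 1; i <= n; i++) skip[k[i]] = 1 }
        {
            for (i = 1; i < NF; i++) if ($i == ">") break
            if (i >= NF) next              # no "src > dst" pair (e.g. ARP)
            dst = $(i + 1); sub(/:$/, "", dst)
            if (split(dst, part, ".") != 5) next   # not IPv4 addr.port (e.g. ICMP)
            if (!(part[5] in skip)) count[part[5]]++
        }
        END { for (p in count) print count[p], p }
    ' | sort -k1,1nr -k2,2n
}

# Constructed sample lines in tcpdump -nn output format (not a real capture).
sample_capture() {
    cat <<'EOF'
08:02:15.043273 IP 10.100.0.7.62044 > 111.111.111.111.443: Flags [S], seq 1943270491, win 65535, length 0
08:02:15.051002 IP 10.100.0.9.51512 > 111.111.111.111.22: Flags [P.], seq 1:37, ack 1, win 501, length 36
08:02:15.060114 IP 10.100.0.12.40110 > 111.111.111.111.8080: Flags [S], seq 7712, win 64240, length 0
08:02:15.060950 IP 10.100.0.12.40112 > 111.111.111.111.8080: Flags [S], seq 9120, win 64240, length 0
08:02:15.071300 IP 10.100.0.30.40001 > 111.111.111.111.53: 4660+ A? example.com. (29)
08:02:15.071305 IP 10.100.0.30.40001 > 111.111.111.111.53: 4661+ A? example.com. (29)
08:02:15.071309 IP 10.100.0.30.40001 > 111.111.111.111.53: 4662+ A? example.com. (29)
08:02:15.080000 ARP, Request who-has 111.111.111.111 tell 10.100.0.1, length 28
EOF
}

# Known-good ports so far: 22 and 443. What remains is worth a look.
echo "next filter: $(exclude_filter 22 443)"
sample_capture | leftover_ports 22 443
```

Against a live interface, feed leftover_ports from tcpdump -nni eth0 -c10000 "$(exclude_filter 22 443)" so the capture ends and the tally prints; add each port you have explained to both argument lists and repeat.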