Check Point Quick Reference – Tcpdump

fw monitor operates above layer 2 and does not include MAC address information, so it can't see ARP messages.
tcpdump captures at layer 2 and can see ARP messages.

This is one of the most common tcpdump commands (it looks for packets between a source and a destination host; the interface must be specified):
tcpdump -nni eth2 host and host
08:02:15.043273 > S 1943270491:1943270491(0) win 65535

tcpdump -nni eth0
tcpdump -nni eth0 host
tcpdump -nni eth0 dst host and proto tcp
tcpdump -nni eth0 src net and proto tcp and portrange 1-1024

-nn = don't resolve IP addresses to names via DNS, and show port numbers instead of service names
-i = interface to watch: lo, eth0, or venet0 (virtual machines)
dst = match only traffic destined for a net, host, or port
src = match only traffic whose source is a net, host, or port
net = specifies a network
host = specifies a host
port = specifies a port (portrange specifies a range of ports)
proto = protocol, i.e. tcp, udp, or icmp

tcpdump -s0 -A -nni eth0 dst host
tcpdump -s0 -A -nni eth0 dst host and dst port 80
tcpdump -s0 -A -nni eth0 dst host and dst port 80 and src net 10.100.0/24
tcpdump -s0 -A -nni eth0 dst net
tcpdump -s0 -A -nni venet0 not port 22 and dst host and not src net and not host and src net

-s0 = snaplen 0: capture whatever length is required to catch whole packets.
-A = print each packet (minus its link-level header) in ASCII.

tcpdump -vv -c10000 -s0 -A -w bigfat.pcap -nni eth0 not port 22
-c = exit after this many packets have been captured
-vv = very verbose; also displays the number of packets captured
-w = write the raw packets to a file
# you can't limit the size of the pcap, only the packet count
# use -c and -w together so you don't fill up your HD.
tcpdump -s0 -A -nn -r hack3rcon.pcap and port 80
-r = read packets from a file

Watch everything, then subtract what you know you don't want to inspect again. What is left will stick out like a white T-shirt at a hack3rcon.
Example: finding an unauthorized proxy on port 8080 or a UDP flood to port 53.

tcpdump -s0 -A -nni eth0 not port 22 and dst host and not src net and not host and not src net
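The "watch everything, subtract what you know" workflow above as a small POSIX shell script. This is an added example, not part of the original cheat sheet: it builds the exclusion filter, does a bounded capture with -c and -w, and tallies destinations from tcpdump's -nn text output so a proxy on 8080 or a flood to udp/53 stands out. The interface name, the exclusion list and the sample output lines are constructed assumptions.

```shell
#!/bin/sh
# Added example (not from the original page). Exclusion items, interface and
# sample lines below are constructed for illustration.

# build_filter: turn known-good BPF primitives ("port 22" "host 10.0.0.5")
# into "not (a) and not (b) ..." so everything else is still captured.
build_filter() {
  filter=""
  for item in "$@"; do
    if [ -z "$filter" ]; then filter="not ($item)"
    else filter="$filter and not ($item)"; fi
  done
  printf '%s' "$filter"
}

# capture_bounded: -c caps the packet count so -w cannot fill the disk,
# -s0 keeps whole packets. Needs root and a real interface (assumed: eth0).
capture_bounded() {
  iface=$1; count=$2; out=$3; shift 3
  tcpdump -nni "$iface" -s0 -c "$count" -w "$out" "$@"
}

# tally_dst: read `tcpdump -nn` text lines on stdin and print "count dst.port",
# highest first. TCP and UDP lines both carry "IP src.port > dst.port:" in
# fields 2..5, so one rule covers both.
tally_dst() {
  awk '$2 == "IP" && $4 == ">" { d = $5; sub(/:$/, "", d); n[d]++ }
       END { for (k in n) print n[k], k }' | sort -rn
}

# Constructed sample of `tcpdump -nn` output: one SYN to a proxy on 8080 and
# two DNS queries from different hosts to the same resolver.
SAMPLE='08:02:15.043273 IP 10.100.0.7.51234 > 10.100.0.9.8080: Flags [S], seq 1943270491, win 65535, length 0
08:02:15.044000 IP 10.100.0.7.40000 > 10.100.0.53.53: 1234+ A? example.com. (29)
08:02:15.045000 IP 10.100.0.8.40001 > 10.100.0.53.53: 1235+ A? example.com. (29)'

# demo_tally: run the tally over the constructed sample (no capture needed).
demo_tally() { printf '%s\n' "$SAMPLE" | tally_dst; }

# Real use (root, live interface):
#   capture_bounded eth0 10000 bigfat.pcap $(build_filter "port 22" "host 10.0.0.5")
#   tcpdump -nn -r bigfat.pcap | tally_dst | head
```

On a live box, feed `tcpdump -nn -r bigfat.pcap` into tally_dst and keep adding the top well-known entries to build_filter until only the unexpected ones remain.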