## == capture plaintext passwords
> tcpdump port http or port ftp or port smtp or port imap or port pop3 or port telnet -l -A | egrep -i -B5 'pass=|pwd=|log=|login=|user=|username=|pw=|passw=|passwd=|password=|pass:|user:|username:|password:|login:|pass |user '

## == capture plaintext passwords from file
> tcpdump port http or port ftp or port smtp or port imap or port pop3 or port telnet -l -A -r localnet-trace.pcap | egrep -i -B5 'pass=|pwd=|log=|login=|user=|username=|pw=|passw=|passwd=|password=|pass:|user:|username:|password:|login:|pass |user '

## == extract http passwords in POST requests
> tcpdump -s 0 -A -n -l | egrep -i "POST /|pwd=|passwd=|password=|Host:"

## == capture ftp credentials and commands
> tcpdump -nn -v port ftp or ftp-data

## == trace to pcap file (with -s 0 full payloads are saved, so the file holds any plaintext credentials that were on the wire; restrict access to it)
> tcpdump -s 0 -i any -w pcap-trace.pcap

## == https traffic
> tcpdump -nnSX port 443

## == filter
> tcpdump host 1.1.1.1
> tcpdump src 1.1.1.1
> tcpdump dst 1.0.0.1
## == by network
> tcpdump net 1.2.3.0/24

## == content in HEX
> tcpdump -c 1 -X icmp

## == port specific
> tcpdump port 3389
> tcpdump src port 1025

## == only protocol
> tcpdump icmp

## == only v6 traffic
> tcpdump ip6

## == portrange
> tcpdump portrange 21-23

## == per packet size
> tcpdump less 32
> tcpdump greater 64
> tcpdump 'len <= 128'

## == dump to file
> tcpdump port 80 -w bar

## == read file
> tcpdump -r foo

## == view raw output
> tcpdump -ttnnvvS

## == from specific ip and destined for a specific port
> tcpdump -nnvvS src 10.0.0.3 and dst port 3389

## == from one network to another
> tcpdump -nvX 'src net 192.168.0.0/16 and (dst net 10.0.0.0/8 or dst net 172.16.0.0/16)'

## == non icmp traffic going to a specific ip
> tcpdump 'dst 192.168.0.2 and not icmp'

## == traffic from a host that isn’t on a specific port
> tcpdump -vv src mars and not dst port 22
> tcpdump 'src 10.0.2.4 and (dst port 3389 or 22)'

## == isolate tcp flags: Isolate TCP RST flags.

> tcpdump 'tcp[13] & 4!=0'
> tcpdump 'tcp[tcpflags] == tcp-rst'

## == Isolate TCP SYN flags.
> tcpdump 'tcp[13] & 2!=0'
> tcpdump 'tcp[tcpflags] == tcp-syn'

## == Isolate packets that have both the SYN and ACK flags set.
> tcpdump 'tcp[13]=18'

## == Only the PSH, RST, SYN, and FIN flags are displayed in tcpdump's flag field output. URGs and ACKs are displayed, but they are shown elsewhere in the output rather than in the flags field.
## == Isolate TCP URG flags.
> tcpdump 'tcp[13] & 32!=0'
> tcpdump 'tcp[tcpflags] == tcp-urg'

## == Isolate TCP ACK flags.
> tcpdump 'tcp[13] & 16!=0'
> tcpdump 'tcp[tcpflags] == tcp-ack'

## == Isolate TCP PSH flags.
> tcpdump 'tcp[13] & 8!=0'
> tcpdump 'tcp[tcpflags] == tcp-push'

## == Isolate TCP FIN flags.
> tcpdump 'tcp[13] & 1!=0'
> tcpdump 'tcp[tcpflags] == tcp-fin'

## == everyday recipe examples
## == both syn and rst set
> tcpdump 'tcp[13] = 6'

## == find http user agents
## ==The -l switch lets you see the traffic as you’re capturing it, and helps when sending to commands like grep.
> tcpdump -vvAls0 | grep 'User-Agent:'

## == cleartext get requests
> tcpdump -vvAls0 | grep 'GET'

## == find http host headers
> tcpdump -vvAls0 | grep 'Host:'

## == find http cookies
> tcpdump -vvAls0 | grep -E 'Set-Cookie|Host:|Cookie:'

## == find ssh connections
## == This one works regardless of what port the connection comes in on, because it’s getting the banner response.
> tcpdump 'tcp[(tcp[12]>>2):4] = 0x5353482D'

## == find dns traffic
> tcpdump -vvAs0 port 53

## == find ftp traffic
> tcpdump -vvAs0 port ftp or ftp-data

## == find ntp traffic
> tcpdump -vvAs0 port 123

## == find cleartext passwords
> tcpdump port http or port ftp or port smtp or port imap or port pop3 or port telnet -lA | egrep -i -B5 'pass=|pwd=|log=|login=|user=|username=|pw=|passw=|passwd=|password=|pass:|user:|username:|password:|login:|pass |user '

## == find traffic with evil bit
## == There’s a bit in the IP header that never gets set by legitimate applications, which we call the “Evil Bit”. Here’s a fun filter to find packets where it’s been toggled.
> tcpdump 'ip[6] & 128 != 0'

## == options
-X : Show the packet’s contents in both hex and ascii.
-XX : Same as -X, but also shows the ethernet header.
-D : Show the list of available interfaces
-l : Line-readable output (for viewing as you save, or sending to other commands)
-q : Be less verbose (more quiet) with your output.
-t : Don't print a timestamp on each line (use -tttt for a human-readable date and time).
-tttt : Give maximally human-readable timestamp output.
-i eth0 : Listen on the eth0 interface.
-vv : Verbose output (more v’s gives more output).
-c : Only get x number of packets and then stop.
-s : Define the snaplength (size) of the capture in bytes. Use -s0 to get everything, unless you are intentionally capturing less.
-S : Print absolute sequence numbers.
-e : Get the ethernet header as well.
-q : Show less protocol information.
-E : Decrypt IPSEC traffic by providing an encryption key.

AND
and or &&
OR
or or ||
EXCEPT
not or !