# tcpdump
[tcpdump](https://www.tcpdump.org/) helps you sniff and capture packets!

## Raw capture
This captures 2 gigs in total, then stops:

```
sudo tcpdump -w /tmp/capture.cap -C 2048 -W 1 -c 2000000
```

## Raw "circular" capture
Do a "circular" capture of raw data in separate files of 200 MB each. After the sixth 200 MB file has been written, tcpdump will start to overwrite the first file:

```
sudo tcpdump -w /tmp/capture.cap -C 200 -W 6
```

## Capture only inbound pings
```
sudo tcpdump -i NETWORKINTERFACENAME icmp and dst host YOUR.LOCAL.IP.ADDRESS
```

## Capture traffic coming in from a single host while excluding ARP

```
sudo tcpdump -i eth0 -vvv -U -w capture.pcap src host 1.2.3.4 and not arp
```

### Then to see just the ports that people tried to connect to you on

```
sudo tcpdump -nn -tttt -r capture.pcap not udp and not icmp
```
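To turn that read command's output into a per-port summary, here is an added helper (not part of the original page) that counts TCP SYNs per destination port from tcpdump's text output. The sample lines are constructed, and the awk field positions assume plain `-nn -tttt` output with no `-v`, as in the command above.

```shell
#!/bin/sh
# Constructed sample of what `tcpdump -nn -tttt -r capture.pcap not udp and not icmp`
# prints (made-up addresses and sequence numbers, not from a real capture).
SAMPLE='2024-07-16 17:41:03.100001 IP 1.2.3.4.51234 > 10.0.0.5.22: Flags [S], seq 100, win 64240, length 0
2024-07-16 17:41:03.100002 IP 10.0.0.5.22 > 1.2.3.4.51234: Flags [S.], seq 200, ack 101, win 65160, length 0
2024-07-16 17:41:03.100003 IP 1.2.3.4.51234 > 10.0.0.5.22: Flags [.], ack 201, win 502, length 0
2024-07-16 17:41:04.200001 IP 1.2.3.4.51235 > 10.0.0.5.443: Flags [S], seq 300, win 64240, length 0
2024-07-16 17:41:05.300001 IP 1.2.3.4.51236 > 10.0.0.5.3389: Flags [S], seq 400, win 64240, length 0
2024-07-16 17:41:06.400001 IP 1.2.3.4.51237 > 10.0.0.5.22: Flags [S], seq 500, win 64240, length 0
2024-07-16 17:41:07.500001 ARP, Request who-has 10.0.0.5 tell 1.2.3.4, length 28'

# syn_ports SRC DST: read tcpdump text on stdin and print "count port" for every
# destination port on DST that received a bare SYN (a connection attempt) from SRC,
# most-hit port first. Only IPv4 lines ("IP", not "IP6") are considered.
syn_ports() {
  awk -v src="$1" -v dst="$2" '
    # With -nn -tttt: $1 date, $2 time, $3 "IP", $4 src.port, $5 ">", $6 dst.port:, $7 "Flags", $8 "[S],"
    $3 == "IP" && $7 == "Flags" && $8 == "[S]," {
      s = $4; sub(/\.[0-9]+$/, "", s)        # source host without its port
      d = $6; sub(/:$/, "", d)               # drop the trailing colon
      port = d; sub(/^.*\./, "", port)       # keep only the destination port
      sub(/\.[0-9]+$/, "", d)                # destination host without its port
      if (s == src && d == dst) count[port]++
    }
    END { for (p in count) printf "%d %s\n", count[p], p }
  ' | sort -k1,1nr -k2,2n
}

# Usage against the constructed sample (on a real box: pipe the -r command above into syn_ports):
printf '%s\n' "$SAMPLE" | syn_ports 1.2.3.4 10.0.0.5
```

SYN-ACKs and pure ACKs are skipped on purpose, so established flows are counted once, at the handshake.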

## Capture traffic from specific host and output to log
`-l` line-buffers stdout, so the log file fills in as packets arrive instead of in large chunks when output is piped to tee:

```
sudo tcpdump -i ens18 -nn -s0 -vvv -tttt -l host 1.2.3.4 | tee tcpdump_$(date +%F_%H-%M-%S).log
```
