Some examples of using tcpdump. In the commands below, $i holds the name of a stored capture file that is read back with -r (see the replay loop further down).
Show all packets received from host 123.123.123.123:
    tcpdump -r $i src host 123.123.123.123

Show all TCP packets received from host 123.123.123.123 except the TCP RESET packets (the filter is quoted because & and [ ] have a meaning to the shell):
    tcpdump -r $i 'src host 123.123.123.123 and tcp[tcpflags] & tcp-rst == 0'

Show all UDP packets received from host 123.123.123.123:
    tcpdump -r $i src host 123.123.123.123 and udp

Show all ICMP packets received from host 123.123.123.123:
    tcpdump -r $i src host 123.123.123.123 and icmp

Extract the TTL values from the packets received from host 123.123.123.123 (the IP header, and with it the TTL, is only printed at higher verbosity):
    tcpdump -vvv -r $i src host 123.123.123.123 | grep -o "ttl [[:digit:]]*," | sort | uniq

When replaying a series of stored packets, tcpdump writes the name of the replayed file to standard error. To ignore this output, redirect standard error (file descriptor 2) to /dev/null:
    for i in *.dump; do tcpdump -r $i 2> /dev/null; done

For a sample of IP addresses listed in a file called input.txt, replay the stored packets and count how many ICMP packets were received from each host. This is a quick way to see which hosts responded to ICMP:
    while read ip; do echo -n "$ip : "; for i in *.dump; do tcpdump -r $i src host $ip and icmp 2> /dev/null; done | wc -l; done < input.txt
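As an added example (not part of the original page), a POSIX shell/awk function that combines the TTL extraction and the per-host ICMP count above into one summary of tcpdump -v output by source host, protocol and TTL. It assumes the Linux tcpdump -v layout (an "IP (... ttl N ... proto P ...)" header line followed by an indented "src > dst" line), IPv4 addresses only, and runs on a constructed sample rather than a real capture file.

```shell
# Constructed sample of the text "tcpdump -vvv -r sample.dump" prints (not a real capture).
SAMPLE_OUTPUT='reading from file sample.dump, link-type EN10MB (Ethernet)
12:00:00.000001 IP (tos 0x0, ttl 64, id 1, offset 0, flags [none], proto ICMP (1), length 84)
    123.123.123.123 > 10.0.0.5: ICMP echo reply, id 7, seq 1, length 64
12:00:00.000002 IP (tos 0x0, ttl 64, id 2, offset 0, flags [none], proto ICMP (1), length 84)
    123.123.123.123 > 10.0.0.5: ICMP echo reply, id 7, seq 2, length 64
12:00:00.000003 IP (tos 0x0, ttl 128, id 3, offset 0, flags [DF], proto TCP (6), length 40)
    123.123.123.123.80 > 10.0.0.5.40001: Flags [R.], seq 0, ack 1, win 0, length 0
12:00:00.000004 IP (tos 0x0, ttl 255, id 4, offset 0, flags [none], proto UDP (17), length 60)
    198.51.100.9.53 > 10.0.0.5.50000: 4321 1/0/0 A 203.0.113.1 (32)'

# Summarise tcpdump -v output read on stdin as "src_host proto ttl packets".
# Non-packet lines (such as the "reading from file" notice) are skipped, and
# each packet is counted once even though -v spreads it over two lines, which
# a plain "| wc -l" on -v output would count twice.
ttl_by_host() {
    awk '
        # IP header line: remember TTL and protocol for the address line that follows.
        /^[0-9:.]+ IP [(]/ {
            ttl = "?"; proto = "?"
            if (match($0, /ttl [0-9]+/)) ttl = substr($0, RSTART + 4, RLENGTH - 4)
            if (match($0, /proto [A-Za-z0-9]+/)) proto = substr($0, RSTART + 6, RLENGTH - 6)
            pending = 1
            next
        }
        # Address line: $1 is "src" (ICMP) or "src.port" (TCP/UDP); drop the port.
        pending && /^ +[0-9.]+ > / {
            src = $1
            if (proto == "TCP" || proto == "UDP") sub(/\.[0-9]+$/, "", src)
            count[src " " proto " " ttl]++
            pending = 0
        }
        END { for (k in count) print k, count[k] }
    ' | LC_ALL=C sort
}

# Run on the constructed sample. On real captures, feed the replay loop from the
# page into it instead: for i in *.dump; do tcpdump -vvv -r $i 2>/dev/null; done | ttl_by_host
printf '%s\n' "$SAMPLE_OUTPUT" | ttl_by_host
```

A host whose replies arrive with several different TTLs, or whose only TCP packets are resets, stands out in this table where the one-line grep pipeline would hide it.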