tcpdump port 53 and 'udp[11] & 8 = 0' and 'udp[11] & 4 = 0' and 'udp[11] & 2 = 2' and 'udp[11] & 1 = 0'

tcpdump -eeeni any icmp

even more awesomeness: tshark can look inside your packets

So, now we know how to filter by IP and stuff, and use wireshark. Next, I want to tell you about tshark, which is a command line tool that comes with Wireshark.

tcpdump doesn't know about HTTP or other network protocols. It knows pretty much everything about TCP but it doesn't care what you put inside your TCP packets. tshark knows all about what's inside your TCP packets, though!

Let's say I wanted to spy on all GET requests happening on my machine. That's super easy with tshark:

$ sudo tshark -i any \
            -Y 'http.request.method == "GET"' \
            -T fields \
            -e http.request.method -e http.request.uri -e ip.dst
GET   /hello.html     54.186.13.33
GET   /awesome.html   172.217.3.131
GET   /               172.217.3.131

Nice!

tcpdump -tnn -c 20000 -i eth0 | awk -F "." '{print $1"."$2"."$3"."$4}' | sort | uniq -c | sort -nr | awk ' $1 > 100 '

<3