tcpdump Patterns
tcpdump patterns I’ve actually used. Every entry has a date and context.
Common Captures (Reference)
RADIUS Traffic
# Capture RADIUS auth + accounting on all interfaces
tcpdump -i any -nn port 1812 or port 1813
EAP over LAN (802.1X)
# EAPoL frames -- wired 802.1X handshake
tcpdump -i eth0 -nn ether proto 0x888e
DNS Queries
# All DNS traffic
tcpdump -i any -nn port 53
Write to File for Wireshark Analysis
# Capture with size-based rotation -- 100MB files (-C counts millions of bytes), keep 10
# tcpdump appends a rotation number to the -w name; strftime %-specifiers are only expanded with -G, so don't use them here
tcpdump -i any -nn -w /tmp/capture.pcap -C 100 -W 10 port 1812 or port 1813
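Added helper (not from the original notes): a POSIX sh function, `rotate_cmd`, that assembles the rotation command line above without running it, so the -w name can be checked against the rotation mode before the capture is started as root. Mode "size" is the -C/-W form used here (tcpdump numbers the files itself, so %-specifiers in the name would be taken literally); mode "time" is the -G/-W form, where the name must carry strftime %-specifiers or each rotated file overwrites the previous one.

```shell
#!/bin/sh
# rotate_cmd MODE IFACE NAME LIMIT KEEP FILTER...
#   MODE  size -> -C LIMIT (millions of bytes) -W KEEP; NAME gets a numeric suffix
#         time -> -G LIMIT (seconds)           -W KEEP; NAME needs strftime %-specifiers
# Prints the tcpdump command line on stdout; returns 1 on a bad name/mode combination.
rotate_cmd() {
    mode="$1"; iface="$2"; name="$3"; limit="$4"; keep="$5"; shift 5
    filter="$*"
    case "$mode" in
        size)
            # Without -G the %-specifiers are not expanded: the file would be
            # literally named "capture-%Y%m%d.pcap0", so refuse them here.
            case "$name" in
                *%*) echo "error: %-specifiers in '$name' are ignored without -G" >&2; return 1 ;;
            esac
            printf 'tcpdump -i %s -nn -w %s -C %s -W %s %s\n' \
                "$iface" "$name" "$limit" "$keep" "$filter"
            ;;
        time)
            # With -G each rotation reopens the same name unless it contains a
            # time format, in which case the previous file is overwritten.
            case "$name" in
                *%*) ;;
                *) echo "error: -G rotation needs %-specifiers in '$name'" >&2; return 1 ;;
            esac
            printf 'tcpdump -i %s -nn -w %s -G %s -W %s %s\n' \
                "$iface" "$name" "$limit" "$keep" "$filter"
            ;;
        *)
            echo "error: mode must be 'size' or 'time'" >&2; return 1
            ;;
    esac
}
```

Run the printed line under sudo once it looks right, e.g. `sudo $(rotate_cmd size any /tmp/radius.pcap 100 10 port 1812 or port 1813)`.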