Jump to content

  • tcpdump

    Cowboy Denny

    By Cowboy Denny

     Share

    Basic Commands

    Identify Version 

    tcpdump --version

    The general syntax for the tcpdump command is as follows: 

    tcpdump [options] [expression]
    • The command options allow you to control the behavior of the command.
    • The filter expression defines which packets will be captured.

     

    Use the -D option to print a list of all available network interfaces that tcpdump can collect packets from: 

    sudo tcpdump -D

    For each interface, the command prints the interface name, a short description, and an associated index (number)

    To specify the interface on which you want to capture traffic, invoke the command with the -i option followed by the interface name or the associated index. For example, to capture all packets from all interfaces, you would specify the any interface: 

    sudo tcpdump -i any

     

    By default, tcpdump performs reverse DNS resolution on IP addresses and translates port numbers into names. Use the -n option to disable the translation: 

    sudo tcpdump -n

     

    Instead of displaying the output on the screen, you can redirect it to a file.  Two options and its important you use the correct one depending on how you plan on reading the output.

    OPTION 1: text file

    This is great if you just want what would be displayed on the screen to be captured in a text file.  NOTE: this will more then likely not be readable by any of the software packages designed to analyze captures like the very popular Wireshark 

    sudo tcpdump -n -i any > file.out

    You can also watch the data while saving to a file using the tee command: 

    sudo tcpdump -n -l | tee file.out

    The -l option in the command above tells tcpdump to make the output line buffered. When this option is not used, the output will not be written on the screen when a new line is generated.

    OPTION 2: binary file

    This is the way you want to go if you plan on sending to someone or even yourself to analyze the capture in a tool such as Wireshark. 

    sudo tcpdump -w <filename>

    Example 

    sudo tcpdump -n -i any -w file.pcap

    or a more intense version of the command 

    tcpdump -s0 -nnnvi 0.0:nnnp -vw /var/tmp/appname_$(date +%d_%b_%H_%M_%S)_$HOSTNAME.pcap host 10.47.78.103

     

    Capture Filters

     

     Share
    Go to commands

    User Feedback

    Recommended Comments

    There are no comments to display.



    Create an account or sign in to comment

    You need to be a member in order to leave a comment

    Create an account

    Sign up for a new account in our community. It's easy!

    Register a new account

    Sign in

    Already have an account? Sign in here.

    Sign In Now

Announcements



×
×
  • Create New...