Jump to content
  • Cowboy Denny
    Cowboy Denny

    By Cowboy Denny

    tcpdump

       (0 reviews)

    Basic Commands

    Identify Version 

    tcpdump --version

    The general syntax for the tcpdump command is as follows: 

    tcpdump [options] [expression]
    • The command options allow you to control the behavior of the command.
    • The filter expression defines which packets will be captured.

     

    Use the -D option to print a list of all available network interfaces that tcpdump can collect packets from: 

    sudo tcpdump -D

    For each interface, the command prints the interface name, a short description, and an associated index (number)

    To specify the interface on which you want to capture traffic, invoke the command with the -i option followed by the interface name or the associated index. For example, to capture all packets from all interfaces, you would specify the any interface: 

    sudo tcpdump -i any

     

    By default, tcpdump performs reverse DNS resolution on IP addresses and translates port numbers into names. Use the -n option to disable the translation: 

    sudo tcpdump -n

     

    Instead of displaying the output on the screen, you can redirect it to a file.  Two options and its important you use the correct one depending on how you plan on reading the output.

    OPTION 1: text file

    This is great if you just want what would be displayed on the screen to be captured in a text file.  NOTE: this will more then likely not be readable by any of the software packages designed to analyze captures like the very popular Wireshark 

    sudo tcpdump -n -i any > file.out

    You can also watch the data while saving to a file using the tee command: 

    sudo tcpdump -n -l | tee file.out

    The -l option in the command above tells tcpdump to make the output line buffered. When this option is not used, the output will not be written on the screen when a new line is generated.

    OPTION 2: binary file

    This is the way you want to go if you plan on sending to someone or even yourself to analyze the capture in a tool such as Wireshark. 

    sudo tcpdump -w <filename>

    Example 

    sudo tcpdump -n -i any -w file.pcap

    or a more intense version of the command 

    tcpdump -s0 -nnnvi 0.0:nnnp -vw /var/tmp/appname_$(date +%d_%b_%H_%M_%S)_$HOSTNAME.pcap host 10.47.78.103

     

    Capture Filters

     

    WORKING DOCUMENT...  sorry for how incomplete it is

    Go to articles

    User Feedback

    Join the conversation

    You can post now and register later. If you have an account, sign in now to post with your account.

    Guest

Announcements



×
×
  • Create New...

Important Information

Privacy Policy

  I accept