Tcpdump
Tcpdump is a Linux command-line utility used for sniffing in realtime. It also has the ability to parse and display packet information from PCAP formatted log files.
Capturing Packets
| Terminal |
| localhost:~ $ sudo tcpdump -s 65535 -i eth0 -w cap1.pcap |
This will capture all packets traversing interface eth0 in binary format (-w), and will save it to cap1.pcap.
Capturing HTTP
Let's say you wanted to capture all port 80 traffic for later analysis, you can do that with:
| Terminal |
| localhost:~ $ sudo tcpdump -s 1700 -i eth0 -w port80.pcap dst port 80 |
This will save MTU + 200 Application layer bytes matching destination port 80 (this is incoming or outgoing) on interface eth0 to port80.pcap.
Real-time monitoring
Tcpdump is an awesome tool for real-time packet monitoring, and displays all sorts of useful information (you can also use the pcap later in Wireshark)
| Terminal |
| localhost:~ $ sudo tcpdump -vv -nn -s 1700 dst host 1.2.3.4 |
This will print a real-time list of incoming packets destined for host 1.2.3.4 on any interface (but it will not save as pcap, add -w <file> before your libpcap match syntax to do that).
Replaying a PCAP
The great part about storing PCAP files is that you can search through them later using tcpdump. Some examples are:
| Terminal |
| localhost:~ $ sudo tcpdump -r port80.pcap -nn src host 1.2.3.4 |
This will print out a list of packets stored in port80.pcap from host 1.2.3.4
| This article contains too little information, it should be expanded or updated. |
|---|
Things you can do to help:
|
