
Difference between revisions of "Tcpdump"

From NetSec
(Created page with "Tcpdump is a Linux command-line utility used for sniffing in realtime. It also has the ability to parse and display packet information from pcap formatted log files.")
 
 
(One intermediate revision by one other user not shown)
Line 1: Line 1:
Tcpdump is a [[Linux]] command-line utility used for [[sniffing]] in realtime.  It also has the ability to parse and display packet information from [[pcap]] formatted log files.
+
[http://www.tcpdump.org/ Tcpdump] is a [[Linux]] command-line utility used for [[sniffing]] in realtime.  It also has the ability to parse and display packet information from [[PCAP]] formatted log files.
 +
 
 +
= Capturing Packets =
 +
 
 +
  {{LinuxCMD|sudo tcpdump -s 65535 -i eth0 -w cap1.pcap}}
 +
 
 +
This will capture all packets traversing interface '''eth0''' in binary format ('''-w'''), and will save it to '''cap1.pcap'''.
 +
 
 +
= Capturing HTTP =
 +
 
 +
Let's say you wanted to capture all port 80 traffic for later analysis, you can do that with:
 +
 
 +
  {{LinuxCMD|sudo tcpdump -s 1700 -i eth0 -w port80.pcap dst port 80}}
 +
 
 +
This will save [[MTU]] + 200 Application layer bytes matching destination port 80 (this is incoming or outgoing) on interface '''eth0''' to '''port80.pcap'''.
 +
 
 +
= Real-time monitoring =
 +
 
 +
Tcpdump is an awesome tool for real-time packet monitoring, and displays all sorts of useful information (you can also use the pcap later in Wireshark)
 +
 
 +
  {{LinuxCMD|sudo tcpdump -vv -nn -s 1700 dst host 1.2.3.4}}
 +
 
 +
This will print a real-time list of incoming packets destined for host 1.2.3.4 on any interface (but it will not save as pcap, add '''-w <file>''' before your libpcap match syntax to do that).
 +
 
 +
= Replaying a PCAP =
 +
 
 +
The great part about storing PCAP files is that you can search through them later using tcpdump.  Some examples are:
 +
 
 +
{{LinuxCMD|sudo tcpdump -r port80.pcap -nn src host 1.2.3.4}}
 +
 
 +
This will print out a list of packets stored in port80.pcap from host 1.2.3.4
 +
 
 +
 
 +
 
 +
{{expand}}
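Review bot: the Real-time monitoring paragraph in this revision says the `sudo tcpdump -vv -nn -s 1700 dst host 1.2.3.4` command prints packets "on any interface", but the command carries no `-i`, so tcpdump listens on a single default interface; either add `-i any` to the command or drop the claim. The same hunk's "MTU + 200 Application layer bytes" wording for `-s 1700` is also imprecise: the snapshot length is counted from the start of the link-layer frame, so 1700 bytes covers a whole Ethernet frame at a 1500-byte MTU rather than 200 bytes of application data beyond it.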

Latest revision as of 03:52, 22 October 2012

Tcpdump is a Linux command-line utility used for sniffing in real time. It can also parse and display packet information from PCAP-formatted log files.

Capturing Packets

Terminal

localhost:~ $ sudo tcpdump -s 65535 -i eth0 -w cap1.pcap

This captures all packets traversing interface eth0 and writes them in binary pcap format (-w) to cap1.pcap; -s 65535 sets the snapshot length large enough that whole packets are stored rather than truncated.

Capturing HTTP

Say you want to capture all port 80 traffic for later analysis; you can do that with:

Terminal

localhost:~ $ sudo tcpdump -s 1700 -i eth0 -w port80.pcap dst port 80

This saves up to 1700 bytes (MTU + 200) of each packet with destination port 80, whether incoming or outgoing, on interface eth0 to port80.pcap.

Real-time monitoring

Tcpdump is an awesome tool for real-time packet monitoring and displays all sorts of useful information (you can also open the pcap later in Wireshark).

Terminal

localhost:~ $ sudo tcpdump -vv -nn -s 1700 dst host 1.2.3.4

This prints a real-time list of incoming packets destined for host 1.2.3.4 on any interface (it does not save a pcap; add -w <file> before the libpcap filter expression to do that).

Replaying a PCAP

The great part about storing PCAP files is that you can search through them later using tcpdump. For example:

Terminal

localhost:~ $ sudo tcpdump -r port80.pcap -nn src host 1.2.3.4

This prints the packets stored in port80.pcap that came from host 1.2.3.4 (-nn disables host and port name resolution).
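The following Python script is an added example, not part of the original wiki page and not tcpdump's own code. It shows what the capture and replay commands above actually produce and consume: it writes a pcap file image the way -w does, honouring the -s snapshot length so that oversized frames are stored truncated (the Capturing HTTP section), and reads the file back with a small subset of the filter syntax used on this page (src host, dst host, dst port, joined by and), which is what -r port80.pcap -nn src host 1.2.3.4 does (the Replaying a PCAP section). The frames, addresses, ports and timestamps are constructed for the example; build_frame, capture and replay are the script's own helper names, not tcpdump options.

```python
import struct
from typing import NamedTuple, Optional

# Constructed example, not tcpdump's own code: a minimal pcap writer/reader and a
# subset of the tcpdump filter syntax, to show what -s, -w and -r actually do.
PCAP_MAGIC = 0xA1B2C3D4      # classic pcap, microsecond timestamps
LINKTYPE_ETHERNET = 1        # link-layer type tcpdump records for an Ethernet interface

class Packet(NamedTuple):    # one pcap record
    ts: float
    orig_len: int            # length on the wire
    data: bytes              # captured bytes, at most snaplen of them

class Decoded(NamedTuple):   # the fields the filter primitives look at
    src: str
    dst: str
    sport: Optional[int]
    dport: Optional[int]
    payload: bytes

def build_frame(src, dst, sport, dport, payload):
    """Constructed Ethernet/IPv4/TCP frame; checksums left zero (decoding ignores them)."""
    ip4 = lambda a: bytes(int(x) for x in a.split("."))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0, ip4(src), ip4(dst))
    return bytes.fromhex("001122334455 66778899aabb 0800") + ip + tcp

def write_pcap(packets, snaplen):
    """Serialise frames the way `tcpdump -w` does: global header, then one record per frame."""
    out = bytearray(struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, snaplen, LINKTYPE_ETHERNET))
    for ts, frame in packets:
        captured = frame[:snaplen]             # this is the truncation -s controls
        sec, usec = int(ts), round((ts - int(ts)) * 1_000_000)
        out += struct.pack("<IIII", sec, usec, len(captured), len(frame)) + captured
    return bytes(out)

def read_pcap(blob):
    """Parse a little-endian pcap image into (snaplen, [Packet, ...])."""
    magic, _maj, _min, _tz, _sig, snaplen, linktype = struct.unpack_from("<IHHiIII", blob, 0)
    if magic != PCAP_MAGIC or linktype != LINKTYPE_ETHERNET:
        raise ValueError("not a little-endian Ethernet pcap")
    off, pkts = 24, []
    while off + 16 <= len(blob):
        sec, usec, incl, orig = struct.unpack_from("<IIII", blob, off)
        pkts.append(Packet(sec + usec / 1e6, orig, blob[off + 16:off + 16 + incl]))
        off += 16 + incl
    return snaplen, pkts

def decode(frame):
    """Decode Ethernet -> IPv4 -> TCP/UDP headers; returns None for non-IPv4 frames."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        return None
    l4, proto = 14 + (frame[14] & 0x0F) * 4, frame[23]
    src = ".".join(str(b) for b in frame[26:30])
    dst = ".".join(str(b) for b in frame[30:34])
    if proto not in (6, 17) or len(frame) < l4 + 4:
        return Decoded(src, dst, None, None, b"")
    sport, dport = struct.unpack_from("!HH", frame, l4)
    hdr = 8 if proto == 17 else ((frame[l4 + 12] >> 4) * 4 if len(frame) > l4 + 12 else 20)
    return Decoded(src, dst, sport, dport, frame[l4 + hdr:])

def compile_filter(expr):
    """Compile `[src|dst] host X` / `[src|dst] port N` primitives joined by `and`."""
    fields = {"host": {"src": ("src",), "dst": ("dst",), None: ("src", "dst")},
              "port": {"src": ("sport",), "dst": ("dport",), None: ("sport", "dport")}}
    clauses = []
    for part in expr.split(" and "):
        words = part.split()
        direction = words.pop(0) if words[0] in ("src", "dst") else None
        kind, value = words
        if kind not in fields:
            raise ValueError(f"unsupported primitive: {part!r}")
        want, names = (int(value) if kind == "port" else value), fields[kind][direction]
        clauses.append(lambda d, n=names, v=want: any(getattr(d, x) == v for x in n))
    return lambda d: all(c(d) for c in clauses)

def capture(frames, snaplen, expr):
    """Like `tcpdump -s <snaplen> -w out.pcap <expr>`: filter, truncate, serialise."""
    match = compile_filter(expr)
    return write_pcap([(ts, f) for ts, f in frames if (d := decode(f)) and match(d)], snaplen)

def replay(blob, expr):
    """Like `tcpdump -r file -nn <expr>`: return the (Packet, Decoded) pairs that match."""
    match = compile_filter(expr)
    return [(p, d) for p in read_pcap(blob)[1] if (d := decode(p.data)) and match(d)]

# Constructed traffic: two HTTP requests from 1.2.3.4, one response, one TLS ClientHello.
SAMPLE_FRAMES = [
    (1350000000.0001, build_frame("1.2.3.4", "10.0.0.5", 51000, 80, b"GET / HTTP/1.1\r\n\r\n")),
    (1350000000.0009, build_frame("10.0.0.5", "1.2.3.4", 80, 51000, b"HTTP/1.1 200 OK\r\n\r\n")),
    (1350000000.0020, build_frame("9.9.9.9", "10.0.0.5", 40000, 443, b"\x16\x03\x01")),
    (1350000000.0030, build_frame("1.2.3.4", "10.0.0.5", 51001, 80, b"POST /up HTTP/1.1\r\n\r\n" + b"A" * 2000)),
]

if __name__ == "__main__":
    blob = capture(SAMPLE_FRAMES, 1700, "dst port 80")     # tcpdump -s 1700 -w port80.pcap dst port 80
    for p, d in replay(blob, "src host 1.2.3.4"):          # tcpdump -r port80.pcap -nn src host 1.2.3.4
        print(f"{d.src}.{d.sport} > {d.dst}.{d.dport}: caplen {len(p.data)} len {p.orig_len}")
```

Run it with python3: it prints the two requests from 1.2.3.4 with their captured (caplen) and on-the-wire (len) sizes, and the second shows caplen 1700 against a larger len because the 1700-byte snapshot length cut it off. Two things the script makes visible that the commands alone do not: dst port 80 keeps only packets addressed to port 80, so the server's responses (source port 80) never reach the file and port 80 is needed to keep both directions; and the snapshot length applies to the whole frame from the Ethernet header onward, so anything beyond it is gone for good once the capture is written. Separately, a live tcpdump run with no -i listens on one default interface; pass -i any to watch every interface.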

