Difference between revisions of "Tcpdump"
Latest revision as of 03:52, 22 October 2012
Tcpdump (http://www.tcpdump.org/) is a Linux command-line utility used for sniffing in real time. It can also parse and display packet information from PCAP-formatted capture files.

Capturing Packets

    localhost:~ $ sudo tcpdump -s 65535 -i eth0 -w cap1.pcap

This captures all packets traversing interface eth0 and writes them in binary pcap format (-w) to cap1.pcap.
Capturing HTTP

Let's say you wanted to capture all port 80 traffic for later analysis; you can do that with:

    localhost:~ $ sudo tcpdump -s 1700 -i eth0 -w port80.pcap dst port 80

This saves the first 1700 bytes of each packet (MTU + 200 bytes, which keeps the application-layer data) matching destination port 80, whether incoming or outgoing, on interface eth0 to port80.pcap.
Real-time monitoring

Tcpdump is an awesome tool for real-time packet monitoring, and displays all sorts of useful information (you can also use the pcap later in Wireshark).

    localhost:~ $ sudo tcpdump -vv -nn -s 1700 dst host 1.2.3.4

This prints a real-time list of incoming packets destined for host 1.2.3.4 on any interface. It does not save a pcap; add -w <file> before the libpcap filter expression to do that.
Replaying a PCAP

The great part about storing PCAP files is that you can search through them later using tcpdump. Some examples are:

    localhost:~ $ sudo tcpdump -r port80.pcap -nn src host 1.2.3.4

This prints out a list of the packets stored in port80.pcap that came from host 1.2.3.4.
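The -s value chosen at capture time (65535 in "Capturing Packets", 1700 in "Capturing HTTP") decides how many bytes of each packet end up in the file, and a capture that was cut short is easy to misread during later analysis. The following added example (not from the original article or from the tcpdump project) parses the classic libpcap file format that tcpdump -w writes, using a constructed in-memory capture, and reports which packets were truncated by the snaplen; the builder and the 2000-byte frame are assumptions for illustration.

```python
import struct
from typing import Dict, List, Tuple

# Classic libpcap (tcpdump -w) layout: a 24-byte global header, then for each
# packet a 16-byte record header followed by the captured bytes.
PCAP_MAGIC = 0xA1B2C3D4          # microsecond-resolution timestamps
LINKTYPE_ETHERNET = 1

def build_pcap(snaplen: int, packets: List[bytes]) -> bytes:
    """Constructed sample writer: emulates what tcpdump -s <snaplen> -w stores,
    keeping only the first snaplen bytes of each packet."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, snaplen, LINKTYPE_ETHERNET)
    for i, pkt in enumerate(packets):
        captured = pkt[:snaplen]
        # ts_sec, ts_usec, incl_len (bytes stored), orig_len (bytes on the wire)
        out += struct.pack("<IIII", 1350000000 + i, 0, len(captured), len(pkt))
        out += captured
    return out

def parse_pcap(data: bytes) -> Dict:
    """Parse a classic pcap file; returns snaplen, linktype and (caplen, wirelen) per record."""
    (magic,) = struct.unpack("<I", data[:4])
    if magic == PCAP_MAGIC:
        end = "<"
    elif magic == 0xD4C3B2A1:    # same magic written by a big-endian host
        end = ">"
    else:
        raise ValueError("not a classic pcap file (magic %#x)" % magic)
    _major, _minor, _tz, _sig, snaplen, linktype = struct.unpack(end + "HHiIII", data[4:24])
    records: List[Tuple[int, int]] = []
    off = 24
    while off + 16 <= len(data):
        _sec, _usec, caplen, wirelen = struct.unpack(end + "IIII", data[off:off + 16])
        off += 16
        if off + caplen > len(data):
            raise ValueError("truncated record at offset %d" % off)
        records.append((caplen, wirelen))
        off += caplen
    return {"snaplen": snaplen, "linktype": linktype, "records": records}

def truncated_packets(parsed: Dict) -> List[int]:
    """Indices of packets with fewer stored bytes than their on-wire length,
    i.e. packets cut short by the -s value used at capture time."""
    return [i for i, (cap, wire) in enumerate(parsed["records"]) if cap < wire]

if __name__ == "__main__":
    # Constructed packets: a 74-byte SYN-sized frame and an oversized 2000-byte frame.
    sample = build_pcap(1700, [b"\x00" * 74, b"\x00" * 2000])
    info = parse_pcap(sample)
    print("snaplen", info["snaplen"], "truncated packets", truncated_packets(info))
```

Point parse_pcap at the bytes of a real port80.pcap to check whether any packet in it was shortened before trusting payload-level analysis.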