Questions about this topic? Sign up to ask in the talk tab.

Difference between revisions of "Tcpdump"

From NetSec
Jump to: navigation, search
 
Line 1: Line 1:
Tcpdump is a [[Linux]] command-line utility used for [[sniffing]] in realtime.  It also has the ability to parse and display packet information from [[pcap]] formatted log files.
+
[http://www.tcpdump.org/ Tcpdump] is a [[Linux]] command-line utility used for [[sniffing]] in realtime.  It also has the ability to parse and display packet information from [[PCAP]] formatted log files.
 +
 
 +
= Capturing Packets =
 +
 
 +
  {{LinuxCMD|sudo tcpdump -s 65535 -i eth0 -w cap1.pcap}}
 +
 
 +
This will capture all packets traversing interface '''eth0''' in binary format ('''-w'''), and will save it to '''cap1.pcap'''.
 +
 
 +
= Capturing HTTP =
 +
 
 +
Let's say you wanted to capture all port 80 traffic for later analysis, you can do that with:
 +
 
 +
  {{LinuxCMD|sudo tcpdump -s 1700 -i eth0 -w port80.pcap dst port 80}}
 +
 
 +
This will save [[MTU]] + 200 Application layer bytes matching destination port 80 (this is incoming or outgoing) on interface '''eth0''' to '''port80.pcap'''.
 +
 
 +
= Real-time monitoring =
 +
 
 +
Tcpdump is an awesome tool for real-time packet monitoring, and displays all sorts of useful information (you can also use the pcap later in Wireshark)
 +
 
 +
  {{LinuxCMD|sudo tcpdump -vv -nn -s 1700 dst host 1.2.3.4}}
 +
 
 +
This will print a real-time list of incoming packets destined for host 1.2.3.4 on any interface (but it will not save as pcap, add '''-w <file>''' before your libpcap match syntax to do that).
 +
 
 +
= Replaying a PCAP =
 +
 
 +
The great part about storing PCAP files is that you can search through them later using tcpdump.  Some examples are:
 +
 
 +
{{LinuxCMD|sudo tcpdump -r port80.pcap -nn src host 1.2.3.4}}
 +
 
 +
This will print out a list of packets stored in port80.pcap from host 1.2.3.4
 +
 
  
  
 
{{expand}}
 
{{expand}}

Latest revision as of 03:52, 22 October 2012

Tcpdump is a Linux command-line utility used for sniffing in realtime. It also has the ability to parse and display packet information from PCAP formatted log files.

Capturing Packets

Terminal

localhost:~ $ sudo tcpdump -s 65535 -i eth0 -w cap1.pcap

This will capture all packets traversing interface eth0 in binary format (-w), and will save it to cap1.pcap.

Capturing HTTP

Let's say you wanted to capture all port 80 traffic for later analysis, you can do that with:

Terminal

localhost:~ $ sudo tcpdump -s 1700 -i eth0 -w port80.pcap dst port 80

This will save MTU + 200 Application layer bytes matching destination port 80 (this is incoming or outgoing) on interface eth0 to port80.pcap.

Real-time monitoring

Tcpdump is an awesome tool for real-time packet monitoring, and displays all sorts of useful information (you can also use the pcap later in Wireshark)

Terminal

localhost:~ $ sudo tcpdump -vv -nn -s 1700 dst host 1.2.3.4

This will print a real-time list of incoming packets destined for host 1.2.3.4 on any interface (but it will not save as pcap, add -w <file> before your libpcap match syntax to do that).

Replaying a PCAP

The great part about storing PCAP files is that you can search through them later using tcpdump. Some examples are:

Terminal

localhost:~ $ sudo tcpdump -r port80.pcap -nn src host 1.2.3.4

This will print out a list of packets stored in port80.pcap from host 1.2.3.4


This article contains too little information, it should be expanded or updated.
Things you can do to help:
  • add more content.
  • update current content.