
Tcpdump

From NetSec
Revision as of 03:52, 22 October 2012 by User (Talk | contribs)


Tcpdump is a Linux command-line utility for capturing ("sniffing") network traffic in real time. It can also parse and display packet information from PCAP-formatted capture files.

Capturing Packets

Terminal

localhost:~ $ sudo tcpdump -s 65535 -i eth0 -w cap1.pcap

This captures every packet traversing interface eth0 (-i eth0) and writes it in binary pcap format (-w) to cap1.pcap. The -s 65535 option sets the snapshot length so that whole packets are kept rather than truncated.

Capturing HTTP

Say you want to capture all port 80 traffic for later analysis. You can do that with:

Terminal

localhost:~ $ sudo tcpdump -s 1700 -i eth0 -w port80.pcap dst port 80

This saves the first 1700 bytes of each packet (roughly MTU + 200 bytes of application-layer data) whose destination port is 80 (incoming or outgoing) on interface eth0 to port80.pcap.

Real-time monitoring

Tcpdump is an awesome tool for real-time packet monitoring and displays all sorts of useful information (a saved pcap can also be opened later in Wireshark).

Terminal

localhost:~ $ sudo tcpdump -vv -nn -s 1700 dst host 1.2.3.4

This prints a real-time list of incoming packets destined for host 1.2.3.4 on any interface. It does not save a pcap; add -w <file> before the libpcap filter expression to do that.

Replaying a PCAP

The great part about storing PCAP files is that you can search through them later using tcpdump. Some examples are:

Terminal

localhost:~ $ sudo tcpdump -r port80.pcap -nn src host 1.2.3.4

This prints the packets stored in port80.pcap that were sent from host 1.2.3.4.
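To make concrete what -s, -w and -r actually do, here is an added example (not code from the NetSec wiki or from the tcpdump project) written in pure Python: a minimal writer and reader for the pcap file format that tcpdump -w produces and tcpdump -r consumes, plus filters that mirror the two capture-filter expressions used on this page, dst port 80 and src host 1.2.3.4. The frames are constructed in the script (the client address 10.0.0.5, the ports and the payloads are made up for the demo; 1.2.3.4 is the host used on this page). The example also shows the snapshot-length trade-off behind -s: a snaplen that is large enough keeps the headers intact while truncating the payload, but one that is too small cuts into the TCP/IP headers and the filters no longer match anything.

```python
"""Minimal pcap writer/reader mirroring `tcpdump -w` / `tcpdump -r`, with
filters equivalent to the BPF expressions `dst port 80` and `src host X`.
Added educational example; the frames below are constructed, not captured."""
import io
import socket
import struct

PCAP_MAGIC = 0xA1B2C3D4      # microsecond-resolution pcap, little-endian here
LINKTYPE_ETHERNET = 1


def write_pcap(packets, snaplen):
    """Serialize (timestamp, frame) pairs as a pcap file, truncating each frame
    to `snaplen` bytes the way `tcpdump -s` does (caplen vs. original length)."""
    out = io.BytesIO()
    # global header: magic, version 2.4, thiszone, sigfigs, snaplen, linktype
    out.write(struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0,
                          snaplen, LINKTYPE_ETHERNET))
    for ts, frame in packets:
        captured = frame[:snaplen]
        sec = int(ts)
        usec = int((ts - sec) * 1000000)
        # per-record header: ts_sec, ts_usec, captured length, wire length
        out.write(struct.pack("<IIII", sec, usec, len(captured), len(frame)))
        out.write(captured)
    return out.getvalue()


def read_pcap(data):
    """Yield (caplen, origlen, frame_bytes) for every record in a pcap blob."""
    (magic,) = struct.unpack_from("<I", data, 0)
    if magic != PCAP_MAGIC:
        raise ValueError("unsupported pcap magic or byte order")
    _snaplen, linktype = struct.unpack_from("<II", data, 16)
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError("only Ethernet link type handled in this example")
    off = 24
    while off < len(data):
        _sec, _usec, caplen, origlen = struct.unpack_from("<IIII", data, off)
        off += 16
        yield caplen, origlen, data[off:off + caplen]
        off += caplen


def build_tcp_frame(src_ip, dst_ip, sport, dport, payload):
    """Constructed Ethernet/IPv4/TCP frame (checksums left zero: enough to
    exercise header parsing and filtering, not meant to be sent anywhere)."""
    eth = b"\x00" * 12 + b"\x08\x00"                      # MACs + EtherType IPv4
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18,
                      65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    return eth + ip + tcp


def parse_ipv4_tcp(frame):
    """Return {src, dst, sport, dport} for an Ethernet/IPv4/TCP frame, or None
    when it is not TCP/IPv4 or the snaplen cut off the headers we need."""
    if len(frame) < 14 or frame[12:14] != b"\x08\x00":
        return None
    ip = frame[14:]
    if len(ip) < 20:
        return None
    ihl = (ip[0] & 0x0F) * 4
    if ip[9] != 6 or len(ip) < ihl + 4:
        return None
    sport, dport = struct.unpack_from("!HH", ip, ihl)
    return {"src": socket.inet_ntoa(ip[12:16]),
            "dst": socket.inet_ntoa(ip[16:20]),
            "sport": sport, "dport": dport}


def matches(frame, src_host=None, dst_port=None):
    """The subset of BPF semantics used on this page: `src host X`, `dst port N`."""
    hdr = parse_ipv4_tcp(frame)
    if hdr is None:
        return False
    if src_host is not None and hdr["src"] != src_host:
        return False
    if dst_port is not None and hdr["dport"] != dst_port:
        return False
    return True


# Constructed sample traffic: an HTTP request from 10.0.0.5 to 1.2.3.4, the
# reply from 1.2.3.4, and an unrelated TLS connection attempt to 8.8.8.8.
SAMPLE_FRAMES = [
    (1.0, build_tcp_frame("10.0.0.5", "1.2.3.4", 40000, 80,
                          b"GET / HTTP/1.1\r\n" + b"A" * 1500)),
    (1.1, build_tcp_frame("1.2.3.4", "10.0.0.5", 80, 40000,
                          b"HTTP/1.1 200 OK\r\n")),
    (1.2, build_tcp_frame("10.0.0.5", "8.8.8.8", 40001, 443, b"")),
]


def demo(snaplen=96):
    """Write the samples with the given snaplen, read them back, and count what
    the page's two filters would select."""
    records = list(read_pcap(write_pcap(SAMPLE_FRAMES, snaplen)))
    return {
        "records": len(records),
        "truncated": sum(1 for cl, ol, _ in records if cl < ol),
        "dst_port_80": sum(1 for _, _, f in records if matches(f, dst_port=80)),
        "src_host_1.2.3.4": sum(1 for _, _, f in records
                                if matches(f, src_host="1.2.3.4")),
    }


if __name__ == "__main__":
    print("snaplen 96:", demo(96))
    print("snaplen 30:", demo(30))
```

Two things stand out when running it. With a snaplen of 96 the large request is truncated (caplen smaller than the wire length) yet still matches, because the Ethernet, IP and TCP headers fit in the first 54 bytes; with a snaplen of 30 every frame is cut inside the IP header and neither filter matches anything, which is why the page's captures use -s 1700 or -s 65535. Also note that dst port 80 selects only the request: the server's reply has source port 80, so a capture of both directions needs port 80 instead.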
