Tcpdump is a packet capture tool for the Linux command line. This is by no means a full guide, just a quick overview of some of the main commands.
The command below captures all traffic involving the host 172.16.1.1 and an IP in the network 172.16.1.0/24 with a port of udp/53, and writes it to a capture file for viewing in Wireshark, with double verbosity (note that when writing with -w, -vv only affects the progress output on stderr, not what is saved to the file).
tcpdump -vvi eth2 -s 1500 -w test.cap host 172.16.1.1 and net 172.16.1.0/24 and udp port 53
This will read back the capture file test.cap:
tcpdump -r test.cap
To view the payload of the packets, use one of the following flags:
- -X – displays the packet in both hex and ASCII.
- -A – displays just the payload in ASCII.
Tcpdump for Windows can be downloaded here.
Handy tcpdump flags for saving to files
- -w /var/log/blahblah – save the pcap to the file specified.
- -C 50 – limits each file to 50MB.
- -W 2 – used with -C, creates two pcap files (name-of-file0 and name-of-file1) and rotates between them once full, i.e. data is saved to name-of-file0, then when that is full to name-of-file1. Once name-of-file1 is full it goes back and overwrites name-of-file0.
- -s 0 – the -s flag specifies the snapshot length (how many bytes of each packet to capture). 0 forces the full packet.
- nohup <command to run> & – nohup allows a process to keep running even when the user logs out, and the "&" puts the process in the background. This is useful for long-running captures, but make sure you note the process number so you can terminate it later with "kill <processID>".
tcpdump -s 0 -n -C 50 -w /var/log/ticket-test.pcap -i 0.0 "(host x.x.x.x and tcp port yy) or (host z.z.z.z and tcp port yy)"
- Runs tcpdump (filtering on hosts/ports) and saves to the file specified (-w) up to 50MB. The capture will NOT be rotated: without -W, each time the 50MB limit is reached tcpdump starts a new file with a numeric suffix (ticket-test.pcap1, ticket-test.pcap2, ...) and nothing is overwritten, so keep an eye on disk space. The full packet is captured (-s 0).
nohup tcpdump -w /var/log/ticket-test.pcap -C 50 -W 2 -i 0.0 "(host x.x.x.x and tcp port yy) or (host z.z.z.z and tcp port yy)" &
- Runs tcpdump (filtering again), saving to "/var/log/ticket-test.pcap0" and "/var/log/ticket-test.pcap1". Two files due to the -W 2 flag. The captures will be overwritten once both are full.
- The tcpdump will keep running even when you quit the bash terminal (nohup) and is put into the background after you hit enter (&).
- To stop it, make a note of the process number printed when it started and then run "kill <id>". You can also get the process number from "ps aef | grep tcpdump"; make sure you pick the right process ID (and not another capture or the parent process). Ask a senior colleague if unsure.
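The procedure above (rotating capture under nohup, note the PID, kill exactly that PID later) is easy to get wrong by hand, so here is an added example wrapper script that is not part of the original post. It is a hypothetical helper: it assumes tcpdump is on the PATH, that the interface name, output path and BPF filter are supplied by the caller, and uses a pidfile path you choose; the function names are my own. It also lists the file names a -C/-W ring buffer will produce (tcpdump appends a counter starting at 0, zero-padded to the width of the highest index), which goes a little beyond the two-file case in the text.

```shell
#!/bin/sh
# Added example (not from the original post): wrap a long-running rotating
# tcpdump capture so its PID is recorded at start and only that process is
# signalled at stop. Assumptions: tcpdump is on PATH, the caller supplies
# interface/output path/filter, and the pidfile directory is writable.

# Print the files a -C/-W ring buffer will write for output path $1 and
# file count $2. tcpdump appends 0..N-1, zero-padded to the width of N-1;
# with -W 1 (or no -W) the first file keeps the plain name.
ring_buffer_files() {
    base=$1; count=$2
    if [ "$count" -le 1 ]; then
        printf '%s\n' "$base"   # without -W, later files get suffix 1, 2, ... unbounded
        return 0
    fi
    last=$((count - 1)); width=${#last}
    i=0
    while [ "$i" -lt "$count" ]; do
        printf "%s%0${width}d\n" "$base" "$i"
        i=$((i + 1))
    done
}

# Build the tcpdump command line (for logging/review) from:
#   $1 interface, $2 output path, $3 file size in MB,
#   $4 file count for -W (0 = no rotation, numbered files keep growing),
#   $5 BPF filter expression.
build_capture_cmd() {
    iface=$1; out=$2; size=$3; count=$4; filter=$5
    cmd="tcpdump -s 0 -n -i $iface -C $size"
    [ "$count" -gt 0 ] && cmd="$cmd -W $count"
    cmd="$cmd -w $out '$filter'"
    printf '%s\n' "$cmd"
}

# Start the capture in the background under nohup and record its PID.
#   $1 pidfile, then the same arguments as build_capture_cmd.
start_capture() {
    pidfile=$1; shift
    iface=$1; out=$2; size=$3; count=$4; filter=$5
    echo "running: $(build_capture_cmd "$iface" "$out" "$size" "$count" "$filter")"
    if [ "$count" -gt 0 ]; then
        nohup tcpdump -s 0 -n -i "$iface" -C "$size" -W "$count" -w "$out" "$filter" >"$out.log" 2>&1 &
    else
        nohup tcpdump -s 0 -n -i "$iface" -C "$size" -w "$out" "$filter" >"$out.log" 2>&1 &
    fi
    echo $! >"$pidfile"
    echo "tcpdump PID $(cat "$pidfile") saved to $pidfile; capture files:"
    ring_buffer_files "$out" "$count"
}

# Stop the capture recorded in pidfile $1, but only if that PID is still a
# tcpdump process (guards against a recycled PID or the wrong process).
stop_capture() {
    pidfile=$1
    pid=$(cat "$pidfile") || return 1
    case "$(ps -p "$pid" -o comm= 2>/dev/null)" in
        tcpdump) kill "$pid" && rm -f "$pidfile" && echo "stopped tcpdump $pid" ;;
        *) echo "PID $pid is not a running tcpdump; refusing to kill" >&2; return 1 ;;
    esac
}

# Usage (placeholders, as in the post):
#   ./capture.sh start /var/run/ticket-test.pid 0.0 /var/log/ticket-test.pcap 50 2 \
#       '(host x.x.x.x and tcp port yy) or (host z.z.z.z and tcp port yy)'
#   ./capture.sh stop /var/run/ticket-test.pid
case "${1:-}" in
    start) shift; start_capture "$@" ;;
    stop)  shift; stop_capture "$@" ;;
esac
```

The stop path checks the process name with `ps -p <pid> -o comm=` before sending the signal, which is the check the last bullet asks you to do by eye; if the pidfile is stale or points at something other than tcpdump, the script refuses rather than killing whatever now owns that PID.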