{"id":937,"date":"2008-12-10T17:33:25","date_gmt":"1999-01-01T00:00:00","guid":{"rendered":"https:\/\/fir3netwp.gmsrrpobkbd.com\/?p=937"},"modified":"2021-07-27T16:58:52","modified_gmt":"2021-07-27T16:58:52","slug":"unix-tcpdump-2","status":"publish","type":"post","link":"https:\/\/www.fir3net.com\/os\/unix\/general-unix\/unix-tcpdump-2.html","title":{"rendered":"A Look into Tcpdump"},"content":{"rendered":"
Tcpdump is a packet capture tool for the Linux command line. This is by no means a full guide, but a quick overview of some of the main commands.<\/p>\n
The syntax below will capture all traffic with the IP address 172.16.1.1 and an IP in the network 172.16.1.0\/24, on port udp\/53. This will write it to a capture file for viewing in Wireshark, with double verbosity (-vv).<\/p>\n
tcpdump -vvi eth2 -s 1500 -w test.cap host 172.16.1.1 and net 172.16.1.0\/24 and udp port 53<\/pre>\nThis will read back the capture file test.cap:<\/p>\n
tcpdump -r test.cap<\/p>\n
To view the payload of the packet, use the following commands:<\/p>\n
Tcpdump for Windows can be downloaded here<\/a><\/p>\n
 Handy tcpdump flags for saving to files<\/p>\n
 \u00b7 -w \/var\/log\/blahblah \u2013 save the pcap to the file specified<\/p>\n
 \u00b7 -C 50 \u2013 limits the file size to 50MB<\/p>\n
 \u00b7 -W 2 \u2013 will create two pcap files (name-of-file0 and name-of-file1) and rotate once full, i.e. data is saved to name-of-file0, then when that is full to name-of-file1. Once name-of-file1 is full it goes back and overwrites 0.<\/p>\n
 \u00b7 -s 0 \u2013 the -s flag specifies the size of packet to capture. 0 forces the full packet.<\/p>\n
 \u00b7 nohup <command to run> & \u2013 nohup allows a process to keep running even when the user logs out, and the \u201c&\u201d puts the process in the background. This is useful for long-running pcaps; however, make sure you note the process number so you can terminate it later with \u201ckill <processID>\u201d<\/p>\n
 Some examples<\/strong><\/p>\n
 tcpdump -s 0 -n -C 50 -w \/var\/log\/ticket-test.pcap -i 0.0 \"(host x.x.x.x and tcp port yy) or (host z.z.z.z and tcp port yy)\"<\/p>\n
 \u00b7 Run tcpdump (filtering on hosts\/ports) and save to the file specified (-w), up to 50MB per file (-C 50). The capture will NOT be rotated. The full packet is captured (-s 0).<\/p>\n
 nohup tcpdump -w \/var\/log\/ticket-test.pcap -C 50 -W 2 -i 0.0 \"(host x.x.x.x and tcp port yy) or (host z.z.z.z and tcp port yy)\" &<\/p>\n
 \u00b7 Run tcpdump (filtering again), saving to \u201c\/var\/log\/ticket-test.pcap0\u201d and \u201c\/var\/log\/ticket-test.pcap1\u201d. Two files due to the -W 2 flag. Captures will overwrite once full.<\/p>\n
 \u00b7 The tcpdump will keep running even when you quit the bash terminal (nohup) and is put into the background after hitting enter (&).<\/p>\n
 \u00b7 To kill it, make a note of the process number provided and then run \u201ckill <id>\u201d. You can also get the process number from \u201cps aef | grep tcpdump\u201d; ensure you get the right process ID (and not another one, or the parent process). Ask a senior colleague if unsure.<\/p>\n","protected":false},"excerpt":{"rendered":" Tcpdump is a packet capture tool for the Linux command line. This is by no means a full guide, but a quick overview of some of the main commands. The syntax below will capture all traffic with IP address of 172.16.1.1 and an IP in the network 172.16.1.0\/24 with a port of udp\/53. This will write … Read more<\/a><\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[54],"tags":[],"yoast_head":"\n