FreeKB - Linux Commands tcpdump command
Linux Commands - tcpdump command

On a Linux system, let's say the ip address command returns the following. Notice in this example that there are two interfaces, lo and eth0.

~]# ip address
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether 00:0c:29:64:f5:94 brd ff:ff:ff:ff:ff:ff
    inet 192.168.0.5/24 brd 192.168.0.255 scope global noprefixroute eth0
       valid_lft forever preferred_lft forever
    inet6 fe80::20c:29ff:fe64:f594/64 scope link
       valid_lft forever preferred_lft forever


The tcpdump command with the -i option followed by the name of the interface whose traffic you want to view (eth0 in this example) displays the packets being processed by that interface.

tcpdump -i eth0


Something like this should be displayed.

23:32:18.257281 IP server1.example.com.ssh > localhost.58903: Flags [P.], seq 1618192:1618432, ack 1825, win 305, length 240
23:32:18.257291 IP localhost.58903 > server1.example.com.ssh: Flags [.], ack 1601808, win 510, length 0
23:32:18.257375 IP localhost.58903 > server1.example.com.ssh: Flags [.], ack 1602288, win 508, length 0
23:32:18.257391 IP localhost.58903 > server1.example.com.ssh: Flags [.], ack 1602528, win 512, length 0
23:32:18.257395 IP localhost.58903 > server1.example.com.ssh: Flags [.], ack 1602768, win 511, length 0
23:32:18.257398 IP localhost.58903 > server1.example.com.ssh: Flags [P.], seq 1825:1921, ack 1602768, win 511, length 96
23:32:18.257437 IP server1.example.com.ssh > localhost.58903: Flags [P.], seq 1618432:1618928, ack 1921, win 305, length 496
23:32:18.257540 IP server1.example.com.ssh > localhost.58903: Flags [P.], seq 1618928:1619712, ack 1921, win 305, length 784
^C
8041 packets captured
8041 packets received by filter
0 packets dropped by kernel



Redirect output to a file

The -w option writes the captured packets to a file instead of displaying them on the console. In this example, the output is written to capture.pcap, which can then be examined with Wireshark.

tcpdump -i eth0 -w capture.pcap 



Verbose

The following flags add more detail to each line of output:

  • -v (basic verbose)
  • -vv (more verbose)
  • -vvv (very verbose)

For example, the -v option produces basic verbose output; it can be combined with the -w option to write that output to a file instead of the console.

tcpdump -i eth0 -v



The capture.pcap file(s) created with -w can become quite large (MB or even GB). For this reason, first make sure the directory that will hold capture.pcap has plenty of free disk space. Use the df -h command to find a filesystem with enough free space, then use the cd (change directory) command to move into a directory on that filesystem before starting the capture.

df -h
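As an added example that is not part of the FreeKB page, the following POSIX shell script automates the disk-space check above before starting a capture, and bounds the capture with tcpdump's -C (rotate when a file reaches N million bytes) and -W (keep at most N files) options, which the page does not cover. The script name capture.sh, the directory /var/tmp and the 10% safety margin are assumptions.

```shell
#!/bin/sh
# Added example (not from the FreeKB page): check free space in the capture
# directory before running tcpdump -w, and cap the capture's size with -C/-W
# so a long-running capture cannot fill the filesystem.

# Available space in a directory, in MB, from POSIX "df -Pk" (1024-byte blocks).
avail_mb() {
    dir=$1
    [ -d "$dir" ] || return 1
    df -Pk "$dir" | awk 'NR==2 { printf "%d\n", $4 / 1024 }'
}

# Succeed only if the directory can hold the rotating capture at its largest
# (file_size_mb * file_count) plus an assumed 10% safety margin.
check_capture_dir() {
    dir=$1; file_size_mb=$2; file_count=$3
    need=$(( file_size_mb * file_count * 11 / 10 ))
    have=$(avail_mb "$dir") || return 1
    [ "$have" -ge "$need" ]
}

# Build the tcpdump command line. With -C, tcpdump appends a number to the
# filename for each rotated file (capture.pcap, capture.pcap1, ...).
build_capture_cmd() {
    iface=$1; dir=$2; file_size_mb=$3; file_count=$4
    printf 'tcpdump -i %s -w %s/capture.pcap -C %s -W %s\n' \
        "$iface" "$dir" "$file_size_mb" "$file_count"
}

# Entry point: only runs when invoked with four arguments, e.g.
#   sh capture.sh eth0 /var/tmp 100 10   (10 files of 100 MB, run as root)
if [ $# -eq 4 ]; then
    if check_capture_dir "$2" "$3" "$4"; then
        cmd=$(build_capture_cmd "$@")
        echo "running: $cmd"
        $cmd
    else
        echo "not enough free space in $2 for $(( $3 * $4 )) MB of captures" >&2
        exit 1
    fi
fi
```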

Web design by yours truly - me, myself, and I   |   jeremy.canfield@freekb.net