tcpdump


tcpdump is a UNIX/Linux command-line packet capture utility.

  • classic sniffer developed in the 1980s
  • provides a user interface to the libpcap library
  • can filter traffic
  • runs only on UNIX-like operating systems
    • Similar Windows tool called windump
  • well suited to scripting scenarios and for hosts with no GUI

Usage

  • basic syntax: tcpdump -i eth0
    • will display captured packets until halted manually
  • switches/options:
    • -w: display captured packets to the console and write capture data to pcap format files
      • e.g., tcpdump -i eth0 -w capture.pcap
    • -r: read the contents of a capture file
    • -v, -vv, -vvv: increase the amount of detail shown about each frame
    • -e: shows the Ethernet (data link) header
    • -n: show addresses in numeric format (don’t resolve host names)
    • -nn: show addresses and ports in numeric format
    • -X: capture the packet payload in hex and ASCII
      • -XX includes the data link header
    • -s <bytes>: set the snap length for the data payload
      • by default, tcpdump captures the first 96 bytes of the data payload
      • to capture the full payload, set snap length to zero (-s 0)
  • often used with a filter expression:
    • Type
      • Filter by host, net, port, or portrange
        • host: capture source and destination traffic from the specified IP or hostname
    • Direction
      • Filter by source (src) or destination (dst) parameters (host, net, or port)
    • Protocol
      • Filter by a named protocol rather than port number (for example, arp, icmp, ip, ip6, tcp, udp, and so on)
  • can combine filter expressions with Boolean operators:
    • and &&
    • or ||
    • not !
  • filter syntax can use parentheses to group expressions
    • complex expressions should be enclosed by quotes
    • e.g., tcpdump -i eth0 "src host 10.1.0.100 and (dst port 53 or dst port 80)"
      • this command filters frames to those with source IP 10.1.0.100 and destination port 53 or 80
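The following Python script is an added example, not code from these notes or from the tcpdump project. It shows what the -w/-r and filter options above actually operate on: it builds a small pcap file in memory in the same record layout that -w writes (global header, then a per-packet header carrying captured length and original length), reads it back the way -r would, decodes the Ethernet/IPv4/TCP/UDP headers, and then applies the example filter "src host 10.1.0.100 and (dst port 53 or dst port 80)" as plain Python predicates that mirror tcpdump's host, src, dst and port qualifiers. The sample frames, addresses, ports and all helper names are constructed assumptions. The snaplen parameter demonstrates the -s switch: a short snap length truncates each record's captured bytes while the original length still records the size on the wire, and once the cut falls inside the IP header the host/port filters can no longer match at all.

```python
import struct
import socket

# pcap constants (real values from the pcap file format)
PCAP_MAGIC = 0xA1B2C3D4        # microsecond-resolution pcap, writer's native byte order
LINKTYPE_ETHERNET = 1

def ipv4_packet(src_ip, dst_ip, proto, src_port, dst_port, payload=b""):
    """Constructed Ethernet + IPv4 + TCP/UDP frame for parsing practice.
    Checksums are left at zero; this is sample data, not a real capture."""
    eth = bytes.fromhex("aabbccddeeff") + bytes.fromhex("001122334455") + b"\x08\x00"
    if proto == 6:    # TCP: minimal 20-byte header, ACK flag set
        l4 = struct.pack("!HHIIBBHHH", src_port, dst_port, 0, 0, 5 << 4, 0x10, 8192, 0, 0)
    else:             # UDP: 8-byte header
        l4 = struct.pack("!HHHH", src_port, dst_port, 8 + len(payload), 0)
    total = 20 + len(l4) + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total, 0, 0, 64, proto, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    return eth + ip + l4 + payload

def build_pcap(frames, snaplen=65535):
    """Serialize frames as `tcpdump -w` does: a 24-byte global header, then for
    each packet a 16-byte record header (ts_sec, ts_usec, incl_len, orig_len).
    incl_len is what was captured (cut to snaplen); orig_len is the wire size."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, snaplen, LINKTYPE_ETHERNET)
    for i, frame in enumerate(frames):
        captured = frame[:snaplen]
        out += struct.pack("<IIII", 1_700_000_000 + i, 0, len(captured), len(frame))
        out += captured
    return out

def parse_frame(raw, orig_len):
    """Decode Ethernet, IPv4 and the L4 ports into a dict; stop quietly at
    whatever point the captured bytes run out (the effect of a small -s)."""
    pkt = {"orig_len": orig_len, "captured_len": len(raw), "truncated": len(raw) < orig_len}
    if len(raw) < 14:
        return pkt
    pkt["ethertype"], = struct.unpack_from("!H", raw, 12)
    if pkt["ethertype"] != 0x0800 or len(raw) < 34:
        return pkt
    ihl = (raw[14] & 0x0F) * 4                 # IPv4 header length in bytes
    pkt["proto"] = raw[23]
    pkt["src"] = socket.inet_ntoa(raw[26:30])
    pkt["dst"] = socket.inet_ntoa(raw[30:34])
    l4 = 14 + ihl
    if pkt["proto"] in (6, 17) and len(raw) >= l4 + 4:
        pkt["sport"], pkt["dport"] = struct.unpack_from("!HH", raw, l4)
    return pkt

def read_pcap(data):
    """Read a pcap file as `tcpdump -r` would: detect byte order from the
    magic, check the link type, then walk the packet records."""
    magic, = struct.unpack_from("<I", data, 0)
    if magic == PCAP_MAGIC:
        endian = "<"
    elif magic == 0xD4C3B2A1:                  # same magic written big-endian
        endian = ">"
    else:
        raise ValueError("not a pcap file (magic %#x)" % magic)
    snaplen, linktype = struct.unpack_from(endian + "II", data, 16)
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError("this example parser only handles Ethernet captures")
    off, pkts = 24, []
    while off + 16 <= len(data):
        _ts_sec, _ts_usec, incl_len, orig_len = struct.unpack_from(endian + "IIII", data, off)
        off += 16
        pkts.append(parse_frame(data[off:off + incl_len], orig_len))
        off += incl_len
    return snaplen, pkts

# Predicates mirroring tcpdump's filter primitives (assumed helper names)
def host(p, ip):     return p.get("src") == ip or p.get("dst") == ip
def src_host(p, ip): return p.get("src") == ip
def dst_host(p, ip): return p.get("dst") == ip
def port(p, n):      return n in (p.get("sport"), p.get("dport"))
def dst_port(p, n):  return p.get("dport") == n
def proto(p, name):  return p.get("proto") == {"icmp": 1, "tcp": 6, "udp": 17}[name]

def apply_filter(pkts, predicate):
    return [p for p in pkts if predicate(p)]

def page_example_filter(p):
    # src host 10.1.0.100 and (dst port 53 or dst port 80)
    return src_host(p, "10.1.0.100") and (dst_port(p, 53) or dst_port(p, 80))

# Constructed sample traffic: a DNS query, an HTTP request, an SSH segment from
# the same host, and a DNS query from a different host.
SAMPLE_FRAMES = [
    ipv4_packet("10.1.0.100", "10.1.0.1", 17, 51000, 53, b"\x12\x34\x01\x00" + b"\x00" * 8),
    ipv4_packet("10.1.0.100", "93.184.216.34", 6, 51001, 80, b"GET / HTTP/1.1\r\n"),
    ipv4_packet("10.1.0.100", "10.1.0.50", 6, 51002, 22),
    ipv4_packet("10.1.0.7", "10.1.0.1", 17, 51003, 53, b"\x00" * 12),
]

def demo(snaplen=65535):
    """Write the sample frames to pcap bytes, read them back, apply the filter."""
    _, pkts = read_pcap(build_pcap(SAMPLE_FRAMES, snaplen))
    return apply_filter(pkts, page_example_filter)

if __name__ == "__main__":
    for p in demo():
        print(p["src"], "->", p["dst"], "dport", p["dport"], "truncated:", p["truncated"])
```

With the default snap length the filter keeps exactly the DNS and HTTP frames from 10.1.0.100; with snaplen=40 every record is marked truncated (payload lost) but the headers survive and the same two frames still match; with snaplen=20 the cut lands inside the IP header and nothing matches, which is the practical reason the notes recommend -s 0 when the payload matters.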

Info

ngrep is another packet capture and analysis tool

  • uses standard filter syntax
  • supports use of regular expressions to search and filter capture output

Can use netcat tool to copy network traffic from one host to another for analysis

Use Case

Helpful for real-time network troubleshooting and capturing packets for later analysis.