Pursuit-Zone

Last update: Wed Feb 22 20:50:04 2012
How To Use "tcpdump"
Description
  • "tcpdump" is a program for capturing network packets from a network interface on a computer and either printing a one-line decode of each packet or saving the raw packets to a file.
  • Generally, you must be root to use tcpdump (on Linux the CAP_NET_RAW capability is what capture actually requires).
  • This HOWTO is not a complete representation of the manpage. If you need more details, type "man tcpdump" at your command line (on newer systems the filter expression syntax has its own page, "man pcap-filter") and it will give you much more information. This is only intended as a cheat-sheet for people who actually have work to do. Protocol junkies should go read RFC-793.

Prerequisites

  • Unix, Linux, OS-X, or BSD.
  • A working tcpdump. As root, type "tcpdump" and press <enter>. If it starts dumping lines of output to the terminal, it works; press <ctrl-c> to stop it (on exit it reports how many packets it received and how many the kernel dropped). If it complains about permissions or the interface instead, you need more privilege or you need to install or repair the tcpdump/libpcap installation. Historically the source was available via anonymous FTP at ftp://ftp.ee.lbl.gov/tcpdump.tar.Z; current releases of both tcpdump and libpcap are at http://www.tcpdump.org.
  • libpcap. The capture library that tcpdump is built on. There is usually a copy of this or a link to it at the same location where you found tcpdump.
  • Ethereal (since renamed Wireshark). Its "Follow TCP Stream" feature makes decoding TCP data streams a breeze. Download it from http://www.ethereal.com (now http://www.wireshark.org).
  • Some knowledge of TCP/IP is helpful so you know what you are looking at.

Some Useful Options

-a Attempt to convert network and broadcast addresses to names. See -n. (Not present in newer versions; do not confuse it with -A, which prints each packet in ASCII.)
-c count Capture count packets and exit.
-f Print "foreign" (non-local) IPv4 addresses numerically rather than trying to resolve the hostname. This was originally a compatibility workaround for Sun's yp server hanging on lookups of non-local addresses.
-i interface Listen on interface. By default, tcpdump will use the lowest numbered configured-up interface, not including the loopback interface. If you have four ethernet interfaces on your Linux box named eth0 - eth3, tcpdump will choose eth0 unless you specify another interface with this option. Newer versions list the available interfaces with "tcpdump -D", and on Linux "-i any" captures on all interfaces at once.
-l Make STDOUT line buffered. This forces the STDOUT buffer to be flushed as each line is written so you can see the data while it is being captured; it is needed when piping the output into another program.
-n Prints IP addresses as numbers rather than resolving them to hostnames (-nn also leaves port numbers unresolved). See -a. Besides being faster, this keeps tcpdump from generating DNS queries of its own, which would otherwise show up in the capture and can tip off the hosts you are looking at.
-q Quiet mode. This option causes tcpdump to print less protocol-related information.
-s snaplen Capture snaplen (snapshot length) bytes of each packet rather than the default of 68 (or 96 bytes on SunOS). 68 bytes is enough for the IP and TCP headers but truncates the payload, so DNS answers, HTTP requests and anything else you want to decode later show up cut off (tcpdump marks such packets with a trailing "[|proto]", e.g. "[|domain]"). Set it to "0" to capture the entire packet; newer versions (4.0 and later) already default to whole packets, so -s 0 is then harmless. A larger snaplen means more copying per packet and more drops on a busy link, so do not raise it for nothing.
-t Don't print a timestamp on each line.
-tt Print an unformatted timestamp (seconds since the epoch) on each line.
-v Verbose output. TTL, identification, total length and options of the IP header are added to each packet.
-vv ("vee vee") Even more verbose output. Additional fields are printed if available in the packet.
-w file Write the raw packets to file rather than parsing and printing them to STDOUT. The file can be read back later with -r or opened in Ethereal. Because nothing is decoded, -w also keeps up with a busy link far better than printing does.

Expressions

  • Expressions are used to filter the output of tcpdump by selecting which packets will be captured. If no expression is given, all packets will be captured. The expression is compiled into a BPF program that the kernel applies before handing packets to tcpdump, so a narrow expression is the cheapest way to cut the load. Please be aware that on very active connections and slower computers, packets may be dropped; tcpdump reports the number "dropped by kernel" when it exits, so check that count before trusting a capture.

  • type
    • host - Used to specify which host to listen for. e.g. host 192.168.100.101 will listen for packets going to or from the host at IP address 192.168.100.101. A hostname may be given instead; it is resolved once, when the expression is compiled.
    • net - Used to specify which network IP range to listen for. The netmask is taken from the form of the number: a dotted quad such as net 192.168.100.0 gets a mask of 255.255.255.255 and is therefore really a host match for the single address 192.168.100.0, which is not what you want. To match the whole 192.168.100.x subnet, write net 192.168.100 (dotted triple, mask 255.255.255.0), net 192.168.100.0/24, or net 192.168.100.0 mask 255.255.255.0. Any of these will listen for packets going to or from hosts at 192.168.100.101, 192.168.100.98, 192.168.100.50 or any other IP address that starts with 192.168.100.
    • port - Used to specify which port to listen for. e.g. port 80 will listen for all traffic with a TCP or UDP source or destination port of 80, which is normally HTTP. Prefix it with a protocol (tcp port 80) to narrow it.

  • dir (direction; applies to the type that follows it)
    • src - the source address or port only
    • dst - the destination address or port only
    • src or dst - either end; this is the default when no dir is given
    • src and dst - both ends must match

  • proto (restricts the match to one protocol; if none is given, every protocol consistent with the type is assumed, so port 53 means tcp or udp port 53)
    • ether
    • fddi
    • ip (IPv4 only; ip6 selects IPv6 on versions that support it)
    • arp
    • rarp
    • tcp
    • udp
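Because the mask that tcpdump implies for a bare net argument is easy to get wrong, the following added example (not part of the original page or of tcpdump itself) reimplements in Python the pcap-filter rule for net arguments and checks whether a packet with a given source and destination would match under each dir qualifier. It only mirrors the documented rule for illustration; tcpdump compiles the expression to BPF and runs none of this code.

```python
import ipaddress

# Netmask tcpdump assigns to a bare IPv4 "net" argument, keyed by how many
# dotted components were written: quad -> /32, triple -> /24, pair -> /16,
# single number -> /8 (pcap-filter(7), "net net").
IMPLIED_PREFIX_LEN = {4: 32, 3: 24, 2: 16, 1: 8}


def net_primitive_to_network(spec):
    """Translate the argument of a `net` primitive into an IPv4Network.

    An explicit `/len` or `mask m.m.m.m` is honoured as written; otherwise
    the prefix length is implied by the number of dotted components.
    """
    spec = spec.strip()
    if " mask " in spec:
        address, mask = (part.strip() for part in spec.split(" mask ", 1))
        return ipaddress.IPv4Network((address, mask), strict=False)
    if "/" in spec:
        return ipaddress.IPv4Network(spec, strict=False)
    octets = spec.split(".")
    if len(octets) not in IMPLIED_PREFIX_LEN or not all(
        o.isdigit() and int(o) <= 255 for o in octets
    ):
        raise ValueError(f"not an IPv4 net argument: {spec!r}")
    # Pad the short form out to four octets, then apply the implied mask.
    padded = ".".join(octets + ["0"] * (4 - len(octets)))
    return ipaddress.IPv4Network(
        f"{padded}/{IMPLIED_PREFIX_LEN[len(octets)]}", strict=False
    )


def net_matches(spec, src, dst, direction="src or dst"):
    """Would a packet from src to dst match `<direction> net <spec>`?

    `src or dst` is what tcpdump assumes when no dir qualifier is given.
    """
    network = net_primitive_to_network(spec)
    src_in = ipaddress.IPv4Address(src) in network
    dst_in = ipaddress.IPv4Address(dst) in network
    return {
        "src": src_in,
        "dst": dst_in,
        "src or dst": src_in or dst_in,
        "src and dst": src_in and dst_in,
    }[direction]


if __name__ == "__main__":
    # The page's own example: "net 192.168.100.0" is really a host match, so
    # a packet from 192.168.100.101 does not match it; the /24 spellings do.
    for spec in ("192.168.100.0", "192.168.100", "192.168.100.0/24",
                 "192.168.100.0 mask 255.255.255.0"):
        hit = net_matches(spec, "192.168.100.101", "10.0.0.1")
        print(f"net {spec:<36} -> {net_primitive_to_network(spec)!s:<20} "
              f"matches 192.168.100.101? {hit}")
```

Run it without arguments to see the four spellings side by side; the first one is the trap, the other three are equivalent.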

Syntax

     tcpdump [options] [expressions]

     Quote the expression when it contains characters the shell would otherwise interpret, such as parentheses or "!".

Examples

  1. Capture all HTTP traffic to or from yahoo.com seen on eth1, printing addresses numerically:
         tcpdump -vvn -i eth1 host yahoo.com and port 80

     -n only affects printing; the name yahoo.com is still looked up once when the filter is compiled, and every address it resolves to at that moment is matched. If the name later resolves to different addresses, the running filter will not follow it.

  2. Capture all DNS traffic seen on eth1 and save it to the file /tmp/dns.cap for viewing with Ethereal:
         tcpdump -i eth1 -s 0 -w /tmp/dns.cap port 53

     -s 0 matters here: with the old default snaplen of 68 bytes most DNS responses are cut off part-way through and Ethereal shows them as malformed (newer tcpdump versions already default to the whole packet). The file holds the full payload of everything that matched, so protect it as you would the traffic itself.

Portions of this document were written by Van Jacobson, Craig Leres, Steven McCanne,
and others at Lawrence Berkeley National Laboratory, University of California, Berkeley, CA.

All other content on this page is ©2001-04 by Jon Bieker
http://www.pursuit-zone.com