Difference between revisions of "Tcpdump howto"
From thelinuxwiki
| Line 14: | Line 14: | ||
| − | + | '''Showing link level headers (MAC addresses)''' | |
tcpdump -e -i ethxxx | tcpdump -e -i ethxxx | ||
| − | + | '''filtering for specific sources and destinations''' | |
tcpdump -nnei eth1-01 '((host 192.168.1.1 and host 172.16.0.1) or (host 10.0.0.1 and host 172.16.0.1))' | tcpdump -nnei eth1-01 '((host 192.168.1.1 and host 172.16.0.1) or (host 10.0.0.1 and host 172.16.0.1))' | ||
| − | + | '''gentoo output file''' | |
| + | |||
| + | On gentoo, the output file sometimes goes where it wants to, instead of where I tell it with the -o option. That location is... | ||
| + | |||
default location /var/lib/tcpdump/ | default location /var/lib/tcpdump/ | ||
[[Category:Linux]] | [[Category:Linux]] | ||
Revision as of 19:28, 28 April 2014
capturing
Changing packet size in the capture file:
By default, when capturing packets into a file, it will save only 68 bytes of the data from each packet. The -s command line switch tells tcpdump how many bytes for each packet to save. Specifying 0 as a packet’s snapshot length tells tcpdump to save whole packet.
example: tcpdump -w file.cap -s 0
UNIX tcpdump 3.9.4(Freebsd, ipso)
Showing link level headers (MAC addresses)
tcpdump -e -i ethxxx
filtering for specific sources and destinations
tcpdump -nnei eth1-01 '((host 192.168.1.1 and host 172.16.0.1) or (host 10.0.0.1 and host 172.16.0.1))'
gentoo output file
On gentoo, the output file sometimes goes where it wants to, instead of where I tell it with the -o option. That location is...
default location /var/lib/tcpdump/
