Difference between revisions of "Tcpdump howto"
(→reading tcpdump captures) |
|||
| (5 intermediate revisions by one user not shown) | |||
| Line 1: | Line 1: | ||
| − | + | ||
| + | == capturing == | ||
| + | |||
| + | |||
| + | Changing packet size in the capture file: | ||
By default, when capturing packets into a file, it will save only 68 bytes of the data from each packet. The -s command line switch tells tcpdump how many bytes for each packet to save. Specifying 0 as a packet’s snapshot length tells tcpdump to save whole packet. | By default, when capturing packets into a file, it will save only 68 bytes of the data from each packet. The -s command line switch tells tcpdump how many bytes for each packet to save. Specifying 0 as a packet’s snapshot length tells tcpdump to save whole packet. | ||
| Line 10: | Line 14: | ||
| − | + | '''Showing link level headers (MAC addresses)''' | |
tcpdump -e -i ethxxx | tcpdump -e -i ethxxx | ||
| − | + | '''filtering for specific sources and destinations''' | |
tcpdump -nnei eth1-01 '((host 192.168.1.1 and host 172.16.0.1) or (host 10.0.0.1 and host 172.16.0.1))' | tcpdump -nnei eth1-01 '((host 192.168.1.1 and host 172.16.0.1) or (host 10.0.0.1 and host 172.16.0.1))' | ||
| + | '''filtering based on TCP flags''' | ||
| + | |||
| + | filter for packets with RST flag set | ||
| + | tcpdump -nnei eth0 'tcp[tcpflags] & tcp-rst != 0' | ||
| + | |||
| + | |||
| + | '''gentoo output file''' | ||
| + | |||
| + | On gentoo, the output file sometimes goes where it wants to, instead of where I tell it with the -o option. That location is... | ||
| − | |||
default location /var/lib/tcpdump/ | default location /var/lib/tcpdump/ | ||
| + | |||
| + | == reading tcpdump captures == | ||
| + | |||
| + | It is a pain sometimes to transfer tcpdump to another device for viewing in Wireshark or other utilities. The same filters that apply to capturing can be applied to reading the tcpdump capture file. | ||
| + | |||
| + | # tcpdump -r <path to file> | ||
| + | |||
| + | showing the data portion of a packet | ||
| + | |||
| + | # tcpdump -X -r <path to file> | ||
| + | |||
| + | double X will also display the link level headers | ||
| + | -XX | ||
| + | |||
| + | show absolute (not relative) sequence numbers | ||
| + | -S or --absolute-tcp-sequence-numbers | ||
[[Category:Linux]] | [[Category:Linux]] | ||
Latest revision as of 21:03, 28 January 2016
capturing
Changing packet size in the capture file:
By default, when capturing packets into a file, it will save only 68 bytes of the data from each packet. The -s command line switch tells tcpdump how many bytes for each packet to save. Specifying 0 as a packet’s snapshot length tells tcpdump to save whole packet.
example: tcpdump -w file.cap -s 0
UNIX tcpdump 3.9.4(Freebsd, ipso)
Showing link level headers (MAC addresses)
tcpdump -e -i ethxxx
filtering for specific sources and destinations
tcpdump -nnei eth1-01 '((host 192.168.1.1 and host 172.16.0.1) or (host 10.0.0.1 and host 172.16.0.1))'
filtering based on TCP flags
filter for packets with RST flag set
tcpdump -nnei eth0 'tcp[tcpflags] & tcp-rst != 0'
gentoo output file
On gentoo, the output file sometimes goes where it wants to, instead of where I tell it with the -o option. That location is...
default location /var/lib/tcpdump/
reading tcpdump captures
It is a pain sometimes to transfer tcpdump to another device for viewing in Wireshark or other utilities. The same filters that apply to capturing can be applied to reading the tcpdump capture file.
# tcpdump -r <path to file>
showing the data portion of a packet
# tcpdump -X -r <path to file>
double X will also display the link level headers
-XX
show absolute (not relative) sequence numbers
-S or --absolute-tcp-sequence-numbers
