tcpdump is a common packet analyzer that runs under the command line. It allows the user to intercept and display TCP/IP and other packets being transmitted or received over a network to which the computer is attached. Distributed under the BSD license, tcpdump is free software.
In this post, i will try to show you how to use tcpdump command and capture required package.
In this post, i will try to show you how to use tcpdump command and capture required package.
- 'tcpdump' - capture the traffic passing through 'eth0' or management interface.
- 'tcpdump -i eth1' - use minus (-) i option to capture packet passing through eth1
- 'tcpdump -e -i eth1' - use minus (-) e option to capture packets passing through eth1 with ethernet header details.
- 'tcpdump -i eth1 tcp' - capture tcp packets only which are passing through eth1
- 'tcpdump -i eth1 tcp and src host 2.2.2.2' - capture tcp packets which is sent from 2.2.2.2
- 'tcpdump -i eth1 tcp or src host 2.2.2.2' - capture tcp packets or packets whose src ip is 2.2.2.2
- 'tcpdump -i eth1 tcp and greater 1000' - capture tcp packets whose length is greater then 1000B.
- tcpdump -n -i eth1 tcp : minus (-) n used to avoid DNS lookups. Don't convert host addresses to names.
Save tcpdump in a file- use minus (-) w option which can be read using WhireShark.
- 'tcpdump -i eth1 -w /dir/file.pcap tcp and host 10.102.174.42'
Read .pcap file using tcpdump
- 'tcpdump -e -r src9.pcap | grep http'
All available filters that you can apply to capture required packets -
- dst host 2.2.2.2 or dst host 9901::123 - destination host
- host 2.2.2.2 or host 9901::123 - has this IP
- ether src fa:38:3c:50:63:72
- ether dst, ether host
- src port 21
- dst port 80
- src portrange 10-90
- less 100
- vlan 5
