TCPDump

tcpdump – dump traffic on a network

Synopsis:

tcpdump [-adeflnNOpqRStuvxX] [-c count] [-C file_size] [-F file]
        [-i interface] [-m module] [-r file] [-s snaplen] [-T type]
        [-U user] [-w file] [-E algo:secret] [expression]

Description:

Tcpdump prints the headers of packets on a network interface that match the boolean expression.

-w flag: save the raw packet data to a file instead of printing it

-r flag: read packets from a saved packet file rather than from a network interface

Tcpdump keeps capturing packets until it is interrupted (Ctrl-C, or a SIGINT/SIGTERM from the kill command).

If it is started with the -c flag, it stops when the specified number of packets has been processed, or earlier if a SIGINT or SIGTERM arrives first.

When tcpdump is done capturing packets, it reports counts of:

-packets "received by filter"

-packets "dropped by kernel" (dropped for lack of buffer space; a nonzero count means the capture is not a complete record)

Newer versions also print a "packets captured" line before these two.

Note: capturing from an interface requires root (or the raw-socket capability on Linux), but reading a saved packet file with -r does not. The protocol decoders run as whoever invokes tcpdump, so read capture files from untrusted sources as an unprivileged user.
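The exit counts above are the only signal that a capture is complete, so a capture wrapper should parse them. The script below is an added example, not part of this page or of tcpdump itself: it pulls the "captured", "received by filter" and "dropped by kernel" lines out of captured stderr text and classifies the run. The SAMPLE_STDERR text and its numbers are constructed for the example, and the drop ratio is only a coarse indicator because the exact meaning of "received by filter" varies by operating system.

```python
import re

# One count per line, as tcpdump prints on stderr at exit. Older versions print
# only "received by filter" and "dropped by kernel"; newer ones add "captured"
# first, so every key is treated as optional.
SUMMARY_RE = re.compile(
    r"^\s*(\d+) packets? (captured|received by filter|dropped by kernel)\s*$"
)


def parse_summary(stderr_text):
    """Return {'captured': n, 'received by filter': n, 'dropped by kernel': n} for the lines found."""
    counts = {}
    for line in stderr_text.splitlines():
        m = SUMMARY_RE.match(line)
        if m:
            counts[m.group(2)] = int(m.group(1))
    return counts


def assess_capture(stderr_text):
    """Classify a finished capture: any kernel drop means the savefile is incomplete."""
    counts = parse_summary(stderr_text)
    if "received by filter" not in counts or "dropped by kernel" not in counts:
        # tcpdump was killed with SIGKILL or crashed before it could report
        return {"status": "unknown", "counts": counts}
    dropped = counts["dropped by kernel"]
    received = counts["received by filter"]
    # Coarse loss indicator only; "received by filter" semantics differ per OS
    ratio = dropped / received if received else 0.0
    return {
        "status": "complete" if dropped == 0 else "lossy",
        "dropped": dropped,
        "drop_ratio": ratio,
        "counts": counts,
    }


# Constructed sample of what a wrapper would collect from tcpdump's stderr
SAMPLE_STDERR = """\
tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
^C
37 packets captured
40 packets received by filter
3 packets dropped by kernel
"""

if __name__ == "__main__":
    print(assess_capture(SAMPLE_STDERR))
```

In a wrapper, redirect tcpdump's stderr to a file and feed it to assess_capture after the process exits; a "lossy" result is the cue to raise the kernel buffer (-B on newer versions), lower the snaplen, or tighten the filter before relying on the capture as evidence.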

 

Options:

-a

Convert network and broadcast addresses to names

-c

exit after receiving count packets

-C

Before writing a raw packet to a savefile, check whether the file is larger than file_size (in millions of bytes, i.e. 1,000,000 bytes) and, if it is, close the current savefile and open a new one. Savefiles after the first get the -w name with a number appended, starting at 1 (file1, file2, ...).

-d

dump the compiled packet-matching code in a human-readable form to standard output and stop

-e

print the link-level header on each dump line

-f

print "foreign" internet addresses numerically instead of symbolically

-F

use file as input for the filter expression; any additional expression given on the command line is ignored

-i

listen on interface

-l

make stdout line buffered; useful if you want to see the data while capturing it (e.g. tcpdump -l | tee dat)

-m

load SMI MIB module definitions from file module (used when decoding SNMP)

-n

don't convert host addresses to names (use this to avoid DNS lookups, which are slow and leak the addresses you are investigating to the resolver)

-nn

don’t convert protocol and port numbers to names

-N

don’t print domain name qualifications of hosts

-q

quick (quiet) output: print less protocol information so lines are shorter

-r

read packets from file (that has been created with -w)

-S

print absolute rather than relative TCP sequence numbers

-T

force packets selected by expression to be interpreted as the specified type

Currently known types:

-cnfp (Cisco NetFlow protocol)

-rpc (Remote Procedure Call)

-rtp (Real-Time Applications protocol)

-rtcp (Real-Time Applications control protocol)

-snmp (Simple Network Management Protocol)

-vat (Visual Audio Tool)

-wb (distributed White Board)

-t

don't print a timestamp on each dump line

-tt

print an unformatted timestamp (seconds since the Unix epoch) on each dump line

-u

print undecoded NFS handles

-w

write the raw packets to file rather than parsing and printing them out; they can later be printed with the -r option

-x

print each packet in hex

-X

when printing hex, print ascii too

Expressions:

type

qualifiers say what kind of thing the id name or number refers to.

possible types are:

-host (host foo)

-net (net 128.3)

-port (port 20)

if no type qualifier is given, host is assumed

dir

qualifiers specify a particular transfer direction to and/or from id

possible directions are:

-src (src foo)

-dst (dst net 128.3)

-src or dst (src or dst port ftp-data)

-src and dst (src and dst port ftp-data)

if no dir qualifier is given, 'src or dst' is assumed

proto

qualifiers restrict the match to a particular protocol

possible protos are:

-ether

-fddi

-tr

-ip

-ip6

-arp

-rarp

-decnet

-tcp

-udp

if no proto qualifier is given, all protocols consistent with the type are assumed (so 'port 53' matches both tcp and udp)

 

Allowed primitives are:

 

dst host host

true if the IPv4/v6 destination field of the packet is host, which may be either an address or a name

src host host

true if the IPv4/v6 source field of the packet is host

host host

true if the IPv4/v6 source or destination field of the packet is host

any of the above host expressions can be prepended with the keywords ip, arp, rarp, or ip6

example:

ip host host

which is the same as:

ether proto \ip and host host

(the backslash is needed because ip is also a keyword; from a shell you must escape the backslash itself or quote the whole expression)
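To see what the qualifier defaults above actually select, here is an added example that is not part of this page, of tcpdump or of libpcap: a Python script that writes a constructed three-packet capture in the classic pcap savefile layout that -w produces and -r reads, then applies the type/dir/proto rules with a hand-rolled matcher (not BPF) over the IPv4 headers. The frames, addresses and ports are constructed for the example; the matcher covers only the host, net and port types over IPv4, and the 'net 128.3' shorthand is expanded to 128.3.0.0/16 as tcpdump does.

```python
import ipaddress
import struct

PCAP_MAGIC = 0xA1B2C3D4   # classic little-endian pcap, microsecond timestamps
LINKTYPE_ETHERNET = 1
PROTO_NUM = {"tcp": 6, "udp": 17}


def pcap_file(frames, snaplen=65535):
    """Serialize frames into the savefile layout tcpdump -w writes and -r reads."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, snaplen, LINKTYPE_ETHERNET)
    for ts, fr in enumerate(frames):
        # per-record header: ts_sec, ts_usec, captured length, original length
        out += struct.pack("<IIII", ts, 0, len(fr), len(fr)) + fr
    return out


def read_pcap(data):
    """Yield the captured bytes of every record in a pcap_file() savefile."""
    (magic,) = struct.unpack("<I", data[:4])
    if magic != PCAP_MAGIC:
        raise ValueError("not a little-endian pcap savefile")
    off = 24
    while off + 16 <= len(data):
        _, _, incl, _ = struct.unpack("<IIII", data[off:off + 16])
        off += 16
        yield data[off:off + incl]
        off += incl


def frame(src_ip, dst_ip, sport, dport, proto=6):
    """Constructed Ethernet/IPv4 frame with a bare TCP (6) or UDP (17) header, no payload."""
    if proto == 6:
        l4 = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x02, 8192, 0, 0)
    else:
        l4 = struct.pack("!HHHH", sport, dport, 8, 0)
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64, proto, 0,
                         ipaddress.IPv4Address(src_ip).packed,
                         ipaddress.IPv4Address(dst_ip).packed)
    return b"\x00" * 12 + b"\x08\x00" + ip_hdr + l4


def decode(fr):
    """Return (proto, src, dst, sport, dport) for an IPv4 frame, or None for anything else."""
    if fr[12:14] != b"\x08\x00":
        return None
    ihl = (fr[14] & 0x0F) * 4
    proto = fr[23]
    src, dst = ipaddress.IPv4Address(fr[26:30]), ipaddress.IPv4Address(fr[30:34])
    l4 = fr[14 + ihl:]
    sport, dport = struct.unpack("!HH", l4[:4]) if proto in PROTO_NUM.values() else (None, None)
    return proto, src, dst, sport, dport


def net_of(net_id):
    """'net 128.3' means 128.3.0.0/16 (8 bits per given octet); 'a.b.c.d/len' is explicit."""
    if "/" in net_id:
        return ipaddress.ip_network(net_id, strict=False)
    octets = net_id.split(".")
    return ipaddress.ip_network(".".join(octets + ["0"] * (4 - len(octets))) + f"/{8 * len(octets)}")


def primitive(id_, type_="host", dir_="src or dst", proto=None):
    """Matcher for one '[proto] [dir] [type] id' primitive with tcpdump's default qualifiers."""
    def test(value):
        if type_ == "host":
            return value == ipaddress.IPv4Address(id_)
        if type_ == "net":
            return value in net_of(id_)
        if type_ == "port":
            return value == int(id_)
        raise ValueError(f"unknown type qualifier {type_!r}")

    def match(decoded):
        if decoded is None:
            return False
        p, src, dst, sport, dport = decoded
        if proto is not None and p != PROTO_NUM[proto]:
            return False
        if type_ == "port":
            if sport is None:          # port primitives only apply to tcp/udp
                return False
            s, d = sport, dport
        else:
            s, d = src, dst
        if dir_ == "src":
            return test(s)
        if dir_ == "dst":
            return test(d)
        if dir_ == "src and dst":
            return test(s) and test(d)
        return test(s) or test(d)      # default direction: src or dst
    return match


def run_filter(pcap_bytes, match):
    """Indexes of the records in a savefile that a primitive selects."""
    return [i for i, fr in enumerate(read_pcap(pcap_bytes)) if match(decode(fr))]


# Constructed capture: an ftp-data connection into net 128.3 plus one UDP DNS query
SAMPLE_PCAP = pcap_file([
    frame("10.0.0.5", "128.3.1.9", 40000, 20),
    frame("128.3.1.9", "10.0.0.5", 20, 40000),
    frame("10.0.0.5", "192.0.2.7", 40001, 53, proto=17),
])

if __name__ == "__main__":
    print("host 10.0.0.5     ->", run_filter(SAMPLE_PCAP, primitive("10.0.0.5")))
    print("src host 10.0.0.5 ->", run_filter(SAMPLE_PCAP, primitive("10.0.0.5", dir_="src")))
    print("dst net 128.3     ->", run_filter(SAMPLE_PCAP, primitive("128.3", "net", "dst")))
    print("udp port 53       ->", run_filter(SAMPLE_PCAP, primitive("53", "port", proto="udp")))
```

Writing SAMPLE_PCAP to disk and running tcpdump -n -r on it with the same primitives gives the same selections; the matcher is useful mainly for building small test fixtures for detection rules without needing capture privileges.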

 

 
