tcpdump - done reading

What is tcpdump?

The tcpdump is simple command line program that can be used to capture or dump traffic on our network.

What is the basic syntax for using tcpdump?

tcpdump [options] [expression]

What is the purpose of the -C option?

Specify the file size. Before writing a raw packet to a savefile, check whether the file is currently larger than file_size and, if so, close the current savefile and open a new one. Savefiles after the first savefile will have the name specified with the -w flag, with a number after it, starting at 1 and continuing upward. The units of file_size are millions of bytes (1,000,000 bytes, not 1,048,576 bytes).

What is the purpose of the -w option?

Specify the name of the output file. Write the raw packets to file rather than parsing and printing them out. They can later be printed with the -r option. Standard output is used if file is “-”. This output will be buffered if written to a file or pipe, so a program reading from the file or pipe may not see packets for an arbitrary amount of time after they are received. Use the -U flag to cause packets to be written as soon as they are received.

The MIME type application/vnd.tcpdump.pcap has been registered with IANA for pcap files. The filename extension .pcap appears to be the most commonly used along with .cap and .dmp. Tcpdump itself doesn't check the extension when reading capture files and doesn't add an extension when writing them (it uses magic numbers in the file header instead). However, many operating systems and applications will use the extension if it is present and adding one (e.g. .pcap) is recommended.

What is the purpose of the -W option?

When used in conjunction with the -C option, this will limit the number of files created to the specified number, and begin overwriting files from the beginning, thus creating a 'rotating' buffer. In addition, it will name the files with enough leading 0s to support the maximum number of files, allowing them to sort correctly.

Used in conjunction with the -G option, this will limit the number of rotated dump files that get created, exiting with status 0 when reaching the limit. If used with -C as well, the behavior will result in cyclical files per timeslice.

What is the purpose of the -G option?

If specified, rotates the dump file specified with the -w option every rotate_seconds seconds. Savefiles will have the name specified by -w which should include a time format as defined by strftime(3). If no time format is specified, each new file will overwrite the previous.

If used in conjunction with the -C option, filenames will take the form of ‘file<count>’.

How can we capture to a file (and use wireshark to display the captured traffic)?

tcpdump -n -i eth1 -w output.cap 'src or dst port 80'
tcpdump -n -i lo -w output.cap 'tcp and port 3000'

Notice that we must specify the network interface, otherwise, tcpdump will default to the first network interface, which is usually eth0, which might or might not be the right network interface for the data or traffic that we want to capture.

What is the purpose of the -n option?

Do not convert addresses and port numbers to names.

What is the purpose of the -s option?

Specify the snapshot length. Snarf snaplen bytes of data from each packet rather than the default of 262144 bytes. Packets truncated because of a limited snapshot are indicated in the output with “[|proto]”, where proto is the name of the protocol level at which the truncation has occurred. Note that taking larger snapshots both increases the amount of time it takes to process packets and, effectively, decreases the amount of packet buffering. This may cause packets to be lost. You should limit snaplen to the smallest number that will capture the protocol information you're interested in. Setting snaplen to 0 sets it to the default of 262144, for backwards compatibility with recent older versions of tcpdump.

How can we capture traffic from a particular source and write it to file?

tcpdump -i em1 -w MailCapture.pcap -n 'src'

How can we capture smtp traffic?

tcpdump -i em1 -w MailCapture.pcap -n 'tcp and port 25'

How can we display DNS traffic?

tcpdump -i eth1 'udp port 53'

How can we display all IPv4 HTTP packets to and from port 80, i.e. print only packets that contain data, not, for example, SYN and FIN packets and ACK-only packets?

tcpdump 'tcp port 80 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)'

How can we display all FTP session to a particular IP?

tcpdump -i eth1 '(dst and (port 21 or 20)'

How can we display all HTTP session to a particular IP?

tcpdump -ni eth0 '(dst and (tcp and port http)'

How can we capture and display MySQL traffic?

tcpdump -c 1000000 -s 1000 -A -n -p port 3306 | 
  grep SELECT | sed 's/\/\*.*\*\///g' | sed 's/.*\(SELECT.*\)/\1/gI' | sort | uniq -c | sort -r -n -k 1,1 | head -5
Unless otherwise stated, the content of this page is licensed under Creative Commons Attribution-ShareAlike 3.0 License