Tutorial TCPdump

Valic — June 28, 2010

TCPdump is a very powerful command-line packet sniffer.

Step 1. Install TCPdump

apt-get install tcpdump

Step 2. Using TCPdump

Step 2.1 To display the standard TCPdump output (with no arguments it captures on the first configured interface and prints one line per packet):

tcpdump
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
15:14:25.060050 IP 89.35.90.202.clax.ro.27015 > h89-37-110-61.teleson.ro.27005: UDP, length 229
15:14:25.060071 IP 89.35.90.202.clax.ro.27015 > 86-124-241-9.rdsnet.ro.27005: UDP, length 374
15:14:25.060213 IP 86-124-240-65.rdsnet.ro.27005 > 89.35.90.202.clax.ro.27015: UDP, length 78
15:14:25.060236 IP 91-213-135-21.optic-bridge.com.ro.45249 > 89.38.255.34.28822: UDP, length 20
15:14:25.060240 IP 89.35.90.202.clax.ro.27015 > 86-124-240-65.rdsnet.ro.27005: UDP, length 221
15:14:25.060481 IP 89.35.90.202.clax.ro.27015 > 78-21-42-14.access.telenet.be.27005: UDP, length 163
15:14:25.060694 IP 89.35.90.202.clax.ro.27015 > user-ip-23-89-33-89-sel.rdsnav.ro.63087: UDP, length 224
15:14:25.060731 IP 89.35.90.202.clax.ro.32783 > ns1.clax.ro.domain: 65251+ PTR? 61.110.37.89.in-addr.arpa. (43)
15:14:25.060830 IP 89.35.90.202.clax.ro.27015 > 92.83.223.46.61499: UDP, length 113
15:14:25.060851 IP 89.35.90.202.clax.ro.38331 > 89.35.90.18.clax.ro.62613: P 2328008232:2328008428(196) ack 4034406897 win 410
15:14:25.060910 IP 89.35.90.202.clax.ro.27015 > 86-121-72-43.rdsnet.ro.27005: UDP, length 109
15:14:25.060966 IP 92.83.176.255.27005 > 89.35.90.202.clax.ro.27015: UDP, length 74
15:14:25.061020 IP 89.35.90.202.clax.ro.27015 > 95-65-79-185.starnet.md.27005: UDP, length 117

Step 2.2 To list the network interfaces available for capture:

tcpdump -D
1.eth0
2.eth1
3.vmnet1
4.eth2
5.vmnet8
6.any (Pseudo-device that captures on all interfaces)
7.lo

Step 2.3 To display numerical addresses rather than resolving them to symbolic (DNS) names:

tcpdump -n
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
15:16:30.923169 IP 89.35.90.202.38331 > 89.35.90.18.62613: P 2328456744:2328456940(196) ack 4034413693 win 644
15:16:30.923325 IP 89.35.90.202.38331 > 89.35.90.18.62613: P 196:360(164) ack 1 win 644
^C15:16:30.923895 IP 89.37.110.61.27005 > 89.35.90.202.27015: UDP, length 90

Step 2.4 To display quick output (less protocol information on each line):

tcpdump -q
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
15:17:03.118429 IP 89.35.90.202.clax.ro.38331 > 89.35.90.18.clax.ro.62613: tcp 196
15:17:03.119439 IP 89.35.90.202.clax.ro.53853 > ns1.clax.ro.domain: UDP, length 42
15:17:03.119631 IP host101-233-dynamic.245-95-r.retail.telecomitalia.it.11563 > 89.38.255.182.36307: UDP, length 20
15:17:03.119880 IP 79-113-85-203.rdsnet.ro.62621 > 89.35.90.202.clax.ro.27015: UDP, length 46
15:17:03.119903 IP user-ip-23-89-33-89-sel.rdsnav.ro.63087 > 89.35.90.202.clax.ro.27015: UDP, length 58
15:17:03.119913 IP 89.123.112.67.40328 > 89.38.255.34.63681: tcp 0
15:17:03.120376 IP 92.81.228.192.56560 > 89.35.90.202.clax.ro.27015: UDP, length 50
15:17:03.120625 IP 86-124-241-9.rdsnet.ro.27005 > 89.35.90.202.clax.ro.27015: UDP, length 76
15:17:03.120883 IP 92.83.176.255.27005 > 89.35.90.202.clax.ro.27015: UDP, length 70
15:17:03.121626 IP ns1.clax.ro.domain > 89.35.90.202.clax.ro.53853: UDP, length 143
15:17:03.121874 IP 109.197.81.28.17857 > 89.38.255.34.63383: tcp 0
15:17:03.121879 IP 109.197.81.28.17857 > 89.38.255.34.63383: tcp 0
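To make the one-line output above usable for triage (which hosts talk to which, how much, and over what protocol), here is an added Python parser for the default, -n and -q summary formats shown in steps 2.1 to 2.4. It is example code written for this tutorial, not part of tcpdump; the sample lines are copied from the captures above, and the protocol heuristics cover only the line shapes that appear there.

```python
import re
from collections import Counter
# One line of tcpdump's default IP summary, as printed in steps 2.1, 2.3 and 2.4 above:
# "<time> IP <src>.<sport> > <dst>.<dport>: <per-protocol summary>"
LINE_RE = re.compile(r'^(?P<ts>\d\d:\d\d:\d\d\.\d+) IP (?P<src>\S+) > (?P<dst>\S+): (?P<rest>.*)$')
PAYLOAD_RE = re.compile(r'\((\d+)\)')  # "(196)" in TCP lines, trailing "(43)" in DNS lines

def split_endpoint(endpoint):
    """'89.35.90.202.clax.ro.27015' -> ('89.35.90.202.clax.ro', '27015'); the port is a service name ('domain') unless -n is used."""
    host, _, port = endpoint.rpartition('.')
    return host, port

def parse_line(line):
    """Return a record for one summary line, or None for banner lines such as 'listening on eth0'."""
    line = line.lstrip('^C')  # the echoed Ctrl-C that precedes the last line in step 2.3
    m = LINE_RE.match(line)
    if not m:
        return None
    src_host, src_port = split_endpoint(m['src'])
    dst_host, dst_port = split_endpoint(m['dst'])
    rest, lengths = m['rest'], PAYLOAD_RE.findall(m['rest'])
    if rest.startswith('UDP, length '):            # default UDP form
        proto, length = 'udp', int(rest.rsplit(' ', 1)[1])
    elif rest.startswith('tcp '):                  # -q form: "tcp 196"
        proto, length = 'tcp', int(rest[4:])
    elif re.match(r'[SPFR.]+ ', rest):             # default TCP form: flags seq:seq(len) ack win
        proto, length = 'tcp', (int(lengths[0]) if lengths else 0)
    elif lengths and rest.endswith(')'):           # DNS query/answer: the trailing "(43)" is its size
        proto, length = 'dns', int(lengths[-1])
    else:
        proto, length = 'other', 0
    return dict(ts=m['ts'], src_host=src_host, src_port=src_port,
                dst_host=dst_host, dst_port=dst_port, proto=proto, length=length)

def summarize(lines):
    """Payload bytes per (source host, destination host) pair, and packets per protocol."""
    bytes_by_pair, pkts_by_proto = Counter(), Counter()
    for rec in filter(None, map(parse_line, lines)):
        bytes_by_pair[(rec['src_host'], rec['dst_host'])] += rec['length']
        pkts_by_proto[rec['proto']] += 1
    return bytes_by_pair, pkts_by_proto
# Sample input: lines copied from the captures shown in steps 2.1, 2.3 and 2.4 above.
SAMPLE = """\
15:14:25.060050 IP 89.35.90.202.clax.ro.27015 > h89-37-110-61.teleson.ro.27005: UDP, length 229
15:14:25.060731 IP 89.35.90.202.clax.ro.32783 > ns1.clax.ro.domain: 65251+ PTR? 61.110.37.89.in-addr.arpa. (43)
15:14:25.060851 IP 89.35.90.202.clax.ro.38331 > 89.35.90.18.clax.ro.62613: P 2328008232:2328008428(196) ack 4034406897 win 410
15:17:03.118429 IP 89.35.90.202.clax.ro.38331 > 89.35.90.18.clax.ro.62613: tcp 196
^C15:16:30.923895 IP 89.37.110.61.27005 > 89.35.90.202.27015: UDP, length 90
"""
```

Feed it `tcpdump -l ... | python3 parser.py` style output or a saved text file; `summarize(SAMPLE.splitlines())[0].most_common(3)` gives the top talkers by payload bytes.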

Step 2.5 To capture the traffic on a particular interface:

tcpdump -i eth0

Step 2.6 To capture only UDP traffic:

tcpdump udp

Step 2.7 To capture TCP port 80 (HTTP) traffic, using the service name from /etc/services:

tcpdump port http

Step 2.8 To stop the capture after 20 packets:

tcpdump -c 20

Step 2.9 To write the captured packets to a file (in raw pcap format, not the text shown above) instead of printing them on the screen:

tcpdump -w tcpdump_capture.log

Step 2.10 To read packets back from a capture file written with -w:

tcpdump -r capture.log

Valic

Editor in Chief at Debian-Tutorials, Linux enthusiast.