Differences
This shows you the differences between two versions of the page.
linux_wiki:tcpdump [2015/05/07 22:13] billdozor created |
linux_wiki:tcpdump [2016/02/24 09:23] billdozor [Max File Size, Log Rotate Capture] |
Line 3: | Line 3: | ||
**General Information** | **General Information** | ||
- | Capturing packets with tcpdump | + | Capturing |
**Checklist** | **Checklist** | ||
- | * tcpdump | + | * Package: |
---- | ---- | ||
- | ===== Max File Size, Log Rotate Capture ===== | + | ====== Install Package ====== |
+ | |||
+ | Install tcpdump | ||
+ | <code bash> | ||
+ | yum -y install tcpdump | ||
+ | </ | ||
+ | |||
+ | ---- | ||
+ | |||
+ | ====== Max File Size, Log Rotate Capture | ||
This type of capture is intended for collecting packets for an extended period of time and limiting how much disk space is used. | This type of capture is intended for collecting packets for an extended period of time and limiting how much disk space is used. | ||
+ | \\ | ||
+ | Start the capture (and initial output) | ||
<code bash> | <code bash> | ||
tcpdump port 80 -s 0 -vvv -C 100 -W 50 -w / | tcpdump port 80 -s 0 -vvv -C 100 -W 50 -w / | ||
+ | |||
+ | tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes | ||
</ | </ | ||
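Review bot: the capture command `tcpdump port 80 -s 0 -vvv -C 100 -W 50 -w /...` puts the filter expression before the options. GNU getopt on Linux permutes arguments so it happens to work there, but on BSD-derived systems option parsing stops at `port` and everything after it is fed to the filter compiler, so write options first and the expression last, e.g. `tcpdump -i eth0 -s 0 -vvv -C 100 -W 50 -w /... port 80`. Two caveats worth a line in the Max File Size section: `-C` counts files in units of 1,000,000 bytes, which matches the "100 MB per file" arithmetic; and on Fedora/RHEL builds (the page installs with yum) tcpdump drops root to the `tcpdump` user before opening the output files, so the directory given to `-w` must be writable by that user or the rotated files fail with permission denied. `-vvv` together with `-w` is fine here: it makes tcpdump report the running packet count every 10 seconds rather than dissect packets.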
Line 27: | Line 40: | ||
100 MB per file x 50 rollover files = 5000 MB total disk space used. | 100 MB per file x 50 rollover files = 5000 MB total disk space used. | ||
+ | |||
+ | \\ | ||
+ | Stop the capture (and example output seen) | ||
+ | <code bash> | ||
+ | Ctrl+c | ||
+ | |||
+ | ^C313 packets captured | ||
+ | 314 packets received by filter | ||
+ | 0 packets dropped by kernel | ||
+ | </ | ||
+ | |||
---- | ---- | ||
+ | |||
+ | ====== Reading Pcaps ====== | ||
+ | |||
+ | To read a pcap file that was written with tcpdump using the " | ||
+ | |||
+ | <code bash> | ||
+ | tcpdump -qnnnX -r / | ||
+ | </ | ||
+ | |||
+ | Explanation | ||
+ | * -q : Print less protocol information so output lines are shorter | ||
+ | * -n : Do not convert IP addresses to host names | ||
+ | * -nn : Do not convert protocol and port numbers to names | ||
+ | * -X : Print data in addition to headers. Print in hex and ASCII. | ||
+ | * -r : Read packets from file | ||
+ | |||
+ | ---- | ||
+ |
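Review bot: the Reading Pcaps explanation lists `-n` and `-nn` as separate flags, but the command uses `-qnnnX`; `-nn` already suppresses both host-name and port/protocol-name resolution and a third `n` adds nothing, so use `-qnnX` and merge the two bullets into one `-nn` entry. The stop-capture output deserves a sentence as well: `0 packets dropped by kernel` is the number to check after a long capture, and a non-zero value means the kernel capture buffer overflowed and the pcap files have gaps, which is fixed by raising `-B <buffer size in KiB>` or narrowing the filter. Since `-r` needs no privileges, the read command should be run as an unprivileged user rather than root.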