Differences
This shows you the differences between two versions of the page.
linux_wiki:tcpdump [2015/11/19 09:03] billdozor
linux_wiki:tcpdump [2016/02/24 09:23] billdozor [Max File Size, Log Rotate Capture]
Line 3: | Line 3: | ||
**General Information** | **General Information** | ||
- | Capturing/reading packets with tcpdump | + | Capturing |
**Checklist** | **Checklist** | ||
- | * tcpdump | + | * Package: |
+ | |||
+ | ---- | ||
+ | |||
+ | ====== Install Package ====== | ||
+ | |||
+ | Install tcpdump | ||
+ | <code bash> | ||
+ | yum -y install tcpdump | ||
+ | </ | ||
---- | ---- | ||
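Review bot: `yum -y install tcpdump` in the new Install Package section answers yes to every prompt, including the import of a repository GPG key that is not yet trusted; for a tool that will run as root and read raw traffic off the wire, either drop `-y` or state that the repository keys are already installed, so the package source is actually confirmed before install.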
Line 14: | Line 23: | ||
This type of capture is intended for collecting packets for an extended period of time and limiting how much disk space is used. | This type of capture is intended for collecting packets for an extended period of time and limiting how much disk space is used. | ||
+ | \\ | ||
+ | Start the capture (and initial output) | ||
<code bash> | <code bash> | ||
tcpdump port 80 -s 0 -vvv -C 100 -W 50 -w / | tcpdump port 80 -s 0 -vvv -C 100 -W 50 -w / | ||
+ | |||
+ | tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes | ||
</ | </ | ||
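Review bot: the rotating capture command `tcpdump port 80 -s 0 -vvv -C 100 -W 50 -w /` needs two caveats beside the new "Start the capture" line. First, `-W 50` does not stop the capture at 50 files; it wraps around and overwrites the oldest one, so a long-running capture keeps only the most recent traffic, and `-C 100` rotates at 100,000,000 bytes (tcpdump's -C unit is 1,000,000 bytes, not MiB), so the total is a ceiling on disk use rather than the amount of history retained. Second, the filter `port 80` is placed before the options, which glibc's permuting getopt tolerates but other platforms do not, so put the expression last. On the Red Hat build installed in the section above, tcpdump also drops to the unprivileged `tcpdump` user before opening the savefile, so the `-w` directory must be writable by that user (or pass `-Z root`), otherwise the capture fails with a permission error.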
Line 27: | Line 40: | ||
100 MB per file x 50 rollover files = 5000 MB total disk space used. | 100 MB per file x 50 rollover files = 5000 MB total disk space used. | ||
+ | |||
+ | \\ | ||
+ | Stop the capture (and example output seen) | ||
+ | <code bash> | ||
+ | Ctrl+c | ||
+ | |||
+ | ^C313 packets captured | ||
+ | 314 packets received by filter | ||
+ | 0 packets dropped by kernel | ||
+ | </ | ||
---- | ---- | ||
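Review bot: the new "Stop the capture" output should tell the reader which counter matters. A one-packet gap between "314 packets received by filter" and "313 packets captured" is normal (a packet that matched the filter but had not yet been handed to tcpdump when Ctrl+C arrived), whereas a non-zero "packets dropped by kernel" means the capture lost traffic and the rotated files are incomplete; the usual fix is a larger capture buffer with `-B` (size in KiB). It is also worth stating that `-vvv` does not change what `-w` writes: the pcap files hold the full packets regardless, and decoding verbosity is chosen when reading them back with `-r`.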
Line 35: | Line 58: | ||
<code bash> | <code bash> | ||
- | tcpdump -qn -nn -X -r / | + | tcpdump -qnnnX -r / |
</ | </ | ||
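Review bot: in the reworked read command `tcpdump -qnnnX -r /` the third n is redundant: tcpdump counts -n occurrences, and two already disable both host-name and port/protocol lookups, which is all the option list that follows documents; write it as `-qnnX` so the command and the list agree. Keeping the lookups off is the right default when reading an untrusted capture, since a resolving reader issues DNS queries for every address in the file.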
Line 42: | Line 65: | ||
* -n : Do not convert IP addresses to host names | * -n : Do not convert IP addresses to host names | ||
* -nn : Do not convert protocol and port numbers to names | * -nn : Do not convert protocol and port numbers to names | ||
- | * -X : Print in hex and ASCII | + | * -X : Print data in addition to headers. |
* -r : Read packets from file | * -r : Read packets from file | ||
---- | ---- | ||
+ |
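Review bot: the new wording for -X, "Print data in addition to headers", drops the detail that matters: -X dumps the packet payload in both hex and ASCII, which is what distinguishes it from -x (hex only) and -A (ASCII only). Suggest "Print packet data in hex and ASCII in addition to the headers". The -n and -nn entries could also say that -nn includes -n (the second n adds to the first rather than replacing it), since the command above relies on that.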