General Information
Capturing and reading packets with tcpdump.
Checklist
Install tcpdump
yum -y install tcpdump
This type of capture is meant for collecting packets over an extended period while keeping disk usage under a fixed cap: tcpdump writes to a ring of files of a fixed size and overwrites the oldest one once the ring is full.
Start the capture (and initial output)
tcpdump port 80 -s 0 -vvv -C 100 -W 50 -w /tmp/mycapture.pcap
tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
Explanation
-C 100 rolls over to a new file every 100 million bytes (tcpdump's -C unit is 1,000,000 bytes, not 1 MiB), and -W 50 limits the ring to 50 files, after which tcpdump starts overwriting the first one. 100 MB per file x 50 rollover files = 5000 MB total disk space used (worst case, about 5 GB). With -W the files get numbered suffixes (e.g. mycapture.pcap00 through mycapture.pcap49, zero-padded so they sort correctly; check with ls, since the exact naming depends on the tcpdump version). -s 0 captures whole packets instead of the default snaplen. -vvv has a different meaning when writing with -w: tcpdump reports the packet count every 10 seconds instead of decoding packets. Note that tcpdump's documented syntax is options first, then the filter expression (tcpdump -s 0 -vvv -C 100 -W 50 -w /tmp/mycapture.pcap port 80); the order used above works on Linux because glibc getopt permutes arguments, but not on every platform. Port 80 traffic is clear-text HTTP, so the files will contain session cookies and credentials; keep them owner-readable only.
Stop the capture (and example output seen)
Ctrl+c
^C313 packets captured
314 packets received by filter
0 packets dropped by kernel
"Packets dropped by kernel" is the figure to check: a non-zero count means the capture is incomplete because tcpdump could not drain the kernel buffer fast enough. Increase the buffer with -B (size in KiB) or narrow the filter before relying on the data. "Received by filter" can exceed "captured" by the packets that were still in flight when the capture was stopped.
To read a pcap file that was written with tcpdump using the "-w" option, read it back with -r. Substitute the actual file name of the ring member you want (the first file in a -W ring is typically mycapture.pcap00; list /tmp/mycapture.pcap* to see them):
tcpdump -qnnnX -r /tmp/mycapture.pcap0
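The procedure above (start a size-capped ring capture, stop it, check the summary, then read the files back) wrapped in a small POSIX sh script, as an added example that is not part of the original page or of tcpdump itself. The function names, the "start" sub-command and the .stderr summary file are this script's own conventions; the capture_format check reads the pcap/pcapng magic number so you know a ring member is intact before passing it to tcpdump -r, and the summary parser pulls out the kernel drop count that decides whether the capture is trustworthy.

```shell
#!/bin/sh
# ringcap.sh: helpers around a tcpdump ring-buffer capture.
# Added example for this page; not part of the original page or of tcpdump.
# Function names and the "start" sub-command are this script's own.

# Print the capture command with options first and the filter last, the
# order tcpdump documents. -C is in units of 1,000,000 bytes; -W limits the
# ring to $3 files, which tcpdump numbers with zero-padded suffixes.
build_capture_cmd() {
    printf 'tcpdump -i %s -s 0 -vvv -C %s -W %s -w %s %s\n' \
        "$1" "$2" "$3" "$4" "$5"
}

# Worst-case disk use of the ring in bytes: files * size * 1,000,000.
disk_budget_bytes() {
    echo $(( $1 * 1000000 * $2 ))
}

# Read tcpdump's exit summary from stdin and print the kernel drop count,
# the figure that tells you whether the capture is complete.
kernel_drops() {
    awk '/packets dropped by kernel/ { n = $1 }
         END { print (n == "" ? "unknown" : n) }'
}

# Classify a capture file by its first four bytes before handing it to
# tcpdump -r: d4c3b2a1 / a1b2c3d4 are classic pcap (little/big endian),
# 4d3cb2a1 / a1b23c4d the nanosecond pcap variants, 0a0d0d0a is pcapng.
capture_format() {
    magic=$(od -A n -t x1 -N 4 "$1" | tr -d ' \n')
    case "$magic" in
        d4c3b2a1) echo pcap-le ;;
        a1b2c3d4) echo pcap-be ;;
        4d3cb2a1) echo pcap-le-ns ;;
        a1b23c4d) echo pcap-be-ns ;;
        0a0d0d0a) echo pcapng ;;
        *)        echo unknown ;;
    esac
}

# Clear-text HTTP captures carry cookies and credentials: owner-only access.
protect_capture_files() {
    chmod 0600 "$1"*
}

# Usage: ringcap.sh start <iface> <file_mb> <file_count> <prefix> '<filter>'
# Example: ringcap.sh start eth0 100 50 /tmp/mycapture.pcap 'port 80'
if [ "${1:-}" = "start" ]; then
    shift
    cmd=$(build_capture_cmd "$1" "$2" "$3" "$4" "$5")
    echo "ring budget: $(disk_budget_bytes "$2" "$3") bytes"
    echo "running: $cmd"
    # Ctrl+C must reach tcpdump (which prints its summary and exits 0) but
    # not kill this script; a trap with a command is reset in the child, so
    # tcpdump still sees the default SIGINT action.
    trap ':' INT
    # Word-splitting $cmd is intended: the filter becomes separate arguments.
    # shellcheck disable=SC2086
    $cmd 2>"$4.stderr"
    trap - INT
    drops=$(kernel_drops <"$4.stderr")
    echo "kernel drops: $drops"
    protect_capture_files "$4"
    for f in "$4"*; do
        case "$f" in *.stderr) continue ;; esac
        echo "$f: $(capture_format "$f")"
    done
    # Read a ring member back with, e.g.: tcpdump -qnnnX -r "$4"00
fi
```

Each ring member is a valid pcap file on its own (pcap has no trailer), so the file that was being written when you pressed Ctrl+C can still be read; at worst its final packet record is truncated. If kernel drops is non-zero, rerun with a larger -B buffer before trusting the capture.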
Explanation