Differences
This shows you the differences between two versions of the page.
linux_wiki:tcpdump [2015/11/19 09:03] billdozor
linux_wiki:tcpdump [2019/05/25 23:50]
Line 1: | Line 1: | ||
- | ====== Tcpdump ====== | ||
- | **General Information** | ||
- | |||
- | Capturing/ | ||
- | |||
- | **Checklist** | ||
- | * tcpdump package installed | ||
- | |||
- | ---- | ||
- | |||
- | ====== Max File Size, Log Rotate Capture ====== | ||
- | |||
- | This type of capture is intended for collecting packets for an extended period of time and limiting how much disk space is used. | ||
- | |||
- | <code bash> | ||
- | tcpdump port 80 -s 0 -vvv -C 100 -W 50 -w / | ||
- | </ | ||
- | |||
- | Explanation | ||
- | * port 80 : Capture on port 80 | ||
- | * -s 0 : Capture all packet contents | ||
- | * -vvv : Max verbose logging details | ||
- | * -C 100 : Store up to 100 MBs of data per file | ||
- | * -W 50 : Store 50 rollover files, then start over writing. (mycapture.pcap00 - mycapture.pcap49) | ||
- | * -w / | ||
- | |||
- | 100 MB per file x 50 rollover files = 5000 MB total disk space used. | ||
- | |||
- | ---- | ||
- | |||
- | ====== Reading Pcaps ====== | ||
- | |||
- | To read a pcap file that was written with tcpdump using the " | ||
- | |||
- | <code bash> | ||
- | tcpdump -qn -nn -X -r / | ||
- | </ | ||
- | |||
- | Explanation | ||
- | * -q : Print less protocol information so output lines are shorter | ||
- | * -n : Do not convert IP addresses to host names | ||
- | * -nn : Do not convert protocol and port numbers to names | ||
- | * -X : Print in hex and ASCII | ||
- | * -r : Read packets from file | ||
- | |||
- | ---- |
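Review bot: in the removed capture command `tcpdump port 80 -s 0 -vvv -C 100 -W 50 -w /...` the options follow the filter expression; that only works where getopt permutes arguments (GNU/Linux), and on BSD-style getopt everything after `port 80` is parsed as part of the filter, so the man page form `tcpdump -s 0 -vvv -C 100 -W 50 -w <file> port 80` is the portable one. In the read command, `-qn -nn` is redundant since `-nn` already implies `-n` (the Explanation list itself describes `-nn` as a superset of `-n`), and `-s 0` is a no-op on tcpdump 4.0 and later, where the default snaplen already captures full packets; both are harmless but worth noting if the page is restored. The `-C 100` line describes the unit as MB; tcpdump's `-C` counts units of 1,000,000 bytes, which matches the "5000 MB total" arithmetic on the page.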