Differences

This shows you the differences between two versions of the page.

--- linux_wiki:tcpdump [2015/05/07 22:13]
billdozor created
+++ linux_wiki:tcpdump [2019/05/25 23:50] (current)
@@ Line 3: / Line 3: @@
 **General Information**
-Capturing packets with tcpdump
+Capturing and reading packets with tcpdump.
 **Checklist**
-  * tcpdump package installed
+  * Distro(s): Any
+  * Package: tcpdump
 ----
-===== Max File Size, Log Rotate Capture =====
+====== Install Package ======
+Install tcpdump
+<code bash>
+yum -y install tcpdump
+</code>
+----
+====== Max File Size, Log Rotate Capture ======
 This type of capture is intended for collecting packets for an extended period of time and limiting how much disk space is used.
+\\
+Start the capture (and initial output)
 <code bash>
 tcpdump port 80 -s 0 -vvv -C 100 -W 50 -w /tmp/mycapture.pcap
+tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
 </code>
@@ Line 27: / Line 41: @@
 MB per file x 50 rollover files = 5000 MB total disk space used.
+\\
+Stop the capture (and example output seen)
+<code bash>
+Ctrl+c
+^C313 packets captured
+packets received by filter
+packets dropped by kernel
+</code>
 ----
+====== Reading Pcaps ======
+To read a pcap file that was written with tcpdump using the "-w" option..
+<code bash>
+tcpdump -qnnnX -r /tmp/mycapture.pcap0
+</code>
+Explanation
+  * -q : Print less protocol information so output lines are shorter
+  * -n : Do not convert IP addresses to host names
+  * -nn : Do not convert protocol and port numbers to names
+  * -X : Print data in addition to headers. Print in hex and ASCII.
+  * -r : Read packets from file
+----