General Information

Capturing and reading packets with tcpdump.

Checklist

• Distro(s): Any
• Package: tcpdump

Install tcpdump

yum -y install tcpdump

This type of capture is intended for collecting packets for an extended period of time and limiting how much disk space is used.

Start the capture (and initial output)

tcpdump port 80 -s 0 -vvv -C 100 -W 50 -w /tmp/mycapture.pcap
 
tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes

Explanation

• port 80 : Capture on port 80
• -s 0 : Capture all packet contents
• -vvv : Max verbose logging details
• -C 100 : Store up to 100 MBs of data per file
• -W 50 : Store 50 rollover files, then start over writing. (mycapture.pcap00 - mycapture.pcap49)
• -w /tmp/mycapture.pcap : location and name of capture log(s)

100 MB per file x 50 rollover files = 5000 MB total disk space used.

Stop the capture (and example output seen)

Ctrl+c
 
^C313 packets captured
314 packets received by filter
0 packets dropped by kernel

To read a pcap file that was written with tcpdump using the “-w” option..

tcpdump -qnnnX -r /tmp/mycapture.pcap0

Explanation

• -q : Print less protocol information so output lines are shorter
• -n : Do not convert IP addresses to host names
• -nn : Do not convert protocol and port numbers to names
• -X : Print data in addition to headers. Print in hex and ASCII.
• -r : Read packets from file