Tcpdump
General Information
Capturing and reading packets with tcpdump.
Checklist
- Distro(s): Any
- Package: tcpdump
Install Package
Install tcpdump
yum -y install tcpdump
Max File Size, Log Rotate Capture
This type of capture is intended for collecting packets for an extended period of time and limiting how much disk space is used.
Start the capture (and initial output)
tcpdump port 80 -s 0 -vvv -C 100 -W 50 -w /tmp/mycapture.pcap tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
Explanation
- port 80 : Capture on port 80
- -s 0 : Capture all packet contents
- -vvv : Max verbose logging details
- -C 100 : Store up to 100 MBs of data per file
- -W 50 : Store 50 rollover files, then start over writing. (mycapture.pcap00 - mycapture.pcap49)
- -w /tmp/mycapture.pcap : location and name of capture log(s)
100 MB per file x 50 rollover files = 5000 MB total disk space used.
Stop the capture (and example output seen)
Ctrl+c ^C313 packets captured 314 packets received by filter 0 packets dropped by kernel
Reading Pcaps
To read a pcap file that was written with tcpdump using the “-w” option..
tcpdump -qnnnX -r /tmp/mycapture.pcap0
Explanation
- -q : Print less protocol information so output lines are shorter
- -n : Do not convert IP addresses to host names
- -nn : Do not convert protocol and port numbers to names
- -X : Print data in addition to headers. Print in hex and ASCII.
- -r : Read packets from file