====== Tcpdump ======

**General Information**

Capturing and reading packets with tcpdump.

**Checklist**

  * Distro(s): Any
  * Package: tcpdump

----

====== Install Package ======

Install tcpdump

<code bash>
yum -y install tcpdump
</code>

----

====== Max File Size, Log Rotate Capture ======

This type of capture is intended for collecting packets for an extended period of time while limiting how much disk space is used. \\

Start the capture (and initial output). Options go first and the filter expression last, as the tcpdump man page documents.

<code bash>
tcpdump -s 0 -vvv -C 100 -W 50 -w /tmp/mycapture.pcap port 80
tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
</code>

Explanation
  * port 80 : Capture only traffic on port 80
  * -s 0 : Capture the full contents of each packet
  * -vvv : Maximum verbosity
  * -C 100 : Store up to 100 MB of data per file, then rotate to the next file
  * -W 50 : Keep 50 rollover files, then start over, overwriting from the first one (mycapture.pcap00 - mycapture.pcap49)
  * -w /tmp/mycapture.pcap : location and base name of the capture file(s)

100 MB per file x 50 rollover files = 5000 MB total disk space used. \\

Stop the capture with Ctrl+c (example output seen)

<code bash>
^C313 packets captured
314 packets received by filter
0 packets dropped by kernel
</code>

----

====== Reading Pcaps ======

To read a pcap file that was written with tcpdump using the "-w" option (with -W 50 the first rotated file is mycapture.pcap00):

<code bash>
tcpdump -qnnnX -r /tmp/mycapture.pcap00
</code>

Explanation
  * -q : Print less protocol information so output lines are shorter
  * -n : Do not convert IP addresses to host names
  * -nn : Do not convert protocol and port numbers to names either
  * -X : Print packet data in addition to headers, in hex and ASCII
  * -r : Read packets from a file instead of a live interface

----

linux_wiki/tcpdump.txt · Last modified: 2019/05/25 23:50
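Added example, not part of the original wiki page, serving both the rotating-capture and the reading sections above: POSIX sh helpers that predict the rotated file names and disk budget of a -C/-W capture, refuse to start one that would not fit on the target filesystem, and read the rotated files back with name resolution off. The function names, the suffix-padding rule (as many digits as the highest suffix, -W count minus one, needs) and the assumption that the caller has capture privileges are mine, not the page's.

```shell
#!/bin/sh
# Added example (not from the original page): helpers around a tcpdump -C/-W
# rotating capture. Assumed: function names, the suffix-padding rule, and
# that the caller is allowed to capture on the interface.

# List the files tcpdump -C/-W cycles through for a base name and -W count.
# rotated_files /tmp/mycapture.pcap 50 -> /tmp/mycapture.pcap00 .. pcap49
rotated_files() {
    base=$1
    count=$2
    if [ "$count" -le 1 ]; then   # a single file carries no numeric suffix
        printf '%s\n' "$base"
        return
    fi
    last=$((count - 1))
    width=${#last}                # digits needed for the highest suffix
    i=0
    while [ "$i" -lt "$count" ]; do
        printf "%s%0${width}d\n" "$base" "$i"
        i=$((i + 1))
    done
}

# Disk budget in MB for -C <size_mb> -W <count>.
capture_budget_mb() {
    echo $(( $1 * $2 ))
}

# Refuse to start a rotating capture whose budget exceeds the free space on
# the target filesystem (df -P prints 1 KB blocks; column 4 is "available").
start_rotating_capture() {
    iface=$1; size_mb=$2; count=$3; out=$4; shift 4
    free_mb=$(( $(df -P "$(dirname "$out")" | awk 'NR==2 {print $4}') / 1024 ))
    if [ "$(capture_budget_mb "$size_mb" "$count")" -gt "$free_mb" ]; then
        echo "capture budget exceeds free space on $(dirname "$out")" >&2
        return 1
    fi
    # options first, filter expression (remaining args) last
    tcpdump -i "$iface" -s 0 -C "$size_mb" -W "$count" -w "$out" "$@"
}

# Read every rotated file that exists, in suffix order, without name lookups.
read_rotated_captures() {
    for f in $(rotated_files "$1" "$2"); do
        [ -f "$f" ] && tcpdump -qnn -r "$f"
    done
}
```

For the page's own capture this is `start_rotating_capture eth0 100 50 /tmp/mycapture.pcap port 80` followed later by `read_rotated_captures /tmp/mycapture.pcap 50`.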