Category Archives: Wireshark

tcpdump command

12 Tcpdump Commands – A Network Sniffer Tool

TCPDump Packet Sniffing on Linux Back track 5

tcpdump is a common packet analyzer that runs under the command line. It allows the user to intercept and display TCP/IP and other packets being transmitted or received over a network to which the computer is attached. 

Tcpdump prints the contents of network packets. It can read packets from a network interface card or from a previously created saved packet file. Tcpdump can write packets to standard output or a file.

It is also possible to use tcpdump for the specific purpose of intercepting and displaying the communications of another user or computer. A user with the necessary privileges on a system acting as a router or gateway through which unencrypted traffic such as Telnet or HTTP passes can use tcpdump to view login IDs, passwords, the URLs and content of websites being viewed, or any other unencrypted information.

tcpdump is a most powerful and widely used command-line packets sniffer or package analyzer tool which is used to capture or filter TCP/IP packets that received or transferred over a network on a specific interface. It is available under most of the Linux/Unix based operating systems. tcpdump also gives us a option to save captured packets in a file for future analysis. It saves the file in a pcap format, that can be viewed by tcpdump command or a open source GUI based tool called Wireshark (Network Protocol Analyzier) that reads tcpdump pcap format files.

How to Install tcpdump in Linux

Many of Linux distributions already shipped with tcpdump tool, if in case you don’t have it on systems, you can install it using following Yum command.

# yum install tcpdump

Once tcpdump tool is installed on systems, you can continue to browse following commands with their examples.

1. Capture Packets from Specific Interface

The command screen will scroll up until you interrupt and when we execute tcpdumpcommand it will captures from all the interfaces, however with -i switch only capture from desire interface.

# tcpdump -i eth0

 

tcpdump: verbose output suppressed, use -v or -vv for full protocol decode

listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes

11:33:31.976358 IP 172.16.25.126.ssh > 172.16.25.125.apwi-rxspooler: Flags [P.], seq 3500440357:3500440553, ack 3652628334, win 18760, length 196

11:33:31.976603 IP 172.16.25.125.apwi-rxspooler > 172.16.25.126.ssh: Flags [.], ack 196, win 64487, length 0

11:33:31.977243 ARP, Request who-has tecmint.com tell 172.16.25.126, length 28

11:33:31.977359 ARP, Reply tecmint.com is-at 00:14:5e:67:26:1d (oui Unknown), length 46

11:33:31.977367 IP 172.16.25.126.54807 > tecmint.com: 4240+ PTR? 125.25.16.172.in-addr.arpa. (44)

11:33:31.977599 IP tecmint.com > 172.16.25.126.54807: 4240 NXDomain 0/1/0 (121)

11:33:31.977742 IP 172.16.25.126.44519 > tecmint.com: 40988+ PTR? 126.25.16.172.in-addr.arpa. (44)

11:33:32.028747 IP 172.16.20.33.netbios-ns > 172.16.31.255.netbios-ns: NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST

11:33:32.112045 IP 172.16.21.153.netbios-ns > 172.16.31.255.netbios-ns: NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST

11:33:32.115606 IP 172.16.21.144.netbios-ns > 172.16.31.255.netbios-ns: NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST

11:33:32.156576 ARP, Request who-has 172.16.16.37 tell old-oraclehp1.midcorp.mid-day.com, length 46

11:33:32.348738 IP tecmint.com > 172.16.25.126.44519: 40988 NXDomain 0/1/0 (121)

2. Capture Only N Number of Packets

When you run tcpdump command it will capture all the packets for specified interface, until you Hit cancel button. But using -c option, you can capture specified number of packets. The below example will only capture 6 packets.

# tcpdump -c 5 -i eth0

 

tcpdump: verbose output suppressed, use -v or -vv for full protocol decode

listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes

11:40:20.281355 IP 172.16.25.126.ssh > 172.16.25.125.apwi-rxspooler: Flags [P.], seq 3500447285:3500447481, ack 3652629474, win 18760, length 196

11:40:20.281586 IP 172.16.25.125.apwi-rxspooler > 172.16.25.126.ssh: Flags [.], ack 196, win 65235, length 0

11:40:20.282244 ARP, Request who-has tecmint.com tell 172.16.25.126, length 28

11:40:20.282360 ARP, Reply tecmint.com is-at 00:14:5e:67:26:1d (oui Unknown), length 46

11:40:20.282369 IP 172.16.25.126.53216 > tecmint.com.domain: 49504+ PTR? 125.25.16.172.in-addr.arpa. (44)

11:40:20.332494 IP tecmint.com.netbios-ssn > 172.16.26.17.nimaux: Flags [P.], seq 3058424861:3058424914, ack 693912021, win 64190, length 53 NBT Session Packet: Session Message

6 packets captured

23 packets received by filter

0 packets dropped by kernel

3. Print Captured Packets in ASCII

The below tcpdump command with option -A displays the package in ASCII format. It is a character-encoding scheme format.

# tcpdump -A -i eth0

 

tcpdump: verbose output suppressed, use -v or -vv for full protocol decode

listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes

09:31:31.347508 IP 192.168.0.2.ssh > 192.168.0.1.nokia-ann-ch1: Flags [P.], seq 3329372346:3329372542, ack 4193416789, win 17688, length 196

M.r0…vUP.E.X…….~.%..>N..oFk………KQ..)Eq.d.,….r^l……m\.oyE….-….g~m..Xy.6..1…..c.O.@…o_..J….i.*…..2f.mQH…Q.c…6….9.v.gb……..;..4.).UiCY]..9..x.)..Z.XF….’|..E……M..u.5…….ul

09:31:31.347760 IP 192.168.0.1.nokia-ann-ch1 > 192.168.0.2.ssh: Flags [.], ack 196, win 64351, length 0

M….vU.r1~P.._……….

^C09:31:31.349560 IP 192.168.0.2.46393 > b.resolvers.Level3.net.domain: 11148+ PTR? 1.0.168.192.in-addr.arpa. (42)

E..F..@.@…………9.5.2.f+…………1.0.168.192.in-addr.arpa…..

 

3 packets captured

11 packets received by filter

0 packets dropped by kernel

4. Display Available Interfaces

To list number of available interfaces on the system, run the following command with -Doption.

# tcpdump -D

 

1.eth0

2.eth1

3.usbmon1 (USB bus number 1)

4.usbmon2 (USB bus number 2)

5.usbmon3 (USB bus number 3)

6.usbmon4 (USB bus number 4)

7.usbmon5 (USB bus number 5)

8.any (Pseudo-device that captures on all interfaces)

9.lo

5. Display Captured Packets in HEX and ASCII

The following command with option -XX capture the data of each packet, including its link level header in HEX and ASCII format.

# tcpdump -XX -i eth0

 

11:51:18.974360 IP 172.16.25.126.ssh > 172.16.25.125.apwi-rxspooler: Flags [P.], seq 3509235537:3509235733, ack 3652638190, win 18760, length 196

0x0000:  b8ac 6f2e 57b3 0001 6c99 1468 0800 4510  ..o.W…l..h..E.

0x0010:  00ec 8783 4000 4006 275d ac10 197e ac10  ….@.@.’]…~..

0x0020:  197d 0016 1129 d12a af51 d9b6 d5ee 5018  .}…).*.Q….P.

0x0030:  4948 8bfa 0000 0e12 ea4d 22d1 67c0 f123  IH…….M”.g..#

0x0040:  9013 8f68 aa70 29f3 2efc c512 5660 4fe8  …h.p)…..V`O.

0x0050:  590a d631 f939 dd06 e36a 69ed cac2 95b6  Y..1.9…ji…..

0x0060:  f8ba b42a 344b 8e56 a5c4 b3a2 ed82 c3a1  …*4K.V……..

0x0070:  80c8 7980 11ac 9bd7 5b01 18d5 8180 4536  ..y…..[…..E6

0x0080:  30fd 4f6d 4190 f66f 2e24 e877 ed23 8eb0  0.OmA..o.$.w.#..

0x0090:  5a1d f3ec 4be4 e0fb 8553 7c85 17d9 866f  Z…K….S|….o

0x00a0:  c279 0d9c 8f9d 445b 7b01 81eb 1b63 7f12  .y….D[{….c..

0x00b0:  71b3 1357 52c7 cf00 95c6 c9f6 63b1 ca51  q..WR…….c..Q

0x00c0:  0ac6 456e 0620 38e6 10cb 6139 fb2a a756  ..En..8…a9.*.V

0x00d0:  37d6 c5f3 f5f3 d8e8 3316 d14f d7ab fd93  7…….3..O….

0x00e0:  1137 61c1 6a5c b4d1 ddda 380a f782 d983  .7a.j\….8…..

0x00f0:  62ff a5a9 bb39 4f80 668a                 b….9O.f.

11:51:18.974759 IP 172.16.25.126.60952 > mddc-01.midcorp.mid-day.com.domain: 14620+ PTR? 125.25.16.172.in-addr.arpa. (44)

0x0000:  0014 5e67 261d 0001 6c99 1468 0800 4500  ..^g&…l..h..E.

0x0010:  0048 5a83 4000 4011 5e25 ac10 197e ac10  .HZ.@.@.^%…~..

0x0020:  105e ee18 0035 0034 8242 391c 0100 0001  .^…5.4.B9…..

0x0030:  0000 0000 0000 0331 3235 0232 3502 3136  …….125.25.16

0x0040:  0331 3732 0769 6e2d 6164 6472 0461 7270  .172.in-addr.arp

0x0050:  6100 000c 0001                           a…..

6. Capture and Save Packets in a File

As we said, that tcpdump has a feature to capture and save the file in a .pcap format, to do this just execute command with -w option.

# tcpdump -w 0001.pcap -i eth0

 

tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes

4 packets captured

4 packets received by filter

0 packets dropped by kernel

7. Read Captured Packets File

To read and analyze captured packet 0001.pcap file use the command with -r option, as shown below.

# tcpdump -r 0001.pcap

 

reading from file 0001.pcap, link-type EN10MB (Ethernet)

09:59:34.839117 IP 192.168.0.2.ssh > 192.168.0.1.nokia-ann-ch1: Flags [P.], seq 3353041614:3353041746, ack 4193563273, win 18760, length 132

09:59:34.963022 IP 192.168.0.1.nokia-ann-ch1 > 192.168.0.2.ssh: Flags [.], ack 132, win 65351, length 0

09:59:36.935309 IP 192.168.0.1.netbios-dgm > 192.168.0.255.netbios-dgm: NBT UDP PACKET(138)

09:59:37.528731 IP 192.168.0.1.nokia-ann-ch1 > 192.168.0.2.ssh: Flags [P.], seq 1:53, ack 132, win 65351, length 5

8. Capture IP address Packets

To capture packets for a specific interface, run the following command with option -n.

# tcpdump -n -i eth0

 

tcpdump: verbose output suppressed, use -v or -vv for full protocol decode

listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes

12:07:03.952358 IP 172.16.25.126.ssh > 172.16.25.125.apwi-rxspooler: Flags [P.], seq 3509512873:3509513069, ack 3652639034, win 18760, length 196

12:07:03.952602 IP 172.16.25.125.apwi-rxspooler > 172.16.25.126.ssh: Flags [.], ack 196, win 64171, length 0

12:07:03.953311 IP 172.16.25.126.ssh > 172.16.25.125.apwi-rxspooler: Flags [P.], seq 196:504, ack 1, win 18760, length 308

12:07:03.954288 IP 172.16.25.126.ssh > 172.16.25.125.apwi-rxspooler: Flags [P.], seq 504:668, ack 1, win 18760, length 164

12:07:03.954502 IP 172.16.25.125.apwi-rxspooler > 172.16.25.126.ssh: Flags [.], ack 668, win 65535, length 0

12:07:03.955298 IP 172.16.25.126.ssh > 172.16.25.125.apwi-rxspooler: Flags [P.], seq 668:944, ack 1, win 18760, length 276

12:07:03.955425 IP 172.16.23.16.netbios-ns > 172.16.31.255.netbios-ns: NBT UDP PACKET(137): REGISTRATION; REQUEST; BROADCAST

12:07:03.956299 IP 172.16.25.126.ssh > 172.16.25.125.apwi-rxspooler: Flags [P.], seq 944:1236, ack 1, win 18760, length 292

12:07:03.956535 IP 172.16.25.125.apwi-rxspooler > 172.16.25.126.ssh: Flags [.], ack 1236, win 64967, length 0

9. Capture only TCP Packets.

To capture packets based on TCP port, run the following command with option tcp.

# tcpdump -i eth0 tcp

 

tcpdump: verbose output suppressed, use -v or -vv for full protocol decode

listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes

12:10:36.216358 IP 172.16.25.126.ssh > 172.16.25.125.apwi-rxspooler: Flags [P.], seq 3509646029:3509646225, ack 3652640142, win 18760, length 196

12:10:36.216592 IP 172.16.25.125.apwi-rxspooler > 172.16.25.126.ssh: Flags [.], ack 196, win 64687, length 0

12:10:36.219069 IP 172.16.25.126.ssh > 172.16.25.125.apwi-rxspooler: Flags [P.], seq 196:504, ack 1, win 18760, length 308

12:10:36.220039 IP 172.16.25.126.ssh > 172.16.25.125.apwi-rxspooler: Flags [P.], seq 504:668, ack 1, win 18760, length 164

12:10:36.220260 IP 172.16.25.125.apwi-rxspooler > 172.16.25.126.ssh: Flags [.], ack 668, win 64215, length 0

12:10:36.222045 IP 172.16.25.126.ssh > 172.16.25.125.apwi-rxspooler: Flags [P.], seq 668:944, ack 1, win 18760, length 276

12:10:36.223036 IP 172.16.25.126.ssh > 172.16.25.125.apwi-rxspooler: Flags [P.], seq 944:1108, ack 1, win 18760, length 164

12:10:36.223252 IP 172.16.25.125.apwi-rxspooler > 172.16.25.126.ssh: Flags [.], ack 1108, win 65535, length 0

^C12:10:36.223461 IP mid-pay.midcorp.mid-day.com.netbios-ssn > 172.16.22.183.recipe: Flags [.], seq 283256512:283256513, ack 550465221, win 65531, length 1[|SMB]

10. Capture Packet from Specific Port

Let’s say you want to capture packets for specific port 22, execute the below command by specifying port number 22 as shown below.

# tcpdump -i eth0 port 22

 

tcpdump: verbose output suppressed, use -v or -vv for full protocol decode

listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes

10:37:49.056927 IP 192.168.0.2.ssh > 192.168.0.1.nokia-ann-ch1: Flags [P.], seq 3364204694:3364204890, ack 4193655445, win 20904, length 196

10:37:49.196436 IP 192.168.0.2.ssh > 192.168.0.1.nokia-ann-ch1: Flags [P.], seq 4294967244:196, ack 1, win 20904, length 248

10:37:49.196615 IP 192.168.0.1.nokia-ann-ch1 > 192.168.0.2.ssh: Flags [.], ack 196, win 64491, length 0

10:37:49.379298 IP 192.168.0.2.ssh > 192.168.0.1.nokia-ann-ch1: Flags [P.], seq 196:616, ack 1, win 20904, length 420

10:37:49.381080 IP 192.168.0.2.ssh > 192.168.0.1.nokia-ann-ch1: Flags [P.], seq 616:780, ack 1, win 20904, length 164

10:37:49.381322 IP 192.168.0.1.nokia-ann-ch1 > 192.168.0.2.ssh: Flags [.], ack 780, win 65535, length 0

11. Capture Packets from source IP

To capture packets from source IP, say you want to capture packets for 192.168.0.2, use the command as follows.

# tcpdump -i eth0 src 192.168.0.2

 

tcpdump: verbose output suppressed, use -v or -vv for full protocol decode

listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes

10:49:15.746474 IP 192.168.0.2.ssh > 192.168.0.1.nokia-ann-ch1: Flags [P.], seq 3364578842:3364579038, ack 4193668445, win 20904, length 196

10:49:15.748554 IP 192.168.0.2.56200 > b.resolvers.Level3.net.domain: 11289+ PTR? 1.0.168.192.in-addr.arpa. (42)

10:49:15.912165 IP 192.168.0.2.56234 > b.resolvers.Level3.net.domain: 53106+ PTR? 2.0.168.192.in-addr.arpa. (42)

10:49:16.074720 IP 192.168.0.2.33961 > b.resolvers.Level3.net.domain: 38447+ PTR? 2.2.2.4.in-addr.arpa. (38)

12. Capture Packets from destination IP

To capture packets from destination IP, say you want to capture packets for 50.116.66.139, use the command as follows.

# tcpdump -i eth0 dst 50.116.66.139

 

tcpdump: verbose output suppressed, use -v or -vv for full protocol decode

listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes

10:55:01.798591 IP 192.168.0.2.59896 > 50.116.66.139.http: Flags [.], ack 2480401451, win 318, options [nop,nop,TS val 7955710 ecr 804759402], length 0

10:55:05.527476 IP 192.168.0.2.59894 > 50.116.66.139.http: Flags [F.], seq 2521556029, ack 2164168606, win 245, options [nop,nop,TS val 7959439 ecr 804759284], length 0

10:55:05.626027 IP 192.168.0.2.59894 > 50.116.66.139.http: Flags [.], ack 2, win 245, options [nop,nop,TS val 7959537 ecr 804759787], length 0

This article may help you to explore tcpdump command in depth and also to capture and analysis packets in future.

 

————————————————————

TCPdump is a very powerful command line interface packet sniffer.

It must be launched as root or with superuser rights because of the its use of the promiscuous mode or to be sure to have sufficent privilileges on a network device or a socket. 

Wireshark (formerly ethereal) can be used as an alternative to TCPdump but with a GUI interface. Wireshark can be used to read the logs captured by TCPdump too. 

1. TCPDUMP DOWNLOAD:

 To download TCPdump:

#apt-get install tcpdump

 To see the TCPdump dependencies:

#apt-cache depends tcpdump

tcpdump
Depends: libc6
Depends: libpcap0.8
Depends: libssl0.9.8 

 To see the installed TCPdump version:

#apt-cache policy tcpdump

tcpdump:
Installed: 3.9.4-2ubuntu0.1
Candidate: 3.9.4-2ubuntu0.1
Version table:
*** 3.9.4-2ubuntu0.1 0
500 http://security.ubuntu.com dapper-security/main Packages
100 /var/lib/dpkg/status
3.9.4-2 0
500 http://ch.archive.ubuntu.com dapper/main Packages 

 


2. TCPDUMP SYNTAX

Syntax: Protocol Direction Host(s) Value Logical Operations Other expression
Example: tcp dst 10.1.1.1 80 and tcp dst 10.2.2.2 3128

 Protocol:
Values: ether, fddi, ip, arp, rarp, decnet, lat, sca, moprc, mopdl, tcp and udp.
If no protocol is specified, all the protocols are used.

 Direction:
Values: src, dst, src and dst, src or dst
If no source or destination is specified, the “src or dst” keywords are applied.
For example, “host 10.2.2.2” is equivalent to “src or dst host 10.2.2.2”.

 Host(s):
Values: net, port, host, portrange.
If no host(s) is specified, the “host” keyword is used.
For example, “src 10.1.1.1” is equivalent to “src host 10.1.1.1”.

 Logical Operations:
Values: not, and, or.
Negation (“not”) has highest precedence. Alternation (“or”) and concatenation (“and”) have equal precedence and associate left to right.
For example,
“not tcp port 3128 and tcp port 23” is equivalent to “(not tcp port 3128) and tcp port 23”.
“not tcp port 3128 and tcp port 23” is NOT equivalent to “not (tcp port 3128 and tcp port 23)”.

 


3. TCPDUMP USE

 To display the Standard TCPdump output:

#tcpdump

tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes

21:57:29.004426 IP 192.168.1.2.1034 > valve-68-142-64-164.phx3.llnw.net.27014: UDP, length 53
21:57:31.228013 arp who-has 192.168.1.2 tell 192.168.1.1
21:57:31.228020 arp reply 192.168.1.2 is-at 00:04:75:22:22:22 (oui Unknown)
21:57:38.035382 IP 192.168.1.2.1034 > valve-68-142-64-164.phx3.llnw.net.27014: UDP, length 53
21:57:38.613206 IP valve-68-142-64-164.phx3.llnw.net.27014 > 192.168.1.2.1034: UDP, length 36 

 To display the verbose output:

#tcpdump -v

tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes

22:00:11.625995 IP (tos 0x0, ttl 128, id 30917, offset 0, flags [none], proto: UDP (17), length: 81) 192.168.1.2.1034 > valve-68-142-64-164.phx3.llnw.net.27014: UDP, length 53
22:00:20.691903 IP (tos 0x0, ttl 128, id 31026, offset 0, flags [none], proto: UDP (17), length: 81) 192.168.1.2.1034 > valve-68-142-64-164.phx3.llnw.net.27014: UDP, length 53
22:00:21.230970 IP (tos 0x0, ttl 114, id 4373, offset 0, flags [none], proto: UDP (17), length: 64) valve-68-142-64-164.phx3.llnw.net.27014 > 192.168.1.2.1034: UDP, length 36
22:00:26.201715 arp who-has 192.168.1.2 tell 192.168.1.1
22:00:26.201726 arp reply 192.168.1.2 is-at 00:04:11:11:11:11 (oui Unknown)
22:00:29.706020 IP (tos 0x0, ttl 128, id 31133, offset 0, flags [none], proto: UDP (17), length: 81) 192.168.1.2.1034 > valve-68-142-64-164.phx3.llnw.net.27014: UDP, length 53
22:00:38.751355 IP (tos 0x0, ttl 128, id 31256, offset 0, flags [none], proto: UDP (17), length: 81) 192.168.1.2.1034 > valve-68-142-64-164.phx3.llnw.net.27014: UDP, length 53 

 Network interfaces available for the capture:

#tcpdump -D

1.eth0
2.any (Pseudo-device that captures on all interfaces)
3.lo 

 To display numerical addresses rather than symbolic (DNS) addresses:

#tcpdump -n

tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes

22:02:36.111595 IP 192.168.1.2.1034 > 68.142.64.164.27014: UDP, length 53
22:02:36.669853 IP 68.142.64.164.27014 > 192.168.1.2.1034: UDP, length 36
22:02:41.702977 arp who-has 192.168.1.2 tell 192.168.1.1
22:02:41.702984 arp reply 192.168.1.2 is-at 00:04:11:11:11:11
22:02:45.106515 IP 192.168.1.2.1034 > 68.142.64.164.27014: UDP, length 53
22:02:50.392139 IP 192.168.1.2.138 > 192.168.1.255.138: NBT UDP PACKET(138)
22:02:54.139658 IP 192.168.1.2.1034 > 68.142.64.164.27014: UDP, length 53
22:02:57.866958 IP 125.175.131.58.3608 > 192.168.1.2.9501: S 3275472679:3275472679(0) win 65535 

 To display the quick output:

#tcpdump -q

tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes

22:03:55.594839 IP a213-22-130-46.cpe.netcabo.pt.3546 > 192.168.1.2.9501: tcp 0
22:03:55.698827 IP 192.168.1.2.9501 > a213-22-130-46.cpe.netcabo.pt.3546: tcp 0
22:03:56.068088 IP a213-22-130-46.cpe.netcabo.pt.3546 > 192.168.1.2.9501: tcp 0
22:03:56.068096 IP 192.168.1.2.9501 > a213-22-130-46.cpe.netcabo.pt.3546: tcp 0
22:03:57.362863 IP 192.168.1.2.1034 > valve-68-142-64-164.phx3.llnw.net.27014: UDP, length 53
22:03:57.964397 IP valve-68-142-64-164.phx3.llnw.net.27014 > 192.168.1.2.1034: UDP, length 36
22:04:06.406521 IP 192.168.1.2.1034 > valve-68-142-64-164.phx3.llnw.net.27014: UDP, length 53
22:04:15.393757 IP 192.168.1.2.1034 > valve-68-142-64-164.phx3.llnw.net.27014: UDP, length 53 

 Capture the traffic of a particular interface:

tcpdump -i eth0

 To capture the UDP traffic:

#tcpdump udp

 To capture the TCP port 80 traffic:

#tcpdump port http

 To capture the traffic from a filter stored in a file:

#tcpdump -F file_name

To create a file where the filter is configured (here the TCP 80 port)

#vim file_name
port 80

 To stop the capture after 20 packets:

#tcpdump -c 20

To send the capture output in a file instead of directly on the screen:

#tcpdump -w capture.log

 To read a capture file:

#tcpdump -r capture.log

reading from file capture.log, link-type EN10MB (Ethernet)

09:33:51.977522 IP 192.168.1.36.40332 > rr.knams.wikimedia.org.www: P 1548302662:1548303275(613) ack 148796145 win 16527 <nop,nop,timestamp 90351=”” 151123756=””>
09:33:52.031729 IP rr.knams.wikimedia.org.www > 192.168.1.36.40332: . ack 613 win 86 <nop,nop,timestamp 151126015=”” 90351=””>
09:33:52.034414 IP rr.knams.wikimedia.org.www > 192.168.1.36.40332: P 1:511(510) ack 613 win86 <nop,nop,timestamp 151126015=”” 90351=””>
09:33:52.034786 IP 192.168.1.36.40332 > rr.knams.wikimedia.org.www: . ack 511 win 16527 <nop,nop,timestamp 90372=”” 151126015=””>

The captured data isn’t stored in plain text so you cannot read it with a text editor, you have to use a special tool like TCPdump (see above) or Wireshark (Formerly Ethereal) which provides a graphical interface.

The capture.log file is opened with Wireshark.

 To display the packets having “www.openmaniak.com” as their source or destination address:

#tcpdump host http://www.openmaniak.com

 To display the FTP packets coming from 192.168.1.100 to 192.168.1.2:

#tcpdump src 192.168.1.100 and dst 192.168.1.2 and port ftp

 

——————————————————————–

See the list of interfaces on which tcpdump can listen:
tcpdump -D

Listen on interface eth0:
tcpdump -i eth0

Listen on any available interface (cannot be done in promiscuous mode. Requires Linux kernel 2.2 or greater):
tcpdump -i any

Be verbose while capturing packets:
tcpdump -v

Be more verbose while capturing packets:
tcpdump -vv

Be very verbose while capturing packets:
tcpdump -vvv

Be less verbose (than the default) while capturing packets:
tcpdump -q

Limit the capture to 100 packets:
tcpdump -c 100

Record the packet capture to a file called capture.cap:
tcpdump -w capture.cap

Record the packet capture to a file called capture.cap but display on-screen how many packets have been captured in real-time:
tcpdump -v -w capture.cap

Display the packets of a file called capture.cap:
tcpdump -r capture.cap

Display the packets using maximum detail of a file called capture.cap:
tcpdump -vvv -r capture.cap

Display IP addresses and port numbers instead of domain and service names when capturing packets:
tcpdump -n

Capture any packets where the destination host is 192.168.1.1. Display IP addresses and port numbers:
tcpdump -n dst host 192.168.1.1

Capture any packets where the source host is 192.168.1.1. Display IP addresses and port numbers:
tcpdump -n src host 192.168.1.1

Capture any packets where the source or destination host is 192.168.1.1. Display IP addresses and port numbers:
tcpdump -n host 192.168.1.1

Capture any packets where the destination network is 192.168.1.0/24. Display IP addresses and port numbers:
tcpdump -n dst net 192.168.1.0/24

Capture any packets where the source network is 192.168.1.0/24. Display IP addresses and port numbers:
tcpdump -n src net 192.168.1.0/24

Capture any packets where the source or destination network is 192.168.1.0/24. Display IP addresses and port numbers:
tcpdump -n net 192.168.1.0/24

Capture any packets where the destination port is 23. Display IP addresses and port numbers:
tcpdump -n dst port 23

Capture any packets where the destination port is is between 1 and 1023 inclusive. Display IP addresses and port numbers:
tcpdump -n dst portrange 1-1023

Capture only TCP packets where the destination port is is between 1 and 1023 inclusive. Display IP addresses and port numbers:
tcpdump -n tcp dst portrange 1-1023

Capture only UDP packets where the destination port is is between 1 and 1023 inclusive. Display IP addresses and port numbers:
tcpdump -n udp dst portrange 1-1023

Capture any packets with destination IP 192.168.1.1 and destination port 23. Display IP addresses and port numbers:
tcpdump -n “dst host 192.168.1.1 and dst port 23”

Capture any packets with destination IP 192.168.1.1 and destination port 80 or 443. Display IP addresses and port numbers:
tcpdump -n “dst host 192.168.1.1 and (dst port 80 or dst port 443)”

Capture any ICMP packets:
tcpdump -v icmp

Capture any ARP packets:
tcpdump -v arp

Capture either ICMP or ARP packets:
tcpdump -v “icmp or arp”

Capture any packets that are broadcast or multicast:
tcpdump -n “broadcast or multicast”

Capture 500 bytes of data for each packet rather than the default of 68 bytes:
tcpdump -s 500

Capture all bytes of data within the packet:
tcpdump -s 0

http://www.youtube.com/watch?v=1CaYHeMrCiA

Wireshark…

Wireshark (Packet Sniffer): http://www.wireshark.org