Wikipedia: “tcpdump is a common packet analyzer that runs under the command line. It allows the user to intercept and display TCP/IP and other packets being transmitted or received over a network to which the computer is attached.”
Common uses: “Tcpdump analyzes network behavior, performance and applications that generate or receive network traffic. It can also be used for analyzing the network infrastructure itself by determining whether all necessary routing is occurring properly, allowing the user to further isolate the source of a problem.”
A few of the mostly used options:
-i any
: Listen on all interfaces just to see if you’re seeing any traffic.-n
: Don’t resolve hostnames.-nn
: Don’t resolve hostnames or port names.-X
: Show the packet’s contents in both hex and ASCII.-XX
: Same as-X
, but also shows the ethernet header.-v, -vv, -vvv
: Increase the amount of packet information you get back.-c
: Only get x number of packets and then stop.-S
: Print absolute sequence numbers.-e
: Get the ethernet header as well.-q
: Show less protocol information.-E
: Decrypt IPSEC traffic by providing an encryption key.-s
: Set the snaplength, i.e. the amount of data that is being captured in bytes-c
: Only capture x number of packets, e.g. ‘tcpdump -c 3
‘
I’m using my MAC to learn this command, so depending if you are connected wirelessly or by ethernet (direct connect), you will need to put in the correct interface.
View your interfaces.
$ ifconfig
Wireless Interface (depending on your interface number – look for the IP address):
# tcpdump -i en1
# tcpdump -i en2
Ethernet Interface:
# tcpdump -i en0
Basic usage.
# tcpdump -i interface
# tcpdump -nS
# tcpdump -nnvvS
Now lets port this information into a file called DumpFile01.pcap on the Desktop.
# tcpdump -i en0 -w ~/Desktop/DumpFile01.pcap
Reading the file. What’s the difference between .cap and .cap?
# -r ~/Desktop/DumpFile01.pcap
The -nn tells tcpdump not to resolve DNS on IP and Ports, where r is read.
# tcpdump -nnr ~/Desktop/DumpFile01.pcap
Adding -tttt to makes the timestamp appears more readable format.
# tcpdump -ttttnnr ~/Desktop/DumpFile01.pcap
Lets get a tcpdump on port 80.
# tcpdump -w /Users/Tommy/Desktop/dump01.pcap -i en0 port 80
# tcpdump -w /Users/Tommy/Desktop/dump01.pcap -i en0 tcp port 80
# tcpdump -w /Users/Tommy/Desktop/dump01.pcap -i en0 udp port 80
Capture packets based off of the Source and Destination.
# tcpdump src XXX.XXX.XXX.XXX
# tcpdump dst XXX.XXX.XXX.XXX
# tcpdump dst XXX.XXX.XXX.XXX and port XX
Specify a Port range.
# tcpdump tcp portrange XX-XX