tcpdump: Difference between revisions

Latest revision as of 17:42, 10 May 2025

Tcpdump prints out a description of the contents of packets on a network interface that match the boolean expression. Many flags need root permissions to run.

Install

# apt install tcpdump

Flags


Flag	Description
-D	List all interfaces.
-i	Interface, eth1, any.
-C	Max file size to save, -C100, 100 meg, all files will have subsequent numbers.
-W	Limit the number of files, -W5, use with -C.
-w	Output file name.
-Z	User, -Z root.
-r	Read the output file.
-c	Packets captured, -c100.
-n	Don't convert addresses (i.e., host addresses, port numbers, etc.) to names.
--version	Version number.
-v	Verbose, -vvv will create more information.

List all interfaces

# tcpdump -D

Interface, user, file size, rotation, output file

# tcpdump -i eth0 -Z root -C300 -W4 -w $HOSTNAME-tcpdump.pcap
# tcpdump -r zyklonB-tcpdump.pcap

Capture for a port or portrange

# tcpdump -i any -Z root -C1 -W2 -c2 portrange 1-100 -w $HOSTNAME-tcpdump.pcap
# tcpdump -i any -Z root -C1 -W2 -c2 port 443 -w $HOSTNAME-tcpdump.pcap

Capture for a host

# tcpdump -i any -Z root -C1 -W2 -c2 host whitehouse.gov -w $HOSTNAME-tcpdump.pcap

Capture for a subnets

# tcpdump -i any -Z root -C1 -W2 -c2 net 192.168.24.0/24 -w $HOSTNAME-tcpdump.pcap

Hostname and date/time stamp the file

# tcpdump -i any -Z root -C1 -W2 -c2 -w `hostname`-`date +%Y%b%d`-tcpdump.pcap

@@ Line 1: / Line 1: @@
-Tcpdump prints out a description of the contents of packets on a network interface that match the boolean expression.
+Tcpdump prints out a description of the contents of packets on a network interface that match the boolean expression. Many flags need root permissions to run.
+=== Install ===
+<syntaxhighlight lang="bash">
+# apt install tcpdump
+</syntaxhighlight>
 === Flags ===
-{| class="wikitable sortable"
+{| class="wikitable sortable" width="100%"
-|+ tcpdump flags
+|+
 |-
 ! Flag !! Description
 |-
-| -W || Example
+| -D || List all interfaces.
 |-
-| -C || Example
+| -i || Interface, eth1, any.
+|-
+| -C || Max file size to save, -C100, 100 meg, all files will have subsequent numbers.
+|-
+| -W || Limit the number of files, -W5, use with -C.
+|-
+| -w || Output file name.
+|-
+| -Z || User, -Z root.
+|-
+| -r || Read the output file.
+|-
+| -c || Packets captured, -c100.
+|-
+| -n || Don't convert addresses (i.e., host addresses, port numbers, etc.) to names.
+|-
+| --version || Version number.
+|-
+| -v || Verbose, -vvv will create more information.
 |}
+=== List all interfaces ===
+<syntaxhighlight lang="bash">
+# tcpdump -D
+</syntaxhighlight>
+=== Interface, user, file size, rotation, output file===
+<syntaxhighlight lang="bash">
+# tcpdump -i eth0 -Z root -C300 -W4 -w $HOSTNAME-tcpdump.pcap
+# tcpdump -r zyklonB-tcpdump.pcap
+</syntaxhighlight>
+=== Capture for a port or portrange ===
+<syntaxhighlight lang="bash">
+# tcpdump -i any -Z root -C1 -W2 -c2 portrange 1-100 -w $HOSTNAME-tcpdump.pcap
+# tcpdump -i any -Z root -C1 -W2 -c2 port 443 -w $HOSTNAME-tcpdump.pcap
+</syntaxhighlight>
+=== Capture for a host ===
+<syntaxhighlight lang="bash">
+# tcpdump -i any -Z root -C1 -W2 -c2 host whitehouse.gov -w $HOSTNAME-tcpdump.pcap
+</syntaxhighlight>
+=== Capture for a subnets ===
+<syntaxhighlight lang="bash">
+# tcpdump -i any -Z root -C1 -W2 -c2 net 192.168.24.0/24 -w $HOSTNAME-tcpdump.pcap
+</syntaxhighlight>
+=== Hostname and date/time stamp the file ===
+<syntaxhighlight lang="bash">
+# tcpdump -i any -Z root -C1 -W2 -c2 -w `hostname`-`date +%Y%b%d`-tcpdump.pcap
+</syntaxhighlight>
 [[Category:Commands]]

tcpdump: Difference between revisions

Latest revision as of 17:42, 10 May 2025

Contents

Install

Flags

List all interfaces

Interface, user, file size, rotation, output file

Capture for a port or portrange

Capture for a host

Capture for a subnets

Hostname and date/time stamp the file

Navigation menu

Page actions

Page actions

Personal tools

Navigation

Search

Categories

Tools