tcpdump: Difference between revisions
From Leechfinger
Jump to navigationJump to search
No edit summary |
No edit summary |
||
| (25 intermediate revisions by the same user not shown) | |||
| Line 5: | Line 5: | ||
</syntaxhighlight> | </syntaxhighlight> | ||
=== Flags === | === Flags === | ||
{| class="wikitable sortable" | {| class="wikitable sortable" width="100%" | ||
|+ | |||
|+ | |||
|- | |- | ||
! Flag !! Description | ! Flag !! Description | ||
|- | |- | ||
| -D || List all interfaces | | -D || List all interfaces. | ||
|- | |- | ||
| - | | -i || Interface, eth1, any. | ||
|- | |- | ||
| -C || | | -C || Max file size to save, -C100, 100 meg, all files will have subsequent numbers. | ||
|- | |||
| -W || Limit the number of files, -W5, use with -C. | |||
|- | |||
| -w || Output file name. | |||
|- | |||
| -Z || User, -Z root. | |||
|- | |||
| -r || Read the output file. | |||
|- | |||
| -c || Packets captured, -c100. | |||
|- | |||
| -n || Don't convert addresses (i.e., host addresses, port numbers, etc.) to names. | |||
|- | |||
| --version || Version number. | |||
|- | |||
| -v || Verbose, -vvv will create more information. | |||
|} | |} | ||
=== List all interfaces === | === List all interfaces === | ||
<syntaxhighlight lang="bash"> | <syntaxhighlight lang="bash"> | ||
# tcpdump -D | # tcpdump -D | ||
</syntaxhighlight> | |||
=== Interface, user, file size, rotation, output file=== | |||
<syntaxhighlight lang="bash"> | |||
# tcpdump -i eth0 -Z root -C300 -W4 -w $HOSTNAME-tcpdump.pcap | |||
# tcpdump -r zyklonB-tcpdump.pcap | |||
</syntaxhighlight> | |||
=== Capture for a port or portrange === | |||
<syntaxhighlight lang="bash"> | |||
# tcpdump -i any -Z root -C1 -W2 -c2 portrange 1-100 -w $HOSTNAME-tcpdump.pcap | |||
# tcpdump -i any -Z root -C1 -W2 -c2 port 443 -w $HOSTNAME-tcpdump.pcap | |||
</syntaxhighlight> | |||
=== Capture for a host === | |||
<syntaxhighlight lang="bash"> | |||
# tcpdump -i any -Z root -C1 -W2 -c2 host whitehouse.gov -w $HOSTNAME-tcpdump.pcap | |||
</syntaxhighlight> | |||
=== Capture for a subnets === | |||
<syntaxhighlight lang="bash"> | |||
# tcpdump -i any -Z root -C1 -W2 -c2 net 192.168.24.0/24 -w $HOSTNAME-tcpdump.pcap | |||
</syntaxhighlight> | |||
=== Hostname and date/time stamp the file === | |||
<syntaxhighlight lang="bash"> | |||
# tcpdump -i any -Z root -C1 -W2 -c2 -w `hostname`-`date +%Y%b%d`-tcpdump.pcap | |||
</syntaxhighlight> | </syntaxhighlight> | ||
[[Category:Commands]] | [[Category:Commands]] | ||
Latest revision as of 17:42, 10 May 2025
Tcpdump prints out a description of the contents of packets on a network interface that match the boolean expression. Many flags need root permissions to run.
Install
# apt install tcpdump
Flags
| Flag | Description |
|---|---|
| -D | List all interfaces. |
| -i | Interface, eth1, any. |
| -C | Max file size to save, -C100, 100 meg, all files will have subsequent numbers. |
| -W | Limit the number of files, -W5, use with -C. |
| -w | Output file name. |
| -Z | User, -Z root. |
| -r | Read the output file. |
| -c | Packets captured, -c100. |
| -n | Don't convert addresses (i.e., host addresses, port numbers, etc.) to names. |
| --version | Version number. |
| -v | Verbose, -vvv will create more information. |
List all interfaces
# tcpdump -D
Interface, user, file size, rotation, output file
# tcpdump -i eth0 -Z root -C300 -W4 -w $HOSTNAME-tcpdump.pcap
# tcpdump -r zyklonB-tcpdump.pcap
Capture for a port or portrange
# tcpdump -i any -Z root -C1 -W2 -c2 portrange 1-100 -w $HOSTNAME-tcpdump.pcap
# tcpdump -i any -Z root -C1 -W2 -c2 port 443 -w $HOSTNAME-tcpdump.pcap
Capture for a host
# tcpdump -i any -Z root -C1 -W2 -c2 host whitehouse.gov -w $HOSTNAME-tcpdump.pcap
Capture for a subnets
# tcpdump -i any -Z root -C1 -W2 -c2 net 192.168.24.0/24 -w $HOSTNAME-tcpdump.pcap
Hostname and date/time stamp the file
# tcpdump -i any -Z root -C1 -W2 -c2 -w `hostname`-`date +%Y%b%d`-tcpdump.pcap
