Packet capturing with tcpdump

tcpdump is a utility that lets you intercept and analyze network traffic.
It must be run with root privileges. On Ubuntu you can prefix each command with "sudo", or switch to the root user right away:

sudo -i

Below are examples of running tcpdump.
Capturing on a specific network interface:

tcpdump -i eth0
/usr/sbin/tcpdump -i eth0

Show only packets to or from the specified addresses, or exclude addresses:

tcpdump host ADDRESS
tcpdump host ADDRESS and ADDRESS
tcpdump host ADDRESS or ADDRESS
tcpdump not host ADDRESS
tcpdump ether host e0:cb:4e:c3:7c:44

Specifying the port:

tcpdump port 80

Filtering by type (arp/rarp/ip/tcp/udp/icmp/wlan/multicast/broadcast), for example:

tcpdump arp
tcpdump arp and broadcast

Write the result to a file:

tcpdump -w "/home/user/tcpdump/"`date "+%Y-%m-%d-%H-%M"`-http.pcap

Specifying the VLAN:

tcpdump vlan 100

Other examples:

tcpdump -s 1500 -c 30000 'tcp port 80 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)'
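The arithmetic in that filter is the TCP payload length: IPv4 total length minus the IPv4 header length (ip[0]&0xf, in 32-bit words) minus the TCP header length (tcp[12]&0xf0, in 32-bit words), so only port-80 segments that actually carry data are kept. The following is an added example, not part of the original post: it evaluates the same byte offsets in Python on constructed packets and writes the matches to a pcap file in the format -w produces (readable with tcpdump -r or Wireshark). Packet contents, addresses and the output path are constructed for illustration.

```python
import struct

def tcp_payload_len(ip: bytes) -> int:
    # Same arithmetic as the BPF expression on the page:
    # ip[2:2] - ((ip[0]&0xf)<<2) - ((tcp[12]&0xf0)>>2)
    total_len = struct.unpack("!H", ip[2:4])[0]   # ip[2:2]: IPv4 total length
    ihl = (ip[0] & 0x0F) << 2                      # IPv4 header length in bytes
    data_off = (ip[ihl + 12] & 0xF0) >> 2          # tcp[12]: TCP header length in bytes
    return total_len - ihl - data_off

def matches_http_data(ip: bytes) -> bool:
    # 'tcp port 80 and (<payload length> != 0)' applied to one raw IPv4 packet
    if ip[9] != 6:                                 # ip[9] is the protocol field; 6 = TCP
        return False
    ihl = (ip[0] & 0x0F) << 2
    sport, dport = struct.unpack("!HH", ip[ihl:ihl + 4])
    return 80 in (sport, dport) and tcp_payload_len(ip) != 0

def build_ipv4_tcp(payload: bytes, sport: int, dport: int, flags: int = 0x18) -> bytes:
    # Constructed sample packet: 20-byte IPv4 header + 20-byte TCP header + payload.
    # Checksums are left as zero; they play no part in the filter arithmetic.
    total = 40 + len(payload)
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total, 0, 0, 64, 6, 0,
                         bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    tcp_hdr = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 0x50, flags, 65535, 0, 0)
    return ip_hdr + tcp_hdr + payload

def write_pcap(path: str, packets, snaplen: int = 1500) -> int:
    # Minimal pcap writer (the layout -w produces): global header, then one record per packet.
    # Link type 101 = LINKTYPE_RAW, so records carry raw IPv4 with no Ethernet header.
    with open(path, "wb") as f:
        f.write(struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, snaplen, 101))
        for ts, pkt in enumerate(packets):
            f.write(struct.pack("<IIII", ts, 0, min(len(pkt), snaplen), len(pkt)))
            f.write(pkt[:snaplen])                 # -s style truncation to snaplen
    return len(packets)

SAMPLE = [                                         # constructed traffic
    build_ipv4_tcp(b"", 40000, 80, flags=0x02),    # SYN, no payload -> dropped
    build_ipv4_tcp(b"GET / HTTP/1.1\r\n\r\n", 40000, 80),  # request with data -> kept
    build_ipv4_tcp(b"", 40000, 80, flags=0x10),    # bare ACK -> dropped
    build_ipv4_tcp(b"hello", 40000, 22),           # port 22 -> dropped
]

def capture_http_data(path: str) -> int:
    # Returns how many packets passed the filter and were written to the file.
    return write_pcap(path, [p for p in SAMPLE if matches_http_data(p)])

if __name__ == "__main__":
    print(capture_http_data("http-data.pcap"), "packet(s) written")
```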

The startup options are as follows:
-a Convert network and broadcast addresses to domain names.
-i The interface to listen on.
-c Exit after receiving the specified number of packets.
-v, -vv, -vvv Print progressively more detailed output.
-q Quiet mode: only a short summary of each packet is printed.
-t Do not print a timestamp on each line.
-tttt Print the timestamp with the date.
-n Do not resolve host addresses to domain names.
-nn Do not resolve host or port names; ports are shown as numbers instead of the protocol name.
-N Resolve host addresses to domain names.
-e Print the link-layer header (MAC addresses, protocol, packet length).
-w Write raw packets to a file in binary format. The file can then be opened in analysis programs such as Wireshark.
-r Read packets from a file instead of an interface.
-s Snapshot length: the number of bytes of each packet that tcpdump captures.
-x Print packet contents in hexadecimal.
