Questions tagged [tcpdump]

Command-line packet analyzer

tcpdump is a command-line tool for capturing and analyzing network packets. It runs natively on most *nix operating systems.

200 questions
6 votes, 5 answers

Practical Tcpdump examples?

I want to collect tcpdump examples, as many as possible! E.g.: how to filter FTP passwords on eth0; OR how to filter HTTP 404 errors, etc.
LanceBaynes
6 votes, 1 answer

How do I make tcpdump write to a file for each packet it captures?

I'm running the following version of tcpdump: tcpdump version 4.0.0 libpcap version 1.0.0 I want to make tcpdump write to a file for each packet it captures. Currently, I could only see the captured packets if I quit tcpdump. tcpdump -i em1 -w…
sudurais
4 votes, 1 answer

Understanding the TCP header

The first 16 bits in a TCP header (RFC 793) are for the source port, right? The next 16 are for the destination port. When I run tcpdump -xx I can recognise MAC addresses of boxes on my system. Does this mean that the "ports" are MAC addresses?
jayeola
2 votes, 1 answer

tcpdump to capture time, URL and post data

I need to capture both the post data and the time the request was made. I want to use it to replay requests on the lab server. When I run the following command: tcpdump -i any -s 0 -A '(tcp dst port 8100) and (tcp[((tcp[12:1] & 0xf0) >> 2):4] =…
2 votes, 2 answers

Report tcpdump progress?

I run tcpdump as follows: $ sudo tcpdump -i eth0 -w dump.pcap host 1.2.3.4 tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes Is there a way to see how many packets it has captured so far? Apparently BSD allows for a…
2 votes, 0 answers

How to capture a certain HTTP response code with tcpdump

I want to capture HTTP errors on OpenWrt. The ngrep utility would be very useful but is not available there; tshark is not available either. So that leaves me with tcpdump. How do I tell tcpdump to capture just the connection that resulted in an HTTP…
rezad
1 vote, 1 answer

Detect HTTP sessions using tcpdump

I have a tracefile and I want to find all web servers that were successfully visited in the trace, contacted via HTTP. I'm using: tcpdump -r file.trace - tcp port 80 Maybe I have to search for a list of server IP that send response packets to me (I…
1 vote, 0 answers

latency measurement on Linux-based router using tcpdump

I am using tcpdump to measure latency on a Linux router, i.e. the delay experienced by packets as they pass through the router (running Ubuntu 10). For this purpose, I captured packets on the IN and OUT interfaces and subtracted their log timestamp…
ved
1 vote, 0 answers

WiFi stops working when I run tcpdump on wlp2s0

Very strange thing is happening to me, as soon as I run a simple: $ sudo tcpdump -c 10 -i wlp2s0 port 22 tcpdump: verbose output suppressed, use -v or -vv for full protocol decode listening on wlp2s0, link-type EN10MB (Ethernet), capture size…
Will1v
1 vote, 1 answer

How do I read output from tcpdump as quickly as it prints it to the terminal?

When running tcpdump on the command line, packets appear in realtime as they are received. However, when tcpdump is piped into anything, it resorts to buffered output. The -l and -U options are provided to allow configuration of this. However, I…
anderspitman
1 vote, 1 answer

How to select SYN packets going to a given destination port with tcpdump

I'm trying to capture SYN packets going to a given destination port with tcpdump with the following command: tcpdump dst port 80 "(tcp-syn) !=0" but it says tcp: syntax error. Any idea how to select those two filters?
1 vote, 2 answers

tcpdump is not capturing packets

Can anybody tell me what kind of error I have in this? It isn't reading any packets when I run it. nohup sudo tcpdump -i any host 10.0.1.107 and port 5060 and port 6060 -G 010 -W 015 -w capture_%Y-%m-%d_%H:%M:%S.pcap -z gzip nohup.out…
Matt
0 votes, 1 answer

What are these expressions' meanings? ip[2:2], ip[0], tcp[12], ip[16]

I have been learning tcpdump recently, but I have some trouble now. I have already searched for them on Google and there is nothing that can help me solve my problem. If you know the answer, please help me. Thank you very much. I want to know the expressions'…
0 votes, 0 answers

How to see real destination IP using tcpdump?

I'm a newbie with tcpdump. My setup is simple: one machine A behind a router B, and one machine C outside, on the Internet. On machine A, I ping machine C, and I want to track what's happening with tcpdump: tcpdump on machine A shows an ICMP packet from IP…
xtof54
0 votes, 1 answer

tcpdump does not recognize the or operator

I want to capture packets that are either a PPPoE Discovery or Session packet. Does tcpdump support combining protocols with or? The manpage seems to say so, but it does not seem to work on Raspbian Wheezy with tcpdump 4.6.2 and libpcap 1.6.2. Then…
icehawk