Tcpdump

From NSMWiki

Background

Usage

 user@machine:~% tcpdump -h
 tcpdump version 3.9.1
 libpcap version 0.9.1
 Usage: tcpdump [-aAdDeflLnNOpqRStuUvxX] [-c count] [ -C file_size ]
               [ -E algo:secret ] [ -F file ] [ -i interface ] [ -M secret ]
               [ -r file ] [ -s snaplen ] [ -T type ] [ -w file ]
               [ -W filecount ] [ -y datalinktype ] [ -Z user ]
               [ expression ]

Example

You can use tcpdump to read the pcap files that log_packets.sh gathers. To list every packet in a file to or from a certain host (the host primitive matches a packet whose source or destination address is the one given):

 tcpdump -n -r ./snort.log.blah host ipaddrtofind

The -n flag keeps tcpdump from resolving addresses and ports to names; without it, reading a large file is slow and the sensor sends a DNS query for every address in the capture.

Various tcpdump related links

Alternate Information

802.1Q VLAN support

  • tcpdump can filter on 802.1Q VLAN-tagged frames with the vlan BPF primitive, as long as your libpcap was built with that support.
  • The vlan keyword comes first, followed by the rest of the filter:
 user@machine:~% tcpdump [options] vlan [tag#] and [other filters]
  • Order matters: vlan [tag#] tests the VLAN ID and shifts the offsets used by every later primitive by the 4 bytes the tag occupies. A plain host filter with no vlan in front of it matches nothing on tagged frames, because BPF looks for the IP ethertype at offset 12 and finds 0x8100 (the 802.1Q ethertype) there instead.
  • For example, to write VLAN 104 traffic to or from one host to a file with full-length packets (-s0) and no name resolution (-n), where 192.0.2.10 stands in for the host of interest:
 user@machine:~% tcpdump -n -s0 -i fxp0 -w out.cap vlan 104 and host 192.0.2.10
  • If tcpdump shows no tags on an interface you expect to be trunked, the NIC may be stripping them before the capture (VLAN receive offload); the frames then look untagged to every filter. On Linux check with ethtool -k <interface> and look at rx-vlan-offload.
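The two filter forms on this page, host X from the Example section and vlan N and host X above, as an added example that is not part of NSMWiki, tcpdump or libpcap: a Python reader for classic pcap files that decodes the Ethernet header, an optional 802.1Q tag and the IPv4 address pair, then applies the two filters with the same offset rule libpcap uses, so you can see why a host filter without the vlan keyword misses tagged frames. The capture it reads is constructed in memory (RFC 5737 documentation addresses 192.0.2.10 and 198.51.100.5, two 10.0.0.0/8 addresses, MACs from the 00:00:5E:00:53:xx documentation range); the function names are assumptions of this example.

```python
"""Emulate tcpdump's ``host`` and ``vlan`` filters over a classic pcap file.

Added example for this wiki page, not tcpdump or libpcap code.  The four-frame
capture and its addresses are constructed inline so it runs offline; only
Ethernet (DLT_EN10MB) with at most one 802.1Q tag is handled, no QinQ or pcapng.
"""
import struct
from dataclasses import dataclass
from typing import List, Optional

ETH_P_8021Q = 0x8100
ETH_P_IP = 0x0800


@dataclass
class Frame:
    index: int
    vlan: Optional[int]   # 802.1Q VID, None when the frame is untagged
    src: Optional[str]    # IPv4 source, None when the payload is not IPv4
    dst: Optional[str]


def parse_frame(index: int, data: bytes) -> Frame:
    """Decode Ethernet II, an optional 802.1Q tag and the IPv4 address pair."""
    ethertype = struct.unpack_from("!H", data, 12)[0]
    offset, vlan = 14, None
    if ethertype == ETH_P_8021Q:
        vlan = struct.unpack_from("!H", data, 14)[0] & 0x0FFF   # VID: low 12 bits of TCI
        ethertype = struct.unpack_from("!H", data, 16)[0]
        offset = 18                                  # the tag pushes the payload down 4 bytes
    if ethertype != ETH_P_IP:
        return Frame(index, vlan, None, None)
    src = ".".join(str(b) for b in data[offset + 12:offset + 16])
    dst = ".".join(str(b) for b in data[offset + 16:offset + 20])
    return Frame(index, vlan, src, dst)


def read_pcap(buf: bytes) -> List[Frame]:
    """Walk a pcap: 24-byte global header, then 16-byte record headers plus data."""
    magic = struct.unpack_from("<I", buf, 0)[0]
    if magic not in (0xA1B2C3D4, 0xD4C3B2A1):
        raise ValueError("not a classic pcap file (bad magic)")
    end = "<" if magic == 0xA1B2C3D4 else ">"     # magic read as LE reveals the byte order
    if struct.unpack_from(end + "I", buf, 20)[0] != 1:
        raise ValueError("only DLT_EN10MB (Ethernet) is handled here")
    frames, pos = [], 24
    while pos + 16 <= len(buf):
        caplen = struct.unpack_from(end + "I", buf, pos + 8)[0]   # incl_len field
        pos += 16
        frames.append(parse_frame(len(frames), buf[pos:pos + caplen]))
        pos += caplen
    return frames


def tcpdump_filter(frames: List[Frame], host: Optional[str] = None,
                   vlan: Optional[int] = None) -> List[int]:
    """Indices that ``[vlan N and] host X`` selects, with libpcap's Ethernet semantics:
    without the ``vlan`` keyword only untagged frames can match, because the IP
    ethertype is expected at offset 12, where a tagged frame carries 0x8100.
    (An empty expression, which tcpdump treats as match-all, is not modelled.)"""
    selected = []
    for f in frames:
        if f.vlan != vlan:          # None != None is False: untagged matches "no vlan keyword"
            continue
        if host is not None and host not in (f.src, f.dst):
            continue
        selected.append(f.index)
    return selected


def _ethernet_ipv4(src_ip: str, dst_ip: str, vlan: Optional[int] = None) -> bytes:
    """Build a minimal frame: Ethernet II [+ 802.1Q tag] + 20-byte IPv4 header."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, 6, 0,
                     bytes(int(o) for o in src_ip.split(".")),
                     bytes(int(o) for o in dst_ip.split(".")))
    tag = struct.pack("!HH", ETH_P_8021Q, vlan) if vlan is not None else b""
    return (b"\x00\x00\x5e\x00\x53\x01" + b"\x00\x00\x5e\x00\x53\x02"
            + tag + struct.pack("!H", ETH_P_IP) + ip)


def build_sample_pcap() -> bytes:
    """Constructed capture: untagged and tagged frames, with and without the host."""
    frames = [
        _ethernet_ipv4("192.0.2.10", "198.51.100.5"),            # 0: untagged, host match
        _ethernet_ipv4("192.0.2.10", "198.51.100.5", vlan=104),  # 1: VLAN 104, host match
        _ethernet_ipv4("10.0.0.1", "192.0.2.10", vlan=200),      # 2: VLAN 200, host is dst
        _ethernet_ipv4("10.0.0.1", "10.0.0.2"),                  # 3: untagged, no match
    ]
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", 1_600_000_000 + i, 0, len(f), len(f)) + f
    return out


if __name__ == "__main__":
    captured = read_pcap(build_sample_pcap())
    print("host 192.0.2.10              ->", tcpdump_filter(captured, host="192.0.2.10"))
    print("vlan 104 and host 192.0.2.10 ->", tcpdump_filter(captured, vlan=104, host="192.0.2.10"))
    print("vlan 200                     ->", tcpdump_filter(captured, vlan=200))
```

Run it and the first line reports only frame 0: frame 1 carries the same addresses but sits behind a VLAN tag, so host 192.0.2.10 alone never sees it, while vlan 104 and host 192.0.2.10 returns exactly that frame. Point read_pcap at a real file (open(path, "rb").read()) to check what a filter would have matched in a capture taken without the vlan keyword.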