- Official Site: http://www.tcpdump.org/
- Wikipedia Article: http://en.wikipedia.org/wiki/Tcpdump
- 'tcpdump' is a versatile network capture and debugging tool that runs on most platforms.
user@machine:~% tcpdump -h
tcpdump version 3.9.1
libpcap version 0.9.1
Usage: tcpdump [-aAdDeflLnNOpqRStuUvxX] [-c count] [ -C file_size ]
               [ -E algo:secret ] [ -F file ] [ -i interface ] [ -M secret ]
               [ -r file ] [ -s snaplen ] [ -T type ] [ -w file ]
               [ -W filecount ] [ -y datalinktype ] [ -Z user ]
               [ expression ]
You can use tcpdump to read the pcap files that the log_packets.sh process gathers. To list every packet in a file sent to or from a certain host (the `host` primitive matches either direction):
user@machine:~% tcpdump -r ./snort.log.blah host ipaddrtofind
802.1Q VLAN support
- tcpdump supports VLAN-tagged encapsulated traffic via BPF as long as your libpcap has support compiled in.
- To use it, the command line takes this form:
user@machine:~% tcpdump [options] vlan [tag#] and [other filters]
- For example:
user@machine:~% tcpdump -n -s0 -i fxp0 -w out.cap vlan 104 and host 111.222.333.444
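The two uses above (reading the snort.log.* pcaps written by log_packets.sh, and narrowing to one VLAN tag and one host) can be wrapped in a small POSIX shell script. This is an added example, not code from the page or from the tcpdump project; the capture directory, the constructed address 192.0.2.10 and the assumption that tcpdump is installed are all mine. The filter builder puts `vlan` first on purpose: the tcpdump manual notes that the `vlan` keyword shifts the decoding offsets for the rest of the expression, so `host X and vlan N` would evaluate `host X` at the untagged offsets and silently miss tagged traffic.

```shell
#!/bin/sh
# Added example (not from the original page): read the snort.log.* pcap
# files that log_packets.sh produces and optionally restrict the output
# to one 802.1Q VLAN tag and one host.
# Assumptions: the capture directory is supplied by the caller, tcpdump
# is installed, and 192.0.2.10 in the usage comment is a constructed
# documentation address.

# build_filter VLAN_TAG HOST
#   Prints a BPF expression. Either argument may be empty.
#   "vlan N" is always placed first because tcpdump changes the
#   decoding offsets for everything that follows the vlan keyword;
#   "host X and vlan N" would match host X only in untagged frames.
build_filter() {
  bf_tag=$1
  bf_host=$2
  bf_expr=""
  if [ -n "$bf_tag" ]; then
    bf_expr="vlan $bf_tag"
  fi
  if [ -n "$bf_host" ]; then
    if [ -n "$bf_expr" ]; then
      bf_expr="$bf_expr and host $bf_host"
    else
      bf_expr="host $bf_host"
    fi
  fi
  printf '%s\n' "$bf_expr"
}

# read_captures DIR VLAN_TAG HOST
#   Runs "tcpdump -n -r" over every snort.log.* file in DIR with the
#   filter from build_filter. -n avoids DNS lookups, which would be
#   slow and would leak the addresses under investigation to a resolver.
read_captures() {
  rc_dir=$1
  rc_filter=$(build_filter "$2" "$3")
  for rc_file in "$rc_dir"/snort.log.*; do
    [ -f "$rc_file" ] || continue
    printf '### %s\n' "$rc_file"
    # $rc_filter is deliberately unquoted: an empty filter must yield no
    # argument at all, and tcpdump joins the remaining words itself.
    tcpdump -n -r "$rc_file" $rc_filter
  done
}

# Usage (only runs when arguments are given):
#   sh read_captures.sh /nsm/captures 104 192.0.2.10
#   sh read_captures.sh /nsm/captures "" 192.0.2.10    # no VLAN filter
if [ $# -gt 0 ]; then
  read_captures "$@"
fi
```

Because the `vlan` keyword rewrites offsets for the rest of the expression, keep any additional primitives (ports, protocols) after it as well; the builder above only handles the host case the page shows, but the same ordering rule applies to anything you append.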