Tcpdump
From NSMWiki
Background
- Official Site: http://www.tcpdump.org/
- Wikipedia Article: http://en.wikipedia.org/wiki/Tcpdump
- 'tcpdump' is a versatile command-line packet capture and analysis tool built on libpcap; it runs on most platforms and accepts the same BPF filter expressions on live interfaces and on saved capture files.
Usage
user@machine:~% tcpdump -h
tcpdump version 3.9.1
libpcap version 0.9.1
Usage: tcpdump [-aAdDeflLnNOpqRStuUvxX] [-c count] [ -C file_size ]
[ -E algo:secret ] [ -F file ] [ -i interface ] [ -M secret ]
[ -r file ] [ -s snaplen ] [ -T type ] [ -w file ]
[ -W filecount ] [ -y datalinktype ] [ -Z user ]
[ expression ]
Example
You can use tcpdump to read the pcap files that the Sguil sensor's log_packets.sh process gathers. To list all packets in a file to or from a given host (the host primitive matches either direction; use src host or dst host for one direction, and add -n to avoid slow reverse DNS lookups):
tcpdump -n -r ./snort.log.blah host ipaddrtofind
Various tcpdump related links
Alternate Information
802.1Q VLAN support
- tcpdump can match 802.1Q VLAN-tagged frames with the vlan BPF primitive, provided the libpcap it is linked against was built with support for it.
- The filter takes the form below; vlan on its own matches any tagged frame, while vlan followed by a number matches only that VLAN ID:
user@machine:~% tcpdump [options] vlan [tag#] and [other filters]
- Put vlan first: the first vlan keyword in an expression shifts the decoding offsets for every primitive after it by the 4-byte tag, so "vlan 104 and host X" works, but "host X and vlan 104" will not match tagged frames, because host is then evaluated against the untagged frame layout.
- For example, to capture full-length packets (-s0) on interface fxp0 that are on VLAN 104 and to or from 192.0.2.10 (a placeholder address), writing them to out.cap without name resolution (-n):
user@machine:~% tcpdump -n -s0 -i fxp0 -w out.cap vlan 104 and host 192.0.2.10
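The two filter examples on this page (host against a saved pcap, and vlan combined with host) can be checked offline with the following Python script. It is an added example, not code from the original page or from the tcpdump project. It constructs a small pcap in memory containing untagged and 802.1Q-tagged IPv4 frames between RFC 5737 documentation addresses (the addresses, MAC addresses and VLAN IDs are constructed sample data), parses the pcap back, and evaluates a small subset of the filter language (host, vlan, and) the way libpcap compiles it for a capture file: the vlan primitive tests the tag at the current link-layer offset and then shifts that offset by 4 bytes for every primitive after it, which is why primitive order matters.

```python
import struct
import ipaddress

ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_8021Q = 0x8100


def ipv4_frame(src, dst, vid=None, payload=b"\x00" * 8):
    """Build an Ethernet frame carrying a minimal IPv4 header (proto 17,
    checksum left zero), optionally wrapped in an 802.1Q tag with id `vid`.
    MAC addresses are constructed placeholders."""
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0,
                         64, 17, 0, ipaddress.IPv4Address(src).packed,
                         ipaddress.IPv4Address(dst).packed)
    eth = b"\x00\x11\x22\x33\x44\x55" + b"\x66\x77\x88\x99\xaa\xbb"
    if vid is None:
        return eth + struct.pack("!H", ETHERTYPE_IPV4) + ip_hdr + payload
    tci = vid & 0x0FFF  # PCP=0, DEI=0, 12-bit VLAN id
    return (eth + struct.pack("!HH", ETHERTYPE_8021Q, tci)
            + struct.pack("!H", ETHERTYPE_IPV4) + ip_hdr + payload)


def write_pcap(frames):
    """Serialise frames as a classic little-endian libpcap file, link type 1 (Ethernet)."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", 1_000_000 + i, 0, len(frame), len(frame)) + frame
    return out


def read_pcap(data):
    """Parse a classic little-endian pcap file and return its raw frames."""
    magic, = struct.unpack_from("<I", data, 0)
    if magic != 0xA1B2C3D4:
        raise ValueError("only little-endian, microsecond pcap is handled here")
    frames, off = [], 24
    while off < len(data):
        _, _, incl_len, _ = struct.unpack_from("<IIII", data, off)
        off += 16
        frames.append(data[off:off + incl_len])
        off += incl_len
    return frames


def matches(frame, expression):
    """Evaluate 'prim [and prim ...]' where prim is 'vlan [N]' or 'host A.B.C.D'.
    Mirrors libpcap: vlan checks the 802.1Q ethertype at the current
    link-layer offset, then shifts that offset by 4 for later primitives."""
    tokens = expression.split()
    link_off = 12  # ethertype field of an untagged Ethernet frame
    i = 0
    while i < len(tokens):
        if tokens[i] == "and":
            i += 1
        elif tokens[i] == "vlan":
            etype, tci = struct.unpack_from("!HH", frame, link_off)
            if etype != ETHERTYPE_8021Q:
                return False
            i += 1
            if i < len(tokens) and tokens[i].isdigit():  # optional VLAN id
                if (tci & 0x0FFF) != int(tokens[i]):
                    return False
                i += 1
            link_off += 4  # everything after this decodes past the tag
        elif tokens[i] == "host":
            etype, = struct.unpack_from("!H", frame, link_off)
            if etype != ETHERTYPE_IPV4:
                return False  # not IPv4 at this offset (e.g. tag not skipped)
            ip = link_off + 2
            src = ipaddress.IPv4Address(frame[ip + 12:ip + 16])
            dst = ipaddress.IPv4Address(frame[ip + 16:ip + 20])
            if ipaddress.IPv4Address(tokens[i + 1]) not in (src, dst):
                return False
            i += 2
        else:
            raise ValueError("unsupported primitive: " + tokens[i])
    return True


def filter_pcap(data, expression):
    """Indices of frames in the pcap bytes that match the expression."""
    return [n for n, f in enumerate(read_pcap(data)) if matches(f, expression)]


# Constructed sample capture: four frames, documentation addresses only.
SAMPLE_PCAP = write_pcap([
    ipv4_frame("192.0.2.10", "198.51.100.1"),            # 0: untagged
    ipv4_frame("192.0.2.10", "198.51.100.1", vid=104),   # 1: VLAN 104
    ipv4_frame("203.0.113.7", "198.51.100.1", vid=104),  # 2: VLAN 104, other host
    ipv4_frame("192.0.2.10", "198.51.100.1", vid=200),   # 3: VLAN 200
])

if __name__ == "__main__":
    with open("sample_vlan.pcap", "wb") as fh:  # so real tcpdump can read it too
        fh.write(SAMPLE_PCAP)
    for expr in ("host 192.0.2.10", "vlan 104", "vlan 104 and host 192.0.2.10",
                 "host 192.0.2.10 and vlan 104"):
        print(f"{expr:32} -> frames {filter_pcap(SAMPLE_PCAP, expr)}")
```

Running it prints which frames each expression selects: "host 192.0.2.10" alone finds only the untagged frame, "vlan 104 and host 192.0.2.10" finds the tagged one, and the reversed "host 192.0.2.10 and vlan 104" finds nothing. It also writes sample_vlan.pcap, so the same expressions can be compared against real tcpdump with tcpdump -n -r sample_vlan.pcap followed by the filter in quotes.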

