Tcpdump

From NSMWiki
Revision as of 13:09, 30 January 2007 by Ppcx (Talk | contribs) (added a usage example)


Background

Usage

 user@machine:~% tcpdump -h
 tcpdump version 3.9.1
 libpcap version 0.9.1
 Usage: tcpdump [-aAdDeflLnNOpqRStuUvxX] [-c count] [ -C file_size ]
               [ -E algo:secret ] [ -F file ] [ -i interface ] [ -M secret ]
               [ -r file ] [ -s snaplen ] [ -T type ] [ -w file ]
               [ -W filecount ] [ -y datalinktype ] [ -Z user ]
               [ expression ]

Example

You can use tcpdump to read the pcap files the log_packets.sh process gathers. To look for all packets in a file from a certain host:

 tcpdump -r ./snort.log.blah host ipaddrtofind

Various tcpdump related links

Alternate Information

802.1Q VLAN support

  • tcpdump supports 802.1Q VLAN-tagged encapsulated traffic via BPF, provided your libpcap was compiled with VLAN support.
  • To use it, the command line takes the form:
 user@machine:~% tcpdump [options] vlan [tag#] and [other filters]
  • For example:
 user@machine:~% tcpdump -n -s0 -i fxp0 -w out.cap vlan 104 and host 111.222.333.444
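To make concrete what a filter such as `vlan 104 and host X` selects, the following is an added Python example (not from the original page and not tcpdump's own code) that decodes a frame the way the BPF filter does: when an 802.1Q tag is present, the IPv4 header sits 4 bytes further in, which is why `vlan` must precede `host` in the expression. The two sample frames are constructed inline with documentation addresses.

```python
import struct
from ipaddress import ip_address

ETH_P_8021Q = 0x8100   # 802.1Q VLAN tag ethertype
ETH_P_IP = 0x0800      # IPv4 ethertype


def parse_frame(frame: bytes):
    """Return (vlan_id or None, src_ip, dst_ip) for an IPv4 frame, else None."""
    if len(frame) < 14:
        return None
    ethertype = struct.unpack_from("!H", frame, 12)[0]
    offset, vlan_id = 14, None
    if ethertype == ETH_P_8021Q:
        # 802.1Q header: 2-byte TCI (PCP:3 DEI:1 VID:12) + the real ethertype
        if len(frame) < 18:
            return None
        tci, ethertype = struct.unpack_from("!HH", frame, 14)
        vlan_id = tci & 0x0FFF
        offset = 18        # IP header starts 4 bytes later than on untagged frames
    if ethertype != ETH_P_IP or len(frame) < offset + 20:
        return None
    src = str(ip_address(frame[offset + 12:offset + 16]))
    dst = str(ip_address(frame[offset + 16:offset + 20]))
    return vlan_id, src, dst


def matches_vlan_host(frame: bytes, vlan_id: int, host: str) -> bool:
    """Same decision as the tcpdump filter 'vlan <vlan_id> and host <host>'."""
    parsed = parse_frame(frame)
    if parsed is None:
        return False
    vid, src, dst = parsed
    return vid == vlan_id and host in (src, dst)


def build_frame(src: str, dst: str, vlan_id=None) -> bytes:
    """Constructed sample: Ethernet [+ 802.1Q tag] + minimal IPv4 header (no checksum)."""
    eth = b"\x00\x11\x22\x33\x44\x55" + b"\x66\x77\x88\x99\xaa\xbb"
    if vlan_id is not None:
        eth += struct.pack("!HH", ETH_P_8021Q, vlan_id)
    eth += struct.pack("!H", ETH_P_IP)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, 6, 0,
                     ip_address(src).packed, ip_address(dst).packed)
    return eth + ip


# Constructed test input: one frame tagged with VLAN 104, one untagged copy.
TAGGED = build_frame("192.0.2.10", "198.51.100.5", vlan_id=104)
UNTAGGED = build_frame("192.0.2.10", "198.51.100.5")
```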