Tcpdump Information

Tcpdump is a command-line packet capture tool normally found within Unix/Linux operating systems. A Windows port can be found at http://www.winpcap.org/windump/. Below are some common command switches for tcpdump.

-D = list available interfaces

-i = listen on the selected interface

-r = read the input file specified

-n = do not resolve addresses to host names (-nn also leaves port numbers unresolved)

-c = stop after the specified number of records (packets) has been processed

-x = display data in hexadecimal

-e = display the MAC/Ethernet address information

-vv = verbose output (-v, -vv and -vvv give increasing detail)

-X = display each record's data in hex and ASCII

-w = write the data to a file

-q = quiet or quick output (less data)

‘tcp’ ‘ip’ ‘udp’ ‘icmp’ = macro filters for protocols

‘port’ = port filter

‘src port’ ‘dst port’ = source port and destination port filters

‘src host’ ‘dst host’ = source host and destination host filters

Below is an example of displaying the available interfaces on an Ubuntu operating system, and then capturing traffic on one interface.

[screenshot: tcpdump_1]

The example below reads a file called TEST, disables DNS and port resolution, and only displays TCP traffic.

[screenshot: tcpdump_2]

The example below reads a file called TEST, disables DNS and port resolution, and only displays traffic using port 23.

[screenshot: tcpdump_3]

The command below continues the example but uses a filter to include only ICMP traffic, and only where the destination host has the IP address 192.0.2.1.

[screenshot: tcpdump_4]

The example below uses a filter to include data with a source host of 192.0.2.1 or a destination port value of 23.

[screenshot: tcpdump_5]
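The filter expressions used in the examples above ('tcp', 'port 23', 'icmp and dst host 192.0.2.1', 'src host 192.0.2.1 or dst port 23') can be checked against a capture you build yourself. The Python below is an added example, not code from the original page or from tcpdump: it writes a small constructed pcap file of the kind tcpdump -w produces, reads it back the way -r -nn would, and evaluates the page's filter primitives with tcpdump's precedence (and binds tighter than or). The sample packets, addresses and ports are constructed; checksums are left at zero.

```python
import socket
import struct
PROTO_NUM = {"icmp": 1, "tcp": 6, "udp": 17}
# Constructed sample traffic, not from a real capture: (proto, src, dst, sport, dport)
SAMPLE = [("icmp", "192.0.2.2", "192.0.2.1", None, None), ("icmp", "192.0.2.1", "192.0.2.2", None, None),
          ("tcp", "192.0.2.1", "192.0.2.9", 40000, 23), ("tcp", "192.0.2.9", "192.0.2.1", 23, 40000),
          ("udp", "192.0.2.3", "192.0.2.4", 5353, 53)]

def build_pcap(packets):
    """Serialise packets as an Ethernet (link type 1) pcap file, the format tcpdump -w writes."""
    out = [struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)]  # global header
    for i, (proto, src, dst, sport, dport) in enumerate(packets):
        l4 = {"icmp": struct.pack("!BBHHH", 8, 0, 0, 1, 1),  # echo request; all checksums left zero
              "udp": struct.pack("!HHHH", sport or 0, dport or 0, 8, 0),  # 8-byte UDP header
              "tcp": struct.pack("!HHIIBBHHH", sport or 0, dport or 0, 0, 0, 0x50, 0x18, 8192, 0, 0)}[proto]
        ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), i, 0, 64, PROTO_NUM[proto], 0,
                         socket.inet_aton(src), socket.inet_aton(dst))
        frame = b"\xff" * 6 + b"\x00\x11\x22\x33\x44\x55" + b"\x08\x00" + ip + l4
        out.append(struct.pack("<IIII", 1700000000, i, len(frame), len(frame)) + frame)
    return b"".join(out)

def read_pcap(data):
    """Parse a pcap back into (proto, src, dst, sport, dport) tuples, as tcpdump -r -nn decodes them."""
    assert struct.unpack_from("<I", data, 0)[0] == 0xA1B2C3D4, "expected native-order pcap magic"
    off, pkts = 24, []
    while off < len(data):
        incl_len = struct.unpack_from("<I", data, off + 8)[0]
        frame, off = data[off + 16:off + 16 + incl_len], off + 16 + incl_len
        if frame[12:14] != b"\x08\x00":
            continue  # not IPv4, skip
        ihl, proto = (frame[14] & 0x0F) * 4, {v: k for k, v in PROTO_NUM.items()}.get(frame[23])
        src, dst = socket.inet_ntoa(frame[26:30]), socket.inet_ntoa(frame[30:34])
        ports = struct.unpack_from("!HH", frame, 14 + ihl) if proto in ("tcp", "udp") else (None, None)
        pkts.append((proto, src, dst) + tuple(ports))
    return pkts

def primitive(pkt, text):
    """One primitive from the page: tcp/ip/udp/icmp, port N, src|dst port N, src|dst host H."""
    (proto, src, dst, sport, dport), t = pkt, text.split()
    if len(t) == 1:  # protocol keyword; 'ip' matches every IPv4 packet read_pcap kept
        return t[0] == "ip" or proto == t[0]
    if t[0] == "port":  # an unqualified port matches either direction
        return int(t[1]) in (sport, dport)
    field = {"src host": src, "dst host": dst, "src port": sport, "dst port": dport}[t[0] + " " + t[1]]
    return field == (t[2] if t[1] == "host" else int(t[2]))

def tcpdump_filter(data, expr):
    """Apply an expression; 'and' binds tighter than 'or', as in tcpdump (parentheses not handled)."""
    return [p for p in read_pcap(data)
            if any(all(primitive(p, c) for c in alt.split(" and ")) for alt in expr.split(" or "))]
```

Writing build_pcap(SAMPLE) to a file named TEST lets you run the page's own commands against it, for example tcpdump -nn -r TEST 'icmp and dst host 192.0.2.1', and compare the output with tcpdump_filter.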

The verbose option will return additional details concerning the packets.

[screenshot: tcpdump_6]