Tcpdump Information

Tcpdump is a command-line packet capture tool normally found within Unix/Linux operating systems.  A Windows port can be found http://www.winpcap.org/windump/.  Below are some common command switches for tcpdump.

-D = list available interfaces

-i = listen on the selected interface

-r = read the input file specified

-n = do not perform DNS resolution

-c = give a count of the number of records to process

-x = display data in hexadecimal

-e = display the MAC/Ethernet address information

-vv = verbose output

-X = display the ASCII payload of records

-w = write the data to a file

-q = quiet or quick output (less data)

‘tcp’ ‘ip’ ‘udp’ ‘icmp’ = macro filters for protocols

‘port’ = port filter

‘src port’ ‘dst port’ = source port and destination port filters

‘src host’ ‘dst host’ = source host and destination host filters

Below is an example of displaying the the available interfaces on an Ubuntu operating system, and then capturing traffic on one interface.

The example below reads a file called TEST, disables DNS and port resolution, and only display TCP traffic.

The example below reads a file called TEST, disables DNS and port resolution, and only display traffic using the port 23.

The command below continues the example but uses a filter to only include ICMP traffic and only where the destination host had the IP address of 192.0.2.1.

The example below uses a filter to include data with a source host of 192.0.2.1 or a destination port value of 23.

The verbose option will return additional details concerning the packets.