Questions tagged [tcpdump]

tcpdump is a CLI tool for capturing and displaying packets sent and received by network devices.

471 questions
15 votes, 2 answers

TCPDUMP - Capturing Packets on Multiple IP Addresses (Filter)

What I need to do (via 'tcpdump' through Linux): • ECommerce App Servers: 192.168.1.2, 192.168.1.3, 192.168.1.4. - This is what I want to capture on (filtered on these exact IPs). Not an IP range (subnet) or an individual IP address, just several…
Derek • 183
13 votes, 1 answer

tcpdump: How do I use it to capture all traffic headers?

I'm quite new to tcpdump. I've never used it except for very trivial tasks. Recently, I was asked to complete the following job. What I have: A server with a network interface connected to a switch. All traffic on that switch would be mirrored to…
Haozhun • 267
12 votes, 1 answer

How to specify both IP address and port in tcpdump?

I want to specify a source IP address, destination IP address and source port in my tcpdump filter. However, I keep getting syntax errors. How do I do that?
11 votes, 2 answers

tcpdump filter that excludes private ip traffic

For a generic filter to exclude all traffic in my dump that is between private IP addresses, I came up with the following: sudo tcpdump -n ' (not ( (src net 172.16.0.0/20 or src net 10.0.0.0/8 or src net 192.168.0.0/16) and …
Kyle Brandt • 84,369
7 votes, 3 answers

tcpdump - how to check rate of packets?

I'm using this script that actually checks for the rate of incoming packets and it gets triggered if the rate hits 5mbps or more. The packets are then logged to a tcpdump file. interface=eth0 dumpdir=/tmp/ while /bin/true; do pkt_old=`grep…
7 votes, 1 answer

tcpdump shows traffic until I use a filter

I have a server that is receiving traffic from a mirror port on a switch. The interface that is connected to this mirror port is in promisc mode. When I use just a plain catch all tcpdump on the interface, like tcpdump -nn -i eth1 I see a ton of…
MichaelB • 541
7 votes, 5 answers

How to Break Up Large tcpdump Files

Is there something that can break up a tcpdump file after the capture and make sure the breaks are on the border of packet data? Like -C but after the fact.
Kyle Brandt • 84,369
5 votes, 2 answers

Tcpdump maximum split file size

I refer to this thread: how to split a pcap file into a set of smaller ones. I have tried to use the command tcpdump -r old_file -w new_files -C 4096 and tcpdump returns tcpdump: invalid file size 4096 So far I have tested until 2048 (x1,000,000…
CheeHow • 161 • 1 • 5
4 votes, 1 answer

tcpdump only showing output after stopping it

I am trying to see if I get ping packets through one interface but tcpdump shows nothing. However, as soon as I stop it (Ctrl + C), all the packets appear and the summary looks good. For example: 11:49:45.486887 IP 11.0.0.1 > 11.0.0.9: ICMP echo…
4 votes, 1 answer

tcpdump failed with permission denied on CentOS when using the rotated file option

When I use tcpdump on CentOS 6, I get a permission denied error even when I am root. My command is like this: sudo tcpdump -i eth0 -G 10 -w test.dmp port 80 I have tried with -Z root or -Z my_username but no luck sudo tcpdump -i eth0 -Z root -G 10…
3 votes, 0 answers

How to use tcpdump on an interface with link down

A set of daemon applications communicating over UDP broadcasts on the same machine give me trouble capturing their traffic. The network interface is eth0, it's configured to a static IP and there's no cable plugged in, so the link is down: # ip addr…
LeSpocky • 131
3 votes, 3 answers

Filtering GRE encapsulated packets with tcpdump

I can ask tcpdump to show me GRE encapsulated packets quite simply with tcpdump -ni any proto gre: 15:02:57.209082 IP 10.14.0.3 > 10.14.0.2: GREv0, key=0x1, length 106: IP 10.10.10.11 > 10.10.10.1: ICMP echo request, id 21073, seq 2784, length…
3 votes, 2 answers

tcpdump filtering out specific IPs and specific ports with that IP

I want to filter out several specific IPs and ports with tcpdump. Example: 192.168.1.100 port 1111, 192.168.1.101 port 3333. I know tcpdump -i ens192 not dst host 192.168.1.100 and dst port 1111 works for the one IP. tcpdump -i ens192 not dst…
3 votes, 4 answers

tcpdump, how to capture actual data only?

For example, I have a server listening on port 8001; a client program opens a TCP socket, connects to that port and sends some binary data. I want to capture the actual data only, without any TCP/IP header such as the TCP handshake stuff. Is that possible with…
2 votes, 1 answer

Can I use tcpdump to analyze binary data - gRPC, http2, MessagePack, etc?

Life is simple with text-encoded formats like JSON. I can see enough text in the dump to figure out where something can be wrong. But with the growing popularity of binary interchange formats, I think tcpdump no longer makes the cut. Am I right to…
hummingV • 141