Linux – tcpdump capture network packets

tcpdump

tcpdump is a command-line packet capture tool available on Linux (and most other Unix-like systems) that can be used to capture network traffic between a Linux server and its clients. It needs root privileges (or CAP_NET_RAW) to open an interface.

It is well documented and needs no further description. This post just describes one particular, restricted, way of using it: capture the packets between a specific client computer and the server, write them to a file, and read that file back later with the same program.


From specific client (a laptop = host 198.168.1.90)
---------------------------------------------------

-- capture the packets:
-i bond0 = capture on interface bond0
host 198.168.1.90 = filter expression: only packets to or from the client (both directions, not just "from")
-s0 = snaplen 0, i.e. capture whole packets. Older tcpdump versions defaulted to a short snaplen (68 bytes) and silently truncated every packet, which is why -s0 became a habit; tcpdump 4.0 and later default to 262144 bytes, so -s0 is harmless but no longer required
-w /tmp/rayfox.pcap = write the raw packets to a pcap file instead of printing them
-A = print packet payloads as ASCII. This only affects printed output, so it has no effect together with -w; it belongs on the command that reads the file back

Options go before the filter expression:

tcpdump -i bond0 -s0 -w /tmp/rayfox.pcap host 198.168.1.90

-- read the pcap file and output to a text file (-n: don't resolve addresses to names, otherwise the machine reading the capture sends a DNS query for every address in it)
tcpdump -n -A -r /tmp/rayfox.pcap > /tmp/rayfox.txt

(File can also be read using Wireshark)

To print the full date and time on every line when reading the pcap file (-tttt = "YYYY-MM-DD HH:MM:SS.usec" timestamps, -q = quick one-line output, -n = no name resolution, -s 0 = full snaplen):

[root@server1 tmp] tcpdump -tttt -qns 0 -A -r server1_capture.pcap

Capture on a Specific Interface

# Capture on a specific interface (NIC or bond): -v verbose (with -w it just prints a running packet count), -X hex and ASCII dump, -S absolute TCP sequence numbers, -s0 full snaplen. -X and -S only matter for printed output and are ignored while writing with -w.
tcpdump -vXSs0 -i bond2 -w recv_mcast_java_1_1500.pcap

Read the tcpdump file, piping to less for paging

# read the captured file
tcpdump -qns 0 -A -r recv_mcast_java_1_1500.pcap | less
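The file that -w writes is the plain libpcap format, so it can also be read without tcpdump or Wireshark. The following is an added example, not code from the original post: a small Python reader that parses the pcap global header and packet records, replays the `host X` filter and the -tttt/-A style output in code, and flags packets whose stored length is shorter than their original length, which is exactly what a capture without -s0 on an old tcpdump looks like. The frames, IP addresses (198.168.1.90 and 10.0.0.x), timestamps (printed in UTC) and the 68-byte snaplen are all constructed sample data.

```python
"""Minimal reader for the libpcap file that `tcpdump -w` writes (added example)."""
import struct
from datetime import datetime, timezone
from socket import inet_aton, inet_ntoa

LINKTYPE_ETHERNET = 1
ETHERTYPE_IPV4 = b"\x08\x00"
# libpcap magic 0xA1B2C3D4 (microsecond timestamps) as written by little- and big-endian hosts
PCAP_MAGICS = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}


def build_frame(src_ip, dst_ip, payload):
    """Constructed Ethernet/IPv4 frame for the sample capture (IP checksum left zero)."""
    eth = b"\xaa" * 6 + b"\xbb" * 6 + ETHERTYPE_IPV4
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0x1234, 0x4000,
                     64, 6, 0, inet_aton(src_ip), inet_aton(dst_ip))
    return eth + ip + payload


def build_pcap(frames, snaplen, ts0=1700000000):
    """Write frames the way tcpdump -w does: each record stores at most snaplen bytes."""
    out = [struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, snaplen, LINKTYPE_ETHERNET)]
    for i, frame in enumerate(frames):
        data = frame[:snaplen]
        # record header: ts_sec, ts_usec, bytes stored (incl_len), bytes on the wire (orig_len)
        out.append(struct.pack("<IIII", ts0 + i, 1000 * i, len(data), len(frame)))
        out.append(data)
    return b"".join(out)


def read_pcap(blob):
    """Yield (ts_sec, ts_usec, incl_len, orig_len, data) per record after checking the header."""
    endian = PCAP_MAGICS.get(blob[:4])
    if endian is None:
        raise ValueError("not a microsecond-timestamp libpcap file")
    _magic, vmaj, vmin, _tz, _sig, snaplen, linktype = struct.unpack_from(endian + "IHHiIII", blob, 0)
    if (vmaj, vmin) != (2, 4) or linktype != LINKTYPE_ETHERNET:
        raise ValueError(f"unsupported pcap version {vmaj}.{vmin} or linktype {linktype}")
    off = 24
    while off + 16 <= len(blob):
        ts_sec, ts_usec, incl_len, orig_len = struct.unpack_from(endian + "IIII", blob, off)
        off += 16
        if incl_len > snaplen or off + incl_len > len(blob):
            raise ValueError(f"corrupt record at offset {off - 16}")
        yield ts_sec, ts_usec, incl_len, orig_len, blob[off:off + incl_len]
        off += incl_len


def host_packets(blob, host):
    """Replay `host <host>` plus -tttt and -A over a saved capture; flag truncated records."""
    rows = []
    for ts_sec, ts_usec, incl_len, orig_len, data in read_pcap(blob):
        if len(data) < 34 or data[12:14] != ETHERTYPE_IPV4:
            continue  # not IPv4 over Ethernet, or too short to tell
        src, dst = inet_ntoa(data[26:30]), inet_ntoa(data[30:34])
        if host not in (src, dst):
            continue
        ihl = (data[14] & 0x0F) * 4
        payload = data[14 + ihl:]
        when = datetime.fromtimestamp(ts_sec, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S")
        rows.append({
            "time": f"{when}.{ts_usec:06d}",
            "src": src,
            "dst": dst,
            "truncated": incl_len < orig_len,   # capture ran with a snaplen that was too small
            "ascii": "".join(chr(b) if 32 <= b < 127 else "." for b in payload),
        })
    return rows


# Constructed sample traffic: a request from the laptop, a longer reply, and an unrelated packet
HOST = "198.168.1.90"
SAMPLE_FRAMES = [
    build_frame(HOST, "10.0.0.5", b"GET / HTTP/1.1\r\nHost: server1\r\n\r\n"),
    build_frame("10.0.0.5", HOST, b"HTTP/1.1 200 OK\r\n\r\n<html>" + b"x" * 300),
    build_frame("10.0.0.7", "10.0.0.5", b"unrelated"),
]
# Same frames saved with the old 68-byte default snaplen and with a full snaplen (as with -s0)
SAMPLE_PCAP = build_pcap(SAMPLE_FRAMES, snaplen=68)
FULL_PCAP = build_pcap(SAMPLE_FRAMES, snaplen=262144)

if __name__ == "__main__":
    for row in host_packets(SAMPLE_PCAP, HOST):
        flag = " [TRUNCATED]" if row["truncated"] else ""
        print(f"{row['time']} {row['src']} > {row['dst']}{flag}\n  {row['ascii']}")
```

Run against a real file by replacing SAMPLE_PCAP with `open("/tmp/rayfox.pcap", "rb").read()`: any row marked truncated means the capture was taken with a snaplen smaller than the packets, and re-capturing with -s0 is the only fix, since the missing bytes were never written to disk.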
