Tcpdump: Difference between revisions
From charlesreid1
Revision as of 07:41, 23 January 2016
Installing
Linux
tcpdump usually ships with your distribution; if it doesn't, install it with your package manager:
apt-get install tcpdump
Once installed, list your wireless interfaces:
iwconfig
(iwconfig shows only interfaces with wireless extensions; ifconfig shows all of them.) Pick out the ones you want to listen on.
Mac
tcpdump comes with Mac. Man page for tcpdump: https://developer.apple.com/library/mac/documentation/Darwin/Reference/ManPages/man1/tcpdump.1.html
List your network devices:
ifconfig
Pick out which ones you want to listen to.
Usage
tcpdump needs raw access to the network interface, so run it as root (or through sudo).
Unfiltered Packet Capture
The simplest way to use tcpdump is an unfiltered packet capture: no filter expression, so every packet the interface sees is captured.
To do this, specify the interface with the -i flag and an output file with the -w flag:
tcpdump -i en0 -w output_file.pcap
Writing to a file with -w avoids decoding and printing every packet to the terminal; on a busy network that printing costs more than the capture itself and leads to dropped packets.
tcpdump does not accept a comma-separated list of interface names. On Linux, -i any captures on all interfaces at once (not in promiscuous mode); on macOS, the pktap pseudo-interface takes a list, e.g. -i pktap,en0,en1. Otherwise run one tcpdump per interface.
Wireless Packet Capture
Capturing wireless traffic requires knowing about two more things.
First, channels. 802.11 defines 14 channels in the 2.4 GHz band, of which 11 are allowed in the US (13 in most of Europe, all 14 in Japan), and a wireless card can listen on only one channel at a time. To cover eleven channels you need eleven wireless cards, or you need to hop from channel to channel with a single card.
If it is critical to capture all traffic, use multiple cards: while you are hopping from channel 5 to channel 6, anything sent on channel 4 goes unseen.
Second, monitor mode. If your wireless card is not in monitor mode, it discards every frame not addressed to it, so your pcap file will contain only your own traffic. In monitor mode the card passes every 802.11 frame it hears on the current channel, including management and control frames, up to tcpdump.
Monitor Mode in Mac
To put the wireless card into monitor mode, pass tcpdump the -I flag (capital i).
Adding -n disables host name lookups and makes the output easier to read.
sudo tcpdump -In -i en1 -w save.pcap
More information over at Unix Stack Exchange.
Alternatively, you can use Apple's airport utility, located at:
/System/Library/PrivateFrameworks/Apple80211.framework/Versions/Current/Resources/airport.
You can symlink it into /usr/local/bin for convenience:
sudo ln -s /System/Library/PrivateFrameworks/Apple80211.framework/Versions/Current/Resources/airport /usr/local/bin/airport
Channel-Hopping on Mac
The -I flag puts the card into monitor mode, but tcpdump does not hop channels: it captures on whichever channel the card is tuned to when it starts and stays there. To see traffic from more than one channel you have to change the channel from outside tcpdump (from another shell or a script) while it is running, accepting that anything sent on the other channels in the meantime is missed.
To capture on a single channel, e.g., channel 7, airport can set the channel and sniff in one step:
sudo airport en1 sniff 7
It writes its capture to a file under /tmp and prints the path when you stop it with Ctrl-C.
Monitor Mode in Linux
Put your card into monitor mode with these steps (assuming wlan1 is the wireless interface):
iwconfig                      # list wireless interfaces
ifconfig wlan1 down           # the interface must be down to change its mode
iwconfig wlan1 mode monitor   # put it into monitor mode
ifconfig wlan1 up             # bring wlan1 back online
Channel-Hopping on Linux
Once the card is in monitor mode you can run airodump-ng on it; airodump-ng hops channels automatically unless you pin it to one. With airodump-ng hopping, start tcpdump on the same monitor-mode interface and it captures whatever channel the card is on at each moment.
Alternatively, set airodump-ng to listen on a single channel, and tcpdump captures just that channel.
Setting Channel from Shell Script
Another way to set the channel of a monitor-mode card is iwconfig, which means you can control the channel from a shell script (wlan0 is the interface name from the iwlist output below):
iwconfig wlan0 channel 3
You can also use iwlist to list the channels the card supports; when the card is tuned to a channel, the same command also reports it on a Current Frequency line:
root@kali:~# iwlist frequency
wlan0 14 channels in total; available frequencies :
Channel 01 : 2.412 GHz
Channel 02 : 2.417 GHz
Channel 03 : 2.422 GHz
Channel 04 : 2.427 GHz
Channel 05 : 2.432 GHz
Channel 06 : 2.437 GHz
Channel 07 : 2.442 GHz
Channel 08 : 2.447 GHz
Channel 09 : 2.452 GHz
Channel 10 : 2.457 GHz
Channel 11 : 2.462 GHz
Channel 12 : 2.467 GHz
Channel 13 : 2.472 GHz
Channel 14 : 2.484 GHz
lo no frequency information.
eth0 no frequency information.
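The monitor-mode bring-up and the iwconfig channel command above are all a hopping script needs. Here is one, written for this page as an added example (it is not from the original article or from any tool it mentions). It assumes a Linux card named wlan0, iwconfig installed, and root privileges; run tcpdump -i wlan0 -w file.pcap in another shell while the loop is hopping.

```shell
#!/bin/sh
# Added example (not from the original page): a Linux channel-hopping loop that
# uses the same ifconfig/iwconfig commands as the text. Assumptions: the card is
# wlan0, iwconfig is installed, and the script runs as root. Run tcpdump on the
# same interface in another shell while this loop is hopping.
IFACE="${IFACE:-wlan0}"
DWELL="${DWELL:-0.5}"   # seconds per channel; fractional sleep needs GNU/BSD sleep

# 2.4 GHz channel number -> centre frequency in MHz. Channels 1-13 are 5 MHz
# apart starting at 2412 MHz; channel 14 is the odd one out at 2484 MHz. This
# reproduces the table that iwlist frequency prints.
channel_to_freq() {
    if [ "$1" -eq 14 ]; then
        echo 2484
    else
        echo $((2407 + 5 * $1))
    fi
}

# Print the hop order for channels 1..$1 as one space-separated line.
# Walking 1 6 11 2 7 ... visits channels five apart in succession, so two
# consecutive dwells never sit on overlapping 22 MHz channels.
hop_order() {
    max="$1"
    sep=""
    for start in 1 2 3 4 5; do
        ch="$start"
        while [ "$ch" -le "$max" ]; do
            printf '%s%s' "$sep" "$ch"
            sep=" "
            ch=$((ch + 5))
        done
    done
    printf '\n'
}

# Bring the card into monitor mode (the steps from the Linux section above).
monitor_mode() {
    ifconfig "$IFACE" down
    iwconfig "$IFACE" mode monitor
    ifconfig "$IFACE" up
}

# Tune to one channel; this is the iwconfig command shown above.
set_channel() {
    iwconfig "$IFACE" channel "$1"
}

# Cycle through the channels until interrupted.
hop_loop() {
    max="${1:-11}"
    while :; do
        for ch in $(hop_order "$max"); do
            set_channel "$ch"
            sleep "$DWELL"
        done
    done
}

# Nothing runs unless asked, so the file can also be sourced for its helpers:
#   sudo ./hop.sh monitor      # put $IFACE into monitor mode
#   sudo ./hop.sh hop 11       # hop channels 1-11 (use 13 in most of Europe)
case "${1:-}" in
    monitor) monitor_mode ;;
    hop)     hop_loop "${2:-11}" ;;
esac
```

The dwell time is the trade-off: shorter dwells catch beacons on every channel sooner, longer dwells see more of any one conversation, and either way a single card misses whatever is sent on the channels it is not currently on.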
Faster Packet Capture
To minimize per-packet processing and maximize the number of packets captured, turn off host name resolution with the -n flag. Without it, tcpdump does a reverse DNS lookup for every new address it prints, which can stall the capture and cause drops; with it the output is also slightly more readable.
tcpdump -I -n -i wlan1 -w output_pcap_file.pcap
Further, if you're running tcpdump for a long period of time, use the -G flag to start a new .pcap file every N seconds (e.g., 3600 seconds for one file per hour). The file name must contain a strftime pattern such as %H, otherwise each rotation overwrites the previous file; add -W N to stop after N files.
tcpdump -G 3600 -I -n -i wlan1 -w output_pcap_file_%H.pcap
Link with more info:
http://stackoverflow.com/questions/16084699/scapy-how-to-get-the-statistics
Analysis
You can also use tcpdump to read back and analyze a saved pcap file with the -r flag.
Counting Packets
$ tcpdump -nn -r output.pcap | wc -l
This gives the total number of packets in the pcap file: tcpdump prints one line per packet by default, so don't add -v, -x or -A, which spread a packet over several lines. -nn suppresses both host and port name lookups so the read-back is fast.
Parsing Information
You can pull individual fields out with the cut utility (or awk), since the one-line output is space separated.
$ tcpdump -n -r output.pcap
For TCP and UDP over IP, each line has the fields:
[timestamp] [network protocol] [source IP].[source port] > [destination IP].[destination port]: [protocol details]
Note that the port is joined to the address with a dot, so splitting on dots alone won't separate them cleanly, and ICMP lines carry bare addresses with no port.
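The field layout above is all you need to summarise a capture from the shell. The script below is an added example written for this page (not from the original article) that uses awk rather than cut, because the port needs stripping only when it is present. It expects Ethernet-style lines as printed by tcpdump -n -r on a normal capture; a monitor-mode pcap prefixes each line with radiotap fields, so the column numbers differ. The sample lines are constructed for the demo, not taken from a real trace.

```shell
#!/bin/sh
# Added example (not from the original page): field-based summaries of tcpdump's
# one-line text output, reading `tcpdump -n -r output.pcap` on stdin. awk is
# used in place of cut because the fields need a little cleanup (see below).
# The lines in sample_capture are constructed for the demo, not a real trace.

# Print the N busiest source addresses as "count address", busiest first.
# With -n, IP and IP6 lines look like
#   <timestamp> IP <src>.<sport> > <dst>.<dport>: <details>
# so $2 is the protocol, $3 the source and $5 the destination. The port is glued
# to the address with a dot, which is why cut -d. is awkward: an IPv4 address
# already has three dots, an IPv6 address has none, and ICMP lines carry no port
# at all. strip_port removes the trailing .port only when one is present.
top_talkers() {
    awk '
        function strip_port(a,    n) {
            n = gsub(/\./, ".", a)            # count the dots in the field
            if (index(a, ":") > 0) {          # IPv6: any dot separates the port
                if (n >= 1) sub(/\.[^.]*$/, "", a)
            } else if (n == 4) {              # IPv4: 4 dots means addr + port
                sub(/\.[^.]*$/, "", a)
            }
            return a
        }
        $2 == "IP" || $2 == "IP6" { count[strip_port($3)]++ }
        END { for (a in count) printf "%d %s\n", count[a], a }
    ' | sort -rn | head -n "${1:-10}"
}

# Count packets per protocol ($2), e.g. IP, IP6, ARP. Non-IP lines carry a
# trailing comma on that field ("ARP,"), which is stripped here.
proto_breakdown() {
    awk '{ p = $2; sub(/,$/, "", p); count[p]++ }
         END { for (p in count) printf "%d %s\n", count[p], p }' | sort -rn
}

# Constructed sample of tcpdump -n output (not a real capture).
sample_capture() {
    cat <<'EOF'
12:00:00.000001 IP 192.168.1.10.54321 > 93.184.216.34.443: Flags [S], seq 100, win 65535, length 0
12:00:00.000120 IP 93.184.216.34.443 > 192.168.1.10.54321: Flags [S.], seq 1, ack 101, win 65535, length 0
12:00:00.000130 IP 192.168.1.10.54321 > 93.184.216.34.443: Flags [.], ack 1, win 65535, length 0
12:00:00.500000 IP 192.168.1.10 > 8.8.8.8: ICMP echo request, id 1, seq 1, length 64
12:00:00.510000 IP 8.8.8.8 > 192.168.1.10: ICMP echo reply, id 1, seq 1, length 64
12:00:01.000000 ARP, Request who-has 192.168.1.1 tell 192.168.1.10, length 28
12:00:01.200000 IP6 2001:db8::1.5353 > ff02::fb.5353: UDP, length 80
12:00:01.300000 IP 192.168.1.20.68 > 255.255.255.255.67: BOOTP/DHCP, Request from 00:11:22:33:44:55, length 300
EOF
}

# Usage:
#   ./parse.sh demo                                # run on the sample above
#   tcpdump -n -r output.pcap | ./parse.sh top 5   # five busiest sources
#   tcpdump -n -r output.pcap | ./parse.sh proto   # packets per protocol
case "${1:-}" in
    demo)  sample_capture | top_talkers 5 ;;
    top)   top_talkers "${2:-10}" ;;
    proto) proto_breakdown ;;
esac
```

On the sample, 192.168.1.10 comes out on top with three packets (two TCP segments and the ICMP echo request), the IPv6 source keeps its address intact, and the ICMP peers are not mangled into three-octet prefixes, which is what a naive cut -d. -f1-4 would do.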