Tcpdump
From charlesreid1
Installing
Linux
tcpdump should come with your distro, but if it doesn't, use aptitude or your package manager to install:
apt-get install tcpdump
Once you've done that, you can list your network devices:
iwconfig
Pick out which ones you want to listen to.
Mac
tcpdump comes with Mac. Man page for tcpdump: https://developer.apple.com/library/mac/documentation/Darwin/Reference/ManPages/man1/tcpdump.1.html
List your network devices:
ifconfig
Pick out which ones you want to listen to.
Basic Usage
You may need to run tcpdump with sudo to access certain information from the hardware.
Tcpdump options can vary from platform to platform (e.g. Mac vs. Linux), but this guide covers some universal usage.
The simplest way to use tcpdump is to do an unfiltered packet capture - no filters on packets, so everything is captured.
The bare minimum you'll have to specify is a network interface. You may want to specify a file, too.
The -i and -w flags
To specify a network device you want to listen to, use the -i flag (for interface). Also specify an output file with the -w flag:
tcpdump -i en0 -w output_file.pcap
Writing to a file with -w prevents your computer from having a meltdown trying to print every single packet on a busy network.
You can monitor multiple interfaces by specifying a list: -i en0,en1
If you are using wireless, you'll need to use additional commands to control the channel your wireless card is listening to.
Controlling Output
To control output, you can have tcpdump create a new pcap file every N seconds, or every N megabytes.
G flag
Use the G flag to create a new pcap file every N seconds:
-G [seconds]
If you use the -G flag without the -C flag (see below), you build the new filenames from strftime date/time format codes in the filename you pass to the -w flag.
This command makes a new pcap file every 100 seconds:
tcpdump -G 100 -w filename_%H-%M-%S.pcap
C flag
The C flag sets the maximum pcap file size, in millions of bytes. New files will have a common name with an incrementing number at the end. From the man page:
-C Before writing a raw packet to a savefile, check whether the file is currently larger than file_size and, if so, close the current savefile and open a new one. Savefiles after the first savefile will have the name specified with the -w flag, with a number after it, starting at 1 and continuing upward. The units of file_size are millions of bytes (1,000,000 bytes, not 1,048,576 bytes).
W flag
The W flag will limit the number of output files, so that tcpdump will begin to overwrite the first file once it has finished writing to the Nth file:
-W Used in conjunction with the -C option, this will limit the number of files created to the specified number, and begin overwriting files from the beginning, thus creating a 'rotating' buffer. In addition, it will name the files with enough leading 0s to support the maximum number of files, allowing them to sort correctly. Used in conjunction with the -G option, this will limit the number of rotated dump files that get created, exiting with status 0 when reaching the limit. If used with -C as well, the behavior will result in cyclical files per timeslice.
Wireless Tcpdump
More instructions on capturing wireless packets with Tcpdump: Tcpdump/Wireless
More Flags
Faster Packet Capture
To minimize the overhead of processing packets and maximize the number of packets captured, you can turn off host name resolution with the -n flag. This also makes the output slightly more readable.
tcpdump -I -n -i wlan1 -w output_pcap_file.pcap
Writing Packets To File
If you want to force tcpdump to write every packet to the output file as it is received, rather than waiting until its output buffer is full, use the -U flag. Note that this is slower and should only be done when traffic is light; otherwise the excessive disk writes will bog things down.
From the man page:
-U If the -w option is not specified, make the printed packet output "packet-buffered"; i.e., as the description of the contents of each packet is printed, it will be written to the standard output, rather than, when not writing to a terminal, being written only when the output buffer fills. If the -w option is specified, make the saved raw packet output "packet-buffered"; i.e., as each packet is saved, it will be written to the output file, rather than being written only when the output buffer fills. The -U flag will not be supported if tcpdump was built with an older version of libpcap that lacks the pcap_dump_flush() function.
Analysis
You can also use tcpdump to analyze a pcap file.
Reading Packets
To read packet data, run tcpdump with the -r flag (for read):
$ tcpdump -r output.pcap
Counting Packets
Not sure if this will work:
$ tcpdump -n -r output.pcap | wc -l
This will give you a count of the total number of packets in the pcap file.
Parsing Information
You can parse information by column using the cut utility.
$ tcpdump -n -r output.pcap
The output has the fields:
[timestamp] [network protocol] [source IP] . [source port] > [destination IP] . [destination port]
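As an added example (not from the original page), here is how to pull those columns out with cut. The sample lines are constructed to match the field layout above, and the function names are my own; in practice you would pipe in `tcpdump -n -r output.pcap` instead of the sample.

```shell
#!/bin/sh
# Constructed sample of `tcpdump -n -r output.pcap` output (not a real capture).
SAMPLE='12:34:56.789012 IP 192.168.1.10.54321 > 93.184.216.34.443: Flags [S], seq 0, win 65535, length 0
12:34:56.790123 IP 93.184.216.34.443 > 192.168.1.10.54321: Flags [S.], seq 0, ack 1, win 65535, length 0
12:34:57.000001 IP 192.168.1.10.54322 > 8.8.8.8.53: 12345+ A? example.com. (29)
12:34:57.100002 IP 10.0.0.5.40000 > 192.168.1.10.22: Flags [P.], seq 1:30, ack 1, win 512, length 29'

# Column 3 is "srcIP.srcport". The port is glued on with a dot, so a plain
# cut on '.' does not work; strip the last dot-separated number instead.
# (IPv4 only: IPv6 addresses use a different separator.)
src_ips() {
    cut -d' ' -f3 | sed 's/\.[0-9]*$//'
}

# Column 5 is "dstIP.dstport:"; drop the trailing colon, then keep the port.
dst_ports() {
    cut -d' ' -f5 | sed 's/:$//' | awk -F. '{print $NF}'
}

# Packets per source IP, most talkative first.
top_src() {
    src_ips | sort | uniq -c | sort -rn
}

# Packets per destination port, busiest first.
dst_port_counts() {
    dst_ports | sort | uniq -c | sort -rn
}

# Number of packets sent to one destination port (e.g. 22 for SSH).
count_to_port() {
    dst_ports | grep -cx "$1"
}

# Total packets: with -n and without -v, tcpdump prints one line per packet.
packet_count() {
    wc -l | tr -d ' '
}

printf '%s\n' "$SAMPLE" | top_src
printf '%s\n' "$SAMPLE" | dst_port_counts
```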