tcpdump should come with your distro, but if it doesn't, use aptitude or your package manager to install:
apt-get install tcpdump
Once you've done that, you can list your network devices:
Pick out which ones you want to listen to.
tcpdump comes with Mac. Man page for tcpdump: https://developer.apple.com/library/mac/documentation/Darwin/Reference/ManPages/man1/tcpdump.1.html
List your network devices:
Pick out which ones you want to listen to.
You may need to run tcpdump as sudo to access certain information from the hardware.
Tcpdump options can vary from platform to platform (e.g. mac vs linux) but this guide will cover some universal usage.
The simplest way to use tcpdump is to do an unfiltered packet capture - no filters on packets, so everything is captured.
The bare minimum you'll have to specify is a network interface. You may want to specify a file, too.
The -i and -w flags
To specify a network device you want to listen to, use the
-i flag (for interface). Also specify an output file with the
tcpdump -i en0 -w output_file.pcap
-w prevents your computer from having a meltdown trying to print every single packet in a busy place.
You can monitor multiple interfaces by specifying a list:
If you are using wireless, you'll need to use additional commands to control the channel your wireless card is listening to.
To control output, you can have tcpdump create a new pcap file every N seconds, or every N megabytes.
Use the G flag to create a new pcap file every N seconds:
If you use the G flag without the C flag (see below), you specify new filenames with strftime date/time format when you pass the filename to the -w flag.
This command makes a new pcap file every 100 seconds:
tcpdump -G 100 -w filename_%H-%M-%S.pcap
The C flag sets the maximum pcap file size, in millions of bytes. New files will have a common name with an incrementing number at the end. From the man page:
-C Before writing a raw packet to a savefile, check whether the file is currently larger than file_size and, if so, close the current savefile and open a new one. Savefiles after the first savefile will have the name specified with the -w flag, with a number after it, starting at 1 and continuing upward. The units of file_size are millions of bytes (1,000,000 bytes, not 1,048,576 bytes).
The W flag will limit the number of output files, so that tcpdump will begin to overwrite the first file once it has finished writing to the Nth file:
-W Used in conjunction with the -C option, this will limit the number of files created to the specified number, and begin overwriting files from the beginning, thus creating a 'rotat- ing' buffer. In addition, it will name the files with enough leading 0s to support the maximum number of files, allowing them to sort correctly. Used in conjunction with the -G option, this will limit the number of rotated dump files that get created, exiting with status 0 when reaching the limit. If used with -C as well, the behavior will result in cyclical files per timeslice.
More instructions on capturing wireless packets with Tcpdump: Tcpdump/Wireless
Faster Packet Capture
To minimize overhead processing packets and maximize the number of packets captured, you can turn off host name resolution with the
-n flag. This also makes things slightly more readable.
tcpdump -I -n -i wlan1 -w output_pcap_file.pcap
Writing Packets To File
If you want to force tcpdump to write every packet to the output file as it is received, rather than waiting until its input buffer is full, you can use the U flag. Note that this will be slower and should only be done when traffic is light - otherwise excessive disk writes will bog things down.
From the man page:
-U If the -w option is not specified, make the printed packet output ` `packet-buffered''; i.e., as the description of the contents of each packet is printed, it will be written to the standard output, rather than, when not writing to a terminal, being written only when the output buffer fills. If the -w option is specified, make the saved raw packet output ``packet-buffered''; i.e., as each packet is saved, it will be written to the output file, rather than being written only when the output buffer fills. The -U flag will not be supported if tcpdump was built with an older version of libpcap that lacks the pcap_dump_flush() function.
You can also use tcpdump to analyze a pcap file.
To read packet data, run tcpdump with the
-r flag (for read):
$ tcpdump -r output.pcap
Not sure if this will work:
$ tcpdump -n -r output.pcap | wc -l
This will give you a count of the total number of packets in the pcap file.
You can parse information by column using the cut utility.
$ tcpdump -n -r output.pcap
The output has the fields:
[timestamp] [network protocol] [source IP] . [source port] > [destination IP] . [destination port]
Networkingpages and notes about computer networks.
Man in the Middle attack vectors on wired networks: Man in the Middle/Wired
Packet analysis with Wireshark: Packet Analysis
Linux networking: Linux/Networking
Using Aircrack: Aircrack
Many Ways to Crack a Wifi: Cracking Wifi
Notes on OpenVPN: OpenVPN
Setting Up a Static Key VPN: OpenVPN/Static Key
IP Version 6: IPv6
Flags · Template:NetworkingFlag · e