Network - tcpdump
About
tcpdump 1) is :
- a command-line packet analyzer
- and libpcap, a portable C/C++ library for network traffic capture (sniffer).
It prints out a description of the contents of packets on a network interface that match a boolean expression
Example
Rotate
- Max 10 file of 100 Mb
tcpdump -C 104.8576 -W 10 -i eth0 -s 0 -w /tmp/tcpdump.infa -Z userName 'host hostname and port 1433' &
tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
Sniff email
tcpdump -w /file/name -s 0 'host example.com and port 25'
Stop it with Ctrl-C when done.
Management
Write
tcpdump can always be interrupted by:
- a SIGINT signal
- or a SIGTERM signal (typically generated with the kill(1) command)
It will by default run for ever.
Options:
- -w flag to save the output to a packet file
- -c to specify the number of packet to capture and stop
tcpdump has a log rotate functionality built-in.
Rotate Options:
- -C file_size is the max file size in millions of bytes (1,000,000 bytes)
- -G rotate_seconds
- -W limit the number of files created to the specified number
- -z postrotate-command - will make tcpdump run postrotate-command file
The first savefile will have the name specified with the -w flag, with a number after it, starting at 1 and continuing upward.
Read
- the -r flag read from a saved packet file rather than to read packets from a network interface.
- -V flag read a list of saved packet files.
Expression
For the expression syntax, see pcap-filter%287%29
Privileges
Reading packets from a network interface may require that you have special privileges
Output
- a time stamp, printed, by default, as hours, minutes, seconds, and fractions of a second since midnight.
- a description
Analyze
See Tcptrace to analyze a tcp dump file