Linux: tcpdump
2015-01-01
tcpdump is a good tool to capture network traffic.
Just start tcpdump and you see the packets, but you will usually want to filter the traffic, write it to a file and look at it later.
Here are some common options you might find useful:
network interface
tcpdump -i eth0
specifies the interface to capture on ("tcpdump -D" lists the available interfaces)
capture specific traffic
tcpdump port 80
tcpdump portrange 22-23
tcpdump not port 22
tcpdump '(tcp port 80) or (tcp port 443)'
tcpdump src host trinitor.de
tcpdump src net 192.168.1.0/24
tcpdump dst port 21
tcpdump host 192.168.1.1
tcpdump icmp
tcpdump ip6
write to file
tcpdump -w output.dmp
Creates output.dmp and stores the first 96 bytes of every packet in it (the default snapshot length). You can open the file with Wireshark.
write complete packets
tcpdump -s 0 -w output.dmp
Stores the complete packet data in output.dmp (-s 0 disables the snapshot length limit).
stop detecting host names
tcpdump -n
Resolving host names sends a DNS query for every address seen. This can slow down the capture, and if no DNS server is reachable you might see timeouts.
tcpdump -nn
stops resolving host names and port names
show sequence numbers
tcpdump -S
shows absolute TCP sequence numbers instead of relative ones.
get Ethernet headers
tcpdump -i wlan0 -e -s 0 -w output.dmp
The -e option captures the Ethernet (link-layer) headers as well.
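The options above are usually combined: a filter to keep only the traffic of interest, -nn so the capture is not slowed down by name lookups, -s 0 so Wireshark later sees whole packets, and -w to store the result. The script below is an added example (not part of the original post) that builds such a command. It assumes a hypothetical interface eth0, the documentation address 192.0.2.10 and ports 80/443 as constructed sample values; by default it only prints the command, and runs it only when RUN=1 is set.

```shell
#!/bin/sh
# Added example, not from the original post: compose a tcpdump capture
# command from the options described above (interface, BPF filter, -nn,
# -s 0, -w). The interface name, host and ports used at the bottom are
# constructed placeholders, not values from the post.

# Join BPF primitives with "or", parenthesising each one so that a later
# "and" applies to the whole group, e.g. "(tcp port 80) or (tcp port 443)".
bpf_any() {
    _expr=""
    for _p in "$@"; do
        if [ -z "$_expr" ]; then _expr="($_p)"; else _expr="$_expr or ($_p)"; fi
    done
    printf '%s' "$_expr"
}

# Join BPF primitives with "and", e.g. "(host 192.0.2.10) and (tcp port 80)".
bpf_all() {
    _expr=""
    for _p in "$@"; do
        if [ -z "$_expr" ]; then _expr="($_p)"; else _expr="$_expr and ($_p)"; fi
    done
    printf '%s' "$_expr"
}

# Output file name carrying the interface and a UTC timestamp, so several
# captures taken during an incident can be told apart later in Wireshark.
capture_filename() {
    printf '%s-%s.pcap' "$1" "$(date -u +%Y%m%dT%H%M%SZ)"
}

# Full invocation: -nn (no DNS or port-name lookups, so the capture is not
# slowed down by resolver timeouts), -s 0 (whole packets), -w (write pcap).
capture_cmd() {
    printf "tcpdump -i %s -nn -s 0 -w %s '%s'" "$1" "$2" "$3"
}

# Demo: web traffic to or from one host. Set RUN=1 to actually start the
# capture (needs root); by default the command line is only printed.
filter=$(bpf_all "host 192.0.2.10" "$(bpf_any 'tcp port 80' 'tcp port 443')")
outfile=$(capture_filename eth0)
if [ "${RUN:-0}" = 1 ]; then
    tcpdump -i eth0 -nn -s 0 -w "$outfile" "$filter"
else
    capture_cmd eth0 "$outfile" "$filter"; echo
fi
```

Each primitive is wrapped in its own parentheses before joining, so a host restriction combined with a port group yields "(host 192.0.2.10) and ((tcp port 80) or (tcp port 443))" and the "and" binds to the whole port group rather than only to the last port.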