How to use tcpdump to do a packet capture

Article ID: 160514

Products

Data Loss Prevention Network Monitor, Data Loss Prevention Enforce, Data Loss Prevention Network Protect

Issue/Introduction

How to use tcpdump to perform a packet capture on a Linux system.

Resolution

To make a packet capture with tcpdump you need the following:

  1. The interface (eth1, eth2, etc.) to capture traffic from.
  2. A userid that can access the interface (usually root).
  3. A temporary directory to store the packet captures (usually /tmp).

As the userid with access to the device (root), cd to the temporary directory and make a subdirectory.

# cd /tmp
# mkdir pc
# cd pc

To make a one-minute capture of eth1, start the capture with the following command:

# tcpdump -n -nn -N -s 0 -i eth1 -w eth1.pcap
tcpdump: listening on eth1, link-type EN10MB (Ethernet), capture size 65535 bytes

After one minute has elapsed, press Ctrl-C to end the capture. You should see something like the following.

5 packets captured
5 packets received by filter
0 packets dropped by kernel
#

The file eth1.pcap is the packet capture.

As an alternative, you can run the following command line as user root. It stops the capture automatically after 60 seconds.

# mkdir -p /tmp/cd ; tcpdump -n -nn -N -s 0 -i eth1 -w /tmp/cd/eth1.pcap & pid=$! ; sleep 60 ; kill -1 $pid

The command options are fully explained in the man page. The options above are:

-n - do not attempt to resolve IP addresses into domain names

-nn - do not convert protocol and port numbers to names

-N - do not attempt to qualify host names

-s 0 - capture the entire packet

-i - the interface to use

-w - write raw data into the file

NOTE: If tcpdump is used without the correct switches, packets will be truncated. The "-s 0" option captures the entire packet.

Result of not using the -s 0 option: "Packet size limited during capture" and truncated HTTP.
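
A capture can be checked for truncation without opening it in an analyzer, because each packet record in a pcap file stores both the captured length and the original length on the wire. The following Python script is an added example, not part of the original article; its function names and the sample capture are constructed for illustration, and it handles only the classic pcap format (not pcapng).

```python
import io
import struct

# Classic pcap magic numbers mapped to the byte order of the file.
MAGICS = {
    b"\xd4\xc3\xb2\xa1": "<",  # little-endian, microsecond timestamps
    b"\xa1\xb2\xc3\xd4": ">",  # big-endian, microsecond timestamps
    b"\x4d\x3c\xb2\xa1": "<",  # little-endian, nanosecond timestamps
    b"\xa1\xb2\x3c\x4d": ">",  # big-endian, nanosecond timestamps
}

def check_truncation(stream):
    """Return (snaplen, total_packets, truncated_packets) for a pcap stream."""
    header = stream.read(24)
    if len(header) < 24 or header[:4] not in MAGICS:
        raise ValueError("not a classic pcap file (pcapng is not handled)")
    order = MAGICS[header[:4]]
    # Global header after the magic: version, timezone, sigfigs, snaplen, link type.
    _maj, _min, _zone, _sig, snaplen, _link = struct.unpack(order + "HHiIII", header[4:])
    total = truncated = 0
    while True:
        rec = stream.read(16)
        if len(rec) < 16:
            break
        _sec, _frac, incl_len, orig_len = struct.unpack(order + "IIII", rec)
        if len(stream.read(incl_len)) < incl_len:
            break  # file ends in the middle of a record
        total += 1
        if incl_len < orig_len:  # fewer bytes saved than were on the wire
            truncated += 1
    return snaplen, total, truncated

def build_sample(snaplen, wire_sizes):
    """Constructed sample: a pcap with one zero-filled packet per wire size."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, snaplen, 1)
    for i, size in enumerate(wire_sizes):
        kept = min(size, snaplen)
        out += struct.pack("<IIII", i, 0, kept, size) + bytes(kept)
    return out

if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:  # path to a real capture, e.g. eth1.pcap
        with open(sys.argv[1], "rb") as f:
            result = check_truncation(f)
    else:  # constructed capture taken with a 96-byte snapshot length
        result = check_truncation(io.BytesIO(build_sample(96, [60, 1514, 590])))
    print("snaplen=%d packets=%d truncated=%d" % result)
```

A truncated count of 0 means every packet was saved in full; any other value means the capture should be repeated with "-s 0".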
