Packet capture is one of the most fundamental and powerful ways to do network analysis.
If you think that tcpdump has been made obsolete by GUI tools like Wireshark, think again. Wireshark is a great application; it’s just not the right tool for the job in every situation.
tcpdump uses a “one-off-command” approach that lends itself to quick, on-the-spot answers. You can run it through an SSH session, it doesn’t need X, and it is more likely to be there when you need it. And, because tcpdump follows standard command-line conventions (such as writing to STDOUT, which can be redirected), tcpdump can be used in all sorts of creative, interesting and extremely useful ways.
You can even use tcpdump and Wireshark together by capturing the network data with tcpdump for viewing with Wireshark. To ensure that you capture complete packets, use the following command:
tcpdump -i <interface> -s 65535 -w <some-file>
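To see what the -s 65535 option changes in the saved file, here is an added example (not from the original post): a small Python reader for the classic pcap format that takes the snaplen from the global header and flags every record whose captured length is shorter than its on-the-wire length, which is exactly the truncation a small snaplen causes. The sample capture it checks is constructed in the script, so it runs offline.

```python
# Added example: minimal pcap reader to spot packets truncated by a small snaplen.
import struct

PCAP_MAGIC_LE = 0xA1B2C3D4     # little-endian, microsecond timestamps
PCAP_MAGIC_NS_LE = 0xA1B23C4D  # little-endian, nanosecond timestamps


def parse_pcap(data: bytes) -> dict:
    """Parse a classic pcap byte string; return header fields and per-packet lengths."""
    if len(data) < 24:
        raise ValueError("too short for a pcap global header")
    if struct.unpack("<I", data[:4])[0] in (PCAP_MAGIC_LE, PCAP_MAGIC_NS_LE):
        endian = "<"
    elif struct.unpack(">I", data[:4])[0] in (PCAP_MAGIC_LE, PCAP_MAGIC_NS_LE):
        endian = ">"
    else:
        raise ValueError("not a pcap file (bad magic)")
    # global header: magic, major, minor, thiszone, sigfigs, snaplen, linktype
    _, major, minor, _, _, snaplen, linktype = struct.unpack(endian + "IHHiIII", data[:24])
    packets, off = [], 24
    while off + 16 <= len(data):
        # record header: ts_sec, ts_frac, incl_len (bytes saved), orig_len (bytes on wire)
        _, _, incl_len, orig_len = struct.unpack(endian + "IIII", data[off:off + 16])
        off += 16
        if off + incl_len > len(data):
            raise ValueError("record data cut off at offset %d" % off)
        packets.append({"incl_len": incl_len, "orig_len": orig_len,
                        "truncated": incl_len < orig_len})
        off += incl_len
    return {"version": (major, minor), "snaplen": snaplen,
            "linktype": linktype, "packets": packets}


def build_pcap(snaplen: int, frames: list, linktype: int = 1) -> bytes:
    """Constructed sample data: write frames the way a capture with this snaplen would."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC_LE, 2, 4, 0, 0, snaplen, linktype)
    for i, frame in enumerate(frames):
        kept = frame[:snaplen]  # tcpdump keeps only the first snaplen bytes
        out += struct.pack("<IIII", 1_000_000 + i, 0, len(kept), len(frame)) + kept
    return out


def truncated_count(data: bytes) -> int:
    return sum(p["truncated"] for p in parse_pcap(data)["packets"])


# Constructed frames: a 60-byte minimum Ethernet frame and a 1514-byte full-MTU frame.
SMALL, BIG = b"\x00" * 60, b"\x00" * 1514

if __name__ == "__main__":
    for snap in (96, 65535):  # old default snaplen vs. the -s 65535 from the command above
        info = parse_pcap(build_pcap(snap, [SMALL, BIG]))
        print("snaplen=%5d truncated=%d/%d" % (snap, truncated_count(build_pcap(snap, [SMALL, BIG])), len(info["packets"])))
```

Point it at a real file with `parse_pcap(open("capture.pcap", "rb").read())` to confirm a capture is worth loading into Wireshark before you ship it around.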
The tcpdump fu article introduces some of the basics of packet capture and provides a breakdown of tcpdump syntax and usage. The tcpdump manual page lists all the command-line options you can use.
If you are an embedded Linux system developer, remember that you can easily fit the tcpdump program inside a small embedded Linux system without too much trouble (which is not the case with Wireshark, because it is a huge program that needs a GUI and has many dependencies).
9 Comments
Here says:
How do you find such depth when blogging? I seem to get lost halfway through my post and then end up with a useless article.
Tomi Engdahl says:
tcpdump: Capturing with tcpdump for viewing with Wireshark
http://www.wireshark.org/docs/wsug_html_chunked/AppToolstcpdump.html
To ensure that you capture complete packets, use the following command:
tcpdump -i <interface> -s 65535 -w <some-file>
Why this format?
The default tcpdump parameters result in a capture file where each packet is truncated, because most versions of tcpdump will, by default, only capture the first 68 or 96 bytes of each packet.
likert's four says:
It’s actually a cool and helpful piece of information. I am satisfied that you shared this helpful info with us. Please keep us up to date like this. Thank you for sharing.
Tomi Engdahl says:
Packet Analyzer: 15 TCPDUMP Command Examples
http://www.thegeekstuff.com/2010/08/tcpdump-command-examples/
Wallpapers says:
Nice response in return to this question, with genuine arguments and describing all on the topic of that.
Tomi Engdahl says:
A Python 2 script for processing a PCAP file to decrypt C2 traffic sent to the DOUBLEPULSAR implant
https://github.com/countercept/doublepulsar-c2-traffic-decryptor
https://github.com/countercept/doublepulsar-c2-traffic-decryptor/blob/master/decrypt_doublepulsar_traffic.py
Tomi Engdahl says:
ESP to Wireshark
http://hackaday.com/2017/07/06/esp-to-wireshark/
Everyone’s favorite packet sniffing tool, Wireshark, has been around for almost two decades now. It’s one of the most popular network analysis tools available, partially due to it being free and open source. Its popularity guaranteed that it would eventually be paired with the ESP32/8266, the rising star of the wireless hardware world, and [spacehuhn] has finally brought these two tools together to sniff WiFi packets.
The library that [spacehuhn] created uses the ESP chip to save Pcap files (the default Wireshark filetype) onto an SD card or send the data over a serial connection. The program runs once every 30 seconds, creating a new Pcap file each time.
A library for creating and sending .pcap files for Wireshark and other programs.
https://github.com/spacehuhn/ArduinoPcap
Create and send .pcap files using ESP8266/ESP32 and Arduino.
Tomi Engdahl says:
https://danielmiessler.com/study/tcpdump/
Tomi Engdahl says:
https://www.tecmint.com/find-out-which-process-listening-on-a-particular-port/