Questions tagged [tcpdump]

a command line packet analyzer

tcpdump is a common packet analyzer that runs under the command line. It allows the user to intercept and display TCP/IP and other packets being transmitted or received over a network to which the computer is attached.


276 questions

how to capture and see packet contents with tcpdump

I am trying to capture HTTP traffic to port 8007 in a file and then view it later. # tcpdump -i eth0 -s0 -n -w /tmp/capture port 8007 & # tcpdump -r /tmp/capture -A | grep '10.2.1.50' I expected to see packet data in ASCII but that does not happen. What…
Dinesh

How can I capture all the UDP packets using tcpdump?

I have to capture all the UDP packets sent from host A to any UDP port of host B. The following, if run on host B, doesn't work. $ sudo tcpdump -i eth0 -SX udp src tcpdump: 'udp' modifier applied to host What is the correct command line to…
sherlock

How to gather DNS A record requests?

I need to record all outgoing A records on a RedHat PC. I tried using tcpdump: tcpdumpdns=OUTPUT-FILENAME-HERE nohup tcpdump -K dst port 53 -w $tcpdumpdns > /dev/null 2>&1 & It makes an output file like: 19:26:12.185392 IP 172.16.0.6.57977 >…
LanceBaynes

tcpdump time based circular rotation

Despite reading the man page and searching StackExchange and the wider internet, I have failed to figure out a way to make a time based, rotating, limited count, tcpdump. I want for example to have one file per hour, with no more than 24 hours. But…

Why are tcpdump packets being dropped by interface?

I'm using Ubuntu 14.04 via Virtual Box on a Windows 7 host. The NIC is a USB to Ethernet adapter. The man for tcpdump states what can cause "packets dropped by kernel" but it doesn't state what causes "packets dropped by interface". Can anyone shed…
Adi

What does 'TS val' mean in tcpdump's output?

I'm monitoring the network activities between two processes on compute:42967 and controller:5672 (controller.amqp). It captured compute.42967 with three SYNs (they have the same seq number) while the receiver only ACKed the third one. Here is what I…
xywang

Do not display ACK packets

I have the following tcpdump -i eth0 -n tcp port 5000 to filter every packet flowing between 2 hosts. However, one of the hosts always sends an ACK. How do I hide this ACK?
bulkmoustache

How to recover a file from a tcpdump?

I use tcpdump -i wlan0 -s 0 dst 192.168.1.200 or src 192.168.1.200 -w output.pcap to monitor for ex.: my HTTP traffic. I upload a .zip file through HTTP. How can I retrieve the .zip file from the output.pcap file? Is it possible to recover it from…
LanceBaynes

Can the kernel drop an outgoing packet which has been captured by tcpdump?

When an outgoing packet is captured by tcpdump, will it 100% be sent out, and not be dropped by the kernel? Does tcpdump intercept on the packet delivery path before or after the kernel does any/all filtering work? My question comes from such a case I met: I…
xywang

How do I filter "BOOTP/DHCP, Request" out in tcpdump?

There are a lot of "BOOTP/DHCP, Request" in tcpdump and I would like to filter it out. It's easy to filter arp out. tcpdump -nni eth0 not arp What about BOOTP/DHCP, Request? I've tried the following but it doesn't work $ sudo tcpdump -nni eth0 not…
Wolf

What and how length is determined in tcpdump

What my application does is read data from Kafka and hit another service via HTTP. I was seeing outgoing traffic slower in one box compared to others. I analysed a tcpdump to that outgoing IP, logs from this box: 09:24:20.625288 IP (tos 0x0, ttl 64, id…
Saurabh

tcpdump of SCCP or GSM MAP messages

Right now I'm using tcpdump -i -p -s0 -w /tmp/file.cap and then filter the capture in wireshark. How can I take packet capture with tcpdump only on SCCP or GSM_MAP protocols and drop the sctp heartbeat messages? Any other…
user1977050

tcpdump takes O(n²) time to parse filter

I run tcpdump with a filter like: not ( (host 1.165.155.169 and port 4444) or (host 1.168.68.116 and port 4444) or (host 1.173.192.253 and port 4444) or (host 1.174.97.43 and port 4444) : or (host 161.138.104.1 and port 58339) ) My…
Ole Tange

Is it possible to regenerate a TCP request with the help of tcpdump

I'm developing a backend server and here is what the architecture of the backend looks like: APP --> Server1 --> Server2 --> Server3 --> MyServer APP sends an HTTP request to Server1, and all of the servers at the backend communicate with each other with…
Yves

tcpdump --- capture packets to a non-rotating file

tcpdump -i eth0 -C 5 -W 1 -w & I use the command above to capture packets to a 5MB pcap file on an Ubuntu machine. Once the pcap file reaches the maximum size (5MB), the file gets rotated and starts again from 0KB. I need to know…