A tcpdump tutorial and primer

  • I. Love. Tcpdump. Once in a blue moon I'll boot up Wireshark, but it's pretty rare that there's a protocol question I need to answer that I can't answer faster with tcpdump -A.

  • I guess it depends what you are trying to do. As someone who uses packet captures almost every day to solve other people's problems, all I want to see is an unfiltered binary capture file on the right interface, which I'll then go through with tshark or Wireshark.

    I think learning to build effective display filters in those tools is more useful than learning to use a capture tool in complex ways.

    This can apply to troubleshooting your own problems too, as you can then inspect things in your own time and gather evidence to present later, and even use a capture file to replay traffic.

  • If you want to program with tcpdump check out its library, pcap.

    http://www.tcpdump.org/pcap.html

    Lately I have been playing with a Go interface to it, https://github.com/miekg/pcap

    Great tool, and lots of fun.

  • To send tcpdump output to your local Wireshark:

    ssh -c arcfour root@myserver tcpdump -nn -U -s0 -w - 'not port 22' | wireshark -k -i -

  • Awesome! I always wanted a command-line alternative to wireshark. I learned about tcpdump about a year ago, but the amount of options is a little off-putting. I'm glad this guide came along.

  • Correct me if I'm wrong, but hasn't tcpdump had several buffer overflows in the past?

    Personally I prefer multilog + pflogd + some other tool to examine the pcap file.

    My old favorite is nc-data -d. The entire program fits on one page.

    od or xxd -c1 |cut -d: -f2 will work too.

    ngrep is fussy about interface types but I use that too.

    Filters for nc-data output can be written in lex, sed, awk, lua, whatever.

    I've even experimented with snobol4 and spitbol on packets since the output format of nc-data is so simple.

  • Who else remembers when tcpdump kept on refusing to put a "see raw packet" option because you might use it to steal passwords?

    Those were the days. Now all I can complain about is that you need root permissions on OpenBSD merely to read a capture file.

  • This is a great tool for getting free wi-fi if you know what you're doing and can change your MAC address.

  • Just what I needed. Been writing an SSDP stack with the aid of wireshark and it's been painful. I'm on OSX so it's been a case of frigging around with XQuartz as much as anything else. tcpdump is just pleasure and power compared to wireshark.

  • I use this tutorial all the time when I'm trying to debug MTA issues.

  • One of my favs:

    tcpdump -i int -n -w - -l -s 1500 | strings
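Two of the one-liners in this thread (`tcpdump ... -w - 'not port 22' | wireshark -k -i -` and `tcpdump ... -w - | strings`) both rely on the libpcap capture file format that tcpdump writes to stdout with `-w -`. The following Python script is an added example, not code from the thread or from the tcpdump project: it builds a small constructed capture in that format (Ethernet/IPv4/TCP, checksums left at zero), parses it back the way a consumer of `-w -` output would, applies the equivalent of the BPF filter `not port 22` in code, and pulls printable runs out of the remaining payloads the way `strings` does. The addresses, ports and payload text are constructed sample data; only IPv4-over-Ethernet TCP frames are decoded, other frames are skipped.

```python
import struct
from typing import Iterator, List, Optional, Tuple

LINKTYPE_ETHERNET = 1          # pcap link-layer type for Ethernet frames
PCAP_MAGIC = 0xA1B2C3D4        # microsecond-resolution pcap magic number


def pcap_global_header(snaplen: int = 65535) -> bytes:
    """24-byte pcap file header, little-endian as tcpdump writes on x86."""
    return struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, snaplen, LINKTYPE_ETHERNET)


def pcap_record(frame: bytes, ts_sec: int = 0, ts_usec: int = 0) -> bytes:
    """16-byte record header (timestamp, captured length, wire length) plus the frame."""
    return struct.pack("<IIII", ts_sec, ts_usec, len(frame), len(frame)) + frame


def build_tcp_frame(src_ip: str, dst_ip: str, sport: int, dport: int, payload: bytes) -> bytes:
    """Constructed Ethernet/IPv4/TCP frame for the sample capture; checksums are left at 0."""
    eth = bytes.fromhex("020000000001") + bytes.fromhex("020000000002") + b"\x08\x00"
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 0x50, 0x18, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0x1234, 0x4000, 64, 6, 0,
                     bytes(map(int, src_ip.split("."))), bytes(map(int, dst_ip.split("."))))
    return eth + ip + tcp


def read_pcap(data: bytes) -> Iterator[Tuple[int, int, bytes]]:
    """Yield (ts_sec, ts_usec, frame) for each record; handles both byte orders."""
    (magic,) = struct.unpack_from("<I", data, 0)
    if magic == PCAP_MAGIC:
        end = "<"
    elif magic == 0xD4C3B2A1:          # magic read backwards: file was written big-endian
        end = ">"
    else:
        raise ValueError("not a pcap file")
    _maj, _min, _tz, _sig, _snap, linktype = struct.unpack_from(end + "HHiIII", data, 4)
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError("unsupported link type %d" % linktype)
    off = 24
    while off + 16 <= len(data):
        ts_sec, ts_usec, incl_len, _orig_len = struct.unpack_from(end + "IIII", data, off)
        off += 16
        frame = data[off:off + incl_len]
        if len(frame) < incl_len:
            raise ValueError("truncated record at offset %d" % off)
        off += incl_len
        yield ts_sec, ts_usec, frame


def decode_tcp(frame: bytes) -> Optional[Tuple[str, str, int, int, bytes]]:
    """Return (src_ip, dst_ip, sport, dport, payload) for IPv4/TCP frames, else None."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        return None
    ip = frame[14:]
    if ip[0] >> 4 != 4 or ip[9] != 6:
        return None
    ihl = (ip[0] & 0x0F) * 4
    total_len = struct.unpack_from("!H", ip, 2)[0]
    tcp = ip[ihl:total_len]
    if len(tcp) < 20:
        return None
    sport, dport = struct.unpack_from("!HH", tcp, 0)
    data_off = (tcp[12] >> 4) * 4
    src = ".".join(map(str, ip[12:16]))
    dst = ".".join(map(str, ip[16:20]))
    return src, dst, sport, dport, tcp[data_off:]


def printable_strings(data: bytes, min_len: int = 4) -> List[str]:
    """Runs of printable ASCII at least min_len long, like strings(1) defaults."""
    out, cur = [], bytearray()
    for b in data:
        if 0x20 <= b < 0x7F:
            cur.append(b)
        else:
            if len(cur) >= min_len:
                out.append(cur.decode("ascii"))
            cur = bytearray()
    if len(cur) >= min_len:
        out.append(cur.decode("ascii"))
    return out


def strings_not_port(data: bytes, excluded_port: int = 22) -> List[str]:
    """Equivalent of: tcpdump -w - 'not port 22' | strings, run over an in-memory capture."""
    found: List[str] = []
    for _sec, _usec, frame in read_pcap(data):
        decoded = decode_tcp(frame)
        if decoded is None:
            continue
        _src, _dst, sport, dport, payload = decoded
        if excluded_port in (sport, dport):   # drop the SSH session carrying the capture itself
            continue
        found.extend(printable_strings(payload))
    return found


def sample_capture() -> bytes:
    """Constructed three-packet capture: an HTTP request, an SSH banner, an HTTP reply."""
    frames = [
        build_tcp_frame("10.0.0.5", "10.0.0.9", 40000, 80, b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n"),
        build_tcp_frame("10.0.0.5", "10.0.0.9", 40001, 22, b"SSH-2.0-OpenSSH_constructed\r\n"),
        build_tcp_frame("10.0.0.9", "10.0.0.5", 80, 40000, b"HTTP/1.1 200 OK\r\n\r\n"),
    ]
    return pcap_global_header() + b"".join(pcap_record(f, ts_sec=i) for i, f in enumerate(frames))


if __name__ == "__main__":
    for line in strings_not_port(sample_capture()):
        print(line)
```

Excluding port 22 matters in the remote-capture pipeline above for the same reason the original command does it: the SSH session carrying the capture back would otherwise appear in its own capture and feed back on itself. The parser reads the record length from the file header rather than trusting the frame contents, which is the defensive habit to keep when consuming captures from an untrusted host.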

  • tcpdump for the win!