/var/net/sys/admin/blog
| More

Important note to remember:
a. capture it in full length, using the -s 0 options
b. save it in a file, better to make the extension as .pcap so wireshark can associate directly

1.Identify which interface you want to listen to

[root@freelinux tmp]# ifconfig 

eth0 Link encap:Ethernet HWaddr 08:00:27:72:24:E6
inet addr:10.0.2.15 Bcast:10.0.2.255 Mask:255.255.255.0
inet6 addr: fe80::a00:27ff:fe72:24e6/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:942 errors:0 dropped:0 overruns:0 frame:0
TX packets:612 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:78095 (76.2 KiB) TX bytes:198882 (194.2 KiB)
Interrupt:10 Base address:0xd020

2. Run “tcpdump” command with the following options. For instance, you want to monitor the DNS packets.Run:

tcpdump -ni eth0 -Xvvv -w freelinux.pcap -s 0 port 53 

[root@freelinux tmp]# tcpdump -ni eth0 -Xvvv -w freelinux.pcap -s 0 port 53
tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
2657 packets captured
2938 packets received by filter
0 packets dropped by kernel

Verify:

# ls -l /tmp
-rw-r--r-- 1 root wheel 1386926 Sep 24 14:39 freelinux.pcap

where as:

-s 0 –> capture byte to its maximum (65535) or it’s full lenght
-ni –> listen on which interface. Then -n option is used so not to convert host addresses to names.
-w –> create the file
port –> to indicate the port number, e.g. 53 which pertains to dns
-X –> Print each packet (minus its link level header) in hex and ASCII
-vvv –> Even more verbose output

Other samples:
[root@freelinux tmp]# tcpdump -ni eth0 -Xvvv -w freelinux.pcap -s 0 portrange 67-68
[root@freelinux tmp]# tcpdump -ni eth1 -s0 -w hostlinux.pcap host 8.8.8.8 &

Note: you can do Ctrl+C to terminate the task, or if run in background, kill the process if finished as it will consume some hard disk space and some CPU resources.

3. Now open the wireshark program. It’s a GUI-based program, so viewing is easier and flexible.

Enjoy!

Share

2 Responses to “Quick Tip: Use tcpdump in Linux to capture network packets and view in wireshark”

  1. Linux Topics – Tutorials « Zeeshan Ahmad Bhatti

    on December 29 2012

    […] Quick Tip: Use tcpdump in Linux to capture network packets and view in wireshark […]

  2. Romain

    on May 14 2013

    I’ll try this. This will be really useful.

    Thx

Comment RSS · TrackBack URI

Leave a comment

Name: (Required)

E-mail: (Required)

Website:

Comment:

 

About FLT

This site is dedicated to everyone who likes to learn and explore the beautiful world of Linux. If you have comments and suggestions, please feel free to email at freelinuxtutorials@gmail.com. I am happy to serve and share things esp. that is free and enjoyable as Linux.