/var/net/sys/admin/blog

Important notes to remember:
a. Capture each packet in full length, using the -s 0 option.
b. Save the capture to a file, preferably with a .pcap extension so Wireshark is associated with it directly.

1. Identify which interface you want to listen on

[root@freelinux tmp]# ifconfig 

eth0 Link encap:Ethernet HWaddr 08:00:27:72:24:E6
inet addr:10.0.2.15 Bcast:10.0.2.255 Mask:255.255.255.0
inet6 addr: fe80::a00:27ff:fe72:24e6/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:942 errors:0 dropped:0 overruns:0 frame:0
TX packets:612 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:78095 (76.2 KiB) TX bytes:198882 (194.2 KiB)
Interrupt:10 Base address:0xd020

2. Run the “tcpdump” command with the following options. For instance, if you want to monitor DNS packets, run:

tcpdump -ni eth0 -Xvvv -w freelinux.pcap -s 0 port 53 

[root@freelinux tmp]# tcpdump -ni eth0 -Xvvv -w freelinux.pcap -s 0 port 53
tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
2657 packets captured
2938 packets received by filter
0 packets dropped by kernel

Verify:

# ls -l /tmp
-rw-r--r-- 1 root wheel 1386926 Sep 24 14:39 freelinux.pcap

where:

-s 0 –> capture each packet at its full length (the maximum, 65535 bytes)
-ni –> -i selects the interface to listen on; -n tells tcpdump not to convert host addresses to names
-w –> write the raw packets to the named file
port –> filter on a port number, e.g. 53, which is DNS
-X –> print each packet (minus its link level header) in hex and ASCII
-vvv –> even more verbose output

Other samples:
[root@freelinux tmp]# tcpdump -ni eth0 -Xvvv -w freelinux.pcap -s 0 portrange 67-68
[root@freelinux tmp]# tcpdump -ni eth1 -s0 -w hostlinux.pcap host 8.8.8.8 &

Note: press Ctrl+C to terminate the capture. If it was started in the background, kill the process once you are done, as it will keep consuming disk space and CPU while it runs.

3. Now open the Wireshark program. It is GUI-based, so viewing the capture is easier and more flexible.
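The ls -l check above only proves the file exists. The script below is an added example (not from the original post) that reads the pcap global header and every record to confirm the two notes at the top were honoured: the snaplen is the full 65535 bytes and no frame was cut short. The sample captures it parses are constructed in-line, not real traffic.

```python
import struct

LINKTYPE_ETHERNET = 1   # link-type EN10MB, as tcpdump reports for eth0
FULL_SNAPLEN = 65535    # the capture size that "-s 0" selects in the session above

def parse_pcap(data: bytes) -> dict:
    """Parse a classic libpcap file and report whether every frame was captured whole."""
    if len(data) < 24:
        raise ValueError("shorter than a pcap global header")
    # The magic number tells us the byte order the capturing host wrote the file in.
    magic = struct.unpack("<I", data[:4])[0]
    if magic == 0xA1B2C3D4:
        endian = "<"
    elif magic == 0xD4C3B2A1:
        endian = ">"
    else:
        raise ValueError("not a classic pcap file (magic 0x%08x)" % magic)
    # version major/minor, thiszone, sigfigs, snaplen, link type
    _, _, _, _, snaplen, linktype = struct.unpack(endian + "HHiIII", data[4:24])
    offset, packets, truncated = 24, 0, 0
    while offset + 16 <= len(data):
        # record header: ts_sec, ts_usec, captured length, original length on the wire
        _, _, incl_len, orig_len = struct.unpack(endian + "IIII", data[offset:offset + 16])
        offset += 16
        if offset + incl_len > len(data):
            raise ValueError("record %d runs past end of file" % (packets + 1))
        if incl_len < orig_len:          # snaplen was too small for this frame
            truncated += 1
        offset += incl_len
        packets += 1
    return {"snaplen": snaplen, "linktype": linktype, "packets": packets,
            "truncated": truncated,
            "full_length": snaplen >= FULL_SNAPLEN and truncated == 0}

def build_pcap(snaplen: int, frames, endian: str = "<") -> bytes:
    """Constructed sample input: frames are (captured_len, original_len) pairs of dummy bytes."""
    out = struct.pack(endian + "IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, snaplen, LINKTYPE_ETHERNET)
    for incl_len, orig_len in frames:
        out += struct.pack(endian + "IIII", 1380000000, 0, incl_len, orig_len) + b"\x00" * incl_len
    return out

# Constructed captures: one taken with "-s 0", one with an old 96-byte default snaplen.
FULL_CAPTURE = build_pcap(FULL_SNAPLEN, [(93, 93), (109, 109)])
TRUNCATED_CAPTURE = build_pcap(96, [(96, 1514), (73, 73)])

if __name__ == "__main__":
    for name, blob in (("full", FULL_CAPTURE), ("truncated", TRUNCATED_CAPTURE)):
        print(name, parse_pcap(blob))
```

To check a real file, read it with open("freelinux.pcap", "rb").read() and pass the bytes to parse_pcap; a non-zero "truncated" count means the capture was taken without -s 0 and Wireshark will show cut-off payloads.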

Enjoy!


6 Responses to “Quick Tip: Use tcpdump in Linux to capture network packets and view in wireshark”

  1. Linux Topics – Tutorials « Zeeshan Ahmad Bhatti

    on December 29 2012

    […] Quick Tip: Use tcpdump in Linux to capture network packets and view in wireshark […]

  2. Romain

    on May 14 2013

    I’ll try this. This will be really useful.

    Thx

  3. Φθηνά καράβια

    on August 13 2017

    Very good blog! Do you have any helpful hints for aspiring
    writers? I’m hoping to start my own website soon but I’m a little lost on everything.
    Would you recommend starting with a free platform like
    WordPress or go for a paid option? There are so many options out there that I’m completely confused.
    Any ideas? Kudos!

  4. Πακέτο διακοπών για Ρώμη

    on August 22 2017

    Hello my friend! I want to say that this article is
    awesome, nicely written and comes with almost all significant info.
    I would like to look at extra posts like this.

  5. fthina ferries

    on November 7 2017

    Right here is the perfect site for anyone who would like to find out
    about this topic. You realize a whole lot, it’s almost hard to argue with you (not that I personally would
    want to… HaHa). You definitely put a brand new spin on a subject which has been discussed for many
    years. Excellent stuff, just wonderful!

  6. Minoan lines

    on November 9 2017

    Do you have any video of that? I’d care
    to find out more details.



About FLT

This site is dedicated to everyone who likes to learn and explore the beautiful world of Linux. If you have comments and suggestions, please feel free to email freelinuxtutorials@gmail.com. I am happy to serve and share things, especially those that are as free and enjoyable as Linux.