Quick Tip: Use tcpdump in Linux to capture network packets and view in wireshark

Important note to remember:
a. capture it in full length, using the -s 0 options
b. save it in a file, better to make the extension as .pcap so wireshark can associate directly

1.Identify which interface you want to listen to

[root@freelinux tmp]# ifconfig 

eth0 Link encap:Ethernet HWaddr 08:00:27:72:24:E6
inet addr: Bcast: Mask:
inet6 addr: fe80::a00:27ff:fe72:24e6/64 Scope:Link
RX packets:942 errors:0 dropped:0 overruns:0 frame:0
TX packets:612 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:78095 (76.2 KiB) TX bytes:198882 (194.2 KiB)
Interrupt:10 Base address:0xd020

2. Run “tcpdump” command with the following options. For instance, you want to monitor the DNS packets.Run:

tcpdump -ni eth0 -Xvvv -w freelinux.pcap -s 0 port 53 

[root@freelinux tmp]# tcpdump -ni eth0 -Xvvv -w freelinux.pcap -s 0 port 53
tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
2657 packets captured
2938 packets received by filter
0 packets dropped by kernel


# ls -l /tmp
-rw-r--r-- 1 root wheel 1386926 Sep 24 14:39 freelinux.pcap

where as:

-s 0 –> capture byte to its maximum (65535) or it’s full lenght
-ni –> listen on which interface. Then -n option is used so not to convert host addresses to names.
-w –> create the file
port –> to indicate the port number, e.g. 53 which pertains to dns
-X –> Print each packet (minus its link level header) in hex and ASCII
-vvv –> Even more verbose output

Other samples:
[root@freelinux tmp]# tcpdump -ni eth0 -Xvvv -w freelinux.pcap -s 0 portrange 67-68
[root@freelinux tmp]# tcpdump -ni eth1 -s0 -w hostlinux.pcap host &

Note: you can do Ctrl+C to terminate the task, or if run in background, kill the process if finished as it will consume some hard disk space and some CPU resources.

3. Now open the wireshark program. It’s a GUI-based program, so viewing is easier and flexible.


About the author

Free Linux

View all posts


Leave a Reply