tcpdump command
The tcpdump utility is a command line packet
sniffer with many features and options. For a full description, refer to the
tcpdump man pages by typing the following command:
man tcpdump
Running the tcpdump utility
Following are examples of commands used to run
the tcpdump utility:
Selecting an Interface or VLAN
The tcpdump utility’s interface or -i option
accepts only one option. This option may be a numbered interface or a named
Virtual Local Area Network (VLAN).
To view traffic, use the -i flag as follows:
tcpdump -i
For example:
To view the traffic on a single specific
interface:
tcpdump -i 2.1
To view the traffic on a specific VLAN called
internal:
tcpdump -i internal
To view the traffic on the management
interface:
tcpdump -i eth0
To view the traffic on all interfaces:
tcpdump -i 0.0
Disabling name resolution
By default, tcpdump attempts to look up IP
addresses and use names, rather than numbers, in the output. The BIG-IP system
must wait for a response from the DNS server, so the lookups can be time
consuming and the output may be confusing.
To disable name resolution, use the -n flag as
in the following examples:
tcpdump -n
tcpdump -ni internal
Saving tcpdump output to a file
You can save the tcpdump data to one of the
following file formats:
·
A binary file that contains all the information collected by the
tcpdump and is readable by the tcpdump utility as well as many other traffic
analysis packages such as wireshark
·
A text file that contains a subset of the full tcpdump data, but
is readable only as plain text.
Binary file
To save the tcpdump output to a binary file,
type the following command:
tcpdump -w
For example:
tcpdump -w dump1.bin
Note: The tcpdump utility does not print data
to the screen while it is capturing to a file. To stop the capture, press
CTRL-C.
Text file
To save the tcpdump output to a text file,
type the following command:
tcpdump >
For example:
tcpdump > dump1.txt
Filters
The tcpdump utility allows you to use filters
to, among other things, restrict the output to specified addresses, ports, and
tcp flags.
Filtering on a host address
·
To view all packets that are traveling to or from a specific IP
address, type the following command:
tcpdump host
For example:
tcpdump host 10.90.100.1
·
To view all packets that are traveling from a specific IP
address, type the following command:
tcpdump src host
For example:
tcpdump src host 10.90.100.1
·
To view all packets that are traveling to a particular IP
address, type the following command:
tcpdump dst host
For example:
tcpdump dst host 10.90.100.1
Filtering on a port
To view all packets that are traveling through
the BIG-IP system and are either sourced from or destined to a specific port,
type the following command:
tcpdump port
For example:
tcpdump port 80
To view all packets that are traveling through
the BIG-IP system and sourced from a specific port, type the following command:
tcpdump src port
For example:
tcpdump src port 80
To view all packets that are traveling through
the BIG-IP system and destined to a specific port, type the following command:
tcpdump dst port
For example:
tcpdump dst port 80
Filtering on a tcp flag
·
To view all packets that are traveling through the BIG-IP system
that contain the SYN flag, type the following command:
tcpdump ‘tcp[tcpflags]
& (tcp-syn) != 0’
·
To view all packets that are traveling through the BIG-IP system
that contain the RST flag, type the following command:
tcpdump ‘tcp[tcpflags]
& (tcp-rst) != 0’
Combining filters with the ‘and’ operator
You can use the and operator to filter for a
mixture of output.
Following are some examples of useful
combinations:
tcpdump host 10.90.100.1 and port 80
tcpdump src host 172.16.101.20 and dst port 80
tcpdump src host 172.16.101.20 and dst host
10.90.100.1
Capturing packet data
The tcpdump utility provides an option that
allows you to specify the amount of each packet to capture.
You can use the -s (snarf/snaplen) option to
specify the amount of each packet to capture. To capture the entire packet, use
a value of 0 (zero).
For example:
tcpdump -s0 src host 172.16.101.20 and dst port
80
Alternatively, you can specify a length large
enough to capture the packet data you need to examine.
For example:
tcpdump -s200 src host 172.16.101.20 and dst port
80
Suppressing hostname and port resolution
The tcpdump utility provides an option that
allows you to specify whether IP addresses and service ports are translated to
their corresponding hostnames and service names.
Since performing multiple name lookups during
a packet capture may be resource intensive, you should disable name resolution
while capturing on a busy system using the -n option.
For example:
tcpdump -n src host 172.16.101.20 and dst port 80
Service port lookups incur less overhead than
DNS-based name resolutions, but still are usually unnecessary while performing
a capture. You can disable both name and service port resolution while
performing a capture, by using the -nn option.
For example:
tcpdump -nn src host 172.16.101.20 and dst port
80
Combining tcpdump options
This article contains the most essential
tcpdump options. You will generally need to use most of the options in
combination.
Following are examples of how to combine the
tcpdump options to provide the most meaningful output:
tcpdump -ni internal -w
dump1.bin
tcpdump -n -r dump1.bin host
10.90.100.1
tcpdump -ni 2.1 host
10.90.100.1 and port 80
tcpdump -ni 1.10 src host
172.16.101.20 and dst port 80 >dump1.txt
tcpdump -Xs200 -nni eth0 -w
/var/tmp/mgmt.cap dst host 172.16.101.20 and dst port 162