The tcpdump command provides the feature to save the packets which are captured for later analysis. It is also known as packet analyzer which is supported in almost all UNIX operating system. There are various software’s for display the saved files, but tcpdump commands serves the same purpose, so there is no need to install separate software.
Capture packets from a particular Ethernet interface using tcpdump -i
The default mode of tcpdump command is to collect all the packets flowing through all the interfaces. The -i option provides a facility specify the Ethernet interface.
$ tcdump -i eth0
Capture only N number of packets using tcpdump -c
The option -c allows the tcpdump command to run a particular number of time. Otherwise the tcpdump command will run infinite times until it is canceled.
$ tcpdump -c 5 -i eth0
Display Captured Packets in ASCII using tcpdump -A
For displaying the packets in the ASCII.
$ tcpdump -A -i eth0
Display Captured Packets in HEX and ASCII using tcpdump -XX
The tcpdump command provides a feature for displaying analyzed packets in both ASCII and HEX format.
$tcpdump -XX -i eth0
Capture the packets and write into a file using tcpdump -w
The packets can be saved to a file and can be used for future reference with the help of tcpdump command.
$ tcpdump -w 08232010.pcap -i eth0
This is to be noted that the file extension must be .pcap so that any network protocol can read the file. The -w option allows to write the file.
Reading the packets from a saved file using tcpdump -r
The .pcap file can be loaded and can be displayed for future references with the help of -r option.
$tcpdump -tttt -r data.pcap
Capture packets with IP address using tcpdump -n
To capture and display the packets with IP address of the machines available can be achieved by
$ tcpdump -n -i eth0
Read packets longer than N bytes
A conditional filtering system of packets is a feature available with tcpdump command
$ tcpdump -w g_956.pcap greater 956
Receive only the packets of a specific protocol type
Another filtering of packets can be specified with reference to the protocol such as fddi, tr, wlan, ip, ip6, arp, rarp, decnet, tcp, and udp.
$ tcpdump -i eth0 tcp
Read packets lesser than N bytes
tcpdump also provides the facility to filter out with packets lesser than n number of bytes. This is achieved with the help of ‘less’ option.
$ tcpdump -w l_1024.pcap less 1024
Receive packets flows on a particular port using tcpdump port
Tracing of packets received by a specific port on a machine can be done by the tcpdump command
$ tcpdump -i eth0 port 22
If you need any further assistance please contact our support department.