Question & Answer
Question
Explain the use of tcpdump commands.
Answer
Problem
Explain the use of tcpdump commands.
Solution
tcpdump -ni DEVICE -s0 -w dumpfile filterString
where:
- DEVICE is the device name of the sniffer or capture NIC; use the ifconfig command (or ip link on newer Linux systems) to list the NIC device names.
- -n disables name resolution of addresses and ports, and -s0 captures whole packets rather than a truncated snapshot.
- dumpfile is the name of the file the dump is written to.
- filterString is the IP/port (pcap-filter) expression you wish to capture.
Watch live traffic on an interface:
tcpdump -ni bge0 |more
tcpdump -ni bge1 |more
Look for specific traffic:
tcpdump -ni bge0 host <IP address> and port <IP port number> |more
where
- <IP address> and <IP port number> might be, for example, 10.10.10.2 and 80.
Manual method of using tcpdump to capture HTTP(S) traffic to a dump file. The parentheses must be escaped or quoted so the shell does not interpret them; the following two forms are equivalent:
tcpdump -ni bge0 -s0 -w dumpfile host ipAddr and port \(80 or 443\)
tcpdump -ni bge0 -s0 -w dumpfile host ipAddr and port '('80 or 443')'
tcpdump -ni bge0 -s0 -w dumpfile net xxx.xxx.xxx.0/24 and port 80
Using an existing tcpdump file to extract specific traffic to another dump file (-r reads packets from the file instead of from an interface):
tcpdump -nr dumpfile -s0 -w newfile host ipAddr and port #nmbr
If tcpdump shows traffic when run without a filter, but a filter such as tcpdump -ni eth2 port 8001 matches nothing, the problem is usually an additional header between the Ethernet header and the IP header, typically an 802.1Q VLAN tag. The filter expression assumes the IP header starts immediately after the 14-byte Ethernet header, so with the 4-byte tag present the ip and port tests read the wrong bytes and never match. Use the tcpdump -e option to print the link-layer headers; a tagged frame shows the extra header as:
???? ... ethertype 802.1Q length 64: vlan 128 p 0 ethertype IPv4 IP 192.168.128.42.8001 > 192.168.128.90.20700:
If tcpdump is unable to provide a filtered output, then the capture system is not able to do so either. If it is VLAN-tagged traffic, put the vlan keyword at the start of the filter expression; it matches the tag and shifts the decoding offsets of every primitive that follows it:
tcpdump -ni eth2 vlan and port 8001
Other examples of filtering with VLAN packets:
tcpdump -nr tst.dmp 'ether[12:2] = 0x8100'
tcpdump -nr tst.dmp vlan and ip and port 8001
Show both types of traffic (keep ip before vlan: because vlan shifts the offsets used by everything after it, the reversed form vlan or ip would test ip at the wrong offset and miss untagged frames):
tcpdump -nr tst.dmp ip or vlan
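The following is an added example, not part of the IBM technote and not IBM code. It builds a two-packet pcap (one plain Ethernet/IPv4/UDP frame and one 802.1Q-tagged copy, using the addresses, ports and VLAN 128 from the -e output above; the MAC addresses, payload and file name are made up) and evaluates a small subset of tcpdump filter syntax the way libpcap does, so you can see why port 8001 misses the tagged frame, why vlan and port 8001 catches it, and why the order in ip or vlan matters. The generated file can be read back with the tcpdump -nr commands shown above.

```python
"""Added example (not from the IBM technote): construct a tiny pcap with one
plain and one 802.1Q-tagged frame, and emulate how libpcap evaluates the
filter primitives 'ip', 'vlan' and 'port N' against them."""
import struct

ETHERTYPE_IPV4 = 0x0800   # plain IPv4 frame
ETHERTYPE_8021Q = 0x8100  # 802.1Q VLAN tag (TPID)
VLAN_TAG_LEN = 4          # TPID + TCI


def ipv4_udp_packet(src, dst, sport, dport, payload=b"constructed"):
    """Minimal IPv4/UDP packet; checksums are left at zero (tcpdump still decodes it)."""
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                     bytes(int(o) for o in src.split(".")),
                     bytes(int(o) for o in dst.split(".")))
    return ip + udp


def ethernet_frame(payload, vlan_id=None):
    """Wrap payload in an Ethernet header, inserting an 802.1Q tag when vlan_id is given."""
    dst = bytes.fromhex("001122334455")  # constructed MAC addresses
    src = bytes.fromhex("66778899aabb")
    if vlan_id is None:
        return dst + src + struct.pack("!H", ETHERTYPE_IPV4) + payload
    tci = vlan_id & 0x0FFF  # PCP=0, DEI=0, VID=vlan_id (the 'vlan 128 p 0' of tcpdump -e)
    return dst + src + struct.pack("!HHH", ETHERTYPE_8021Q, tci, ETHERTYPE_IPV4) + payload


def build_sample_frames():
    """Same packet twice: once untagged, once inside VLAN 128."""
    pkt = ipv4_udp_packet("192.168.128.42", "192.168.128.90", 8001, 20700)
    return {"plain": ethernet_frame(pkt), "tagged": ethernet_frame(pkt, vlan_id=128)}


def ethertype_at(frame, off):
    return struct.unpack_from("!H", frame, off)[0]


def is_8021q(frame):
    """The check the technote writes as 'ether[12:2] = 0x8100'."""
    return ethertype_at(frame, 12) == ETHERTYPE_8021Q


def _port_matches(frame, ethertype_off, port):
    """'port N' for IPv4 TCP/UDP; the IP header is read right after the ethertype field."""
    if ethertype_at(frame, ethertype_off) != ETHERTYPE_IPV4:
        return False
    ip_off = ethertype_off + 2
    ihl = (frame[ip_off] & 0x0F) * 4
    if frame[ip_off + 9] not in (6, 17):  # protocol field: TCP or UDP only
        return False
    sport, dport = struct.unpack_from("!HH", frame, ip_off + ihl)
    return port in (sport, dport)


def bpf_like_match(frame, expression):
    """Evaluate 'ip', 'vlan' and 'port N' joined by 'and'/'or', left to right.
    Mirrors the libpcap rule that 'vlan' shifts the decoding offsets of every
    primitive AFTER it by 4 bytes, whether or not the vlan test itself passed.
    Simplifications: no parentheses, no and/or precedence, IPv4 only."""
    tokens = expression.split()
    shift, result, op, i = 0, None, None, 0
    while i < len(tokens):
        tok = tokens[i]
        if tok in ("and", "or"):
            op = tok
        else:
            if tok == "ip":
                val = ethertype_at(frame, 12 + shift) == ETHERTYPE_IPV4
            elif tok == "vlan":
                val = ethertype_at(frame, 12 + shift) == ETHERTYPE_8021Q
                shift += VLAN_TAG_LEN  # everything after 'vlan' is decoded 4 bytes later
            elif tok == "port":
                i += 1
                val = _port_matches(frame, 12 + shift, int(tokens[i]))
            else:
                raise ValueError("unsupported primitive: " + tok)
            if result is None:
                result = val
            elif op == "and":
                result = result and val
            else:
                result = result or val
        i += 1
    return bool(result)


def pcap_bytes(frames):
    """Classic pcap container (link type 1 = Ethernet) that 'tcpdump -nr' can read."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for n, fr in enumerate(frames):  # arbitrary timestamps, one second apart
        out += struct.pack("<IIII", 1544227200 + n, 0, len(fr), len(fr)) + fr
    return out


def write_pcap(path, frames):
    with open(path, "wb") as f:
        f.write(pcap_bytes(frames))


if __name__ == "__main__":
    frames = build_sample_frames()
    write_pcap("tst.dmp", [frames["plain"], frames["tagged"]])  # try: tcpdump -nr tst.dmp vlan and port 8001
    for expr in ("port 8001", "vlan and port 8001", "ip or vlan", "vlan or ip"):
        print(f"{expr:20s}", {k: bpf_like_match(v, expr) for k, v in frames.items()})
```

Running the script writes tst.dmp and prints that port 8001 matches only the plain frame, vlan and port 8001 matches only the tagged frame, ip or vlan matches both, and vlan or ip misses the plain frame because the ip test lands on the first bytes of the IP header instead of the ethertype field. The same ordering rule applies to the real tcpdump commands above.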
Document Information
Modified date: 08 December 2018
UID: ibm10777385