tcpdump TCP/IP packet sniffer

Sometimes you need a powerful sniffer on your system. Every Mac and every Linux system already has one. You just have to use it.

tcpdump

The only things you have to know are a few flags.

  • -i en0 : Listen on this interface.
  • -n : Don't resolve hostnames.
  • -nn : Don't resolve hostnames or port names.
  • -X : Show the packet contents in both hex and ASCII.
  • -XX : Same as -X, but also shows the Ethernet header.
  • -v, -vv, -vvv : Increase the amount of packet information you get back.
  • -c n : Capture n packets and then stop.
  • -S : Print absolute TCP sequence numbers instead of relative ones.
  • -e : Print the Ethernet header as well.
  • -q : Show less protocol information.
  • -E : Decrypt IPsec traffic by providing the encryption key.
  • -s n : Set the snaplength, i.e. the number of bytes captured per packet.

Example:

If you just want to see some traffic on the interface:

tcpdump -ni en0

If you want to get a lot of information (full payload in hex and ASCII, absolute sequence numbers, 1514-byte snaplength):

tcpdump -i en0 -nnvvvXSs 1514

Of course there are some other options. You can record the traffic into a file (-w), and later read it back from that file (-r).

tcpdump -i en1 -n -w file.pcap

You can now open this file directly in Wireshark, which greatly simplifies analysis of the output.

You can also set filters on the command line to get only specific packets.

tcpdump -i en1 -nnvvS tcp and src 10.0.5.1 and dst port 5222

The filter criteria for tcpdump are the same as for all other libpcap-based software. The full expression syntax is documented in the pcap-filter man page.
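The -nn and -S output shown above is line-oriented and easy to post-process. As an added example (not from the original post), the following parser reads constructed tcpdump -nnS lines, extracts source, destination, ports and TCP flags, and counts how many distinct destination ports each source hit with a bare SYN, which is one quick way to spot scanning behaviour in a capture. The sample lines and function names are assumptions for this example.

```python
"""Parse tcpdump -nnS text output (added example, not from the original post)."""
import re

# Constructed sample of `tcpdump -nnS` output; not a real capture.
SAMPLE = """\
12:00:01.000100 IP 10.0.5.1.49152 > 10.0.5.2.5222: Flags [S], seq 1000, win 65535, length 0
12:00:01.000400 IP 10.0.5.2.5222 > 10.0.5.1.49152: Flags [S.], seq 2000, ack 1001, win 65535, length 0
12:00:01.000700 IP 10.0.5.1.49152 > 10.0.5.2.5222: Flags [.], ack 2001, win 65535, length 0
12:00:02.100000 IP 10.0.5.1.49153 > 10.0.5.2.22: Flags [S], seq 3000, win 65535, length 0
12:00:02.200000 IP 10.0.5.1.49154 > 10.0.5.2.443: Flags [S], seq 4000, win 65535, length 0
12:00:03.000000 IP 10.0.5.1.53000 > 10.0.5.3.53: 1234+ A? example.com. (29)
"""

# One tcpdump -nn line: "<time> IP <src>.<sport> > <dst>.<dport>: <rest>"
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) IP "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): (?P<rest>.*)$"
)
# TCP lines carry "Flags [...]"; UDP/DNS lines do not.
FLAGS_RE = re.compile(r"Flags \[(?P<flags>[^\]]*)\]")


def parse_line(line):
    """Return a dict for one tcpdump -nn IPv4 line, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["sport"] = int(rec["sport"])
    rec["dport"] = int(rec["dport"])
    f = FLAGS_RE.search(rec["rest"])
    rec["flags"] = f.group("flags") if f else None  # None for non-TCP lines
    return rec


def syn_targets(text):
    """Count distinct destination ports per source seen with a bare SYN
    (flags exactly 'S'). One source hitting many ports is worth a closer look."""
    ports = {}
    for line in text.splitlines():
        rec = parse_line(line)
        if rec and rec["flags"] == "S":
            ports.setdefault(rec["src"], set()).add(rec["dport"])
    return {src: len(p) for src, p in ports.items()}


if __name__ == "__main__":
    print(syn_targets(SAMPLE))  # {'10.0.5.1': 3}
```

Feed it real output with `tcpdump -nnS -r file.pcap | python3 parse.py` after adapting the script to read stdin instead of SAMPLE.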
