Questions tagged [tcpdump]

A command-line packet analyzer

tcpdump is a common packet analyzer that runs under the command line. It allows the user to intercept and display TCP/IP and other packets being transmitted or received over a network to which the computer is attached.


273 questions
58 votes, 6 answers

Why would the kernel drop packets?

I interrupted tcpdump with Ctrl+C and got this total summary: 579204 packets captured 579346 packets received by filter 142 packets dropped by kernel What are the "packets dropped by kernel"? Why does that happen?
Raja G · 5,749 · 12 · 44 · 67
35 votes, 5 answers

How to process/pipe tcpdump's output in real time

If I want to tcpdump DNS requests by clients (on an OpenWrt 10.04 router), then I root@ROUTER:/etc# tcpdump -n -i br-lan dst port 53 2>&1 tcpdump: verbose output suppressed, use -v or -vv for full protocol decode listening on br-lan,…
LanceBaynes · 39,295 · 97 · 250 · 349
34 votes, 4 answers

How to trace networking activity of a command?

I want to trace the networking activity of a command; I tried tcpdump and strace without success. For example, if I am installing a package or using any command that tries to reach some site, I want to view that networking activity (the site it…
Buvanesh Kumar · 533 · 1 · 5 · 11
34 votes, 6 answers

How to capture and see packet contents with tcpdump

I am trying to HTTP traffic to port 8007 in a file and then view them later. # tcpdump -i eth0 -s0 -n -w /tmp/capture port 8007 & # tcpdump -r /tmp/capture -A | grep '10.2.1.50' I expected to see packet data in ASCII but that does not happen. What…
Dinesh · 1,241 · 4 · 14 · 18
20 votes, 1 answer

Buffer size for capturing packets in kernel space?

Going through the man page of tcpdump, it seems the kernel can drop the packets if the buffer is full. I was wondering whether that size is configurable and/or where I can see the size for my distro. From the man page (for easy reference): packets…
Anon · 201 · 1 · 2 · 3
18 votes, 1 answer

Creating multicast join for tcpdump captures

I want to write a linux shell script which will capture specific multicast traffic. Specific as in, I want to create a pcap file that has all the traffic for one specific multicast group/port. Here is the command line I am using to view…
John Dibling · 2,180 · 7 · 22 · 33
17 votes, 1 answer

How can I capture all the UDP packets using tcpdump?

I have to capture all the UDP packets sent from host A to any UDP port of host B. The following, if run on host B, doesn't work. $ sudo tcpdump -i eth0 -SX udp src tcpdump: 'udp' modifier applied to host What is the correct command line to…
sherlock · 586 · 1 · 6 · 17
17 votes, 2 answers

How to gather DNS A record requests?

I need to record all outgoing A records on a RedHat PC. I tried using tcpdump: tcpdumpdns=OUTPUT-FILENAME-HERE nohup tcpdump -K dst port 53 -w $tcpdumpdns > /dev/null 2>&1 & It makes an output file like: 19:26:12.185392 IP 172.16.0.6.57977 >…
LanceBaynes · 39,295 · 97 · 250 · 349
16 votes, 2 answers

Ghost NTP server on Debian 8.6

So the university IT security team and I have been going around and around on this with no breaks... anyone have any thoughts on this: I recently set up a small file server for my lab running Debian 8.6 on a dedicated computer (Intel Avoton C2550…
Tim Otchy · 163 · 8
16 votes, 1 answer

tcpdump: "packets captured" vs "packets received by filter"

We have a script which calls tcpdump -v src host and port >>out.txt 2>>err.txt -w capture.cap on multiple IPs while the other parts of the script initiate some traffic in the background. We want to check if packets are…
Alex Biro · 263 · 1 · 2 · 5
14 votes, 2 answers

What is "rfc3442-classless-static-routes" in /etc/dhcp/dhclient.conf

I am trying to debug DHCP on my laptop (I am using dhcping and dhcdump to see what the DHCP server sends back). Following is my /etc/dhcp/dhclient.conf. option rfc3442-classless-static-routes code 121 = array of unsigned integer 8; send host-name =…
Thomas Keller · 62 · 1 · 3 · 16
14 votes, 2 answers

How does one capture traffic on virtual interfaces?

I would like to capture traffic on Linux virtual interfaces, for debugging purposes. I have been experimenting with veth, tun and dummy interface types; on all three, I am having trouble getting tcpdump to show anything. Here is how I set up the…
solidsnack · 395 · 1 · 2 · 11
12 votes, 3 answers

Ping and tcpdump at the same time

The situation is this: there is one script on the server which makes a ping to somewhere, and I don't know where. I want to see to which machine this ping is made and why it is returning FAILED. What I do is to run tcpdump in one terminal and at the…
S.I. · 435 · 3 · 7 · 16
12 votes, 1 answer

What level of the network stack does tcpdump get its info from?

As I was trying in vain to fix a faulty ethernet controller here, one thing I tried was running tcpdump on the machine. I found it interesting that tcpdump was able to detect that some of the ICMP packets the ping application thought it was sending…
Eric · 298 · 1 · 2 · 8
10 votes, 1 answer

tcpdump time based circular rotation

Despite reading the man page and searching StackExchange and the wider internet, I have failed to figure out a way to make a time-based, rotating, limited-count tcpdump. I want for example to have one file per hour, with no more than 24 hours. But…
Slashterix · 345 · 1 · 4 · 10