Quick Network Analysis With tcpdump

You see that light blinking like crazy on the switch, and want to see what it is that your system is doing? If you are on a (u|li)n[i|u]x or BSD of some sort, pick up a copy of tcpdump. If you are on OS X it is already included.

While tcpdump can do a great many amazing and magical things, I am just going to focus on a quick one to get a look at what is coming across your wire. The first thing to be aware of is that you will need root access on the box (or, on Linux, the CAP_NET_RAW and CAP_NET_ADMIN capabilities) in order to open an interface for capture, because putting the card into promiscuous mode and reading raw packets is a privileged operation.


    sudo tcpdump -s0 -A -v

The sudo portion lets you run the command as the superuser. The -s0 portion tells tcpdump to capture packets of any size by setting the snapshot length to the maximum. Older versions of tcpdump defaulted to a very short snapshot length (68 bytes) and silently truncated longer packets; current versions default to a large one, so -s0 is harmless either way. The -A tells tcpdump to print each packet as ASCII text so you can read some of its content (bytes that are not printable show up as dots, so this is mostly useful for plaintext protocols such as HTTP or SMTP). The -v tells tcpdump to be verbose in its output. This gives you things like the time to live, identification, total length and options of the IP header, and also turns on extra integrity checks such as verifying the IP and ICMP header checksums. To stop your dump, press Ctrl-C.

This is a great place to start with tcpdump, but there are a few more common options you can take advantage of. By adding -w <filename> you can write the raw packets to a file instead of printing them. Later you can read that file back with -r <filename>, combined with whatever display options and filters you like. For example,


    sudo tcpdump -s0 -w mydump.dmp

would write the output to a file called “mydump.dmp”. You could then use


    sudo tcpdump -s0 -A -v -r mydump.dmp

to view the contents of that file. You could also open that file in a packet analysis tool like Wireshark (formerly Ethereal), since it is in the standard libpcap format. Writing to a file is the better choice when you are capturing a lot of packets: tcpdump skips decoding and printing each packet as it arrives, so it keeps up with a busier link and drops fewer packets (when you stop it, it reports how many packets the kernel dropped). Display options such as -A do nothing when combined with -w; apply them when you read the file back with -r.

Another thing you might want to do is limit the scope of what you are capturing, using a filter expression at the end of the command line. You can use host to select a hostname or address (matching packets to or from it), or net to limit based on a network range.


    sudo tcpdump -s0 -A -v host mycomputer.com

or


    sudo tcpdump -s0 -A -v net 192.168.1.0/24

You can get very granular in selecting what traffic you capture: port selects a TCP or UDP port, src and dst restrict host, net or port to one direction, and expressions combine with and, or and not. Two things worth doing from the start: if you are logged in over ssh, exclude your own session with not port 22, otherwise the dump fills up with the packets carrying its own output; and add -n so tcpdump does not reverse-resolve every address, which is slow and itself generates DNS traffic that then shows up in the capture. Use -i <interface> when the default interface is not the one you want. You can get more detail on what can be done from the man page for tcpdump, which also has some additional examples.
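Since the file written with -w above is plain libpcap format and host, net and port are just filter primitives, here is an added example (not from the original post, and not tcpdump's own code) that parses such a file in Python, applies the same host/net/port selection, and verifies the IP header checksum the way -v does. The capture it works on is constructed in memory with made-up addresses so it runs without root or a network interface; the MAC addresses, ports and the corrupted fifth packet are assumptions made for the sample. It handles microsecond-timestamp pcap files in either byte order and Ethernet link type only; nanosecond-timestamp files (magic a1b23c4d) and pcapng are out of scope.

```python
"""Parse libpcap files (what `tcpdump -w` writes) and apply host/net/port filters. Added example,
not from the original post or from tcpdump; the capture at the bottom is constructed sample data."""
import ipaddress
import socket
import struct

PROTO_NAMES = {1: "icmp", 6: "tcp", 17: "udp"}
PCAP_MAGIC = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}  # microsecond pcap, either byte order

def ipv4_checksum(header: bytes) -> int:
    """RFC 1071 one's-complement checksum; returns 0 when the header's own checksum field is correct."""
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))  # IPv4 headers are 4-byte aligned
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def build_frame(src: str, dst: str, proto: int, l4: bytes, ttl: int = 64) -> bytes:
    """Constructed Ethernet/IPv4 frame (sample data only) with a correct IP header checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0x1234, 0x4000, ttl, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    hdr = hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]
    return bytes.fromhex("001122334455" "66778899aabb" "0800") + hdr + l4  # dst MAC, src MAC, IPv4

def tcp_segment(sport: int, dport: int, flags: int = 0x02) -> bytes:
    """Minimal TCP header (default flags: SYN); its checksum is left zero and is not verified here."""
    return struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, flags, 65535, 0, 0)

def corrupt_ip_checksum(frame: bytes) -> bytes:
    """Damage the IP header checksum (frame offset 24) so the tcpdump -v style check fails."""
    return frame[:24] + bytes([frame[24] ^ 0xFF]) + frame[25:]

def build_pcap(frames, snaplen: int = 262144, endian: str = "<") -> bytes:
    """libpcap global header (v2.4, linktype 1 = Ethernet) followed by a record header per frame."""
    out = struct.pack(endian + "IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, snaplen, 1)
    for i, frame in enumerate(frames):
        out += struct.pack(endian + "IIII", 1_000_000 + i, i * 1000, len(frame), len(frame)) + frame
    return out

def parse_pcap(data: bytes):
    """Yield (timestamp, frame, original_length) records; tolerates a file that was cut short."""
    endian = PCAP_MAGIC.get(data[:4])
    if endian is None:
        raise ValueError("not a pcap file (magic %s)" % data[:4].hex())
    if struct.unpack(endian + "IHHiIII", data[:24])[6] != 1:
        raise ValueError("only Ethernet (linktype 1) captures are handled here")
    off = 24
    while off + 16 <= len(data):
        ts_sec, ts_usec, incl, orig = struct.unpack(endian + "IIII", data[off:off + 16])
        frame = data[off + 16:off + 16 + incl]
        if len(frame) < incl:
            break  # tcpdump was killed mid-write; the partial last record is unusable
        off += 16 + incl
        yield ts_sec + ts_usec / 1e6, frame, orig

def decode_frame(frame: bytes):
    """Decode Ethernet/IPv4 and TCP/UDP ports; verifies the IP header checksum as tcpdump -v does."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":  # not IPv4 (ARP, IPv6, ...)
        return None
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    if ip[0] >> 4 != 4 or ihl < 20 or len(ip) < ihl:
        return None  # malformed header: refuse to guess rather than mis-decode
    sport = dport = None
    if ip[9] in (6, 17) and len(ip) >= ihl + 4:
        sport, dport = struct.unpack("!HH", ip[ihl:ihl + 4])
    return {"src": socket.inet_ntoa(ip[12:16]), "dst": socket.inet_ntoa(ip[16:20]), "sport": sport,
            "dport": dport, "proto": PROTO_NAMES.get(ip[9], str(ip[9])), "ttl": ip[8],
            "ip_csum_ok": ipv4_checksum(ip[:ihl]) == 0}

def make_filter(host=None, net=None, port=None):
    """Like tcpdump's 'host X', 'net X/Y' and 'port N': each matches either direction, all are ANDed."""
    network = ipaddress.ip_network(net, strict=False) if net else None
    def match(pkt):
        ends = (pkt["src"], pkt["dst"])
        return ((not host or host in ends)
                and (not network or any(ipaddress.ip_address(a) in network for a in ends))
                and (not port or port in (pkt["sport"], pkt["dport"])))
    return match

def summarize(pcap: bytes, host=None, net=None, port=None):
    """One tcpdump-style line per matching IPv4 packet, flagging a bad IP header checksum."""
    match, lines = make_filter(host, net, port), []
    for ts, frame, _ in parse_pcap(pcap):
        pkt = decode_frame(frame)
        if pkt and match(pkt):
            lines.append("%.6f IP %s.%s > %s.%s: %s ttl %d%s" % (
                ts, pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"], pkt["proto"], pkt["ttl"],
                "" if pkt["ip_csum_ok"] else " (bad ip cksum)"))
    return lines

# Constructed capture: web SYN, DNS query to the gateway, ssh SYN/ACK, unrelated net, damaged checksum
SAMPLE_CAPTURE = build_pcap([
    build_frame("192.168.1.10", "93.184.216.34", 6, tcp_segment(51234, 443)),
    build_frame("192.168.1.10", "192.168.1.1", 17, struct.pack("!HHHH", 53001, 53, 20, 0) + b"\x12\x34\x01\x00" + b"\x00" * 8),
    build_frame("10.9.8.7", "192.168.1.10", 6, tcp_segment(22, 51235, flags=0x12)),
    build_frame("172.16.0.5", "172.16.0.9", 6, tcp_segment(8080, 40000)),
    corrupt_ip_checksum(build_frame("203.0.113.9", "192.168.1.10", 6, tcp_segment(4444, 51236))),
])
```

To run it against a real dump written with -w, pass the file's bytes instead of the sample, for example summarize(open("mydump.dmp", "rb").read(), net="192.168.1.0/24"). The parser deliberately stops at a truncated trailing record and refuses malformed IP headers instead of guessing, which is the behaviour you want from anything that reads attacker-influenced captures.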

This should get you started on looking at your network traffic; you might just be surprised at what you find. tcpdump is a very versatile tool, and the more you play with it the more you find.


3 Responses to Quick Network Analysis With tcpdump

  1. Adam says:

    Hi there, I really got a great idea from this rich information. I actually want to know more about the process of getting the data and entering it into a particular simulator, which is the Opnet simulator. Is there a way to feed Opnet with data gathered using tcpdump so as to simulate the built-in profile object that is provided in the Opnet simulator (the profile provides the flow information of a network component (nodes or applications)), so that Opnet can make use of the valuable data collected by tcpdump? With my regards.

  2. […] of googling to figure out what useful tool to collect the packet information. I found this site https://scrutin.wordpress.com/2007/04…-with-tcpdump/ which I made great use of to recognize the tcpdump tool. I also have a network simulator on windows […]
