-i eth1 : Specify the interface -c 10 : Limit capture to 10 packets -s : Snap length, how many bytes of the frame to capture -v, -vv, -vvv : Level of verbosity -n : Don't resolve host names -nn : Don't resolve host names or port names -S : Display absolute sequence numbers -e : Display the Ethernet header -q : Display less protocol information -E : Decrypt IPSEC traffic using the supplied key -X : Display the packet payload in both hex and ASCII -XX : Same as -X, but includes the ethernet header
Basic decoded information:
[email protected]:~# tcpdump -nnvvS
Full Ethernet frame using a full snaplen -s 1514:
[email protected]:~# tcpdump -ennvvSXqs 1514 port 53
Capture to a file with -w:
[email protected]:~# tcpdump -s 1514 port 53 -w capture_file
Grouping requires parenthesis:
[email protected]:~# tcpdump ’dst 126.96.36.199 and (dst port 80 or 53)’
Dump each packet in ASCII using -A, or in HEX and ASCII using -XX
tcpdump -nqtA -s 1514 port 5060
Capture using -n to print packet IP addresses, and not resolve the hostnames
tcpdump -n -i eth0
One of the most important lessons I’ve learnt using tcpdump is that the interface ‘lo’ is virtual. Packets sent to the localhost interface are not treated in the same way as packets sent to non-localhost interfaces such as eth0 by the kernel. That said, tcpdump will helpfully display such packets as if they were normal.
The lesson is that packet injection to localhost will fail, but tcpdump will make it look as if it is not failing. Instead, injecting packets onto the localhost interface is best achieved using raw sockets.
See seclists.org for more information.