By running this command with some default options, you can analyze the packets being transmitted over the network. The packets can be captured in real time, or written to a dump file which can be analyzed later. What I have found more useful is to first capture to a dump file.
For example, I have a web-based application running on port 8080 that I want to inspect to see what is going on, so I issue the following command:
sudo tcpdump -i eth0 -s 0 -nw output.dmp dst port 8080
The arguments basically say, in their order:
interface (-i): eth0
snarf (-s): 0 bytes, rather than the default 68 - less information to go through; for me, I am only really interested in the headers
no address/name resolution (-n) - keep the IP address values as they are
write (-w): to output.dmp
dst port: only capture packets going to port 8080. More complex filters can be written, and the filter syntax is documented in the man page of pcap-filter
This produces a binary file, so it is no good trying to read it in a simple text editor; however, you can output the contents by passing in the -r flag (read):
sudo tcpdump -r output.dmp -A
I prefer to use the -A flag (ASCII), but you could also use the -X flag. I think the -A flag produces slightly more readable request headers. That said, the -X flag would be useful for viewing the data in both hex and ASCII format.
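To show what tcpdump is actually doing when it reads the dump back with -r and -A, here is an added example (not code from the original post) that parses the classic pcap format tcpdump writes, applies the same dst port 8080 filter, and prints each matching TCP payload as ASCII. It builds its own pcap in memory from constructed sample packets (IP and TCP checksums are left at zero, which is fine for parsing), so it runs offline with no capture needed; to use it on a real dump, read output.dmp into data instead of SAMPLE_PCAP. The packet addresses, ports and request lines below are all constructed sample values.

```python
import socket
import struct
from dataclasses import dataclass
from typing import Iterator, List, Optional

PCAP_MAGIC = 0xA1B2C3D4      # classic pcap magic (microsecond timestamps)
LINKTYPE_ETHERNET = 1
ETHERTYPE_IPV4 = 0x0800
IPPROTO_TCP = 6


@dataclass
class TcpPacket:
    src: str
    sport: int
    dst: str
    dport: int
    payload: bytes


def build_pcap(packets: List[TcpPacket]) -> bytes:
    """Serialise constructed packets into a little-endian pcap file (sample data only)."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 262144, LINKTYPE_ETHERNET)
    for n, p in enumerate(packets):
        # TCP header: ports, seq, ack, data offset 5 words, flags PSH|ACK, window, checksum 0, urg 0
        tcp = struct.pack("!HHIIBBHHH", p.sport, p.dport, 1, 1, 5 << 4, 0x18, 65535, 0, 0) + p.payload
        # IPv4 header: version 4 / IHL 5, total length, DF flag, TTL 64, checksum 0
        ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), n, 0x4000, 64,
                         IPPROTO_TCP, 0, socket.inet_aton(p.src), socket.inet_aton(p.dst))
        frame = struct.pack("!6s6sH", b"\x02" * 6, b"\x04" * 6, ETHERTYPE_IPV4) + ip + tcp
        out += struct.pack("<IIII", 1_700_000_000 + n, 0, len(frame), len(frame)) + frame
    return out


def read_pcap(data: bytes) -> Iterator[bytes]:
    """Yield each captured Ethernet frame from a pcap file, handling either byte order."""
    (magic,) = struct.unpack_from("<I", data, 0)
    if magic == PCAP_MAGIC:
        endian = "<"
    elif magic == 0xD4C3B2A1:
        endian = ">"
    else:
        raise ValueError("not a classic pcap file (unknown magic)")
    (linktype,) = struct.unpack_from(endian + "I", data, 20)
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError(f"unsupported link type {linktype}")
    off = 24
    while off + 16 <= len(data):
        _sec, _usec, incl_len, _orig_len = struct.unpack_from(endian + "IIII", data, off)
        off += 16
        yield data[off:off + incl_len]
        off += incl_len


def parse_tcp(frame: bytes) -> Optional[TcpPacket]:
    """Decode Ethernet -> IPv4 -> TCP; return None for anything that is not IPv4/TCP."""
    if len(frame) < 14 + 20:
        return None
    (ethertype,) = struct.unpack_from("!H", frame, 12)
    if ethertype != ETHERTYPE_IPV4:
        return None
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    (total_len,) = struct.unpack_from("!H", ip, 2)
    if ip[9] != IPPROTO_TCP:
        return None
    tcp = ip[ihl:total_len]
    sport, dport = struct.unpack_from("!HH", tcp, 0)
    data_off = (tcp[12] >> 4) * 4
    return TcpPacket(socket.inet_ntoa(ip[12:16]), sport,
                     socket.inet_ntoa(ip[16:20]), dport, tcp[data_off:])


def packets_to_port(data: bytes, port: int) -> List[TcpPacket]:
    """Equivalent of the 'dst port N' capture filter applied while reading a dump."""
    return [p for p in (parse_tcp(f) for f in read_pcap(data)) if p and p.dport == port]


def ascii_dump(payload: bytes) -> str:
    """Render a payload the way tcpdump -A does: printable ASCII kept, other bytes as '.'."""
    return "".join(chr(b) if 32 <= b < 127 or b in (10, 13) else "." for b in payload)


# Constructed sample traffic: one HTTP request to 8080, one SSH banner to 22, one HTTP reply.
SAMPLE_PACKETS = [
    TcpPacket("10.0.0.5", 51234, "10.0.0.10", 8080,
              b"GET /index.html HTTP/1.1\r\nHost: app.example\r\n\r\n"),
    TcpPacket("10.0.0.5", 51235, "10.0.0.10", 22, b"SSH-2.0-OpenSSH_9.6\r\n"),
    TcpPacket("10.0.0.10", 8080, "10.0.0.5", 51234, b"HTTP/1.1 200 OK\r\n\r\n"),
]
SAMPLE_PCAP = build_pcap(SAMPLE_PACKETS)

if __name__ == "__main__":
    for p in packets_to_port(SAMPLE_PCAP, 8080):
        print(f"{p.src}.{p.sport} > {p.dst}.{p.dport}: {len(p.payload)} bytes")
        print(ascii_dump(p.payload))
```

Only the request to port 8080 survives the filter, just as only packets going to 8080 end up in output.dmp with the capture command above. Note that -A can only show a whole request when the whole packet was kept: -s 0 does exactly that, since tcpdump treats a snapshot length of 0 as "use the maximum" rather than "capture nothing".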
Another useful tool (which you need to install) is tcpick, which can also parse the data dumps captured by tcpdump.
sudo tcpick -C -yP -r output.dmp
Which is basically saying: print with syntax highlighting, and show the data contained in the packets. No doubt this does output the data nicely formatted, but other than that I see no real reason not to just use tcpdump with the -A flag for viewing the captured packets.