July 12, 2007 Archives

I always forget the parameters for this and have to look them up in the man page, so enough of that:

 tcpdump -nnXSs 0 'port 80'

  • "-nn" makes it skip looking up hostnames in DNS and service names (in /etc/services), for faster and cleaner output respectively.
  • "-X" makes it print each packet in hex and ASCII; that's really the useful bit for tracking headers and such.
  • "-S" prints absolute rather than relative TCP sequence numbers. If I remember right, this is so you can compare tcpdump outputs from multiple users doing this at once.
  • "-s 0": by default tcpdump will only capture the beginning of each packet; using 0 here makes it capture the full packets. We are debugging, right?

Instead of "port 80" you can make more complicated rules like "port 80 and host 10.50.33.10".
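
To read the "-X" output back programmatically, here is an added example (not part of the original post) that rebuilds each packet from the hex column, pulls out the HTTP payload, and flags packets that were cut short because "-s 0" was left off. The sample dump is constructed, the names `parse_dump` and `decode` are made up for this sketch, and it handles IPv4/TCP only.

```python
import re
import struct

# Constructed sample of `tcpdump -nnXSs 0 'port 80'` output (not a real capture).
SAMPLE = '''12:00:00.000000 IP 10.50.33.10.51234 > 10.50.33.20.80: Flags [P.], seq 1000000:1000038, ack 2000000, win 229, length 38
	0x0000:  4500 004e 1234 4000 4006 0000 0a32 210a  E..N.4@.@....2!.
	0x0010:  0a32 2114 c822 0050 000f 4240 001e 8480  .2!..".P..B@....
	0x0020:  5018 00e5 0000 0000 4745 5420 2f20 4854  P.......GET./.HT
	0x0030:  5450 2f31 2e31 0d0a 486f 7374 3a20 6578  TP/1.1..Host:.ex
	0x0040:  616d 706c 652e 7465 7374 0d0a 0d0a       ample.test....
'''

# Offset label, then up to eight space-separated hex groups; the ASCII column
# follows after two or more spaces and is deliberately not matched.
HEX_LINE = re.compile(r'^\s*0x[0-9a-f]{4}:\s+((?:[0-9a-f]{2,4} ){0,7}[0-9a-f]{2,4})')

def decode(raw):
    """Decode one IPv4/TCP packet; -X output starts at the IP header."""
    ihl = (raw[0] & 0x0F) * 4                        # IP header length, bytes
    total_len = int.from_bytes(raw[2:4], 'big')      # length the sender claimed
    pkt = {'truncated': len(raw) < total_len, 'payload': b''}
    if len(raw) < ihl + 20:                          # TCP header cut off
        return pkt
    tcp = raw[ihl:]
    sport, dport, seq = struct.unpack('!HHI', tcp[:8])
    pkt['src'] = '%s:%d' % ('.'.join(map(str, raw[12:16])), sport)
    pkt['dst'] = '%s:%d' % ('.'.join(map(str, raw[16:20])), dport)
    pkt['seq'] = seq                                 # absolute, as -S prints it
    pkt['payload'] = bytes(tcp[(tcp[12] >> 4) * 4:]) # skip TCP header + options
    return pkt

def parse_dump(text):
    """Return one dict per packet found in tcpdump -X text output."""
    packets, raw = [], None
    for line in text.splitlines() + ['']:            # '' flushes the last packet
        m = HEX_LINE.match(line)
        if m and raw is not None:
            raw += bytes.fromhex(m.group(1).replace(' ', ''))
        elif not m:
            if raw:
                packets.append(decode(raw))
            raw = bytearray() if ' IP ' in line else None
    return packets

if __name__ == '__main__':
    for p in parse_dump(SAMPLE):
        print(p)
```

The `seq` value matches the number on the summary line only because "-S" was used; without it tcpdump prints offsets relative to the start of the connection.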
