How to dump packets with tcpdump


I always forget the parameters for this and have to look them up in the man page, so enough of that:

 tcpdump -nnXSs 0 'port 80'

  • "-nn" makes it not look up hostnames in DNS or service names (in /etc/services), which makes the output both faster (no lookups to wait for) and cleaner (numeric addresses and ports).
  • "-X" makes it print each packet in hex and ASCII; that's really the useful bit for tracking headers and such.
  • "-S" prints absolute rather than relative TCP sequence numbers. If I remember right this is so you can compare tcpdump outputs from multiple users doing this at once.
  • "-s 0": by default tcpdump will only capture the beginning of each packet; using 0 here makes it capture the full packets. We are debugging, right?

Instead of "port 80" you can make more complicated rules like "port 80 and host 10.50.33.10".
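Reading the "-X" output by eye means counting your way past the IP and TCP headers to get at the HTTP request. The following Python script, added here as an example and not part of the original post, does that walk over a constructed sample of `tcpdump -nnXSs 0 'port 80'` output (made-up addresses, ports and sequence numbers) and also flags a packet that is shorter than its IP total length, which is what you see when "-s 0" was left off.

```python
import re

# Constructed sample of `tcpdump -nnXSs 0 'port 80'` output: one HTTP request
# in one TCP segment. Addresses, ports and sequence numbers are made up.
SAMPLE = """\
12:01:00.123456 IP 10.50.33.10.54321 > 10.50.33.20.80: Flags [P.], seq 1234567890:1234567927, ack 987654321, win 65535, length 37
\t0x0000:  4500 004d 1c46 4000 4006 0000 0a32 210a  E..M.F@.@....2!.
\t0x0010:  0a32 2114 d431 0050 4996 02d2 3ade 68b1  .2!..1.PI...:.h.
\t0x0020:  5018 ffff 1234 0000 4745 5420 2f20 4854  P....4..GET./.HT
\t0x0030:  5450 2f31 2e31 0d0a 486f 7374 3a20 6578  TP/1.1..Host:.ex
\t0x0040:  616d 706c 652e 636f 6d0d 0a0d 0a         ample.com....
"""
HEX_LINE = re.compile(r"^\s*0x[0-9a-fA-F]{4}:\s+(.*)$")


def parse_dump(text):
    """Group -X output into packets: the summary line plus the raw bytes."""
    packets = []
    for line in text.splitlines():
        m = HEX_LINE.match(line)
        if m:
            # Hex groups are single-space separated; two or more spaces start
            # the ASCII column, which is only a rendering of the same bytes.
            hex_part = re.split(r"\s{2,}", m.group(1).strip(), maxsplit=1)[0]
            packets[-1]["raw"] += bytes.fromhex(hex_part.replace(" ", ""))
        elif line.strip():
            packets.append({"summary": line.strip(), "raw": bytearray()})
    return packets


def decode_tcp(raw):
    """Walk the IPv4 and TCP headers (-X starts at the IP header) to the payload."""
    if raw[0] >> 4 != 4 or raw[9] != 6:
        raise ValueError("only IPv4/TCP is handled here")
    total_len = int.from_bytes(raw[2:4], "big")
    tcp = raw[(raw[0] & 0x0F) * 4:total_len]     # skip IP header (IHL words)
    data_off = (tcp[12] >> 4) * 4                 # TCP header length in bytes
    return {
        "sport": int.from_bytes(tcp[0:2], "big"),
        "dport": int.from_bytes(tcp[2:4], "big"),
        "seq": int.from_bytes(tcp[4:8], "big"),   # absolute, as -S prints it
        "truncated": len(raw) < total_len,        # shorter than IP says: no -s 0?
        "payload": bytes(tcp[data_off:]),
    }


def http_headers(payload):
    """Request line plus header fields from an HTTP/1.x request payload."""
    lines = payload.split(b"\r\n\r\n", 1)[0].decode("latin-1").split("\r\n")
    fields = {"request": lines[0]}
    for name, _, value in (f.partition(":") for f in lines[1:]):
        fields[name.strip()] = value.strip()
    return fields
```

Feed it real output with `python3 script.py < dump.txt` after replacing SAMPLE with `sys.stdin.read()`; packets captured with "-XX" start at the link-layer header instead and would need that offset skipped first.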

This page contains a single entry by Ask Bjørn Hansen published on July 12, 2007 12:01 PM.