Saturday, August 12, 2017

Using Tcpdump to dump and read network traffic

Another Quick FYI tip.

There are many network analyzer/reader utilities available on both the Linux and Windows platforms. There is of course Wireshark, the most popular GUI network protocol analyzer, but I prefer tcpdump because it is very easy to use from the command line.

Let's get started with some examples then. Say you want to capture all multicast traffic (from all interfaces) to a file; you run:

$> tcpdump -i any -n "multicast" -vvv -w VideoStreamData.pcap
where:

  • -i any captures on all interfaces (Linux); without it tcpdump picks the first non-loopback interface.
  • -n avoids DNS lookups to convert host addresses to names.
  • -vvv prints the most verbose packet summaries (and, with -w, a running count of captured packets).
  • -w writes the captured traffic to the file path specified instead of printing it.


Or, if you want to capture only packets with a specific destination IP, say 172.68.1.1, and destination port 80 or 8080:

$> tcpdump -n "dst host 172.68.1.1 and (dst port 80 or dst port 8080)"
After you have captured network data into a pcap file with tcpdump, you can read the packets back and print their contents as ASCII with:

$> tcpdump -A -r httpServerLogonMessages.pcap
This comes in handy for reading HTTP/web page traffic, where the payload is plain text.

Or, if you want to read the messages in both hex and ASCII along with the IP and transport header data:

$> tcpdump -X -r MessengerCommunication_11July.pcap
(-x prints hex only; -X prints hex and ASCII side by side, and -XX also includes the link-level header.) Seeing the raw bytes comes in handy when you need to work out whether a field is in host or network byte order and convert between the two (or the other way round).

Read more about Big Endian to Little Endian conversion and vice-versa here
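To make the two halves of this tip concrete, here is a small pcap reader I added for this post; it is not the blog author's code, and tcpdump itself does none of this in Python. It builds a sample capture inline (constructed packets from an assumed source 10.0.0.5 to the post's 172.68.1.1, not real traffic), detects the file's byte order from the pcap magic number, applies the same filter as "dst host 172.68.1.1 and (dst port 80 or dst port 8080)" to the decoded headers, and renders the matching frame in the tcpdump -X hex/ASCII layout. The point about byte order is visible in the code: pcap file and record headers are written in the capturing host's order, while the IP/TCP fields inside each packet are always network (big-endian) order.

```python
import socket
import struct

ETHERTYPE_IPV4 = 0x0800
PROTO_TCP, PROTO_UDP = 6, 17


def build_packet(src_ip, dst_ip, proto, sport, dport, payload):
    """Construct an Ethernet/IPv4/{TCP,UDP} frame. Header fields use '!' (network
    byte order) exactly as they appear on the wire. Checksums are left zero:
    this is constructed sample data for parsing, not for transmission."""
    if proto == PROTO_TCP:   # sport, dport, seq, ack, data offset 5 words, PSH|ACK
        l4 = struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, 0x18, 65535, 0, 0)
    else:                    # sport, dport, length, checksum
        l4 = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0)
    total_len = 20 + len(l4) + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 1, 0, 64, proto, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") \
        + struct.pack("!H", ETHERTYPE_IPV4)
    return eth + ip + l4 + payload


def build_pcap(frames, little_endian=True):
    """Construct a pcap file. The global and per-record headers are in the
    capturing host's byte order (little-endian on x86); packet contents are not."""
    e = "<" if little_endian else ">"
    out = struct.pack(e + "IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)  # linktype 1 = Ethernet
    for i, frame in enumerate(frames):
        out += struct.pack(e + "IIII", 1502496000 + i, 0, len(frame), len(frame)) + frame
    return out


def read_pcap(data):
    """Yield (ts_sec, frame) records, detecting byte order from the magic number
    the way libpcap does (0xa1b23c4d / 0x4d3cb2a1 are the nanosecond variants)."""
    magic = struct.unpack(">I", data[:4])[0]
    if magic in (0xA1B2C3D4, 0xA1B23C4D):
        e = ">"
    elif magic in (0xD4C3B2A1, 0x4D3CB2A1):
        e = "<"
    else:
        raise ValueError("not a pcap file: magic %08x" % magic)
    off = 24
    while off + 16 <= len(data):
        ts_sec, _ts_frac, incl_len, _orig_len = struct.unpack(e + "IIII", data[off:off + 16])
        off += 16
        yield ts_sec, data[off:off + incl_len]
        off += incl_len


def parse_frame(frame):
    """Decode Ethernet/IPv4/TCP|UDP headers; None for anything else."""
    if len(frame) < 34 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV4:
        return None
    ihl = (frame[14] & 0x0F) * 4
    proto = frame[23]
    src, dst = socket.inet_ntoa(frame[26:30]), socket.inet_ntoa(frame[30:34])
    l4 = frame[14 + ihl:]
    if proto not in (PROTO_TCP, PROTO_UDP) or len(l4) < (20 if proto == PROTO_TCP else 8):
        return None
    sport, dport = struct.unpack("!HH", l4[:4])
    hdr_len = (l4[12] >> 4) * 4 if proto == PROTO_TCP else 8
    return {"src": src, "dst": dst, "proto": proto, "sport": sport, "dport": dport,
            "payload": l4[hdr_len:]}


def matches(pkt, dst_host, dst_ports):
    """Equivalent of 'dst host <dst_host> and (dst port <p1> or dst port <p2> ...)'."""
    return pkt is not None and pkt["dst"] == dst_host and pkt["dport"] in dst_ports


def filtered_payloads(pcap_bytes, dst_host="172.68.1.1", dst_ports=(80, 8080)):
    """Payloads of the frames in the file that pass the filter."""
    return [parse_frame(f)["payload"] for _, f in read_pcap(pcap_bytes)
            if matches(parse_frame(f), dst_host, dst_ports)]


def hexdump(data):
    """Render bytes in the 'tcpdump -X' style: offset, 16 bytes as hex pairs, ASCII."""
    lines = []
    for off in range(0, len(data), 16):
        chunk = data[off:off + 16]
        hexpart = " ".join(chunk[i:i + 2].hex() for i in range(0, len(chunk), 2))
        text = "".join(chr(b) if 32 <= b < 127 else "." for b in chunk)
        lines.append("0x%04x:  %-39s  %s" % (off, hexpart, text))
    return "\n".join(lines)


# Constructed sample traffic: one HTTP request that passes the filter, one UDP
# packet to the right host but the wrong port, one TCP packet to another host.
SAMPLE_FRAMES = [
    build_packet("10.0.0.5", "172.68.1.1", PROTO_TCP, 51234, 80, b"GET / HTTP/1.1\r\n"),
    build_packet("10.0.0.5", "172.68.1.1", PROTO_UDP, 51235, 5353, b"not web traffic"),
    build_packet("10.0.0.5", "172.68.1.2", PROTO_TCP, 51236, 8080, b"other host"),
]

if __name__ == "__main__":
    for le in (True, False):   # same packets, file written by a little- and a big-endian host
        print("file byte order:", "little" if le else "big",
              "matches:", len(filtered_payloads(build_pcap(SAMPLE_FRAMES, le))))
    for ts, frame in read_pcap(build_pcap(SAMPLE_FRAMES)):
        pkt = parse_frame(frame)
        if matches(pkt, "172.68.1.1", (80, 8080)):
            print("%d IP %s.%d > %s.%d" % (ts, pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"]))
            print(hexdump(frame))
```

The reader finds the same single HTTP request whether the capture was written by a little-endian or a big-endian host, because only the pcap headers change; the IP addresses and ports are unpacked with "!" either way. The hexdump output is what you would scan by eye with tcpdump -X to confirm that, for example, a 2-byte port field reads 0050 (80) on the wire.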
