Questions tagged [tcpdump]

tcpdump is a common packet analyzer that runs under the command line, using the BPF (Berkeley Packet Filter) language for capture filters.

tcpdump is a common packet analyzer that runs under the command line. It allows the user to intercept and display TCP/IP and other packets being transmitted or received over a network to which the computer is attached. tcpdump relies on the underlying libpcap packet capture library.

1045 questions
9 votes, 2 answers
How to escape a systemd specifier to pass to the command in ExecStart
I've written the following systemd service tcpdumpd.service to kick off a persistent tcpdump recording: [Unit] Description=TCPDumpd After=multi-user.target network.target [Service] Type=simple ExecStart=/usr/sbin/tcpdump -pni eth0 -s65535 -G 3600…
asked by Ben Sooter (reputation 317; badges: 1 gold, 3 silver, 11 bronze)
9 votes, 3 answers
In tools like tcpdump, when exactly are the network packets captured?
One of the tools I am using uses encryption/decryption to send out data over the network. I am modifying the tool and I need to be sure that the data is actually being sent in an encrypted form. Are Wireshark and tcpdump the right tools for the…
asked by Moeb (reputation 10,527; badges: 31 gold, 84 silver, 110 bronze)
9 votes, 3 answers
Use tshark to view JSON data
When I use tshark to decode a capture file like this: tshark -V -r test.cap -Y 'http>0' I get ... JavaScript Object Notation: application/json Object Member Key: "ret" Number value: 99 Member Key: "message" …
asked by Tony (reputation 243; badges: 2 gold, 5 silver, 9 bronze)
9 votes, 2 answers
How to see outgoing ESP packets in tcpdump before they get encrypted
I have a setup with an IPsec tunnel between two end systems. When I capture packets on the outgoing interface, e.g. eth0, I can only see encrypted ESP packets going out of my system. I have to go and look at the receiving end to see what was actually…
asked by user3336687 (reputation 91; badges: 1 gold, 1 silver, 2 bronze)
9 votes, 3 answers
tcpdump to only print URLs
Is there a way to do tcpdump -i lo -A and have it print all URLs, any connections made? I have done: sudo tcpdump -i lo -A | grep Host: which works great. But I was wondering if there are options to do the same in tcpdump. Finally, is there a way…
asked by Cripto (reputation 3,581; badges: 7 gold, 41 silver, 65 bronze)
8 votes, 3 answers
Stripping payload from a tcpdump?
Is there an automated way (either in tcpdump or via a helper app Out There) to generate a pcap file that contains only Ethernet, IP and Layer 4 (TCP in my case) headers, so that there is no payload/application data in the resulting pcap? I've found…
asked by caw (reputation 421; badges: 1 gold, 3 silver, 11 bronze)
8 votes, 2 answers
tcpdump vs tcpflow (or "why isn't tcpdump ASCII packet data human readable?")
I have used both, and I conclude that I can read HTML data from webpages with tcpflow but cannot do so with tcpdump. The best I get is some ugly ASCII text with lots of period symbols. My understanding is that tcpdump doesn't reassemble packets,…
asked by Sridhar Sarnobat (reputation 25,183; badges: 12 gold, 93 silver, 106 bronze)
8 votes, 4 answers
Extract unique IPs from live tcpdump capture
I am using the following command to output IPs from a live tcpdump capture: sudo tcpdump -nn -q ip -l | awk '{print $3; fflush(stdout)}' >> ips.txt I get the following output: 192.168.0.100.50771 192.168.0.100.50770 192.168.0.100.50759 Need 2…
asked by Carlos (reputation 135; badges: 1 gold, 1 silver, 8 bronze)
8 votes, 3 answers
curl shows no output in tcpdump
I'm attempting to diagnose a network issue with tcpdump. I run the command tcpdump -i eth0 -nS host nameless.host.io When I issue either traceroute or ping commands to hit nameless.host.io I see information from tcpdump, but when I use curl to…
asked by Paul Joireman (reputation 2,689; badges: 5 gold, 25 silver, 33 bronze)
8 votes, 1 answer
How to display all data using tcpdump?
I am capturing network traffic by using tcpdump. The problem is: I can't see all captured data when the package is too long. For example, when the TCP frame length is more than 500, I just see 100-200 or less. How to display all frame data (500+)? I…
asked by Dolphin (reputation 29,069; badges: 61 gold, 260 silver, 539 bronze)
8 votes, 2 answers
Wireshark and tcpdump -r: strange TCP window sizes
I'm capturing HTTP traffic with tcpdump and am interested in TCP slow start and how window sizes increase: $ sudo tcpdump -i eth1 -w wget++.tcpdump tcp and port 80 When I view the dump file with Wireshark the progression of window sizes looks…
asked by Robert S. Barnes (reputation 39,711; badges: 30 gold, 131 silver, 179 bronze)
8 votes, 1 answer
Is there any way to put Android Wi-Fi (Droid handset) into promiscuous monitoring mode?
For a Computer Science Information Warfare class a few years ago I wrote a Python script that ran on libpcap promiscuous packet capture files to parse out Facebook chat traffic (Erlang tuples passed in clear text), and thought an interesting…
asked by Hortinstein (reputation 2,667; badges: 1 gold, 22 silver, 22 bronze)
8 votes, 4 answers
tcpdump: Output only source and destination addresses
Problem description: I want to print only the source and destination address from a tcpdump[1]. Have one working solution, but believe it could be improved a lot. An example that captures 5 packets, just as an example of what I'm looking…
asked by Eigir (reputation 1,969; badges: 2 gold, 14 silver, 19 bronze)
8 votes, 1 answer
How Wireshark marks some packets as "TCP segment of a reassembled PDU"
I opened a pcap in Wireshark and it displays a lot of packets as "TCP segment of a reassembled PDU". How is Wireshark able to determine which TCP packets are segments of a reassembled PDU? I am not able to find any header field or anything else by…
8 votes, 3 answers
Why would TCP packets consistently fail to arrive at the server when the client happily sent them?
I've got a simple client server set up where it seems like TCP packets I'm sending from the client are not arriving at the server. Normally everything works fine, but when I spin up 50 threads on the client to hit the server "simultaneously" with…
asked by Russ (reputation 10,835; badges: 12 gold, 42 silver, 57 bronze)