Questions tagged [tcpdump]

tcpdump is a common command-line packet analyzer; its capture filters are written in the BPF (Berkeley Packet Filter) filter language

tcpdump is a common packet analyzer that runs under the command line. It allows the user to intercept and display TCP/IP and other packets being transmitted or received over a network to which the computer is attached. tcpdump relies on the underlying libpcap packet capture library.

1045 questions
6 votes, 0 answers

How to replay encrypted traffic with libopenssl?

We have an HTTP client based on libuv and libopenssl for TLS, written in C++, with its own TCP wrapper around libuv and HTTP parser. Usually it just works and our servers make millions of successful HTTPS requests to social networks with it. And…
6 votes, 0 answers

How to debug the reason for unclosed CLOSE_WAIT connections? (tcpdump etc.)

We have a Java application and Nginx as a reverse proxy installed on the same host. Periodically, we get CLOSE_WAIT connections hanging for a long time: $ ss -n4t | head State Recv-Q Send-Q Local Address:Port Peer Address:Port CLOSE-WAIT 1 0 …
6 votes, 2 answers

Debian 7.11 - How to capture all received and sent SMPP packets on some ports

I'm using the following command for capturing incoming and outgoing TCP packets by port: tcpdump -i any -s 0 -vvv -A port 3727 or port 5016 or port 3724 -w /home/admin/dump1.cap But tcpdump captures only incoming packets; I need incoming and outgoing…
SBotirov
6 votes, 1 answer

What's the meaning of "ecr" option in tcpdump?

19:25:47.629351 IP 2.2.2.2.80 > 1.1.1.1.31889: Flags [.], seq 2372487272:2372492544, ack 2808407165, win 122, options [nop,nop,TS val 911640439 ecr 235835291], length 5272 19:25:47.631626 IP 1.1.1.1.31889 > 2.2.2.2.80: Flags [.], ack 2372480682, win…
Dan
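The "ecr" in that trace is the TCP Timestamp option's echo-reply field (RFC 7323): every segment carries "TS val", the sender's own timestamp clock, and "ecr", the most recent TS val it has received from the peer. tcpdump's "[nop,nop,TS val … ecr …]" is a literal rendering of the 12 option bytes on the wire (two NOPs for alignment, then kind 8, length 10, and two 32-bit values). The following Python is an added example, not code from the question or from tcpdump: it decodes the option list and shows the one thing the echoed value is for, a per-segment RTT sample. The client-side option values and the exact ACK timing are assumptions, since the quoted trace is cut off.

```python
import struct

TCPOPT_EOL, TCPOPT_NOP, TCPOPT_TIMESTAMP = 0, 1, 8


def parse_tcp_options(opts: bytes) -> dict:
    """Walk a TCP option list (kind, length, data...).

    The Timestamp option (kind 8) is decoded to a (TSval, TSecr) tuple under
    the key "timestamp"; other options are kept raw under their numeric kind.
    Malformed lengths raise instead of being skipped: a silently mis-parsed
    option list is exactly how PAWS/RTTM logic gets fed garbage.
    """
    out = {}
    i = 0
    while i < len(opts):
        kind = opts[i]
        if kind == TCPOPT_EOL:
            break
        if kind == TCPOPT_NOP:                 # the two "nop" tcpdump prints
            i += 1
            continue
        if i + 1 >= len(opts):
            raise ValueError("option kind %d has no length byte" % kind)
        length = opts[i + 1]
        if length < 2 or i + length > len(opts):
            raise ValueError("option kind %d has bad length %d" % (kind, length))
        data = opts[i + 2:i + length]
        if kind == TCPOPT_TIMESTAMP:
            if length != 10:
                raise ValueError("Timestamp option must be 10 bytes, got %d" % length)
            out["timestamp"] = struct.unpack("!II", data)   # (TS val, TS ecr)
        else:
            out[kind] = data
        i += length
    return out


def build_ts_option(tsval: int, tsecr: int) -> bytes:
    """nop,nop,TS: the usual 12-byte, 4-aligned layout seen in data segments."""
    return bytes([TCPOPT_NOP, TCPOPT_NOP, TCPOPT_TIMESTAMP, 10]) + struct.pack("!II", tsval, tsecr)


class RttFromTimestamps:
    """Per-segment RTT measurement the way RFC 7323 RTTM does it.

    Each segment we send is remembered by its TS val; when a segment arrives
    whose TS ecr matches one of them, the gap between the two capture times
    is one RTT sample.  Every transmission gets a fresh TS val, so a
    retransmission can never be confused with the original (Karn's
    ambiguity), which is the main reason the option exists.
    """

    def __init__(self):
        self._in_flight = {}                   # tsval -> send time (microseconds)

    def sent(self, tsval: int, t_us: int) -> None:
        self._in_flight.setdefault(tsval, t_us)

    def received(self, tsecr: int, t_us: int):
        t0 = self._in_flight.pop(tsecr, None)
        return None if t0 is None else t_us - t0


def demo_rtt_sample() -> int:
    """Constructed exchange built on the two lines quoted in the question.

    The server (2.2.2.2:80) sends data with TS val 911640439 at 19:25:47.629351;
    the client's ACK 2.275 ms later is assumed to carry TS ecr 911640439 (the
    quoted trace is cut off).  Times are microseconds within the minute so the
    arithmetic stays exact.
    """
    est = RttFromTimestamps()
    server_opts = build_ts_option(911640439, 235835291)
    tsval, _ = parse_tcp_options(server_opts)["timestamp"]
    est.sent(tsval, 47_629_351)
    client_opts = build_ts_option(235835293, 911640439)   # assumed client values
    _, tsecr = parse_tcp_options(client_opts)["timestamp"]
    return est.received(tsecr, 47_631_626)                # -> 2275 (microseconds)
```

The kernel does the same bookkeeping for RTT estimation and for PAWS (rejecting old segments whose TS val went backwards); when you see "ecr 0" in a capture it usually means the peer has not yet received a segment with a timestamp from this side, which is normal on a SYN.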
6 votes, 1 answer

Any easy way to monitor HTTP gzipped traffic on a live running Linux system?

I'm running "sudo tcpdump -s 0 -A port 80" on my Linux system to monitor HTTP traffic. This works, but all of the traffic is gzipped. Is there any easy way to un-compress this on the fly so I can watch the traffic in real-time?
SeanLabs
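tcpdump -A prints the bytes as they are, so a gzip body shows up as binary. The decoding step that has to happen is: reassemble the response, split headers from body, undo chunked transfer encoding if present, then inflate according to Content-Encoding. The Python below is an added example written for this page, not code from the question or from tcpdump; it works on an already-reassembled response (tcpdump itself does not reassemble TCP streams, so for live use it would sit behind something that does). The sample response is constructed inline. One caveat a practitioner wants when inflating untrusted traffic is a cap on the decompressed size, so a small compressed blob cannot inflate into gigabytes; the code enforces one.

```python
import gzip
import zlib

MAX_BODY = 10 * 1024 * 1024     # refuse to inflate past this (gzip-bomb guard)


def _inflate(data: bytes, wbits: int, limit: int) -> bytes:
    """Decompress with a hard output cap; decompressobj stops at max_length."""
    d = zlib.decompressobj(wbits)
    out = d.decompress(data, limit)
    if d.unconsumed_tail or not d.eof:
        raise ValueError("compressed body is truncated or inflates past %d bytes" % limit)
    return out


def _dechunk(body: bytes) -> bytes:
    """Reassemble a Transfer-Encoding: chunked body (hex size line, optional ';ext')."""
    out = bytearray()
    i = 0
    while True:
        j = body.index(b"\r\n", i)
        size = int(body[i:j].split(b";")[0], 16)
        if size == 0:
            return bytes(out)
        i = j + 2
        chunk = body[i:i + size]
        if len(chunk) != size:
            raise ValueError("truncated chunk")
        out += chunk
        i += size + 2                       # skip the chunk's trailing CRLF


def decode_http_response(raw: bytes, limit: int = MAX_BODY):
    """Return (status_line, headers, body) with the body as a browser would see it."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("no end-of-headers found; reassemble the whole response first")
    lines = head.split(b"\r\n")
    status = lines[0].decode("latin-1")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower().decode("latin-1")] = value.strip().decode("latin-1")
    if "chunked" in headers.get("transfer-encoding", "").lower():
        body = _dechunk(body)
    elif "content-length" in headers:
        body = body[:int(headers["content-length"])]
    enc = headers.get("content-encoding", "").lower()
    if enc in ("gzip", "x-gzip"):
        body = _inflate(body, 16 + zlib.MAX_WBITS, limit)          # gzip framing
    elif enc == "deflate":
        try:
            body = _inflate(body, zlib.MAX_WBITS, limit)           # zlib-wrapped, per the RFC
        except zlib.error:
            body = _inflate(body, -zlib.MAX_WBITS, limit)          # raw deflate, what some servers send
    return status, headers, body


def make_sample_response(text: bytes, chunked: bool = False) -> bytes:
    """Constructed HTTP/1.1 response with a gzip body (not taken from any real capture)."""
    payload = gzip.compress(text)
    headers = [b"HTTP/1.1 200 OK", b"Content-Type: text/html", b"Content-Encoding: gzip"]
    if chunked:
        headers.append(b"Transfer-Encoding: chunked")
        body = b"%x\r\n%s\r\n0\r\n\r\n" % (len(payload), payload)
    else:
        headers.append(b"Content-Length: %d" % len(payload))
        body = payload
    return b"\r\n".join(headers) + b"\r\n\r\n" + body
```

Passing `limit` smaller than the inflated size makes `decode_http_response` raise instead of allocating; that is the behaviour you want from anything that inflates bodies it did not ask for.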
6 votes, 1 answer

Converting NFLOG pcap to Ethernet pcap

I need to sniff traffic for particular linux users (UIDs). I'm doing it with iptables/NFLOG (http://wiki.wireshark.org/CaptureSetup/NFLOG) which works great. My problem is that NFLOG changes pcap encapsulation to "NFLOG" (from "Ethernet") and some…
Lukasz Kujawa
6 votes, 3 answers

Tcpdump trace on android - could not load library "libssl.so" needed by "/system/bin/tcpdump"

I need to do a tcpdump trace on my Android devices. My setup: Push tcpdump file to sdcard adb push filepath/tcpdump /sdcard/tcpdump Copy file to /system/bin Give root privileges to tcpdump file adb shell cd /system/bin su chmod 777 tcpdump Install…
KnightWhoSayNi
6 votes, 3 answers

pcap files and endianness

Running the file command against a pcap file will print out something along the lines of - $ file pcap.pcap pcap.pcap: tcpdump capture file (little-endian) - version 2.4 .... I've been looking for a way to create a big-endian capture file, or…
RyPeck
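What file(1) reports there comes from the first four bytes of the capture: the pcap magic 0xA1B2C3D4 (or 0xA1B23C4D for nanosecond timestamps) written in the byte order of the machine that produced the file, so a little-endian writer leaves d4 c3 b2 a1 on disk. Every other header field is in that same order; libpcap and tcpdump detect it from the magic and read either kind, so a conversion only matters for a consumer that handles one order. The Python below is an added example, not code from the question or from libpcap: it parses a classic pcap, resolving the byte order from the magic exactly as file(1) does, and rewrites the same records in the other order. The sample capture is constructed inline.

```python
import struct

MAGIC_USEC = 0xA1B2C3D4          # timestamps in microseconds (what tcpdump writes by default)
MAGIC_NSEC = 0xA1B23C4D          # timestamps in nanoseconds
GLOBAL_HDR = "IHHiIII"           # magic, major, minor, thiszone, sigfigs, snaplen, linktype (24 bytes)
RECORD_HDR = "IIII"              # ts_sec, ts_frac, incl_len, orig_len (16 bytes)


def detect_byte_order(magic: bytes):
    """Resolve the writer's byte order from the 4-byte magic, as file(1) does.

    Returns (struct prefix, nanosecond flag).  Trying both orders tells us in
    which order the rest of the header and every record header must be read.
    """
    for prefix in ("<", ">"):
        value = struct.unpack(prefix + "I", magic)[0]
        if value == MAGIC_USEC:
            return prefix, False
        if value == MAGIC_NSEC:
            return prefix, True
    raise ValueError("not a classic pcap file (magic %s)" % magic.hex())


def read_pcap(data: bytes) -> dict:
    """Parse a whole pcap into a dict; byte order is resolved once, from the magic."""
    if len(data) < 24:
        raise ValueError("file shorter than the 24-byte global header")
    prefix, nsec = detect_byte_order(data[:4])
    _, major, minor, thiszone, sigfigs, snaplen, linktype = struct.unpack(prefix + GLOBAL_HDR, data[:24])
    records = []
    off = 24
    while off < len(data):
        if off + 16 > len(data):
            raise ValueError("truncated record header at offset %d" % off)
        ts_sec, ts_frac, incl_len, orig_len = struct.unpack(prefix + RECORD_HDR, data[off:off + 16])
        off += 16
        if off + incl_len > len(data):           # bounds check before slicing, never trust incl_len
            raise ValueError("record at offset %d runs past end of file" % (off - 16))
        records.append((ts_sec, ts_frac, orig_len, data[off:off + incl_len]))
        off += incl_len
    return {"byte_order": "big" if prefix == ">" else "little", "nanosecond": nsec,
            "version": (major, minor), "thiszone": thiszone, "sigfigs": sigfigs,
            "snaplen": snaplen, "linktype": linktype, "records": records}


def write_pcap(pcap: dict, big_endian: bool) -> bytes:
    """Serialise in the requested byte order; timestamps and payloads are untouched."""
    prefix = ">" if big_endian else "<"
    magic = MAGIC_NSEC if pcap["nanosecond"] else MAGIC_USEC
    out = bytearray(struct.pack(prefix + GLOBAL_HDR, magic, pcap["version"][0], pcap["version"][1],
                                pcap["thiszone"], pcap["sigfigs"], pcap["snaplen"], pcap["linktype"]))
    for ts_sec, ts_frac, orig_len, payload in pcap["records"]:
        out += struct.pack(prefix + RECORD_HDR, ts_sec, ts_frac, len(payload), orig_len)
        out += payload
    return bytes(out)


def make_sample_little_endian_pcap() -> bytes:
    """Constructed two-record, little-endian, Ethernet (linktype 1) capture; not from the question."""
    frames = [bytes.fromhex("ffffffffffff00112233445508060001"), bytes(14) + b"payload"]
    recs = [(1500000000, 123456, len(f), f) for f in frames]
    return write_pcap({"nanosecond": False, "version": (2, 4), "thiszone": 0, "sigfigs": 0,
                       "snaplen": 262144, "linktype": 1, "records": recs}, big_endian=False)
```

`write_pcap(read_pcap(open(path, "rb").read()), big_endian=True)` is the whole conversion; running `file` on the result then reports big-endian. The bounds check on `incl_len` is there because a capture you did not produce is untrusted input to whatever parses it.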
6 votes, 1 answer

Skip the IP headers with tcpdump

I'm using tcpdump to debug an SSDP service. $ sudo tcpdump -Aq udp port 1900 When printing the UDP packets, I'm getting a lot of gibberish before the HTTP headers I presume to be the IP and UDP headers. How do I suppress printing these, and just…
Matt Joiner
5 votes, 2 answers

"Replay" tcpdump file

I am writing a program for analyzing certain type of packets. I got the dump file containing test packets in tcpdump format. Is there any way to send this dump into one of the interfaces? I thought tcpdump would be able to do this on its own…
Blackie123
5 votes, 2 answers

RTT calculation using tcptrace

For the below attached tcptrace output (this is taken from the site http://tcptrace.org/manual/index.html under RTT stats) 1 arg remaining, starting with 'indica.dmp.gz' Ostermann's tcptrace -- version 6.4.5 -- Fri Jun 13, 2003 153 packets seen,…
noob
5 votes, 0 answers

Replaying pcap on loopback

I have a set of pcap files containing UDP traffic from two hosts, and have to perform some analysis on this traffic on a regular basis. Ideally, I would want to avoid having to frequently setup local interfaces with specific IPs and such to replay…
NewbiZ
5 votes, 1 answer

TCP Server sends [ACK] followed by [PSH,ACK]

I am working on a high-performance TCP server, and I see the server not processing fast enough on and off when I pump high traffic using a TCP client. Upon close inspection, I see spikes in "delta time" on the TCP server. And, I see the server…
user2548514
5 votes, 3 answers

How to live-decrypt WPA/WPA2-PSK using tcpdump?

Here is my problem: If I am connected to a network (so I know the WPA/WPA2-PSK), I'd like to be able to decrypt the traffic I capture from other devices in the network. (If WEP is used, tcpdump does this automatically). As far as I know, WPA uses…
koch.trier
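Knowing the PSK is not the whole story for WPA/WPA2-Personal. The passphrase and SSID give the PMK (PBKDF2-HMAC-SHA1, 4096 rounds), which is the same for every station. The key that actually encrypts a station's frames, the PTK, is then derived from the PMK plus both MAC addresses and the two random nonces exchanged in that station's 4-way handshake, so it is unique per association and cannot be computed from the PSK alone; you must also capture that station's EAPOL handshake (Wireshark's 802.11 decryption needs exactly this). The Python below is an added example written for this page, not code from the question or from tcpdump; it carries the derivation through with the constructions from IEEE 802.11. The PMK test value is the published "password"/"IEEE" vector; the MAC addresses and nonces are constructed.

```python
import hashlib
import hmac


def wpa_pmk(passphrase: str, ssid: bytes) -> bytes:
    """PSK networks: PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 rounds, 32 bytes).

    The spec restricts passphrases to 8..63 printable ASCII characters; UTF-8
    is used here so a non-ASCII passphrase is hashed rather than rejected.
    """
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("utf-8"), ssid, 4096, 32)


def prf_80211(key: bytes, label: bytes, data: bytes, nbytes: int) -> bytes:
    """802.11 PRF-n: concatenate HMAC-SHA1(key, label || 0x00 || data || i) for i = 0, 1, ... and truncate."""
    out = b""
    counter = 0
    while len(out) < nbytes:
        out += hmac.new(key, label + b"\x00" + data + bytes([counter]), hashlib.sha1).digest()
        counter += 1
    return out[:nbytes]


def wpa_ptk(pmk: bytes, ap_mac: bytes, sta_mac: bytes, anonce: bytes, snonce: bytes) -> dict:
    """PTK from the 4-way handshake inputs: both MACs and both nonces, each pair sorted.

    Sorting makes the result independent of which side is called "AP" here,
    which is why a capture of either direction of the handshake suffices.
    PRF-512 is computed; CCMP uses the first 48 bytes (KCK, KEK, TK), TKIP
    additionally uses the last 16 as its MIC keys.
    """
    for mac in (ap_mac, sta_mac):
        if len(mac) != 6:
            raise ValueError("MAC address must be 6 bytes")
    for nonce in (anonce, snonce):
        if len(nonce) != 32:
            raise ValueError("nonce must be 32 bytes")
    data = (min(ap_mac, sta_mac) + max(ap_mac, sta_mac)
            + min(anonce, snonce) + max(anonce, snonce))
    ptk = prf_80211(pmk, b"Pairwise key expansion", data, 64)
    return {"kck": ptk[:16], "kek": ptk[16:32], "tk": ptk[32:48], "tkip_mic": ptk[48:64]}


def demo_fresh_nonce_changes_tk() -> bool:
    """Constructed association: same PSK and stations, a new SNonce gives a different TK."""
    pmk = wpa_pmk("password", b"IEEE")                       # constructed network
    ap, sta = bytes.fromhex("001122334455"), bytes.fromhex("66778899aabb")   # constructed MACs
    anonce, snonce_1, snonce_2 = bytes(range(32)), bytes(range(32, 64)), bytes(range(64, 96))
    tk_1 = wpa_ptk(pmk, ap, sta, anonce, snonce_1)["tk"]
    tk_2 = wpa_ptk(pmk, ap, sta, anonce, snonce_2)["tk"]
    return tk_1 != tk_2
```

This is also why the 4096-round PBKDF2 is the expensive part of offline PSK cracking: an attacker with a captured handshake tries passphrases through `wpa_pmk`, derives the PTK, and checks the KCK against the EAPOL MIC in message 2; the per-station PTK step is cheap by comparison.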
5 votes, 0 answers

scapy sniff using remote host's interface

I want to sniff some packets using scapy, but not from the interface of my own host; I want to sniff from a remote host (e.g. 192.168.1.x) and its interface. Is this possible with python and scapy and/or paramiko tunnel with…
yananet