Tuesday, September 02, 2014:
tcpdump prints out a description of the contents of packets on a network interface that match the expression given on the command line. It can also be run with the -w flag, which saves the packet data to a file for later analysis.
With the -r flag it reads from a saved packet file rather than from a network interface. tcpdump keeps capturing packets until it is interrupted by a SIGINT or SIGTERM signal. If run with the -c flag, it captures packets until it is interrupted by one of those signals or until the specified number of packets has been processed.
When tcpdump finishes capturing packets, it reports counts of packets ‘captured’, packets ‘received by filter’ and packets ‘dropped by kernel’. On platforms that support the SIGINFO signal it reports these counts when it receives that signal and then continues capturing. Reading packets from a network interface may require special privileges, but reading a saved packet file does not.
Here are the options:
1. You can print each packet in ASCII, which is handy for capturing web pages.
2. You can print the AS number in BGP packets in ASDOT notation rather than ASPLAIN notation. You can also set the operating system capture buffer size to buffer_size.
3. Exit after receiving count packets. Before writing a raw packet to a savefile, check whether the file is larger than file_size; if so, close the savefile and open a new one.
4. Dump the compiled packet-matching code in a human-readable form to standard output and stop. The packet-matching code can also be dumped as a C program fragment, or as decimal numbers. You can also print the list of network interfaces available on the system on which tcpdump can capture packets, which is useful on systems that have no command to list them.
5. Print the link-level header on each dump line. You can also use spi@ipaddr algo:secret for decrypting IPsec ESP packets; this combination may be repeated, separated by commas or newlines.
6. Print ‘foreign’ IPv4 addresses numerically rather than symbolically. The test for a ‘foreign’ IPv4 address uses the IPv4 address and netmask of the interface on which capturing is being done.
7. Rotate the dump file specified with the -w option; savefiles will have the name given by -w, which should include a time format as defined by strftime.
8. Print the tcpdump and libpcap version strings, print a usage message, and exit.
9. Listen on the interface. If unspecified, tcpdump searches the system interface list for the lowest-numbered, configured-up interface (excluding loopback). The interface can be put into ‘monitor mode’; this is supported only on IEEE 802.11 Wi-Fi interfaces, and only on some operating systems.
10. Set the time stamp type for the capture to tstamp_type.
11. List the supported time stamp types for the interface and exit.
12. Make stdout line-buffered. This is useful if you want to see the data while capturing it, for example tcpdump -l | tee dat or tcpdump -l > dat & tail -f dat
13. List the known data link types for the interface, in the specified mode, and exit.
14. Don’t convert addresses (i.e., host addresses, port numbers, etc.) to names, and don’t print domain name qualification of host names.
15. Don’t run the packet-matching code optimizer. This is useful only if you suspect a bug in the optimizer.
16. Don’t put the interface into promiscuous mode.
17. Quick/quiet output: print less protocol information so output lines are shorter.
18. Assume ESP/AH packets are based on the old specifications (RFC 1825 to RFC 1829). Packets can be read from file (which was created with the -w option); standard input is used if file is “-”.
19. Print absolute, rather than relative, TCP sequence numbers.
20. Force packets selected by “expression” to be interpreted as the specified type. You can also omit the timestamp on each dump line, print an unformatted timestamp on each dump line, or print a delta (microsecond resolution) between the current and previous line on each dump line.
21. Print undecoded NFS handles. If the -w option is not specified, make the printed packet output ‘packet-buffered’.
22. When parsing and printing, produce (slightly more) verbose output.
23. Write the raw packets to file rather than parsing and printing them out.
24. When parsing and printing, print the data of each packet (minus its link-level header) in hex and ASCII. The smaller of the entire packet or snaplen bytes will be printed.
25. Set the data link type to use while capturing packets to datalinktype.
26. Used in conjunction with the -C or -G options, this makes tcpdump run “command file”, where file is the savefile being closed after each rotation. If tcpdump is running as root, it can change the user ID to user and the group ID to the primary group of user; this behaviour can also be enabled by default at compile time.
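The following Python is an added example, not code from Computer Hope or the tcpdump project. It covers the savefile workflow from the introduction (the file that -w writes and -r reads), the ‘foreign address’ test from item 6, the numeric output from item 14 and the snaplen truncation mentioned in item 24: it writes constructed Ethernet/IPv4/UDP frames into a pcap-format savefile, reads them back, and renders each record as a numeric dump line. The frames, timestamps, snaplen and the capture interface address and netmask (10.0.0.5/255.255.255.0) are all constructed sample values, and the reader bounds the length fields it finds in the file before slicing, which is the check a decoder of untrusted captures needs.

```python
import ipaddress
import struct
import time

# Layout of the savefile that "tcpdump -w" writes and "tcpdump -r" reads (libpcap format).
PCAP_MAGIC = 0xA1B2C3D4                   # native byte order, microsecond timestamps
LINKTYPE_ETHERNET = 1
GLOBAL_HDR = struct.Struct("<IHHiIII")    # magic, major, minor, thiszone, sigfigs, snaplen, linktype
PACKET_HDR = struct.Struct("<IIII")       # ts_sec, ts_usec, incl_len (captured), orig_len (on the wire)

# Assumed capture interface (constructed values, not from the article).
IFACE_ADDR = "10.0.0.5"
IFACE_MASK = "255.255.255.0"


def ipv4_checksum(header):
    """RFC 791 one's-complement checksum over an IPv4 header whose checksum field is zero."""
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_udp_frame(src_ip, dst_ip, sport, dport, payload):
    """Construct an Ethernet/IPv4/UDP frame (sample data, not a real capture)."""
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload   # UDP checksum 0 = absent
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                         ipaddress.IPv4Address(src_ip).packed, ipaddress.IPv4Address(dst_ip).packed)
    ip_hdr = ip_hdr[:10] + struct.pack("!H", ipv4_checksum(ip_hdr)) + ip_hdr[12:]
    eth_hdr = bytes(6) + bytes(6) + b"\x08\x00"   # dst MAC, src MAC (zeroed placeholders), EtherType IPv4
    return eth_hdr + ip_hdr + udp


# Constructed sample records: (ts_sec, ts_usec, frame). 1409652000 is 2014-09-02 10:00:00 UTC.
SAMPLE_FRAMES = [
    (1409652000, 123456, build_udp_frame("10.0.0.5", "8.8.8.8", 53123, 53, b"example-query")),
    (1409652001, 7, build_udp_frame("10.0.0.7", "10.0.0.5", 5000, 161, b"local")),
]


def write_pcap(records, snaplen=262144):
    """Serialise records the way -w does: each frame is cut to snaplen, orig_len keeps the wire size."""
    out = GLOBAL_HDR.pack(PCAP_MAGIC, 2, 4, 0, 0, snaplen, LINKTYPE_ETHERNET)
    for sec, usec, frame in records:
        captured = frame[:snaplen]
        out += PACKET_HDR.pack(sec, usec, len(captured), len(frame)) + captured
    return out


def read_pcap(blob):
    """Parse a savefile as -r does; yields (ts_sec, ts_usec, orig_len, captured_bytes)."""
    magic, _, _, _, _, snaplen, linktype = GLOBAL_HDR.unpack_from(blob, 0)
    if magic != PCAP_MAGIC:
        raise ValueError("not a native-order microsecond pcap file")
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError("this example only decodes Ethernet link-level headers")
    offset = GLOBAL_HDR.size
    while offset + PACKET_HDR.size <= len(blob):
        sec, usec, incl_len, orig_len = PACKET_HDR.unpack_from(blob, offset)
        offset += PACKET_HDR.size
        # Length fields come from the file: bound them before slicing rather than trusting them.
        if incl_len > snaplen or incl_len > orig_len or offset + incl_len > len(blob):
            raise ValueError("corrupt or truncated packet record at offset %d" % offset)
        yield sec, usec, orig_len, blob[offset:offset + incl_len]
        offset += incl_len


def is_foreign(addr, iface_addr=IFACE_ADDR, netmask=IFACE_MASK):
    """The -f test: an address is 'foreign' when it lies outside the capture interface's subnet."""
    return ipaddress.IPv4Address(addr) not in ipaddress.IPv4Network(iface_addr + "/" + netmask, strict=False)


def describe(sec, usec, orig_len, data):
    """Render one numeric (-n style) dump line for an Ethernet/IPv4/UDP record."""
    clock = time.strftime("%H:%M:%S", time.gmtime(sec))
    if len(data) < 14 + 20 + 8:
        return "%s.%06d [truncated to %d bytes, %d on the wire]" % (clock, usec, len(data), orig_len)
    ethertype = struct.unpack_from("!H", data, 12)[0]
    if ethertype != 0x0800:
        return "%s.%06d ethertype 0x%04x, length %d" % (clock, usec, ethertype, orig_len)
    ihl = (data[14] & 0x0F) * 4
    proto = data[23]
    src, dst = ipaddress.IPv4Address(data[26:30]), ipaddress.IPv4Address(data[30:34])
    if proto != 17 or len(data) < 14 + ihl + 8:
        return "%s.%06d IP %s > %s: proto %d, length %d" % (clock, usec, src, dst, proto, orig_len)
    sport, dport, ulen = struct.unpack_from("!HHH", data, 14 + ihl)
    flag = " [foreign dst]" if is_foreign(str(dst)) else ""
    return "%s.%06d IP %s.%d > %s.%d: UDP, length %d%s" % (clock, usec, src, sport, dst, dport, ulen - 8, flag)


def dump_lines(blob):
    """Equivalent of 'tcpdump -n -r file': one rendered line per record in the savefile."""
    return [describe(*rec) for rec in read_pcap(blob)]


if __name__ == "__main__":
    for line in dump_lines(write_pcap(SAMPLE_FRAMES)):
        print(line)
```

Running the block prints one line per sample record; passing a small snaplen to write_pcap shows why item 24 says only the smaller of the packet and snaplen bytes is available for printing, and a record whose incl_len exceeds the file or the snaplen is rejected rather than sliced.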
Courtesy: Computer Hope
Sanchari Banerjee, EFYTIMES News Network