The tcpdump command is also called a packet analyzer.
- The command in general:
# tcpdump -i eth0 -s 2000 host <IP of client PC> -w <file>.pcap
- Capital S means ‘Specific’, i.e. just traffic to and from the host you specify.
- Lowercase s sets the maximum size (snapshot length) of each captured packet; ‘0’ means no limit, i.e. capture the whole packet.
- Piping through tee (“| tee”) sends the output both to the file and to the console.
- tcpdump on a CPAM server does work; the path just isn’t set up, so call it with its full path: /usr/sbin/tcpdump
- capture packets from a specific port to the console and, via tee, to a file (tee saves tcpdump’s text output, not pcap format)
# tcpdump -i eth0 -n port 80 -l | tee tcp.pcap
- capture packets from specific port to a file
# tcpdump -i eth0 -n port 80 -s 0 -w tcp.pcap
- capture packets from specific host to a file
# tcpdump -i eth0 -S host xx.xx.xx.xx -s 0 -w tcp.pcap
- capture packets to port 80 but not from one host
# tcpdump -i eth0 -S port 80 and not host xx.xx.xx.xx -l | tee tcp.pcap
- capture packets to or from a host and write them to a UTC-timestamped file
# date +%T --utc | ( read -a line;/usr/sbin/tcpdump -i eth0 -s0 -w packet-$line.cap host 10.154.66.151 )
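The recipes above gathered into one reusable POSIX sh wrapper, as an added example that is not part of these notes: it keeps the full /usr/sbin/tcpdump path and eth0 from the notes, rejects unfilled placeholders such as xx.xx.xx.xx before tcpdump runs, and names the pcap with a full UTC date-time stamp; the function names (is_ipv4, capture_filter, capture_file, run_capture) are chosen here.

```shell
#!/bin/sh
# Added wrapper around the recipes in these notes; not part of the original page.
# Assumptions: tcpdump at /usr/sbin/tcpdump (the CPAM note above), capture
# interface eth0, POSIX sh with grep -E and date -u available.
TCPDUMP=/usr/sbin/tcpdump
IFACE=eth0

# is_ipv4 ADDR: succeed only for a dotted quad whose octets are all 0-255,
# so a placeholder like xx.xx.xx.xx never reaches tcpdump's filter parser.
is_ipv4() {
    echo "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
}
# is_port NUM: accept 1..65535 only.
is_port() {
    echo "$1" | grep -Eq '^[0-9]{1,5}$' && [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# capture_filter HOST [PORT] [EXCLUDE]: print the BPF filter for traffic to or
# from HOST, optionally limited to PORT and excluding EXCLUDE ("and not host").
# Exits 1 on any malformed value instead of handing it to tcpdump.
capture_filter() {
    is_ipv4 "$1" || { echo "bad host: $1" >&2; return 1; }
    filter="host $1"
    if [ -n "$2" ]; then
        is_port "$2" || { echo "bad port: $2" >&2; return 1; }
        filter="$filter and port $2"
    fi
    if [ -n "$3" ]; then
        is_ipv4 "$3" || { echo "bad exclude host: $3" >&2; return 1; }
        filter="$filter and not host $3"
    fi
    echo "$filter"
}
# capture_file HOST: UTC-stamped name such as packet-10.154.66.151-20240101T120000Z.pcap
capture_file() {
    echo "packet-$1-$(date -u +%Y%m%dT%H%M%SZ).pcap"
}

# run_capture HOST [PORT] [EXCLUDE]: full-size (-s 0) capture to the stamped file.
# Needs root; $filter is deliberately unquoted so it splits into filter words.
run_capture() {
    filter=$(capture_filter "$@") || return 1
    file=$(capture_file "$1")
    echo "writing $file with filter: $filter" >&2
    "$TCPDUMP" -i "$IFACE" -n -s 0 -w "$file" $filter
}
```

Example: `run_capture 10.154.66.151 80 192.0.2.7` captures port 80 traffic to or from 10.154.66.151 while excluding 192.0.2.7.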