The tcpdump command is a command-line packet analyzer (packet sniffer).

  • The command in general:
    • Capital S means ‘Specific’, i.e. only traffic to and from the host you specify.
    • Lowercase s sets the snapshot length, the maximum number of bytes captured from each packet; ‘0’ means capture the whole packet.
    • Piping (“|”) into tee sends the output to both the file and the console.
    • tcpdump on a CPAM server does work; its directory just isn’t on the PATH. Invoke it by its full path: /usr/sbin/tcpdump
# tcpdump -i eth0 -s 2000 host <IP of client PC> -w <file>.pcap
  • capture packets on a specific port, printing them to the console and saving the same text output to a file (-l line-buffers the output so tee receives each line promptly)
# tcpdump -i eth0 -n port 80 -l | tee tcp.pcap
  • capture packets on a specific port to a pcap file
# tcpdump -i eth0 -n port 80 -s 0 -w tcp.pcap
  • capture packets to or from a specific host to a pcap file
# tcpdump -i eth0 -S host xx.xx.xx.xx -s 0 -w tcp.pcap
  • capture packets on port 80 excluding one host, printing them to the console and saving the text output to a file
# tcpdump -i eth0 -S port 80 and not host xx.xx.xx.xx -l | tee tcp.pcap
  • capture packets to or from a host and write them to a UTC-timestamped file
# /usr/sbin/tcpdump -i eth0 -s 0 -w "packet-$(date --utc +%T).cap" host 10.154.66.151
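As an added example that is not part of the original page, a small POSIX shell wrapper that ties the commands above together: it falls back to /usr/sbin/tcpdump when the binary is not on the PATH (the CPAM case), composes the host / port / not-host filter, captures whole packets with -s 0, and names the output file with a UTC stamp. The function names, the CAP_* and TCPDUMP_RUN variables and the colon-free timestamp format are assumptions of this example.

```shell
#!/bin/sh
# Added example, not the page's own script. Flags used (-i, -s 0, -w, host,
# port, not) are the ones shown on the page; function names are my own.

# Resolve the binary: CPAM servers ship it at /usr/sbin/tcpdump without
# that directory being on PATH, so try PATH first and fall back.
find_tcpdump() {
  if command -v tcpdump >/dev/null 2>&1; then
    command -v tcpdump
  elif [ -x /usr/sbin/tcpdump ]; then
    echo /usr/sbin/tcpdump
  else
    return 1
  fi
}

# Build a BPF filter from three optional pieces ("" means not set):
#   $1 host to include, $2 port, $3 host to exclude. Pieces join with "and".
# The host keyword alone selects the host; no extra flag is needed for that.
build_filter() {
  bf_filter=""
  if [ -n "$1" ]; then bf_filter="host $1"; fi
  if [ -n "$2" ]; then bf_filter="${bf_filter:+$bf_filter and }port $2"; fi
  if [ -n "$3" ]; then bf_filter="${bf_filter:+$bf_filter and }not host $3"; fi
  printf '%s\n' "$bf_filter"
}

# Capture file name from a UTC stamp. The page uses date +%T (HH:MM:SS);
# this example passes the stamp in (reproducible) and uses a colon-free
# format so the file also copies cleanly to Windows hosts (assumption).
capture_name() {
  printf 'packet-%s.cap\n' "$1"
}

# Full-packet capture on interface $1 with BPF filter $2, written as pcap.
run_capture() {
  rc_bin=$(find_tcpdump) || { echo "tcpdump not found" >&2; return 1; }
  rc_out=$(capture_name "$(date --utc +%Y%m%dT%H%M%SZ)")
  echo "capturing on $1 to $rc_out (filter: ${2:-none})" >&2
  # shellcheck disable=SC2086  # the filter must be word-split into arguments
  "$rc_bin" -i "$1" -s 0 -w "$rc_out" $2
}

# Only start a capture when explicitly asked, so the file is safe to source.
if [ "${TCPDUMP_RUN:-0}" = "1" ]; then
  run_capture "${CAP_IFACE:-eth0}" \
    "$(build_filter "${CAP_HOST:-}" "${CAP_PORT:-}" "${CAP_EXCLUDE:-}")"
fi
```

Run as root with e.g. `TCPDUMP_RUN=1 CAP_PORT=80 CAP_EXCLUDE=10.0.0.9 sh capture.sh` to reproduce the "port 80 but not host" capture above as a pcap file.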
