Dump packets using tcpdump command and open it using wireshark
Environment and Prerequisites
- Linux-based system
- Bash shell (/bin/bash)
- tcpdump command
- Wireshark
tcpdump command
What is tcpdump command?
tcpdump [ -AdDefIKlLnNOpqRStuUvxX ] [ -B buffer_size ] [ -c count ]
[ -C file_size ] [ -G rotate_seconds ] [ -F file ]
[ -i interface ] [ -m module ] [ -M secret ]
[ -r file ] [ -s snaplen ] [ -T type ] [ -w file ]
[ -W filecount ]
[ -E spi@ipaddr algo:secret,... ]
[ -y datalinktype ] [ -z postrotate-command ] [ -Z user ] [ expression ]
tcpdump: prints out a description of the contents of packets on a network interface, controlled by the options above.
- It captures every packet on the interface (promiscuous capture), so it needs root privileges.
Save a specific interface's packets to a file
Basic usage
-i [interface name]: give the interface name as the option value
-w [file name]: give the output file name as the option value
tcpdump -i [interface name] -w [file name]
Example
- Save the eth0 interface's packets as test.pcap
- pcap: packet capture file format, the format Wireshark opens
- Use Ctrl + C to quit capturing.
$ sudo tcpdump -i eth0 -w test.pcap
tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
860 packets captured
862 packets received by filter
0 packets dropped by kernel
Wireshark
What is wireshark?
- The world’s foremost and widely-used network protocol analyzer.
- It lets you see what’s happening on your network at a microscopic level and is the de facto (and often de jure) standard across many commercial and non-profit enterprises, government agencies, and educational institutions.
Open pcap file using wireshark
- (Method 1) Drag and drop the pcap file onto the Wireshark window
- (Method 2) Choose the file via the File > Open menu
Filtering using IP address
- To filter on a specific IP address, type the filter into the “Apply a display filter” bar at the top of the window
IP address filters
ip.addr==X.X.X.X
ip.src==X.X.X.X
ip.dst==X.X.X.X
AND condition
(ip.src==X.X.X.X) && (ip.dst==X.X.X.X)
OR condition
(ip.src==X.X.X.X) || (ip.dst==X.X.X.X)
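The pcap format that tcpdump -w produces and the ip.addr / ip.src / ip.dst display filters above, as an added Python example that is not part of the original tutorial: it builds a small constructed capture in memory (the addresses 10.0.0.x are made up), parses the pcap global and record headers the way Wireshark does, and applies the same AND / OR filters in code.

```python
import struct
import socket
from typing import List, Tuple

# Constructed sample: minimal Ethernet/IPv4 frames with no payload, so the
# example runs offline. A real file would come from `tcpdump -i eth0 -w test.pcap`.
def ipv4_packet(src: str, dst: str) -> bytes:
    eth = b"\x00" * 12 + b"\x08\x00"          # dst MAC, src MAC, EtherType 0x0800 (IPv4)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, 6, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    return eth + ip

def write_pcap(packets: List[bytes]) -> bytes:
    # Global header: magic, version 2.4, tz, sigfigs, snaplen 262144, link type 1 (Ethernet)
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 262144, 1)
    for i, pkt in enumerate(packets):
        # Per-packet record header: ts_sec, ts_usec, incl_len, orig_len
        out += struct.pack("<IIII", 1700000000 + i, 0, len(pkt), len(pkt)) + pkt
    return out

def read_pcap(data: bytes) -> List[Tuple[str, str]]:
    """Return (ip.src, ip.dst) for every IPv4 packet in a little-endian pcap."""
    magic, = struct.unpack_from("<I", data, 0)
    if magic != 0xA1B2C3D4:
        raise ValueError("unsupported pcap magic")
    offset, result = 24, []
    while offset + 16 <= len(data):
        _, _, incl_len, _ = struct.unpack_from("<IIII", data, offset)
        frame = data[offset + 16: offset + 16 + incl_len]
        offset += 16 + incl_len
        if frame[12:14] != b"\x08\x00":       # skip non-IPv4 frames
            continue
        src, dst = frame[26:30], frame[30:34]  # 14-byte Ethernet + IPv4 src/dst at 12/16
        result.append((socket.inet_ntoa(src), socket.inet_ntoa(dst)))
    return result

# Display-filter equivalents applied to parsed packets.
def ip_src(pkts, x):  return [p for p in pkts if p[0] == x]            # ip.src==X
def ip_dst(pkts, x):  return [p for p in pkts if p[1] == x]            # ip.dst==X
def ip_addr(pkts, x): return [p for p in pkts if x in p]               # (ip.src==X) || (ip.dst==X)
def src_and_dst(pkts, s, d):                                           # (ip.src==S) && (ip.dst==D)
    return [p for p in pkts if p[0] == s and p[1] == d]

SAMPLE = write_pcap([ipv4_packet("10.0.0.1", "10.0.0.2"),
                     ipv4_packet("10.0.0.2", "10.0.0.1"),
                     ipv4_packet("10.0.0.3", "10.0.0.9")])
```

Writing SAMPLE to disk gives a file Wireshark opens directly, so the same filters can be checked in the GUI against the results here.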