Dump packets with the tcpdump command and open them in Wireshark
Environment and prerequisites
- Linux-based system
- Bash shell (/bin/bash)
- tcpdump command
What is the tcpdump command?
tcpdump [ -AdDefIKlLnNOpqRStuUvxX ] [ -B buffer_size ] [ -c count ] [ -C file_size ] [ -G rotate_seconds ] [ -F file ] [ -i interface ] [ -m module ] [ -M secret ] [ -r file ] [ -s snaplen ] [ -T type ] [ -w file ] [ -W filecount ] [ -E spi@ipaddr algo:secret,... ] [ -y datalinktype ] [ -z postrotate-command ] [ -Z user ] [ expression ]
tcpdump: prints out a description of the contents of packets on a network interface with various options.
- It reads every packet that reaches the interface (by default it also puts the interface into promiscuous mode), so it needs root privileges or the CAP_NET_RAW capability; running it under sudo is the usual way
Save a specific interface's packets to a file
-i [interface name]: the interface to capture on
-w [file name]: write the raw packets to this file instead of printing them (nothing is decoded while writing, so this is cheap)
tcpdump -i [interface name] -w [file name]
Example: save the eth0 interface's packets as test.pcap
pcap: the capture file format read by Wireshark (the classic libpcap format; recent Wireshark versions save pcapng by default but open both)
Press Ctrl + C to quit capturing. tcpdump then prints a summary: "captured" is what was handed to tcpdump, "received by filter" is what matched the capture filter (the two can differ by packets still buffered in the kernel when you stopped), and a non-zero "dropped by kernel" count means the capture is incomplete (raise the buffer with -B or write to a faster disk).
$ sudo tcpdump -i eth0 -w test.pcap
tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
860 packets captured
862 packets received by filter
0 packets dropped by kernel
What is Wireshark?
- The world’s foremost and widely-used network protocol analyzer.
- It lets you see what’s happening on your network at a microscopic level and is the de facto (and often de jure) standard across many commercial and non-profit enterprises, government agencies, and educational institutions.
Open a pcap file using Wireshark
- (Method 1) Drag and drop the file onto the Wireshark window
- (Method 2) Choose the file from File > Open
Filtering by IP address
- To show only packets involving a specific IP address, type a display filter into the "Apply a display filter" bar above the packet list and press Enter. A display filter only hides packets from view; the pcap file is unchanged (unlike a tcpdump capture filter such as "host X.X.X.X", which decides what gets written to disk in the first place).
IP address filters
ip.addr==X.X.X.X   (either the source or the destination is X.X.X.X)
ip.src==X.X.X.X    (the source is X.X.X.X)
ip.dst==X.X.X.X    (the destination is X.X.X.X)
(ip.src==X.X.X.X) || (ip.dst==X.X.X.X)   (equivalent to ip.addr==X.X.X.X)
(ip.src==X.X.X.X) && (ip.dst==X.X.X.X)   (both sides must match; with two different addresses, e.g. (ip.src==X.X.X.X) && (ip.dst==Y.Y.Y.Y), this isolates one direction of one conversation)
Caveat: ip.addr!=X.X.X.X does not mean "neither side is X". It is true whenever at least one of the two addresses differs from X, which is nearly every packet. To exclude a host, use !(ip.addr==X.X.X.X).
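As an added example (not from the original page, and not part of tcpdump or Wireshark), the following Python script ties the two halves of this page together: it writes a small file in the classic libpcap "pcap" format that the capture section produces, using constructed Ethernet/IPv4/UDP frames, reads the file back, and then applies the ip.addr / ip.src / ip.dst display-filter semantics from this section to the parsed addresses, including the ip.addr!=X gotcha. The addresses 10.0.0.x, the file name test.pcap and the packet bytes are synthetic sample data chosen for the example, not a real capture. Run it, then open test.pcap in Wireshark and type the same filters to compare the counts with the "Displayed" figure in the status bar.

```python
import socket
import struct
import tempfile

# Classic pcap (libpcap) file constants: real format values, not assumptions.
PCAP_MAGIC = 0xA1B2C3D4        # native byte order, microsecond timestamps
LINKTYPE_ETHERNET = 1          # "link-type EN10MB (Ethernet)" in tcpdump's banner
SNAPLEN = 262144               # tcpdump's default "capture size" shown on the page


def ipv4_checksum(header):
    """One's-complement sum over the 20-byte IPv4 header (checksum field zeroed)."""
    total = sum(struct.unpack("!10H", header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_frame(src_ip, dst_ip, payload=b"constructed"):
    """Constructed Ethernet/IPv4/UDP frame: sample data, not from a real capture."""
    eth = bytes.fromhex("000000000002") + bytes.fromhex("000000000001") + b"\x08\x00"
    udp_len = 8 + len(payload)
    udp = struct.pack("!HHHH", 40000, 53, udp_len, 0) + payload  # UDP checksum 0 = none
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + udp_len, 0, 0, 64, 17, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    ip = ip[:10] + struct.pack("!H", ipv4_checksum(ip)) + ip[12:]
    return eth + ip + udp


def write_pcap(path, frames):
    """Write frames as a pcap file that Wireshark opens via File > Open or drag-and-drop."""
    with open(path, "wb") as f:
        # global header: magic, major, minor, thiszone, sigfigs, snaplen, linktype
        f.write(struct.pack("=IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, SNAPLEN, LINKTYPE_ETHERNET))
        for i, frame in enumerate(frames):
            # record header: ts_sec, ts_usec, incl_len (bytes saved), orig_len (bytes on wire)
            f.write(struct.pack("=IIII", 1_700_000_000 + i, 0, len(frame), len(frame)))
            f.write(frame)


def read_pcap(path):
    """Parse the pcap back; returns (src_ip, dst_ip) for every IPv4 frame."""
    with open(path, "rb") as f:
        data = f.read()
    magic, _, _, _, _, _, linktype = struct.unpack("=IHHiIII", data[:24])
    if magic != PCAP_MAGIC or linktype != LINKTYPE_ETHERNET:
        raise ValueError("expected a native-order Ethernet pcap (pcapng is a different format)")
    off, packets = 24, []
    while off + 16 <= len(data):
        _, _, incl_len, _ = struct.unpack("=IIII", data[off:off + 16])
        frame = data[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        if frame[12:14] != b"\x08\x00":      # EtherType 0x0800 = IPv4; skip ARP, IPv6, ...
            continue
        packets.append((socket.inet_ntoa(frame[26:30]), socket.inet_ntoa(frame[30:34])))
    return packets


# Display-filter semantics for the address fields used on the page.
def ip_addr(x):
    return lambda p: x in p          # ip.addr==X: either side matches


def ip_src(x):
    return lambda p: p[0] == x


def ip_dst(x):
    return lambda p: p[1] == x


def count(packets, pred):
    return sum(1 for p in packets if pred(p))


def demo(path=None):
    """Write three constructed packets, read them back and count filter matches."""
    if path is None:
        path = tempfile.NamedTemporaryFile(suffix=".pcap", delete=False).name
    write_pcap(path, [build_frame("10.0.0.1", "10.0.0.2"),
                      build_frame("10.0.0.2", "10.0.0.1"),
                      build_frame("10.0.0.3", "10.0.0.4")])
    pkts = read_pcap(path)
    x, y = "10.0.0.1", "10.0.0.2"
    return {
        "packets": len(pkts),
        "ip.addr==X": count(pkts, ip_addr(x)),
        "ip.src==X": count(pkts, ip_src(x)),
        "ip.dst==X": count(pkts, ip_dst(x)),
        "(ip.src==X)||(ip.dst==X)": count(pkts, lambda p: ip_src(x)(p) or ip_dst(x)(p)),
        "(ip.src==X)&&(ip.dst==Y)": count(pkts, lambda p: ip_src(x)(p) and ip_dst(y)(p)),
        # Wireshark gotcha: ip.addr!=X is true when either side differs from X
        "ip.addr!=X": count(pkts, lambda p: p[0] != x or p[1] != x),
        "!(ip.addr==X)": count(pkts, lambda p: not ip_addr(x)(p)),
    }


if __name__ == "__main__":
    for name, n in demo("test.pcap").items():
        print(f"{name:28s} {n}")
```

With three packets (X to Y, Y to X, and an unrelated pair), ip.addr==X and the || form both match two packets, the && form with X and Y matches one, and ip.addr!=X matches all three while !(ip.addr==X) matches only the unrelated packet, which is exactly the difference the caveat above warns about. The parser only handles native-order classic pcap; if tcpdump or Wireshark wrote pcapng, convert it first (for example with Wireshark's File > Save As) or extend the reader.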