Tcpdump: Difference between revisions

From Hackepedia
Frankk (talk | contribs)

Revision as of 21:31, 26 October 2005

tcpdump is an OSI layer 2+ sniffer. It will sniff Ethernet, PPP, and SLIP. The name is misleading since TCP is on OSI layer 4. tcpdump uses libpcap, a library that implements data-link (layer 2) capturing facilities. On BSD, libpcap uses the bpf interface to access the data link.

On OpenBSD one can only use tcpdump as root. This is a new implementation that ensures privilege separation works.

Here is an example of seeing ICMP packets of type 8 (ECHO REQUEST or ping packets):

# tcpdump -v -n -i pppoe0 'icmp[0] == 8'
tcpdump: listening on pppoe0, link-type PPP_ETHER
13:35:51.690236 85.75.39.172 > 206.248.137.44: icmp: echo request (id:8e2c seq:0) (ttl 255, id    45180, len 84)
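The filter `icmp[0] == 8` is tcpdump's byte-offset syntax: `proto[offset:size]` reads bytes from the start of that protocol's header, and offset 0 of ICMP is the type field (8 = echo request). The following script, an added illustration rather than tcpdump's or libpcap's own code, evaluates such filters against a raw IPv4 packet constructed by hand (checksums are left at zero and not verified), and generalizes to `ip`, `tcp` and `udp` with optional field sizes.

```python
"""Evaluate tcpdump-style byte-offset filters such as 'icmp[0] == 8'
against a raw IPv4 packet.  Added illustration, not tcpdump's or libpcap's
own code; the sample packet below is constructed by hand."""
import re
import struct
from typing import Optional

# IP protocol numbers for the keywords used in tcpdump's proto[expr] syntax
PROTO = {"ip": None, "icmp": 1, "tcp": 6, "udp": 17}
# Matches e.g. 'icmp[0] == 8' or 'tcp[13:1] == 2' (size defaults to 1 byte)
FILTER_RE = re.compile(
    r"^\s*(\w+)\[(\d+)(?::([124]))?\]\s*(==|!=|>|<)\s*(\d+)\s*$")

def header_offset(pkt: bytes, proto: str) -> Optional[int]:
    """Byte offset where the named protocol's header starts, or None when the
    packet does not carry it.  'ip' starts at 0; ICMP/TCP/UDP headers start
    after the IPv4 header, whose length comes from the IHL nibble."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return None
    if proto == "ip":
        return 0
    if pkt[9] != PROTO[proto]:        # byte 9 of IPv4 is the protocol field
        return None
    return (pkt[0] & 0x0F) * 4

def match(expr: str, pkt: bytes) -> bool:
    """Return True when the packet satisfies the filter expression."""
    m = FILTER_RE.match(expr)
    if not m:
        raise ValueError(f"unsupported filter: {expr!r}")
    proto, off, size = m.group(1), int(m.group(2)), int(m.group(3) or 1)
    op, val = m.group(4), int(m.group(5))
    base = header_offset(pkt, proto)
    if base is None or base + off + size > len(pkt):
        return False  # wrong protocol or truncated packet: no match
    field = int.from_bytes(pkt[base + off:base + off + size], "big")
    return {"==": field == val, "!=": field != val,
            ">": field > val, "<": field < val}[op]

# Constructed IPv4/ICMP echo request mirroring the capture above: 20-byte IP
# header (IHL=5, ttl 255, ip id 45180, proto 1) followed by an 8-byte ICMP
# header with type 8, code 0, id 0x8e2c, seq 0.
ECHO_REQUEST = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 45180, 0, 255, 1, 0,
                           bytes([85, 75, 39, 172]),
                           bytes([206, 248, 137, 44])) \
    + struct.pack("!BBHHH", 8, 0, 0, 0x8e2c, 0)
# Same packet with ICMP type 0 (echo reply); the filter must not match it.
ECHO_REPLY = ECHO_REQUEST[:20] + bytes([0]) + ECHO_REQUEST[21:]
```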

If you have pflog0 enabled (BSD pf firewall) you can watch your logged packets with:

# tcpdump -vvv -e -ttt -i pflog0

Here -vvv selects the most verbose output, -e prints the link-level header on each line, and -ttt prints the delta (in microseconds) between the current and previous line.