Quick way to use tcpdump to grab packets
Well every now and again I need to grab packets going to and from a specific port on a server machine. The client side isn’t a problem as I have Wireshark installed on my workstation, but when dealing with server to server communications I prefer to use the command line. Most servers I deal with don’t have X-windows installed as there is no need to waist the resources on it.
Of course all Unix style OS’s usually have a program called tcpdump which can be used to collect the packets we are interested in. Being a very powerful tool the man page can be a bit long and it can be hard to get started with it.
Usually I want to grab the packets going to or from a specific port, e.g. port 25 for SMTP or 80 for HTTP. Here are two examples that show how easy it is to use tcpdump
tcpdump -w /tmp/smtp.pcap -s 1500 -i lo 'tcp port 25'
This example will grab all tcp packets going to or from port 25 on the local host interface (127.0.0.1) and
put them in the
/tmp/smtp.pcap file. This file is in the pcap format so you can copy it to your workstation
and dig into it with Wireshark. The
-s parameter specifies how much of the packet to grab, usually 1500 will
be enough to get the whole packet, but you may need to increase this if you find packets getting truncated.
tcpdump -w /tmp/http.pcap -s 1500 -i eth0 'tcp port 80'
This example will grab all tcp packets going to or from port 80 on the eth0 interface and put them in the
tmp/http.pcap file. Again we want all the packets so we use a size of 1500.