Options | Description
--version | print the tcpdump and libpcap version strings and exit
-h, --help | print the tcpdump and libpcap version strings, print a usage message, and exit
-B buffer_size | set the operating system capture buffer size to buffer_size, in units of KiB
-c count | exit after receiving count packets
-D | print the list of the network interfaces on which tcpdump can capture packets
-i interface | report the results of compiling a filter expression on interface
-n | don't convert addresses (host addresses, port numbers) to names
-s snaplen | capture snaplen bytes of data from each packet rather than the default
-t | don't print a timestamp on each dump line
-v | produce more verbose output
-w file | write the raw packets to file rather than parsing and printing them out
-r file | read packets from file
-A | print each packet in ASCII
a) Start a capture that stops by itself after getting 10 packets on all interfaces.
b) Have a look at the output. You will notice that host names are used instead of IP addresses, and commonly known ports are replaced with application names. Use a command to display the IP addresses and port numbers instead of these names.
What does this mean? It means that tcpdump will keep all those bytes for analysis. We don't need all this information for now, so change the capture size to 96 bytes. The Ethernet, IP and TCP headers are in the first 64 bytes of the packets, so capturing 96 bytes per packet is more than enough to capture these headers.
e) Repeat what you did for the previous task, but add -S to your tcpdump command. Figure out what has changed, and why.
The length field stands for the packet length: it gives the number of bytes in the layer 4 headers, and it matches the sequence numbers (packet_length = larger_seq_no - smaller_seq_no).
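The commands for task a), task b), the snaplen change and task e), together with a check of the length/sequence-number relationship stated in the paragraph above, as an added example that is not part of the original page. It assumes a Linux tcpdump (the `any` pseudo-interface is Linux-specific; use `-D` to list interfaces elsewhere), a capture file name `lab.pcap` chosen here, and a constructed sample of tcpdump output rather than a real capture. The capture command itself needs root and is only printed, not executed, so the rest of the script runs without privileges.

```shell
#!/bin/sh
# Added example for the tcpdump exercises above; not part of the original page.
# Assumptions: Linux tcpdump (the "any" pseudo-interface is Linux-specific) and a
# capture file name of our choosing, lab.pcap (override with CAPTURE_FILE=...).

CAPTURE_FILE=${CAPTURE_FILE:-lab.pcap}

# Task a) plus the snaplen change: capture on all interfaces, stop after 10
# packets, keep only the first 96 bytes of each packet, and save the raw packets
# so they can be printed later with different options. Running this needs root.
capture_cmd() {
    echo "tcpdump -i any -c 10 -s 96 -w $CAPTURE_FILE"
}

# Tasks b) and e): print the saved packets with numeric addresses and ports (-n)
# and absolute instead of relative TCP sequence numbers (-S).
read_cmd() {
    echo "tcpdump -n -S -r $CAPTURE_FILE"
}

# Verify the relationship from the paragraph above on every TCP line that carries
# data: with "seq A:B" and "length N", B - A must equal N. Pure ACKs and SYNs
# print a single sequence number and are skipped. Reads tcpdump output on stdin,
# prints one verdict per data packet, exit status 1 if any line disagrees.
check_seq_length() {
    awk '
        BEGIN { bad = 0 }
        /seq [0-9]+:[0-9]+/ && /length [0-9]+/ {
            match($0, /seq [0-9]+:[0-9]+/)
            split(substr($0, RSTART + 4, RLENGTH - 4), s, ":")   # s[1]=A, s[2]=B
            match($0, /length [0-9]+/)
            len = substr($0, RSTART + 7, RLENGTH - 7) + 0         # force numeric
            diff = s[2] - s[1]
            status = (diff == len) ? "OK" : "MISMATCH"
            printf "%s seq %s:%s -> %d bytes, length %d: %s\n", $1, s[1], s[2], diff, len, status
            if (diff != len) bad = 1
        }
        END { exit bad }'
}

# Constructed sample of what "tcpdump -n -S -r lab.pcap" prints for one short
# HTTP exchange (made up for this example, not a real capture). Only the third
# and fourth lines carry data, so only they print a "seq A:B" range.
SAMPLE_OUTPUT='12:00:00.000001 IP 10.0.0.1.40000 > 10.0.0.2.80: Flags [S], seq 1000000000, win 64240, length 0
12:00:00.000002 IP 10.0.0.2.80 > 10.0.0.1.40000: Flags [S.], seq 2000000000, ack 1000000001, win 65535, length 0
12:00:00.000003 IP 10.0.0.1.40000 > 10.0.0.2.80: Flags [P.], seq 1000000001:1000000101, ack 2000000001, win 502, length 100
12:00:00.000004 IP 10.0.0.2.80 > 10.0.0.1.40000: Flags [P.], seq 2000000001:2000001461, ack 1000000101, win 509, length 1460
12:00:00.000005 IP 10.0.0.1.40000 > 10.0.0.2.80: Flags [.], ack 2000001461, win 501, length 0'

echo "capture: $(capture_cmd)"
echo "read:    $(read_cmd)"
printf '%s\n' "$SAMPLE_OUTPUT" | check_seq_length
```

To check a real capture, pipe the read command into the checker: `sh -c "$(read_cmd)" | check_seq_length`. The check holds with or without `-S`, since subtracting two sequence numbers from the same line gives the payload size whether they are absolute or relative; `-S` only changes which numbers you see.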
Super Hint: man tcpdump :P