Sniffing with TCPDump

Posted August 28, 2004 by lvance in UNIX

The following tutorial explains sniffing a network with TCPDump. TCPDump comes installed on Linux by default. You will have to install the package if you plan to use this with Solaris.

To sniff all traffic across an interface (Port-mon is your friend.), use the commands below.

tcpdump -w testsniff -c 6000
-This sniffs everything and stops when it reaches a 6000 packet count. It is best used when you have heavy traffic. It puts this sniff into a file named “testniff.” Most Packet analyzers can read a TCPDump file format.

tcpdump host x.x.x.x -c 1000
-This sniffs a specific host with a count of 1000 packets.

tcpdump -i eth0 host x.x.x.x -c 1000
-This sniffs on eth0 for multiple interface boxes. It works well for sniffing firewall interfaces with DMZ’s, etc.

The preceding information is a simple description. Read man tcpdump to discover how powerful TCPDump can be.

The Conversation

Follow the reactions below and share your own thoughts.