"tcpdump" is one of those utilities we take for granted. Ask in any networking class, and more or less everybody has used it before and knows how to use it. tcpdump was first written in 1987 as a research project. Since then, the library behind it (libpcap) and the tool itself have been ported to more or less any operating system out there and have been incorporated into too many tools to count (Bill Stearns tried [1]). What is often overlooked: tcpdump is still actively developed. Right now, the latest version is 4.1.1, with libpcap version 1.1.1 [2]. Many operating systems ship version 4.0 by default now. So what changed? What are the things you may not know about tcpdump? Here are some of my favorite items I ran into; please feel free to submit more.
Know any more "hidden and forgotten features"? Let us know....
Johannes 4473 Posts ISC Handler Jun 3rd 2010
Hi Johannes, it seems that my copy of tcpdump (4.0 on Ubuntu Server) gives a default capture size of 96 bytes.
Daniel M. 4 Posts Jun 4th 2010
Here's a good one:
tcpdump 'tcp[13] = 6' ... to find all packets with both the SYN and RST flags set.
Daniel M. 4 Posts Jun 4th 2010
And all the traffic with the evil bit set:
tcpdump 'ip[6] & 128 != 0'
Daniel M. 4 Posts Jun 4th 2010
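The two byte-offset filters Daniel posted above (tcp[13] for the TCP flags byte, ip[6] for the IP flags byte) are easy to get subtly wrong, so here is an added example that is not part of the diary or of Daniel's comments. It builds constructed IPv4+TCP packets in Python, reimplements tcpdump's ip[n] and tcp[n] indexing (tcp[n] is relative to the start of the TCP header, i.e. after IHL*4 bytes of IP header, which matters once IP options are present) and evaluates both filters. It also evaluates the variant 'tcp[13] & 6 = 6', because '= 6' matches only when SYN and RST are the sole bits set, while '& 6 = 6' matches whenever both are set regardless of ACK or other flags. The packet builder, field values and function names are this example's own assumptions.

```python
"""Evaluate tcpdump byte-offset filters (tcp[13], ip[6]) on constructed IPv4/TCP packets."""
import struct

# TCP flag bits as they appear in tcp[13] (byte 13 of the TCP header).
FIN, SYN, RST, PSH, ACK = 0x01, 0x02, 0x04, 0x08, 0x10


def build_ipv4_tcp(tcp_flags: int, evil_bit: bool = False, ip_options: bytes = b"") -> bytes:
    """Constructed sample packet (assumption, not captured traffic): an IPv4 header,
    optional IP options, then a 20-byte TCP header. Checksums are left at zero, which
    does not affect offset-based filters. No Ethernet framing is included."""
    assert len(ip_options) % 4 == 0, "IP options must pad to a 32-bit boundary"
    ihl = 5 + len(ip_options) // 4                 # header length in 32-bit words
    total_len = ihl * 4 + 20
    flags_frag = 0x4000                            # DF set, fragment offset 0
    if evil_bit:
        flags_frag |= 0x8000                       # RFC 3514 "evil" bit: reserved high bit of ip[6]
    ip_hdr = struct.pack("!BBHHHBBH4s4s",
                         0x40 | ihl, 0, total_len, 0x1234, flags_frag, 64, 6, 0,
                         bytes([192, 0, 2, 1]), bytes([198, 51, 100, 2])) + ip_options
    tcp_hdr = struct.pack("!HHIIBBHHH",
                          40000, 80, 1, 0, 5 << 4, tcp_flags, 65535, 0, 0)
    return ip_hdr + tcp_hdr


def ip_byte(pkt: bytes, n: int) -> int:
    """tcpdump's ip[n]: byte n counted from the start of the IPv4 header."""
    return pkt[n]


def tcp_byte(pkt: bytes, n: int) -> int:
    """tcpdump's tcp[n]: byte n counted from the start of the TCP header,
    which begins after IHL*4 bytes of IP header (20 bytes without options)."""
    ihl_bytes = (pkt[0] & 0x0F) * 4
    return pkt[ihl_bytes + n]


# The three filter expressions, written exactly as tcpdump evaluates them.
def syn_and_rst_exact(pkt: bytes) -> bool:
    """'tcp[13] = 6': SYN and RST set and nothing else."""
    return tcp_byte(pkt, 13) == (SYN | RST)


def syn_and_rst_any(pkt: bytes) -> bool:
    """'tcp[13] & 6 = 6': SYN and RST set, other flags ignored."""
    return tcp_byte(pkt, 13) & (SYN | RST) == (SYN | RST)


def evil_bit_set(pkt: bytes) -> bool:
    """'ip[6] & 128 != 0': the reserved (evil) bit in the IP flags field."""
    return ip_byte(pkt, 6) & 128 != 0


def evaluate_filters(pkt: bytes) -> dict:
    """Return which of the three filters a packet matches."""
    return {
        "tcp[13] = 6": syn_and_rst_exact(pkt),
        "tcp[13] & 6 = 6": syn_and_rst_any(pkt),
        "ip[6] & 128 != 0": evil_bit_set(pkt),
    }


# Constructed sample set: a normal SYN, an impossible SYN+RST, SYN+RST+ACK, and an
# ACK carrying the evil bit. The last one also carries four NOP IP options so that
# tcp[13] only works if the IHL-relative offset is honoured.
SAMPLES = {
    "SYN":           build_ipv4_tcp(SYN),
    "SYN+RST":       build_ipv4_tcp(SYN | RST),
    "SYN+RST+ACK":   build_ipv4_tcp(SYN | RST | ACK),
    "ACK, evil bit": build_ipv4_tcp(ACK, evil_bit=True, ip_options=b"\x01" * 4),
}

if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        print(f"{name:14s} tcp[13]=0x{tcp_byte(pkt, 13):02x} ip[6]=0x{ip_byte(pkt, 6):02x} "
              f"{evaluate_filters(pkt)}")
```

Running it shows that 'tcp[13] = 6' flags only the bare SYN+RST packet, while the SYN+RST+ACK packet (still a combination no real stack emits) passes unnoticed unless the masked form is used; the last sample demonstrates that the evil-bit test works on the IP header regardless of the TCP flags, and that tcp[13] still lands on the flags byte when IP options shift the TCP header.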
Interesting about the 96 bytes. I just checked the Ubuntu man page for tcpdump, and it actually states it is 64 bytes but "with SunOS's NIT, the minimum is actually 96". Will research this a bit more.
For everybody else: a nice tcpdump intro from Daniel: danielmiessler.com/study/tcpdump/
Johannes 4473 Posts ISC Handler Jun 4th 2010