From Gentoo Wiki
Jump to:navigation Jump to:search

tcpdump is a command-line network monitoring and data acquisition tool. It is capable of sniffing packets and "dumping" information.


USE flags

USE flags for net-analyzer/tcpdump A tool for network monitoring and data acquisition

drop-root Drop privileges to pcap:pcap when run as root
samba Add support for SAMBA (Windows File and Printer sharing)
smi Build with net-libs/libsmi to load MIBs on the fly to decode SNMP packets
ssl Add support for SSL/TLS connections (Secure Socket Layer / Transport Layer Security)
suid Enable setuid root program(s)
test Enable dependencies and/or preparations necessary to run tests (usually controlled by FEATURES=test but can be toggled independently)


Install tcpdump:

root #emerge --ask net-analyzer/tcpdump



In order for normal users to run tcpdump the program should be built with the suid flag enabled and the user(s) should be added to the pcap group.

root #USE="suid" emerge -a --changed-use tcpdump

Do this by using the usermod command where <username> is user's username:

root #usermod -a -G pcap <username>



The root user can invoke tcpdump at any time:

root #tcpdump -h
Usage: tcpdump [-aAbdDefhHIJKlLnNOpqRStuUvxX#] [ -B size ] [ -c count ]
                [ -C file_size ] [ -E algo:secret ] [ -F file ] [ -G seconds ]
                [ -i interface ] [ -j tstamptype ] [ -M secret ] [ --number ]
                [ -Q in|out|inout ]
                [ -r file ] [ -s snaplen ] [ --time-stamp-precision precision ]
                [ --immediate-mode ] [ -T type ] [ --version ] [ -V file ]
                [ -w file ] [ -W filecount ] [ -y datalinktype ] [ -z command ]
                [ -Z user ] [ expression ]

When tcpdump has been set with SUID permissions normal users can invoke it, however since the /usr/sbin directory is not included in a normal user's path, the full path must be specified:

user $/usr/sbin/tcpdump

Listing interfaces

To discover the interfaces available to tcpdump issue the following command:

user $/usr/sbin/tcpdump --list-interfaces

Specifying an interface

After an output of available interfaces has been displayed it is possible to select a specific interface upon which to listen:

user $/usr/sbin/tcpdump -i <interface_name>

Where <interface_name> is either the number of the interface or the string version of the name.

Write output to a file

Running tcpdump with the -w instructs the program to write output to a file. This is helpful to future analysis:

user $/usr/sbin/tcpdump -w /tmp/output

Read input from a file

user $/usr/sbin/tcpdump -r /tmp/output

See also

  • Metasploit — provides information about security vulnerabilities and aids in penetration testing and IDS signature development.
  • Nmap — an open source recon tool used to check for open ports, what is running on those ports, and metadata about the daemons servicing those ports.
  • Wireshark — a free and open-source packet analyzer.

External resources