tcpdump

From Gentoo Wiki
Jump to: navigation, search


Resources

tcpdump is a command-line network monitoring and data acquisition tool. It is capable of sniffing packets and "dumping" information.

Installation

USE flags

Cannot load package information. Is the atom net-analyzer/tcpdump correct?

Emerge

Install tcpdump:

root #emerge --ask net-analyzer/tcpdump

Configuration

SUID

In order for normal users to run tcpdump the program should be built with the suid flag enabled and the user(s) should be added to the tcpdump group.

root #USE="suid" emerge -a --changed-use tcpdump

Do this by using the usermod command where <username> is user's username:

root #usermod -a -G tcpdump <username>

Usage

Invocation

The root user can invoke tcpdump at any time:

root #tcpdump -h
Usage: tcpdump [-aAbdDefhHIJKlLnNOpqRStuUvxX#] [ -B size ] [ -c count ]
                [ -C file_size ] [ -E algo:secret ] [ -F file ] [ -G seconds ]
                [ -i interface ] [ -j tstamptype ] [ -M secret ] [ --number ]
                [ -Q in|out|inout ]
                [ -r file ] [ -s snaplen ] [ --time-stamp-precision precision ]
                [ --immediate-mode ] [ -T type ] [ --version ] [ -V file ]
                [ -w file ] [ -W filecount ] [ -y datalinktype ] [ -z command ]
                [ -Z user ] [ expression ]

When tcpdump has been set with SUID permissions normal users can invoke it, however since the /usr/sbin directory is not included in a normal user's path, the full path must be specified:

user $/usr/sbin/tcpdump

Listing interfaces

To discover the interfaces available to tcpdump issue the following command:

user $/usr/sbin/tcpdump --list-interfaces

Specifying an interface

After an output of available interfaces has been displayed it is possible to select a specific interface upon which to listen:

user $/usr/sbin/tcpdump -i <interface_name>

Where <interface_name> is either the number of the interface or the string version of the name.

Write output to a file

Running tcpdump with the -w instructs the program to write output to a file. This is helpful to future analysis:

user $/usr/sbin/tcpdump -w /tmp/output

Read input from a file

user $/usr/sbin/tcpdump -r /tmp/output

See also

  • Metasploit — provides information about security vulnerabilities and aids in penetration testing and IDS signature development.
  • nmap — used to check for open ports, what is running on those ports, and header information
  • Wireshark — a free and open-source packet analyzer.

External resources