tcpdump

From Gentoo Wiki
Jump to: navigation, search
Resources

tcpdump is a command-line network monitoring and data acquisition tool. It is capable of sniffing packets and "dumping" information.

Installation

USE flags

USE flags for net-analyzer/tcpdump A Tool for network monitoring and data acquisition

drop-root Drop privileges to tcpdump:tcpdump when run as root local
samba Add support for SAMBA (Windows File and Printer sharing) global
smi Build with net-libs/libsmi to load MIBs on the fly to decode SNMP packets local

Emerge

Install tcpdump:

root #emerge --ask net-analyzer/tcpdump

Configuration

SUID

In order for normal users to run tcpdump the program should be built with the suid flag enabled and the user(s) should be added to the tcpdump group.

root #USE="suid" emerge -a --changed-use tcpdump

Do this by using the usermod command where <username> is user's username:

root #usermod -a -G tcpdump <username>

Usage

Invocation

The root user can invoke tcpdump at any time:

root #tcpdump -h
Usage: tcpdump [-aAbdDefhHIJKlLnNOpqRStuUvxX#] [ -B size ] [ -c count ]
                [ -C file_size ] [ -E algo:secret ] [ -F file ] [ -G seconds ]
                [ -i interface ] [ -j tstamptype ] [ -M secret ] [ --number ]
                [ -Q in|out|inout ]
                [ -r file ] [ -s snaplen ] [ --time-stamp-precision precision ]
                [ --immediate-mode ] [ -T type ] [ --version ] [ -V file ]
                [ -w file ] [ -W filecount ] [ -y datalinktype ] [ -z command ]
                [ -Z user ] [ expression ]

When tcpdump has been set with SUID permissions normal users can invoke it, however since the /usr/sbin directory is not included in a normal user's path, the full path must be specified:

user $/usr/sbin/tcpdump

Listing interfaces

To discover the interfaces available to tcpdump issue the following command:

user $/usr/sbin/tcpdump --list-interfaces

Specifying an interface

After an output of available interfaces has been displayed it is possible to select a specific interface upon which to listen:

user $/usr/sbin/tcpdump -i <interface_name>

Where <interface_name> is either the number of the interface or the string version of the name.

Write output to a file

Running tcpdump with the -w instructs the program to write output to a file. This is helpful to future analysis:

user $/usr/sbin/tcpdump -w /tmp/output

Read input from a file

user $/usr/sbin/tcpdump -r /tmp/output

See also

  • Metasploit — provides information about security vulnerabilities and aids in penetration testing and IDS signature development.
  • nmap — an open source recon tool used to check for open ports, what is running on those ports, and metadata about the daemons servicing those ports
  • Wireshark — a free and open-source packet analyzer.

External resources