tcpdump is a command-line network monitoring and data acquisition tool. It is capable of sniffing packets and "dumping" information.
USE flags for net-analyzer/tcpdump (A Tool for network monitoring and data acquisition):

| Description | Scope |
| Drop privileges to tcpdump:tcpdump when run as root | local |
| Use dev-libs/libressl as SSL provider (might need ssl USE flag), packages should not depend on this USE flag | global |
| Add support for SAMBA (Windows File and Printer sharing) | global |
| Build with net-libs/libsmi to load MIBs on the fly to decode SNMP packets | local |
| Add support for Secure Socket Layer connections | global |
| Enable setuid root program, with potential security risks | global |
| Workaround to pull in packages needed to run with FEATURES=test. Portage-2.1.2 handles this internally, so don't set it in make.conf/package.use anymore | global |
emerge --ask net-analyzer/tcpdump
In order for normal users to run tcpdump, the program must be built with the suid USE flag enabled and each such user must be added to the tcpdump group.
USE="suid" emerge -a --changed-use tcpdump
Add a user to the group with the usermod command, where <username> is the user's login name:
usermod -a -G tcpdump <username>
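The setuid build above hands a root-capable capture binary to every member of one group, so it is worth checking that the binary is not also world-executable and that only the intended users are in that group. The following functions are an added example, not part of the Gentoo wiki page or of tcpdump itself; they assume a GNU/Linux host with POSIX sh, awk and ls, and take the binary path and group file as parameters so they can be run against a constructed group file as well as the live system (supplementary groups only; a user's primary group from /etc/passwd is not consulted).

```shell
#!/bin/sh
# Added example (not from the Gentoo wiki page): audit the tcpdump
# privilege setup (USE="suid" + group tcpdump) described above.

# binary_is_setuid FILE: succeeds if FILE carries the setuid bit,
# which is what a USE="suid" build installs.
binary_is_setuid() {
    [ -u "$1" ]
}

# binary_group FILE: print the group that owns FILE (ls -l field 4).
binary_group() {
    ls -ld "$1" | awk '{ print $4 }'
}

# binary_is_group_only FILE: succeeds if "other" has no execute bit,
# i.e. only the owning group can run the setuid binary. Character 10
# of the ls -l mode string is the world-execute position.
binary_is_group_only() {
    [ "$(ls -ld "$1" | cut -c10)" = "-" ]
}

# user_in_group USER GROUP [GROUPFILE]: succeeds if USER appears in
# the member list of GROUP in GROUPFILE (default /etc/group), which is
# the entry that `usermod -a -G tcpdump <username>` appends to.
user_in_group() {
    user=$1; group=$2; gfile=${3:-/etc/group}
    awk -F: -v u="$user" -v g="$group" '
        $1 == g {
            n = split($4, members, ",")
            for (i = 1; i <= n; i++) if (members[i] == u) found = 1
        }
        END { exit found ? 0 : 1 }' "$gfile"
}

# audit_tcpdump USER [BINARY] [GROUPFILE]: print one line per check;
# the return value is the number of checks that indicate a risk.
audit_tcpdump() {
    user=$1; bin=${2:-/usr/sbin/tcpdump}; gfile=${3:-/etc/group}
    failures=0
    if binary_is_setuid "$bin"; then
        echo "ok   $bin is setuid"
        if binary_is_group_only "$bin"; then
            echo "ok   $bin is not world-executable (group $(binary_group "$bin") only)"
        else
            echo "WARN $bin is setuid and world-executable: every local user can capture"
            failures=$((failures + 1))
        fi
    else
        echo "info $bin is not setuid; only root can capture"
    fi
    if user_in_group "$user" tcpdump "$gfile"; then
        echo "ok   $user is a member of group tcpdump"
    else
        echo "info $user is not in group tcpdump"
    fi
    return $failures
}

# Usage on a live system: audit_tcpdump alice
```

Run `audit_tcpdump <username>` after the emerge and usermod steps; a non-zero return value means the setuid binary is reachable by users outside the tcpdump group, which defeats the point of the group.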
The root user can invoke tcpdump at any time:
Usage: tcpdump [-aAbdDefhHIJKlLnNOpqRStuUvxX#] [ -B size ] [ -c count ] [ -C file_size ] [ -E algo:secret ] [ -F file ] [ -G seconds ] [ -i interface ] [ -j tstamptype ] [ -M secret ] [ --number ] [ -Q in|out|inout ] [ -r file ] [ -s snaplen ] [ --time-stamp-precision precision ] [ --immediate-mode ] [ -T type ] [ --version ] [ -V file ] [ -w file ] [ -W filecount ] [ -y datalinktype ] [ -z command ] [ -Z user ] [ expression ]
When tcpdump has been installed with SUID permissions, normal users can invoke it too; however, since the /usr/sbin directory is not in a normal user's PATH, the full path, /usr/sbin/tcpdump, must be given.
To list the interfaces available to tcpdump, run it with the -D option.
Specifying an interface
After an output of available interfaces has been displayed it is possible to select a specific interface upon which to listen:
/usr/sbin/tcpdump -i <interface_name>
<interface_name> is either the interface's number from that list or its name.
Write output to a file
Running tcpdump with the -w option instructs the program to write the captured packets to a file instead of printing them. This is helpful for later analysis:
/usr/sbin/tcpdump -w /tmp/output
Read input from a file
/usr/sbin/tcpdump -r /tmp/output
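A file written with -w starts with a fixed pcap (or pcapng) header, and `tcpdump -r` feeds whatever follows into the same protocol dissectors it uses on live traffic. The functions below are an added example, not code from the Gentoo wiki page or from tcpdump; they assume POSIX sh with od, tr, sed and printf, and check a capture file's magic number and stored snapshot length before it is handed to -r. The file names used in the test are constructed.

```shell
#!/bin/sh
# Added example (not from the Gentoo wiki page): inspect a capture
# file produced by `tcpdump -w` before reading it back with `-r`.

# pcap_magic FILE: print the first four bytes of FILE as lower-case hex.
pcap_magic() {
    od -An -tx1 -N4 "$1" | tr -d ' \n'
}

# pcap_kind FILE: classify FILE by its magic number. Prints one of
# pcap-le pcap-be pcap-le-ns pcap-be-ns pcapng unknown and fails for
# unknown, so a truncated or foreign file is caught before tcpdump
# parses it. (ns variants store nanosecond timestamps.)
pcap_kind() {
    case $(pcap_magic "$1") in
        d4c3b2a1) echo pcap-le ;;
        a1b2c3d4) echo pcap-be ;;
        4d3cb2a1) echo pcap-le-ns ;;
        a1b23c4d) echo pcap-be-ns ;;
        0a0d0d0a) echo pcapng ;;
        *)        echo unknown; return 1 ;;
    esac
}

# pcap_snaplen FILE: print the snapshot length from a classic pcap
# global header (bytes 16-19, in the file's own byte order). A small
# value means `-w` was run with a short -s and packets are truncated.
# Fails for pcapng, which has no fixed-offset snaplen.
pcap_snaplen() {
    kind=$(pcap_kind "$1") || return 1
    bytes=$(od -An -tx1 -j16 -N4 "$1" | tr -d ' \n')
    [ ${#bytes} -eq 8 ] || return 1
    case $kind in
        pcap-le|pcap-le-ns)
            # little-endian on disk: reverse the four bytes
            hex=$(printf '%s' "$bytes" | sed 's/\(..\)\(..\)\(..\)\(..\)/\4\3\2\1/') ;;
        pcap-be|pcap-be-ns)
            hex=$bytes ;;
        *)
            return 1 ;;
    esac
    printf '%d\n' "0x$hex"
}

# read_cmd FILE: print the tcpdump command to replay FILE, but only
# after the header check passes; -n (no name lookups) keeps the replay
# from generating DNS traffic. Fails, printing nothing, otherwise.
read_cmd() {
    pcap_kind "$1" > /dev/null || return 1
    printf '/usr/sbin/tcpdump -n -r %s\n' "$1"
}

# Usage: read_cmd /tmp/output && pcap_snaplen /tmp/output
```

`pcap_snaplen` is the quick way to see whether an earlier `-w` run kept whole packets: tcpdump's default snaplen is large enough for full frames, but a capture taken with a small `-s` value cannot be fully decoded with `-r` afterwards.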
- Metasploit — provides information about security vulnerabilities and aids in penetration testing and IDS signature development.
- nmap — used to check for open ports, what is running on those ports, and header information
- Wireshark — a free and open-source packet analyzer.
- http://www.tcpdump.org/manpages/pcap.3pcap.html - The pcap(3pcap) man page hosted on the tcpdump.org web site.