tcpdump is a command-line network monitoring and data acquisition tool. It is capable of sniffing packets and "dumping" information.
USE flags for net-analyzer/tcpdump A Tool for network monitoring and data acquisition
||Drop privileges to pcap:pcap when run as root|
||Use dev-libs/libressl instead of dev-libs/openssl when applicable (see also the ssl useflag)|
||Add support for SAMBA (Windows File and Printer sharing)|
||Build with net-libs/libsmi to load MIBs on the fly to decode SNMP packets|
||Add support for SSL/TLS connections (Secure Socket Layer / Transport Layer Security)|
||Enable setuid root program, with potential security risks|
||Enable dependencies and/or preparations necessary to run tests (usually controlled by FEATURES=test but can be toggled independently)|
emerge --ask net-analyzer/tcpdump
In order for normal users to run tcpdump the program should be built with the
suid flag enabled and the user(s) should be added to the tcpdump group.
USE="suid" emerge -a --changed-use tcpdump
Do this by using the usermod command where
<username> is user's username:
usermod -a -G tcpdump <username>
The root user can invoke tcpdump at any time:
Usage: tcpdump [-aAbdDefhHIJKlLnNOpqRStuUvxX#] [ -B size ] [ -c count ] [ -C file_size ] [ -E algo:secret ] [ -F file ] [ -G seconds ] [ -i interface ] [ -j tstamptype ] [ -M secret ] [ --number ] [ -Q in|out|inout ] [ -r file ] [ -s snaplen ] [ --time-stamp-precision precision ] [ --immediate-mode ] [ -T type ] [ --version ] [ -V file ] [ -w file ] [ -W filecount ] [ -y datalinktype ] [ -z command ] [ -Z user ] [ expression ]
When tcpdump has been set with SUID permissions normal users can invoke it, however since the /usr/sbin directory is not included in a normal user's path, the full path must be specified:
To discover the interfaces available to tcpdump issue the following command:
Specifying an interface
After an output of available interfaces has been displayed it is possible to select a specific interface upon which to listen:
/usr/sbin/tcpdump -i <interface_name>
<interface_name> is either the number of the interface or the string version of the name.
Write output to a file
Running tcpdump with the
-w instructs the program to write output to a file. This is helpful to future analysis:
/usr/sbin/tcpdump -w /tmp/output
Read input from a file
/usr/sbin/tcpdump -r /tmp/output
- Metasploit — provides information about security vulnerabilities and aids in penetration testing and IDS signature development.
- Nmap — an open source recon tool used to check for open ports, what is running on those ports, and metadata about the daemons servicing those ports.
- Wireshark — a free and open-source packet analyzer.
- http://www.tcpdump.org/manpages/pcap.3pcap.html - The tcpdump man page hosted on the web.