From Gentoo Wiki
Jump to: navigation, search


tcpdump is a command-line network monitoring and data acquisition tool. It is capable of sniffing packets and "dumping" information.


USE flags

USE flags for net-analyzer/tcpdump A Tool for network monitoring and data acquisition

drop-root Drop privileges to tcpdump:tcpdump when run as root local
libressl Use dev-libs/libressl as SSL provider (might need ssl USE flag), packages should not depend on this USE flag global
samba Add support for SAMBA (Windows File and Printer sharing) global
smi Build with net-libs/libsmi to load MIBs on the fly to decode SNMP packets local
ssl Add support for Secure Socket Layer connections global
suid Enable setuid root program, with potential security risks global
test Workaround to pull in packages needed to run with FEATURES=test. Portage-2.1.2 handles this internally, so don't set it in make.conf/package.use anymore global


Install tcpdump:

root #emerge --ask net-analyzer/tcpdump



In order for normal users to run tcpdump the program should be built with the suid flag enabled and the user(s) should be added to the tcpdump group.

root #USE="suid" emerge -a --changed-use tcpdump

Do this by using the usermod command where <username> is user's username:

root #usermod -a -G tcpdump <username>



The root user can invoke tcpdump at any time:

root #tcpdump -h
Usage: tcpdump [-aAbdDefhHIJKlLnNOpqRStuUvxX#] [ -B size ] [ -c count ]
                [ -C file_size ] [ -E algo:secret ] [ -F file ] [ -G seconds ]
                [ -i interface ] [ -j tstamptype ] [ -M secret ] [ --number ]
                [ -Q in|out|inout ]
                [ -r file ] [ -s snaplen ] [ --time-stamp-precision precision ]
                [ --immediate-mode ] [ -T type ] [ --version ] [ -V file ]
                [ -w file ] [ -W filecount ] [ -y datalinktype ] [ -z command ]
                [ -Z user ] [ expression ]

When tcpdump has been set with SUID permissions normal users can invoke it, however since the /usr/sbin directory is not included in a normal user's path, the full path must be specified:

user $/usr/sbin/tcpdump

Listing interfaces

To discover the interfaces available to tcpdump issue the following command:

user $/usr/sbin/tcpdump --list-interfaces

Specifying an interface

After an output of available interfaces has been displayed it is possible to select a specific interface upon which to listen:

user $/usr/sbin/tcpdump -i <interface_name>

Where <interface_name> is either the number of the interface or the string version of the name.

Write output to a file

Running tcpdump with the -w instructs the program to write output to a file. This is helpful to future analysis:

user $/usr/sbin/tcpdump -w /tmp/output

Read input from a file

user $/usr/sbin/tcpdump -r /tmp/output

See also

  • Metasploit — provides information about security vulnerabilities and aids in penetration testing and IDS signature development.
  • nmap — used to check for open ports, what is running on those ports, and header information
  • Wireshark — a free and open-source packet analyzer.

External resources