By Dr. J on 2020-07-18 06:05:24
tcpdump is one of those tools that everybody uses, but nobody ever bothers to read the "man" page for. After all... it isn't that hard. All you need to know is to always use "-n", read your files with -r and write them with -w. Once you have figured out what your interfaces are called with '-i'... you are all set. Or are you? Well, there are a few options that I find many people ignore.
tcpdump -D

First of all, in the "good old days", if you used Linux like anybody collecting packets should (really? there are people who *like* BSD? ;-) ), your interface to sniff on was "eth0". Whoever had the sad idea to call "enp0s10" a "predictable name"? Anyway, I am going off on tangents... The new switch to remember now is "-D". "-D" has one advantage over "ifconfig": it only lists interfaces you are actually authorized to capture on. And if you have ever run "ifconfig" on MacOS, you will also appreciate the more compact output format, as MacOS has about a dozen different interfaces and nobody actually knows what they are for (sending money to Apple? NSA spying interfaces? Implants installed at the Chinese factory?).
tcpdump -g

I am old enough to remember a time when you could use "wc -l" or "grep" on tcpdump output even with the "-v" switch enabled. But in "modern" tcpdump, once you enable "-v", you get two lines of output per packet instead of one, and things like grep/wc get a bit messier. -g to the rescue: -g essentially switches tcpdump back to the old behaviour of not inserting a line break after the IP header in verbose mode.
tcpdump -c 90,100

We all know "-c X", which will display the first X packets. But inevitably, the next question is: "If I can display the first 100 packets, how do I display only packets 91-100?" My old snarky answer in class was: just scroll up the terminal until the first 90 lines are gone! This is no longer the only answer. tcpdump recently added a variation of the -c switch. If you provide two numbers, like "90,100", the first number is the number of packets to skip and the second is the number of the packet to stop at. So 90,100 will display packets 91 to 100.
tcpdump -# (--number)

Talking about packet numbers: -# will add a packet number to each line (or --number, if you like to wear out your keyboard by typing more).
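A small wrapper that ties the -# numbering to the packet-range idea of "-c 90,100" and to the line-count problem that -g solves, added here as an example and not taken from the original post or from tcpdump itself: it prints packets SKIP+1 .. STOP from numbered output on a tcpdump that lacks the two-number -c form, and counts packets rather than lines in -v output. It assumes the "%5u  " number prefix that -# prints in front of each packet, a constructed sample of two-line verbose output embedded in the script, and a placeholder file name capture.pcap.

```shell
#!/bin/sh
# Emulate "tcpdump -c SKIP,STOP" on a tcpdump that lacks it: read output
# produced with -# (numbered packets) and print packets SKIP+1 .. STOP.
# Packet boundaries are found by the leading number that -# prints
# ("%5u  " followed by the packet text), not by counting lines, so this
# also works on -v output where every packet spans two lines.
packet_range() {
  awk -v skip="$1" -v stop="$2" '
    /^ *[0-9]+  / { n = $1 + 0 }   # first line of a packet carries its number
    n > skip && n <= stop { print }
    n > stop { exit }              # nothing after STOP is needed
  '
}

# Count packets (not lines) in numbered output; on -v output this is what
# "-g" otherwise buys you for "wc -l".
count_packets() {
  grep -c '^ *[0-9][0-9]*  '
}

# Constructed sample of "tcpdump -n -# -v" output (two lines per packet);
# it stands in for a real capture so the functions can be exercised offline.
sample_verbose_output() {
  cat <<'EOF'
    1  12:00:00.000001 IP (tos 0x0, ttl 64, id 1, offset 0, flags [DF], proto TCP (6), length 60)
    192.0.2.10.40000 > 198.51.100.5.443: Flags [S], seq 1, win 64240, length 0
    2  12:00:00.000002 IP (tos 0x0, ttl 64, id 2, offset 0, flags [DF], proto TCP (6), length 60)
    198.51.100.5.443 > 192.0.2.10.40000: Flags [S.], seq 1, ack 2, win 65160, length 0
    3  12:00:00.000003 IP (tos 0x0, ttl 64, id 3, offset 0, flags [DF], proto TCP (6), length 52)
    192.0.2.10.40000 > 198.51.100.5.443: Flags [.], ack 2, win 502, length 0
    4  12:00:00.000004 IP (tos 0x0, ttl 64, id 4, offset 0, flags [DF], proto TCP (6), length 569)
    192.0.2.10.40000 > 198.51.100.5.443: Flags [P.], seq 1:518, ack 2, win 502, length 517
    5  12:00:00.000005 IP (tos 0x0, ttl 64, id 5, offset 0, flags [DF], proto TCP (6), length 52)
    198.51.100.5.443 > 192.0.2.10.40000: Flags [.], ack 518, win 506, length 0
EOF
}

# Real usage (capture.pcap is a placeholder name):
#   tcpdump -n -# -v -r capture.pcap | packet_range 90 100
#   tcpdump -n -# -v -r capture.pcap | count_packets
# Offline demonstration on the constructed sample: prints packets 3 and 4.
sample_verbose_output | packet_range 2 4
```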
tcpdump -k N,P

Ever heard a "friend" running Windows rave about the new Windows packet capturing tool? If that person is still your friend, show him that even tcpdump can now add metadata like process IDs to the packet (if it feels like it). This takes advantage of the pcapng format and adds the additional data as a comment. Possible data includes process ID, process name, user ID, interface names and more (N: process name, P: process ID). Oh, and this option only works on Apple's version of tcpdump. Sorry, Linux users.
tcpdump -P

Talking about Apple modifications to tcpdump: -P will save files in pcap-ng format.
tcpdump -n -nn -N

RTFM on that one. What is your favorite "hidden" tcpdump feature?

-- follow me on Twitter for more packets: twitter.com/johullrich