Questions tagged [tcpdump]
a command line packet analyzer
282 questions
0 votes, 1 answer, 62 views
Detecting outbound mail
My VM's IPv6 address occasionally gets on a blocklist. Their "evidence" is that they claim something is making outbound connections to port 25 and issuing an EHLO of an IP address, not a ...
2 votes, 0 answers, 62 views
Unexpected packet loss on 10Gbps NIC even under low traffic (~10Mbps)
I'm experiencing unexpected packet loss on a 10Gbps Intel NIC (ixgbe driver) even when traffic is only around 10Mbps. The setup is a test environment using tcpdump to capture packets on Ubuntu 22.04 ...
1 vote, 1 answer, 207 views
Tcpdump captures CAN bus frames twice
I'm writing a Wireshark dissector for our CAN bus protocol and I've noticed that tcpdump captures CAN frames twice and its output differs from the candump program.
For example, when I execute the following ...
2 votes, 1 answer, 759 views
Why am I getting no output in tcpdump even though there is data being sent and received when using network namespaces?
I'm using a fresh minimal Ubuntu server 24.04.1 LTS install.
I run these commands as root to set up networking and do some experiments:
If you have seen this post, it's the same setup but with the ip ...
0 votes, 1 answer, 135 views
tcpdump: How to show only Push-flag packets?
How can I filter tcpdump output (normal screen, not -w) to only see lines with flag [P]?
Running tcpdump 4.99 on Debian 12
5 votes, 1 answer, 617 views
Why can `tcpdump -i any` not capture unicast traffic on br0 whilst `tcpdump -i br0` can?
I am unable to capture unicast traffic on the br0 (linux bridge) interface using the command tcpdump -nni any -vvv. Broadcast traffic, however, is captured as expected. Interestingly, unicast traffic ...
2 votes, 2 answers, 531 views
traceroute (UDP) lost packets
I am facing the following issue when running traceroute between two nodes in the same subnet.
This is done as a test of whether the network connection between these 2 nodes is reliable or not.
We were ...
0 votes, 1 answer, 265 views
How to record packet/frames data without a pcap header
I'm trying to capture raw/binary Ethernet traffic from my interface, so I can parse it using C. I don't want to parse any PCAP headers. I would prefer without the preamble and end bytes, but it's okay ...
2 votes, 2 answers, 129 views
tcpdump takes O(n²) time to parse filter
I run tcpdump with a filter like:
not (
(host 1.165.155.169 and port 4444)
or (host 1.168.68.116 and port 4444)
or (host 1.173.192.253 and port 4444)
or (host 1.174.97.43 and port 4444)
:...
0 votes, 0 answers, 316 views
Is it possible to "sniff" a socket? Socat doesn't work
This is the situation:
I have two VMs (virtual machines) via kvm-qemu
connected via virtual-serial (a socket).
I created the two VMs with this serial configuration:
serial1 (slackware, uses port1 ...
0 votes, 1 answer, 116 views
tcpdump doesn't appear to call any of libpcap's exported functions
Digging into tcpdump implementation, I can see that it actually loads the libpcap.so dynamic library in userspace.
However, by use of strace, I can't see any occurrence of calls to any function ...
0 votes, 1 answer, 864 views
How to enable a host to reply to multicast ping
I'm experimenting with multicast traffic within my wireless network and tried to ping some pre-defined multicast address:
$ ping 224.0.0.251
The IP address of the ping machine is 192.168.0.11. So I ...
0 votes, 0 answers, 54 views
Identify service/script running on a port
System specs:
Linux client 3.10.0-123.20.1.el7.x86_64 #1 SMP Centos 5
I am having some blockages on my DC. I have identified the machine that is making the requests. I also analyzed the outgoing ...
0 votes, 0 answers, 496 views
Print entire 802.11 WiFi Ethernet frame header with tcpdump (or anything else)
I'm currently learning about WiFi Ethernet frames and want to sniff raw ethernet traffic from my laptop's WiFi adapter. Running
sudo tcpdump -vvv -n -i wifi0 -e
prints something like the following:
...
0 votes, 0 answers, 89 views
Why doesn't my wi-fi router send STP frames?
I'm learning about Spanning Tree Protocol and was trying to capture STP frames sent from my wi-fi router by tcpdump. Here is the command:
sudo tcpdump -vv -n -i en0 stp
and for a pretty large period ...
0 votes, 2 answers, 72 views
Pinging two PCs and trying to capture ICMPs with third PC
I have a setup of three computers that are all on the same subnet and connected to a switch. All services are reachable. I'm pinging from PC(1) to PC(2). Opening tshark with PC(3) but cannot see ...
3 votes, 1 answer, 2k views
Why can I capture all incoming packets even though promiscuous mode is not enabled?
I use the command below to capture the bypass packets on interface ens160:
tcpdump -i ens160 -w test.pcap
During this time, I use commands below to check if the promiscuous mode is enabled on ens160 :...
1 vote, 0 answers, 79 views
Issues with BPF filters and 6to4 traffic
I have a pcap file captured with tcpdump: tcpdump -w out.pcap -ni eno1 host 192.88.99.1
I can view the pcap:
rful011@secmonprd13:~$ tcpdump -nr out.pcap -tttt | head
reading from file andy.tcpd, link-...
1 vote, 1 answer, 252 views
I see only DHCP requests but not DHCP responses from "parallel" computer
I have two Raspberry Pis and one DHCP server connected to a switch. Raspi #2 is configured to do netboot.
I am sitting on Raspi #1 and doing
tcpdump 'ether host b8:27:eb:5d:4a:f6' -p -i eth0 -vv
I ...
2 votes, 1 answer, 1k views
tcpdump display packets with high delay
I used tcpdump to capture packets from local rsyslog service to syslog server, however, when I tried different commands (with/without dst option) in tcpdump, the displayed result has a delay.
Expected/...
1 vote, 0 answers, 79 views
TCPDUMP Missing response Code header in Back to back execution
I am running two TCPDUMP Commands back to back. Here is the sequence
Run the below command
root@open5Gs:/home/test# tcpdump -l -vvv -s0 -i any -B 4096 -nn -w /home/test/tc060.pcap -c 1500
Execute ...
1 vote, 1 answer, 873 views
Can `tcpdump ether host` filter with a mask to get, for example, hosts with a specific OUI?
I'm trying to filter traffic by src ether host to see all devices with a specific MAC prefix. If this were like IP, it might filter with src ether host aa:bb:cc:00:00:00/24 to see OUI's matching aa:...
0 votes, 1 answer, 354 views
Decoding wireless captures / filters on Linux
I am trying to filter a capture file that was captured by a remote AP. If I pull the file to my laptop I can open it in Wireshark, decode as peekremote and create the display filter EAPOL to get the ...
1 vote, 0 answers, 816 views
tcpdump -i any and slave interfaces
The core requirement can be expressed as "filtering out slave interfaces from -i any".
In this case, packets leaving on a vlan for bond0 should not also be retrieved for bond0, or the ...
1 vote, 1 answer, 2k views
How can I parse a tcpdump stream live?
I have a Debian installation, where the OEM has a bunch of processes I don't recognize running, and I want to figure out if any of these things are dialing home.
I ran sudo tcpdump | grep ^e <ssh_ip&...
1 vote, 1 answer, 370 views
How to get aggregate packet information using a tool like tcpdump
I'd like to analyze packets in one of my VMs to see how the network traffic is flowing. I found tcpdump which seems to be able to capture the packets. However, I'd like to find a way to ...
0 votes, 1 answer, 212 views
How can I record all IP addresses visited from my PC with tcpdump?
I want to record all IP addresses requested from my local PC; how can I record all IP addresses with tcpdump?
0 votes, 1 answer, 2k views
Why does tcpdump capture packets that are blocked by iptables? How to filter those packets out?
I am using this command to debug my SIP traffic: tcpdump -i eth0 -nt port 5060 -v
and that outputs something like this:
IP (tos 0x0, ttl 113, id 6082, offset 0, flags [none], proto UDP (17), length 504)...
0 votes, 0 answers, 133 views
No results from TCPDUMP
I have a solar panel inverter which is wifi connected. When I run tcpdump I get zero output. I know it's using the wifi because when the broadband went down for several hours there was nothing ...
1 vote, 0 answers, 93 views
Why is an 802.1Q protocol packet automatically dropped by the interface?
I transfer a series of test packets with the IEC61850_SV protocol on my host as follows:
01 0C CD 04 00 03 00 0C CD 04 00 00 81 00 80 01 88 BA 40 03 01 24 00 00 00 00 60 82 01 18 80 01 01 A2 82 01 11 30 ...
0 votes, 0 answers, 220 views
Is there an optimized solution for tcpdump pulling a specific IP?
I made a script that runs tcpdump in the background:
nohup tcpdump -i $INTERFACENAME dst $IPC >> text.txt
And I made another script that pulls any IP address other than $IP from text.txt, but ...
1 vote, 2 answers, 5k views
associate IP with hostname without editing /etc/hosts
I know I can associate hostname with my IP address in /etc/hosts:
1.2.3.4 foo
and then, for example in tcpdump output, I will see foo instead of my IP address (if -n was not used)
Anyways, can I ...
1 vote, 1 answer, 5k views
tcpdump: always show numerical port numbers
The option -n in tcpdump is useful. Sometimes I prefer to see IP addresses, and sometimes I prefer to have the IP addresses resolved into hostnames.
But never do I want to have port numbers translated ...
5 votes, 2 answers, 12k views
System clock not synchronized with NTP server using systemd-timesyncd
I followed this answer here, but it seems that my system clock doesn't synchronize with NTP server:
$ cat /etc/debian_version
10.9
$ egrep -v "^$|^#" /etc/systemd/timesyncd.conf
[Time]
NTP=x....
1 vote, 1 answer, 570 views
TCPDUMP IP UNKNOWN
I am seeing this in the tcpdump output
21:32:51.580969 IP UNKNOWN.9998 > 255.255.255.255.9998: UDP, length 12
What does 'IP UNKNOWN' mean? Is something hiding the IP address?
Thanks
1 vote, 1 answer, 459 views
tcpdump in Kali Linux VM does not capture scp between two devices
Situation:
I'm learning how to develop tests for a hardened server my company is developing for a client. The test configuration will consist of the test target (the server we're developing) and an ...
1 vote, 2 answers, 4k views
Is it possible to capture packets between two hosts from a third host in the same network?
I want to see traffic between two hosts from a third host; they are all on my network.
I did this on the third host:
ip link set eth0 promisc on
tcpdump -vv -i eth0 -xX host 192.168.0.2 and host 192....
10 votes, 2 answers, 5k views
Understanding of BPF
When I need to capture some packets using tcpdump, I use command like:
tcpdump -i eth0 "dst host 192.168.1.0"
I always think the dst host 192.168.1.0 part is something called BPF, Berkeley ...
1 vote, 1 answer, 549 views
-Y and read {src,dst} port and tshark
tshark gets data from an interface or pcap files. When it reads data from an interface, the user has to write a filter with -f (according to pcap-filter(7)), and when reading from a file the user has to write a filter with -Y ...
1 vote, 1 answer, 1k views
how to modify pcap file for Additional Information in packet
I have one pcap file which consists of some information.
I need to modify the data in the file.
Example:
As you can see, there are details of packets, and in the Additional Record section I have a TXT value ...
0 votes, 1 answer, 1k views
Why can't I assign permission for a normal user?
I install tcpdump on my Debian 10:
sudo apt install -y tcpdump
which tcpdump
/usr/bin/tcpdump
groupadd pcap
usermod -a -G pcap $USER
sudo chgrp pcap /usr/bin/tcpdump
sudo chmod 750 /usr/bin/tcpdump
sudo ...
2 votes, 2 answers, 712 views
What does double n mean in tcpdump command?
The tcpdump manual shows:
-n Don't convert addresses (i.e., host addresses, port numbers, etc.) to names.
I have seen double n in a tcpdump command:
https://danielmiessler.com/study/tcpdump/
...
2 votes, 2 answers, 139 views
Is it possible to regenerate a TCP request with the help of tcpdump
I'm developing a backend server and here is what the architecture of the backend looks like:
APP --> Server1 --> Server2 --> Server3 --> MyServer
APP sends an HTTP request to Server1, ...
1 vote, 1 answer, 1k views
IPTables issue between proxmox and pfsense VM
I'm kind of desperate with an IPTables issue.
I started to setup my own dedicated server which is a proxmox server. I have a pfSense VM to which all traffic is routed. I secured the LAN access by ...
0 votes, 1 answer, 121 views
tcpdump isn't storing packets to file upon power loss
I'm working on a pi device that I can plug into the network and it will automatically start packet capturing to a rotating file. The idea behind the device is that when one of my clients is having a ...
1 vote, 0 answers, 470 views
Does writing tcpdump output to a file on ramdisk have effect on the number of packets dropped?
When running tcpdump, I see that sometimes the number of packets dropped by the kernel is greater than zero (0). I was told to write to a file on a ramdisk instead of a file on the hard disk. I am not an expert on ...
0 votes, 0 answers, 692 views
tcpdump, determine transport protocol
Is there an easy way to determine the transport protocol of a packet by looking at the output of a tcpdump trace?
I'd just like to be able to tell if a packet is UDP or TCP. I've tried using the -x ...
0 votes, 0 answers, 645 views
tcpdump to monitor snmp from subnet causing syntax error
I'm trying to monitor SNMP from 2 hosts on the same subnet: 10.52.17.31 and 10.52.17.32. They are the only machines on that subnet.
Using the following commands I receive a syntax error:
tcpdump -...
1 vote, 1 answer, 526 views
Why does tcpdump not work with the -w flag?
So I have a network that I want to scan with tcpdump and dump the captured traffic into a file.
Let's say I try:
sudo tcpdump net 192.168.0.0/24
tcpdump will start and will show the traffic in the ...
1 vote, 0 answers, 402 views
How does tcpdump choose the default NIC to listen on?
From TCPDUMP(1)
-i interface
--interface=interface
Listen on interface. If unspecified, tcpdump searches the system interface
list for the lowest numbered, configured up ...