Wednesday, January 24, 2007

tcpdump

tcpdump is a great utility to find out what is going on with one of your network interfaces.
You can either run it and dump the output straight to the screen for basic monitoring, or run it and dump into a file that you then open with an application such as Ethereal.

To dump to screen, you can just run:
#tcpdump -i eth0
(use -n to prevent DNS lookups)

To dump to a file, skip DNS resolution, and capture more than 96 bytes per packet:
#tcpdump -i eth0 -w mycapture.cap -s 2048 -n

The "-s" flag (the snapshot length, or snaplen) is important if you are tracking application protocols such as HTTP and want to see the full request and response. The default is 96 bytes, which is pretty much just the headers, so more often than not you will want to increase it.
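As an added example (not part of the original post, and not tcpdump's own code), here is a small Python parser for the capture file that `tcpdump -w` writes. It reads the snaplen from the file header and compares each packet's captured length with its on-wire length, which is exactly the information you need to tell whether a capture was cut short by too small a "-s". The capture it parses is constructed in memory, so the script runs without tcpdump, root, or a network interface; the helper names `build_sample_pcap` and `truncation_summary` are mine, and the timestamps and frame contents are dummy values.

```python
import struct

# pcap magic numbers as read little-endian from the first 4 bytes of the file
MAGIC_USEC_LE = 0xA1B2C3D4   # little-endian file, microsecond timestamps (tcpdump -w on x86)
MAGIC_USEC_BE = 0xD4C3B2A1   # the same magic seen from a big-endian file
MAGIC_NSEC_LE = 0xA1B23C4D   # little-endian file, nanosecond timestamps
MAGIC_NSEC_BE = 0x4D3CB2A1

GLOBAL_HDR = 24   # magic, version major/minor, thiszone, sigfigs, snaplen, linktype
RECORD_HDR = 16   # ts_sec, ts_frac, incl_len (caplen), orig_len


def parse_pcap(data):
    """Parse a classic libpcap capture (the format `tcpdump -w` writes).

    Returns (snaplen, linktype, records); each record holds the timestamp in
    seconds, the bytes actually stored (caplen), the length on the wire
    (origlen), whether the snaplen cut the packet short, and the stored bytes.
    """
    if len(data) < GLOBAL_HDR:
        raise ValueError("shorter than a pcap global header")
    magic = struct.unpack("<I", data[:4])[0]
    if magic in (MAGIC_USEC_LE, MAGIC_NSEC_LE):
        endian = "<"
    elif magic in (MAGIC_USEC_BE, MAGIC_NSEC_BE):
        endian = ">"
    else:
        raise ValueError("not a classic pcap file (magic 0x%08x)" % magic)
    frac_div = 1e9 if magic in (MAGIC_NSEC_LE, MAGIC_NSEC_BE) else 1e6

    _magic, vmaj, vmin, _tz, _sig, snaplen, linktype = struct.unpack(
        endian + "IHHiIII", data[:GLOBAL_HDR])
    if (vmaj, vmin) != (2, 4):
        raise ValueError("unsupported pcap version %d.%d" % (vmaj, vmin))

    records = []
    off = GLOBAL_HDR
    while off + RECORD_HDR <= len(data):
        ts_sec, ts_frac, caplen, origlen = struct.unpack(
            endian + "IIII", data[off:off + RECORD_HDR])
        off += RECORD_HDR
        if off + caplen > len(data):
            # record claims more bytes than the file holds: truncated/corrupt file
            raise ValueError("corrupt record at offset %d" % (off - RECORD_HDR))
        records.append({
            "ts": ts_sec + ts_frac / frac_div,
            "caplen": caplen,
            "origlen": origlen,
            "truncated": caplen < origlen,
            "payload": data[off:off + caplen],
        })
        off += caplen
    return snaplen, linktype, records


def truncation_summary(data):
    """Count packets cut short by the snaplen; those are the ones whose
    HTTP request or response body will be missing when you open the file."""
    snaplen, _linktype, records = parse_pcap(data)
    truncated = [r for r in records if r["truncated"]]
    return {
        "snaplen": snaplen,
        "packets": len(records),
        "truncated": len(truncated),
        "largest_on_wire": max((r["origlen"] for r in records), default=0),
    }


def build_sample_pcap(snaplen, wire_lengths, endian="<"):
    """Constructed capture: mimic what `tcpdump -w` would store for frames
    of the given on-wire lengths under the given snaplen. Frame bytes and
    timestamps are dummy values, not real traffic."""
    out = struct.pack(endian + "IHHiIII", MAGIC_USEC_LE, 2, 4, 0, 0, snaplen, 1)  # linktype 1 = Ethernet
    for i, origlen in enumerate(wire_lengths):
        caplen = min(origlen, snaplen)          # this is what the snaplen does
        out += struct.pack(endian + "IIII", 1169596800 + i, 0, caplen, origlen)
        out += b"\xaa" * caplen
    return out


if __name__ == "__main__":
    # A 60-byte ARP-sized frame, two full-size 1514-byte frames (an HTTP
    # response), and a 200-byte frame, captured with the old 96-byte default.
    frames = [60, 1514, 1514, 200]
    print(truncation_summary(build_sample_pcap(96, frames)))
    # The same traffic captured with -s 2048: nothing is cut short.
    print(truncation_summary(build_sample_pcap(2048, frames)))
```

Run against a real file with `truncation_summary(open("mycapture.cap", "rb").read())`; a non-zero "truncated" count with a small "snaplen" tells you to recapture with a larger "-s" before trying to follow an HTTP conversation in Ethereal.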

Press Ctrl+C to end the capture.
I find that the best tool to then analyze the capture is Ethereal.

Happy capturing.