Packet Capture, part 2

In this segment from the O'Reilly book, Network Troubleshooting Tools, you will learn all abut how to use the tcpdump in relation to packet capturing.

By O'Reilly Press | Posted Nov 13, 2001
Page 1 of 10
Print ArticleEmail Article
  • Share on Facebook
  • Share on Twitter
  • Share on LinkedIn

Network Troubleshooting Tools
by Joseph D. Sloan

Packet Capture -- Part 2
Network Troubleshooting Tools - click to go to publisher's site

1.4. tcpdump

The tcpdump program was developed at the Lawrence Berkeley Laboratory at the University of California, Berkeley, by Van Jacobson, Craig Leres, and Steven McCanne. It was originally developed to analyze TCP/IP performance problems. A number of features have been added over time although some options may not be available with every implementation. The program has been ported to a wide variety of systems and comes preinstalled on many systems.

For a variety of reasons, tcpdump is an ideal tool to begin with. It is freely available, runs on many Unix platforms, and has even been ported to Microsoft Windows. Features of its syntax and its file format have been used or supported by a large number of subsequent programs. In particular, its capture software, libpcap, is frequently used by other capture programs. Even when proprietary programs with additional features exist, the universality of tcpdump makes it a compelling choice. If you work with a wide variety of platforms, being able to use the same program on all or most of the platforms can easily outweigh small advantages proprietary programs might have. This is particularly true if you use the programs on an irregular basis or don't otherwise have time to fully master them. It is better to know a single program well than several programs superficially. In such situations, special features of other programs will likely go unused.

Since tcpdump is text based, it is easy to run remotely using a Telnet connection. Its biggest disadvantage is a lack of analysis, but you can easily capture traffic, move it to your local machine, and analyze it with a tool like ethereal. Typically, I use tcpdump in text-only environments or on remote computers. I use ethereal in a Microsoft Windows or X Window environment and to analyze tcpdump files.

1.4.1. Using tcpdump

The simplest way to run tcpdump is interactively by simply typing the program's name. The output will appear on your screen. You can terminate the program by typing Ctrl-C. But unless you have an idle network, you are likely to be overwhelmed by the amount of traffic you capture. What you are interested in will likely scroll off your screen before you have a chance to read it.

Fortunately, there are better ways to run tcpdump. The first question is how you plan to use tcpdump. Issues include whether you also plan to use the host on which tcpdump is running to generate traffic in addition to capturing traffic, how much traffic you expect to capture, and how you will determine that the traffic you need has been captured.

There are several very simple, standard ways around the problem of being overwhelmed by data. The Unix commands tee and script are commonly used to allow a user to both view and record output from a Unix session. (Both tee and script are described in .) For example, script could be started, tcpdump run, and script stopped to leave a file that could be examined later.

The tee command is slightly more complicated since tcpdump must be placed in line mode to display output with tee. This is done with the -l option. The syntax for capturing a file with tee is:

bsd1# tcpdump -l  | tee outfile

Of course, additional arguments would probably be used.

Comment and Contribute
(Maximum characters: 1200). You have
characters left.
Get the Latest Scoop with Enterprise Networking Planet Newsletter