sol411: Overview of packet tracing with the tcpdump utility
Overview

Original Publication Date: 05/16/2007
Updated Date: 07/16/2014

 

Running the tcpdump utility
    Selecting an Interface or VLAN
    Disabling name resolution
Saving tcpdump output to a file
    Binary file
    Text file
Reading tcpdump binary file output
Filters
    Filtering on a host address
    Filtering on a port
    Filtering on a tcp flag
    Combining filters with the and operator
Capturing packet data
Suppressing hostname and port resolution
Combining tcpdump options
Advanced tcpdump topics
Supplemental information

The tcpdump utility is a command line packet sniffer with many features and options. For a full description, refer to the tcpdump man pages by typing the following command:

man tcpdump

Running the tcpdump utility

Following are examples of commands used to run the tcpdump utility:

Selecting an Interface or VLAN

The tcpdump utility sniffs packets on only one interface or VLAN at a time. If you do not specify one, it selects the lowest numbered interface, so name the interface or VLAN you want explicitly.

To select an interface, use the -i flag, as follows:

tcpdump -i <interface>

For example:

To tcpdump a specific interface:

tcpdump -i 2.1

tcpdump -i 1.10

To tcpdump a specific vlan:

tcpdump -i internal

tcpdump -i external

To tcpdump the management interface:

tcpdump -i eth0

Note:  Do not attempt to run tcpdump on an interface whose name contains a colon, such as the following alias of the management interface.

For example: 

eth0:mgmt

Disabling name resolution

By default, tcpdump attempts to look up IP addresses and use names, rather than numbers, in the output. The BIG-IP system must wait for a response from the DNS server for each lookup, so the lookups can be time consuming and the output may be confusing.

To disable name resolution, use the -n flag as in the following examples:

tcpdump -n

tcpdump -ni internal

Saving tcpdump output to a file

You can save the tcpdump data to one of the following file formats:

  • A binary file that contains all the information collected by the tcpdump and is readable by the tcpdump utility as well as many other traffic analysis packages.
  • A text file that contains a subset of the full tcpdump data, but is readable only as plain text.

When working with F5 Technical Support, you must provide the tcpdump output in the binary file format.

Binary file

To save the tcpdump output to a binary file, type the following command:

tcpdump -w <filename>

For example:

tcpdump -w dump1.bin

Note: While writing to a file, the tcpdump utility does not print decoded packets to the screen. To stop the capture, press CTRL-C; tcpdump then reports only how many packets were captured, received by the filter, and dropped by the kernel.

Text file

To save the tcpdump output to a text file, type the following command:

tcpdump > <filename>

For example:

tcpdump > dump1.txt

Reading tcpdump binary file output

To read data from a binary tcpdump file (that you saved by using the tcpdump -w command), type the following command:

tcpdump -r <filename>

For example:

tcpdump -r dump1.bin

In this mode, the tcpdump utility reads stored packets from the file, but otherwise operates just as it would if it were reading from the network interface. As a result, you can use formatting commands and filters.

Beginning in BIG-IP 11.2.0-HF3, 11.2.1-HF3, and 11.3.0, a pseudo header which includes the following parameters is added to the start of each binary tcpdump capture:

  • The tcpdump command syntax used, including all options
  • Version of software
  • Hostname of the system
  • Platform ID
  • Product

Filters

The tcpdump utility allows you to use filters to, among other things, restrict the output to specified addresses, ports, and tcp flags.

Filtering on a host address

  • To view all packets that are traveling to or from a specific IP address, type the following command:

    tcpdump host <IP address>

    For example:

    tcpdump host 10.90.100.1

  • To view all packets that are traveling from a specific IP address, type the following command:

    tcpdump src host <IP address>

    For example:

    tcpdump src host 10.90.100.1

  • To view all packets that are traveling to a particular IP address, type the following command:

    tcpdump dst host <IP address>

    For example:

    tcpdump dst host 10.90.100.1

Filtering on a port

  • To view all packets that are traveling through the BIG-IP system and are either sourced from or destined to a specific port, type the following command:

    tcpdump port <port number>

    For example:

    tcpdump port 80

  • To view all packets that are traveling through the BIG-IP system and sourced from a specific port, type the following command:

    tcpdump src port <port number>

    For example:

    tcpdump src port 80

  • To view all packets that are traveling through the BIG-IP system and destined to a specific port, type the following command:

    tcpdump dst port <port number>

    For example:

    tcpdump dst port 80

Filtering on a tcp flag

  • To view all packets that are traveling through the BIG-IP system that contain the SYN flag, type the following command:

    tcpdump 'tcp[tcpflags] & (tcp-syn) != 0'

  • To view all packets that are traveling through the BIG-IP system that contain the RST flag, type the following command:

    tcpdump 'tcp[tcpflags] & (tcp-rst) != 0'

Combining filters with the 'and' operator

You can use the and operator to filter for a mixture of output.

Following are some examples of useful combinations:

tcpdump host 10.90.100.1 and port 80

tcpdump src host 172.16.101.20 and dst port 80

tcpdump src host 172.16.101.20 and dst host 10.90.100.1
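The filters above are BPF expressions that tcpdump evaluates against the decoded IP and TCP headers of every packet. The following Python script is an added example, not part of the original F5 article: it builds a handful of Ethernet/IPv4/TCP frames in memory (constructed sample traffic using the article's addresses), decodes them with the standard library, and re-implements the host, port and tcpflags primitives plus the and operator, so you can see exactly which frames each expression selects. The flags byte it tests is TCP header byte 13, which is what tcp[tcpflags] indexes in the expressions above.

```python
"""Model of the tcpdump/BPF filter primitives used in this article.

Added example, not F5 code: the frames below are constructed sample data and
the filter functions mirror tcpdump's semantics (host = src or dst, port =
src or dst port, 'tcp[tcpflags] & (flag) != 0' = any of the flag bits set).
"""
import socket
import struct

# TCP flag bits, named as tcpdump names them (tcp-fin, tcp-syn, tcp-rst, tcp-push, tcp-ack)
TCP_FIN, TCP_SYN, TCP_RST, TCP_PUSH, TCP_ACK = 0x01, 0x02, 0x04, 0x08, 0x10


def build_frame(src, dst, sport, dport, flags, payload=b""):
    """Build an Ethernet II + IPv4 + TCP frame (checksums left zero; fine for decoding)."""
    eth = b"\x00\x01\x02\x03\x04\x05" + b"\x00\x0a\x0b\x0c\x0d\x0e" + b"\x08\x00"
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, flags, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    return eth + ip + tcp


def decode_frame(frame):
    """Return the fields the filters look at, or None for non-IPv4 frames (ARP, etc.)."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        return None
    ihl = (frame[14] & 0x0F) * 4
    fields = {"src": socket.inet_ntoa(frame[26:30]),
              "dst": socket.inet_ntoa(frame[30:34]),
              "proto": frame[23]}
    if fields["proto"] == 6 and len(frame) >= 14 + ihl + 14:
        tcp = frame[14 + ihl:]
        fields["sport"], fields["dport"] = struct.unpack("!HH", tcp[:4])
        fields["tcpflags"] = tcp[13]          # the byte tcpdump calls tcp[tcpflags]
    return fields


# Each primitive returns a predicate over the decoded fields.
def host(ip):      return lambda p: ip in (p["src"], p["dst"])
def src_host(ip):  return lambda p: p["src"] == ip
def dst_host(ip):  return lambda p: p["dst"] == ip
def port(n):       return lambda p: n in (p.get("sport"), p.get("dport"))
def src_port(n):   return lambda p: p.get("sport") == n
def dst_port(n):   return lambda p: p.get("dport") == n


def tcp_flag(mask):
    """'tcp[tcpflags] & (mask) != 0': matches TCP packets with any bit of mask set."""
    return lambda p: p["proto"] == 6 and (p.get("tcpflags", 0) & mask) != 0


def both(*preds):
    """The 'and' operator: every sub-expression must match."""
    return lambda p: all(f(p) for f in preds)


def apply_filter(pred, frames):
    """Indices of the frames the filter passes, i.e. the ones tcpdump would print."""
    hits = []
    for i, frame in enumerate(frames):
        fields = decode_frame(frame)
        if fields is not None and pred(fields):
            hits.append(i)
    return hits


# Constructed sample traffic: client 172.16.101.20 talking to virtual server 10.90.100.1:80
SAMPLE = [
    build_frame("172.16.101.20", "10.90.100.1", 40001, 80, TCP_SYN),                 # 0 SYN
    build_frame("10.90.100.1", "172.16.101.20", 80, 40001, TCP_SYN | TCP_ACK),       # 1 SYN/ACK
    build_frame("172.16.101.20", "10.90.100.1", 40001, 80, TCP_ACK),                 # 2 ACK
    build_frame("172.16.101.20", "10.90.100.1", 40001, 80, TCP_PUSH | TCP_ACK,
                b"GET / HTTP/1.0\r\n\r\n"),                                          # 3 request
    build_frame("10.90.100.1", "172.16.101.20", 80, 40001, TCP_RST | TCP_ACK),       # 4 server reset
    build_frame("192.0.2.7", "10.90.100.1", 5000, 443, TCP_SYN),                     # 5 unrelated client
    b"\xff" * 6 + b"\x00" * 6 + b"\x08\x06" + b"\x00" * 28,                          # 6 ARP, never matches
]

if __name__ == "__main__":
    expressions = {
        "host 10.90.100.1": host("10.90.100.1"),
        "src host 172.16.101.20": src_host("172.16.101.20"),
        "port 80": port(80),
        "tcp[tcpflags] & (tcp-syn) != 0": tcp_flag(TCP_SYN),
        "tcp[tcpflags] & (tcp-rst) != 0": tcp_flag(TCP_RST),
        "src host 172.16.101.20 and dst port 80": both(src_host("172.16.101.20"), dst_port(80)),
    }
    for text, pred in expressions.items():
        print("%-40s -> frames %s" % (text, apply_filter(pred, SAMPLE)))
```

Note that host and port match either direction, which is why the SYN/ACK and the RST sent by the server appear under port 80 even though the client originated the connection; use src or dst when you need one direction only.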

Capturing packet data

The tcpdump utility provides the -s (snarf/snaplen) option to specify how many bytes of each packet to capture. By default only the beginning of each packet is kept (68 or 96 bytes, depending on the tcpdump version), which covers the headers but truncates most of the payload, so a capture taken with the default will show little or no application data.

To capture the entire packet, use a value of 0 (zero).

For example:

tcpdump -s0 src host 172.16.101.20 and dst port 80

Alternatively, you can specify a length large enough to capture the packet data you need to examine.

For example:

tcpdump -s200 src host 172.16.101.20 and dst port 80

If you are examining the output on the console during capture, or reading a saved file with the -r option, add the -X flag to print each packet's contents in hex with the ASCII decoding alongside (the default output shows only the decoded headers, and -x prints hex only). The -X flag can show only the bytes that were actually captured, so it is most useful together with -s0 or a snaplen large enough for the data you need.

For example:

tcpdump -r dump1.bin -X src host 172.16.101.20 and dst port 80
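Reading a binary file with -r and choosing a snaplen with -s both turn on the same detail of the file format: each record in a tcpdump binary file stores the number of bytes actually captured next to the packet's length on the wire, so the file itself reveals whether data was truncated. The following Python script is an added example, not part of the F5 article. It writes a small pcap file to memory the way tcpdump -w would for a given -s value, reads it back the way tcpdump -r does, and reports which packets lost data. The packets and the HTTP request inside them are constructed sample data, and the 65535 value it records for -s0 is an assumption about what the tcpdump versions of this era wrote in the file header.

```python
"""Detect a truncated tcpdump capture by comparing caplen with the on-wire length.

Added example, not F5 code. write_pcap() mimics what 'tcpdump -w file -s <n>'
stores, read_pcap() parses it as 'tcpdump -r file' would, and the sample
packets are constructed data. Standard library only; nothing touches the network.
"""
import struct

PCAP_MAGIC = 0xA1B2C3D4     # native-endian pcap, microsecond timestamps
LINKTYPE_ETHERNET = 1
S0_SNAPLEN = 65535          # assumed value tcpdump of this era writes for -s0


def write_pcap(snaplen, packets):
    """Store each (timestamp, frame) pair, keeping at most snaplen bytes; -s0 keeps all."""
    header_snaplen = snaplen if snaplen else S0_SNAPLEN
    out = struct.pack("=IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, header_snaplen, LINKTYPE_ETHERNET)
    for ts, frame in packets:
        captured = frame[:header_snaplen]
        # record header: ts_sec, ts_usec, captured length, original length on the wire
        out += struct.pack("=IIII", ts, 0, len(captured), len(frame)) + captured
    return out


def read_pcap(data):
    """Return (snaplen, linktype, [(caplen, origlen, bytes), ...]); rejects non-pcap input."""
    if len(data) < 24:
        raise ValueError("too short to be a pcap file")
    magic, _, _, _, _, snaplen, linktype = struct.unpack("=IHHiIII", data[:24])
    if magic != PCAP_MAGIC:
        raise ValueError("unexpected magic 0x%08x (not a native-endian pcap file)" % magic)
    records, off = [], 24
    while off + 16 <= len(data):
        _, _, caplen, origlen = struct.unpack("=IIII", data[off:off + 16])
        off += 16
        records.append((caplen, origlen, data[off:off + caplen]))
        off += caplen
    return snaplen, linktype, records


def check_capture(data):
    """Summarise truncation: the first thing to check before sending a capture to support."""
    snaplen, _, records = read_pcap(data)
    truncated = [i for i, (caplen, origlen, _) in enumerate(records) if caplen < origlen]
    return {"snaplen": snaplen, "packets": len(records),
            "truncated": truncated, "full_capture": not truncated}


def captured_payload(data, index):
    """The bytes actually stored for one record (all that 'tcpdump -r -X' could ever show)."""
    return read_pcap(data)[2][index][2]


# Constructed sample traffic. Header bytes are placeholders; only the lengths matter here.
HEADERS = bytes(54)                       # Ethernet (14) + IPv4 (20) + TCP (20)
HTTP_REQUEST = (b"GET /login HTTP/1.1\r\nHost: www.example.com\r\n"
                b"User-Agent: constructed-sample/1.0\r\n"
                b"Cookie: session=0123456789abcdef\r\n\r\n")
SAMPLE_PACKETS = [
    (1, bytes(74)),                       # SYN with TCP options
    (2, bytes(1514)),                     # full-size data segment
    (3, HEADERS + HTTP_REQUEST),          # 170 bytes: the request whose headers we want
]


def truncation_report(snaplen):
    """Run the check over the sample traffic as if captured with -s <snaplen>."""
    return check_capture(write_pcap(snaplen, SAMPLE_PACKETS))


if __name__ == "__main__":
    for s in (96, 200, 0):
        r = truncation_report(s)
        print("-s%-3d header snaplen=%5d packets=%d truncated=%s"
              % (s, r["snaplen"], r["packets"], r["truncated"]))
```

With the default-sized -s96 the Cookie header of the request never reaches the file, with -s200 the whole request is kept but the full-size segment is still cut, and with -s0 nothing is truncated; checking the report before handing a capture to F5 Technical Support avoids a second round trip.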

Suppressing hostname and port resolution

The tcpdump utility provides an option that allows you to specify whether IP addresses and service ports are translated to their corresponding hostnames and service names.

Since performing multiple name lookups during a packet capture may be resource intensive, you should disable name resolution while capturing on a busy system using the -n option.

For example:

tcpdump -n src host 172.16.101.20 and dst port 80

Service port lookups incur less overhead than DNS-based name resolutions, but still are usually unnecessary while performing a capture. You can disable both name and service port resolution while performing a capture, by using the -nn option.

For example:

tcpdump -nn src host 172.16.101.20 and dst port 80

Combining tcpdump options

This article contains the most essential tcpdump options. You will generally need to use most of the options in combination.

Following are examples of how to combine the tcpdump options to provide the most meaningful output:

tcpdump -ni internal -w dump1.bin

tcpdump -nr dump1.bin host 10.90.100.1

The -i option is not needed when reading from a file with -r; tcpdump ignores it.

tcpdump -ni 2.1 host 10.90.100.1 and port 80

tcpdump -ni 1.10 src host 172.16.101.20 and dst port 80 >dump1.txt

tcpdump -s200 -nni eth0 -w /var/tmp/mgmt.cap dst host 172.16.101.20 and dst port 162

The -X option has no effect while writing to a file with -w, because nothing is printed; use it when reading the file back with -r.

Advanced tcpdump topics

The following articles cover advanced tcpdump topics:

Supplemental information
