tcpdump – How to See Packets While Capturing with tcpdump

pcaptcpdump

How can I see traffic while I am capturing it with tcpdump.

When I use -w, it doesn't show the packets during the capture.

sudo tcpdump -i enp2s0 -w test.pcap
tcpdump: listening on enp2s0, link-type EN10MB (Ethernet), capture size 262144 bytes
^C6 packets captured
7 packets received by filter
0 packets dropped by kernel

Best Answer

So after a bit of experiment, the anwser if the following :

sudo tcpdump -i enp2s0 -U -w - | tee test.pcap | tcpdump -r -

-w - : write to standard output.

-U : write packets as soon as they arrive. Don't wait until the buffer is full.

Tee will write to the file, and tcpdump -r - read the packets from standard input.

Related Solutions

Tcpdump and dynamic dns update

Something like this seems to work for IPv4:

tcpdump 'udp[0xa] & 0x78 = 0x28'

Reasoning (offsets relative to the start of the UDP packet - probably easiest to follow along with Wireshark open):

bytes 0-7 = UDP header
bytes 8-9 = DNS transaction ID
byte 10 (0xa) = start of DNS flags

The DNS opcode is bits 3-6 (hence the mask 01111000 = 0x78) of byte 10, and for updates we want DNS opcode 5; 5 << 3 = 40 = 0x28.

Tcpdump – how to check rate of packets

capinfos is what you are looking for:

$ capinfos ddos.cap
File name:           ddos.cap
File type:           Wireshark/tcpdump/... - libpcap
File encapsulation:  Ethernet
Packet size limit:   file hdr: 65535 bytes
Number of packets:   1000000
File size:           189073212 bytes
Data size:           173073188 bytes
Capture duration:    2 seconds
Start time:          Fri Jul  5 16:35:04 2013
End time:            Fri Jul  5 16:35:07 2013
Data byte rate:      69839025.27 bytes/sec
Data bit rate:       558712202.18 bits/sec
Average packet size: 173.07 bytes
Average packet rate: 403523.08 packets/sec
SHA1:                34d758e6445061855ca4397729098f469f411fe3
RIPEMD160:           14f430231fc2962cd86ddb8edb8daf75a5d07af8
MD5:                 5893809fb02d1a20997629a9a501842b
Strict time order:   False

Pay attention to the Data bit rate.

What might help here is if someone could edit the original script above instead of capturing 2000 packets and dropping the rest, to capture all packets for a duration of lets say 5 seconds when the threshold hits.

How about this:

tcpdump -n -s0 -w $dumpdir/dump.`date +"%Y%m%d-%H%M%S"`.cap &
sleep 5 && pkill -HUP -f /usr/sbin/tcpdump

Best Answer

Related Solutions

Tcpdump and dynamic dns update

Tcpdump – how to check rate of packets

Related Topic