Tcpdump
About
From the tcpdump man page:
Tcpdump prints out a description of the contents of packets on a network interface that match the boolean expression; the description is preceded by a time stamp, printed, by default, as hours, minutes, seconds, and fractions of a second since midnight. It can also be run with the -w flag, which causes it to save the packet data to a file for later analysis, and/or with the -r flag, which causes it to read from a saved packet file rather than to read packets from a network interface. It can also be run with the -V flag, which causes it to read a list of saved packet files. In all cases, only packets that match expression will be processed by tcpdump.
The information provided on this page only covers a small portion of the things you can do with tcpdump, and it is recommended that you read more about it via the man page or otherwise.
Required Client Software
Linux/Unix/macOS
tcpdump is typically available as a package on most Unix and Linux variants, and it ships with macOS. You can determine whether or not tcpdump is installed by opening a terminal and running the following command (this works without root; capturing packets later will need root or an account granted capture privileges):
$ tcpdump --version
If it is not installed, please consult your distribution's package manager for instructions.
Using tcpdump
More here soon!
Cookbook
Here are some useful ways to use tcpdump.
Monitoring Remote Traffic over SSH with Wireshark
You can run tcpdump on a remote host, stream the captured packets back over SSH, and view them live in a local Wireshark instance.
Say we want to connect to example.host and watch eth0 there in Wireshark on our local system. To do that, we would run:
$ ssh root@example.host tcpdump -i eth0 -U -w - not tcp port 22 | wireshark -k -i -
Here -w - makes the remote tcpdump write raw pcap data to stdout instead of a file, -U flushes each packet as soon as it is captured (without it the stream arrives in buffered bursts and Wireshark lags behind), and wireshark -k -i - starts reading the stream from stdin immediately. tcpdump needs capture privileges on the remote host, which is why the example connects as root; an unprivileged account that has been granted capture rights works just as well.
Note the not tcp port 22 expression. Without it, the packets carrying the capture back to you are themselves captured and sent again, and that feedback loop keeps growing until the link is saturated. If you do want to see SSH traffic, replace it with a more specific expression that excludes only the session carrying the capture, for example by combining tcp port 22 with the host address you are connecting from.
Capture CDP
The Cisco Discovery Protocol (CDP) is a proprietary Data Link Layer protocol developed by Cisco Systems. It is used to share information about directly connected Cisco equipment, such as the operating system version and IP address. CDP can also be used for On-Demand Routing, which is a method of including routing information in CDP announcements so that dynamic routing protocols do not need to be used in simple networks.
This information is extremely useful, for example, to determine which device and port number a system is connected to.
To capture this information on eth0, we would use the following command:
$ tcpdump -nn -v -i eth0 -s 1500 -c 1 'ether[20:2] == 0x2000'
This listens on the interface until one CDP announcement arrives, prints it decoded, and exits. Cisco devices send CDP announcements every 60 seconds by default, so expect to wait up to a minute. The options do the following: -nn suppresses host and port name lookups, -v makes tcpdump print the decoded CDP fields (device ID, port ID, platform, addresses), -s 1500 captures the whole frame so no TLV is truncated even on older tcpdump versions whose default snapshot length cut packets short, and -c 1 stops after the first match. The filter ether[20:2] == 0x2000 tests the two bytes at frame offset 20, which in an 802.3 frame with an LLC/SNAP header is the SNAP protocol ID; 0x2000 is the ID Cisco assigns to CDP. Be aware that this is a position check, not a protocol check: in an Ethernet II IPv4 frame the same offset holds the flags/fragment-offset field, so the first fragment of a fragmented datagram (value 0x2000) also matches.
Credit goes to Steve Kehlet for this.
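As an added example (not from the original page, and not tcpdump's own code), the following Python script builds a constructed CDP announcement, applies the same test that ether[20:2] == 0x2000 performs, decodes the TLVs that tcpdump -v would print, and demonstrates the false positive on an IPv4 first fragment described above. The device name, port, platform and MAC addresses in it are made up, and the CDP checksum is left as zero rather than computed.

```python
# Added example, not code from the original page. It decodes a CDP announcement
# to show what 'ether[20:2] == 0x2000' actually tests, and why that test alone
# can match a non-CDP frame. All frames, names and addresses below are constructed.
import struct

SNAP_PID_OFFSET = 20            # 14 (802.3 header) + 3 (LLC) + 3 (SNAP OUI)
CDP_SNAP_PID = 0x2000           # SNAP protocol ID for CDP under Cisco OUI 00:00:0c
CDP_MULTICAST = bytes.fromhex("01000ccccccc")
LLC_SNAP_CISCO = bytes.fromhex("aaaa03" "00000c")   # DSAP, SSAP, control, OUI

TLV_NAMES = {0x0001: "device_id", 0x0003: "port_id",
             0x0005: "software_version", 0x0006: "platform"}


def build_cdp_frame(device_id, port_id, platform, ttl=180):
    """Assemble an 802.3/LLC/SNAP frame carrying a minimal CDPv2 announcement.
    The CDP checksum is left as zero; this example does not compute it."""
    tlvs = b""
    for tlv_type, text in ((0x0001, device_id), (0x0003, port_id), (0x0006, platform)):
        value = text.encode()
        tlvs += struct.pack("!HH", tlv_type, 4 + len(value)) + value   # length includes header
    cdp = struct.pack("!BBH", 2, ttl, 0) + tlvs                       # version 2, TTL, checksum
    payload = LLC_SNAP_CISCO + struct.pack("!H", CDP_SNAP_PID) + cdp
    src_mac = bytes.fromhex("001122334455")                            # made-up source MAC
    return CDP_MULTICAST + src_mac + struct.pack("!H", len(payload)) + payload


def build_ipv4_first_fragment():
    """Ethernet II + IPv4 header whose flags/fragment-offset word is 0x2000
    (MF set, offset 0). That word sits at frame offset 20, same as the SNAP PID."""
    eth = bytes.fromhex("ffffffffffff" "001122334455" "0800")
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 0x1234, 0x2000, 64, 17, 0,
                     bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2]))
    return eth + ip + b"\x00" * 8


def matches_tcpdump_filter(frame):
    """Python equivalent of the BPF expression 'ether[20:2] == 0x2000'."""
    return len(frame) >= 22 and struct.unpack_from("!H", frame, SNAP_PID_OFFSET)[0] == CDP_SNAP_PID


def is_cdp_frame(frame):
    """Stricter check: CDP multicast destination, LLC/SNAP with Cisco OUI, then the PID."""
    return (matches_tcpdump_filter(frame)
            and frame[:6] == CDP_MULTICAST
            and frame[14:20] == LLC_SNAP_CISCO)


def parse_cdp(frame):
    """Return version, TTL and the named TLVs from a CDP frame as a dict."""
    if not is_cdp_frame(frame):
        raise ValueError("not a CDP frame")
    off = SNAP_PID_OFFSET + 2
    version, ttl, _checksum = struct.unpack_from("!BBH", frame, off)
    off += 4
    info = {"version": version, "ttl": ttl}
    while off + 4 <= len(frame):
        tlv_type, tlv_len = struct.unpack_from("!HH", frame, off)
        if tlv_len < 4 or off + tlv_len > len(frame):
            raise ValueError("malformed TLV length")       # never trust lengths from the wire
        name = TLV_NAMES.get(tlv_type)
        if name:
            info[name] = frame[off + 4:off + tlv_len].decode("ascii", errors="replace")
        off += tlv_len
    return info


if __name__ == "__main__":
    cdp = build_cdp_frame("sw-core-1.example.net", "GigabitEthernet1/0/7", "cisco WS-C3750X-48")
    frag = build_ipv4_first_fragment()
    print("CDP frame: filter match", matches_tcpdump_filter(cdp), "/ is CDP", is_cdp_frame(cdp))
    print("IPv4 fragment: filter match", matches_tcpdump_filter(frag), "/ is CDP", is_cdp_frame(frag))
    print(parse_cdp(cdp))
```

The stricter check in is_cdp_frame is what you would want on a busy link where fragmented IPv4 traffic is common; the tcpdump equivalent is to also require the CDP multicast destination, i.e. ether dst 01:00:0c:cc:cc:cc and ether[20:2] == 0x2000.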