All Questions

1 vote, 0 answers, 142 views

tcpdump is not available when extracting packet features in Windows

I have been trying to extract statistical features from a packet (pcap) using pyflowmeter but I keep on getting a traceback error that: 'scapy.error.Scapy_Exception: tcpdump is not available'. I know ...
asked by Nehal Ahmed
1 vote, 1 answer, 503 views

Filtering for QUIC Client Hello packets with tcpdump

I am able to filter for Client Hello messages for TLS on TCP with the following: (tcp[((tcp[12] & 0xf0) >> 2)] = 0x16) && (tcp[((tcp[12] & 0xf0) >> 2) + 5] = 0x01) https://...
asked by Geeson
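What the filter in this question actually evaluates, as an added example in Python (not code from the question or from tcpdump): it mirrors the two-term BPF expression byte-for-byte on a constructed TCP segment, and shows the UDP-side test that can select QUIC v1 Initial packets, with the caveat that the QUIC ClientHello sits inside the protected payload and cannot be matched at a fixed offset. The ports, TLS record bytes and option bytes below are constructed.

```python
"""Added example: what the tcpdump ClientHello filter in the question computes.

tcp[12] holds the TCP data offset (header length in 32-bit words) in its upper
nibble, so (tcp[12] & 0xf0) >> 2 is the header length in bytes, i.e. the index
of the first payload byte. Byte 0 of a TLS record is the content type
(0x16 = handshake) and byte 5 is the handshake message type (0x01 = ClientHello).
"""
import struct

TLS_HANDSHAKE = 0x16
HS_CLIENT_HELLO = 0x01


def tcp_payload_offset(segment: bytes) -> int:
    """Mirror (tcp[12] & 0xf0) >> 2: TCP header length in bytes, options included."""
    return (segment[12] & 0xF0) >> 2


def is_tls_client_hello(segment: bytes) -> bool:
    """Python equivalent of the two-term BPF expression, applied to one TCP segment.

    BPF yields false when an indexed byte lies past the end of the packet, so the
    length check reproduces that for pure ACKs and short segments.
    """
    off = tcp_payload_offset(segment)
    if off < 20 or len(segment) < off + 6:
        return False
    return segment[off] == TLS_HANDSHAKE and segment[off + 5] == HS_CLIENT_HELLO


def is_quic_v1_initial(udp_payload: bytes) -> bool:
    """QUIC runs over UDP, so the analogous tcpdump test is on udp[8], the first payload byte.

    Long header form bit (0x80), fixed bit (0x40) and packet type 00 (Initial) give
    udp[8] & 0xf0 = 0xc0; bytes udp[9:4] carry the version (1 for QUIC v1). The
    ClientHello itself sits in CRYPTO frames inside the AEAD-protected Initial
    payload, so no fixed-offset byte test can see 0x16 / 0x01 there: this only
    selects Initial packets (from either endpoint) for later decryption with the
    Initial keys derived from the Destination Connection ID.
    """
    if len(udp_payload) < 5:
        return False
    version = struct.unpack_from("!I", udp_payload, 1)[0]
    return (udp_payload[0] & 0xF0) == 0xC0 and version == 1


def make_tcp_segment(payload: bytes, options: bytes = b"") -> bytes:
    """Constructed TCP header (PSH|ACK) plus options and payload; checksum left zero."""
    if len(options) % 4:
        raise ValueError("TCP options must be padded to a multiple of 4 bytes")
    data_offset_words = (20 + len(options)) // 4
    header = struct.pack(
        "!HHIIBBHHH",
        50000, 443,               # source port, destination port
        1, 1,                     # sequence and acknowledgement numbers
        data_offset_words << 4,   # byte 12: data offset in the upper nibble
        0x18,                     # flags PSH|ACK
        65535, 0, 0,              # window, checksum, urgent pointer
    )
    return header + options + payload


# Constructed sample records: header bytes are realistic, lengths are illustrative.
CLIENT_HELLO = bytes([0x16, 0x03, 0x01, 0x00, 0x05, 0x01, 0x00, 0x00, 0x01, 0x00])
SERVER_HELLO = bytes([0x16, 0x03, 0x03, 0x00, 0x05, 0x02, 0x00, 0x00, 0x01, 0x00])
APP_DATA = bytes([0x17, 0x03, 0x03, 0x00, 0x01, 0x00])
# NOP, NOP, Timestamps (kind 8, len 10) padded to 12 bytes: the "TS val ... ecr ..." options.
TS_OPTIONS = b"\x01\x01\x08\x0a" + b"\x00" * 8
QUIC_INITIAL = b"\xc0\x00\x00\x00\x01" + b"\x00" * 20   # long header, type Initial, version 1

if __name__ == "__main__":
    print(is_tls_client_hello(make_tcp_segment(CLIENT_HELLO, TS_OPTIONS)))  # True
    print(is_tls_client_hello(make_tcp_segment(SERVER_HELLO)))              # False
    print(is_tls_client_hello(make_tcp_segment(b"")))                       # False: pure ACK
    print(is_quic_v1_initial(QUIC_INITIAL))                                 # True
```

The bounds check matters in practice: the same expression in tcpdump silently drops segments too short to index, which is why a pure ACK never matches even though its tcp[12] is valid.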
2 votes, 0 answers, 426 views

Why can't we make tcpdump not stop/exit when the interface it is capturing on is brought down?

If tcpdump is started with -i <specific_interface_name>, it exits if that interface is brought down. However, if it is started with the "-i any" option, it doesn't stop if wlanX/ethX interfaces are ...
asked by Vaibhav S
0 votes, 2 answers, 898 views

Capture network traffic and send it to a remote machine

I am trying to capture network traffic with tcpdump from a machine in the network and send each packet over the network to another device. I cannot save the packets captured by tcpdump in a file, ...
asked by Firouziam
-2 votes, 1 answer, 275 views

tcpdump: difference between "ip host hostname" and "ip and host hostname"

In tcpdump, what is the difference between the following two commands? I tried to understand but they seem pretty much the same to me. tcpdump ip host google.com and tcpdump ip and host google.com
asked by testermaster
1 vote, 2 answers, 1k views

Azure Functions: Collect Network Trace for a Linux app

TL;DR: What can I do to capture packets when the "Collect Network Trace" facility is not available? I have an Azure Function App running on a Linux App Service plan, which is seeing some ...
asked by Khior
1 vote, 1 answer, 459 views

Read data from a PCAP and print details when conditions are met

I have an assignment to read packets from a file and output the details of those packets having the Don't Fragment (DF) flag set in the IP header and the SYN and ACK flags set (together) in the TCP header (all the ...
asked by pooja sankpal
0 votes, 1 answer, 2k views

Apply a filter which reads all traffic apart from DNS and TCP using tcpdump

I tried these commands: 1. tcpdump -r bpf-pcap.pcapng -w op2.txt proto not dns and not tcp 2. tcpdump -r bpf-pcap.pcapng -w op2.txt proto not dns and tcp None of these are correct. I also checked the ...
asked by MONIKA KUMARI
2 votes, 1 answer, 873 views

Packets getting dropped with libpcap in C on 1 Gig traffic

I'm writing a packet parser in C using the libpcap library. Here is the simple code: int main(int argc, char *argv[]) { pcap_t *pcap; const unsigned char *packet; char errbuf[PCAP_ERRBUF_SIZE]...
asked by Alamgir Qazi
0 votes, 1 answer, 1k views

FreeBSD - tcpdump - filtering a certain UDP port [closed]

I'm using FreeBSD 10.4. What argument can I use in tcpdump to match only a certain UDP port? Is it the -i parameter? This is what I already reviewed: https://www.freebsd.org/cgi/man.cgi?tcpdump(1)#end
asked by Zarkos.Fina
1 vote, 0 answers, 1k views

Why does tcpdump on the loopback interface only capture half the packets received by the filter?

I am trying to understand why, when using tcpdump on the loopback interface, only half of the packets received by the filter are captured. But when I run the exact same traffic and do tcpdump on the ...
asked by Dave
0 votes, 0 answers, 436 views

Tcpdump dynamic filter based on length

I'm trying to capture all DHCP Discover packets that don't end with ff, which should be the last byte of a correct BOOTP request. I can filter all DHCP Discover by using the correct offset ether[284:1] ...
asked by Skylo02
1 vote, 1 answer, 9k views

How to read packets from a .pcap file without using any software

I captured packets using the tcpdump -i {interface} -w file.pcap command and I want to read the packets in a human-readable form. How do I do that? How do I read a .pcap file just using a shell script? Or ...
asked by shashank
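A pcap written by tcpdump -w is a simple binary format, so it can be read with nothing more than the standard library. The following is an added example (Python, not code from either question) serving both this question and the assignment question above ("Read data from a PCAP and print details when conditions are met"): a minimal libpcap-format reader that copes with both byte orders and the nanosecond magic, plus the Don't Fragment AND SYN+ACK test decoded from Ethernet/IPv4/TCP headers. The capture it parses, and the addresses and ports in it, are constructed in memory.

```python
"""Added example: reading a libpcap-format .pcap without tcpdump or Wireshark.

The file is a 24-byte global header (magic, version, timezone, sigfigs, snaplen,
link type) followed by records, each a 16-byte header (seconds, sub-seconds,
captured length, original length) plus the raw frame. Decoding Ethernet/IPv4/TCP
from the frame then answers the assignment above: packets with the IPv4 Don't
Fragment bit set AND TCP SYN and ACK both set. Capture and addresses are constructed.
"""
import struct
from dataclasses import dataclass
from typing import Iterator, List, Optional

# Magic read little-endian from the first 4 bytes -> (struct byte order, ns per sub-second unit)
PCAP_MAGICS = {
    0xA1B2C3D4: ("<", 1_000),  # little-endian file, microsecond timestamps
    0xD4C3B2A1: (">", 1_000),  # big-endian file, microsecond timestamps
    0xA1B23C4D: ("<", 1),      # little-endian file, nanosecond timestamps
    0x4D3CB2A1: (">", 1),      # big-endian file, nanosecond timestamps
}
LINKTYPE_ETHERNET = 1
ETHERTYPE_IPV4 = 0x0800
IP_PROTO_TCP = 6
IP_DF = 0x4000                 # Don't Fragment bit of the IPv4 flags/fragment-offset field
TCP_SYN, TCP_ACK = 0x02, 0x10


@dataclass
class Record:
    ts_ns: int
    frame: bytes
    orig_len: int


def read_pcap(data: bytes) -> Iterator[Record]:
    """Yield records from pcap file bytes, handling both byte orders and the ns magic."""
    (magic,) = struct.unpack_from("<I", data, 0)
    if magic not in PCAP_MAGICS:
        raise ValueError(f"not a libpcap file (magic {magic:#x}); pcapng needs another reader")
    endian, sub_ns = PCAP_MAGICS[magic]
    linktype = struct.unpack_from(endian + "HHiIII", data, 4)[5]
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError(f"unsupported link type {linktype}")
    pos = 24
    while pos + 16 <= len(data):
        sec, sub, incl, orig = struct.unpack_from(endian + "IIII", data, pos)
        pos += 16
        frame = data[pos:pos + incl]
        if len(frame) < incl:
            break                      # truncated final record (capture killed mid-write)
        pos += incl
        yield Record(sec * 1_000_000_000 + sub * sub_ns, frame, orig)


def df_synack(frame: bytes) -> Optional[str]:
    """Return 'src:sport > dst:dport' when IPv4 DF and TCP SYN+ACK are all set, else None."""
    if len(frame) < 34 or struct.unpack_from("!H", frame, 12)[0] != ETHERTYPE_IPV4:
        return None
    ip = frame[14:]
    if ip[0] >> 4 != 4 or ip[9] != IP_PROTO_TCP:          # version nibble; ip[9] is the protocol
        return None
    if not struct.unpack_from("!H", ip, 6)[0] & IP_DF:    # ip[6:2]: flags + fragment offset
        return None
    tcp = ip[(ip[0] & 0x0F) * 4:]                          # skip IHL*4 header bytes
    if len(tcp) < 14 or tcp[13] & (TCP_SYN | TCP_ACK) != TCP_SYN | TCP_ACK:  # tcp[13]: flags
        return None
    sport, dport = struct.unpack_from("!HH", tcp, 0)
    src, dst = (".".join(map(str, ip[i:i + 4])) for i in (12, 16))
    return f"{src}:{sport} > {dst}:{dport}"


def matching_flows(pcap_bytes: bytes) -> List[str]:
    return [m for rec in read_pcap(pcap_bytes) if (m := df_synack(rec.frame))]


def make_frame(src: str, dst: str, sport: int, dport: int, tcp_flags: int, df: bool) -> bytes:
    """Constructed Ethernet/IPv4/TCP frame; checksums are left zero."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, tcp_flags, 65535, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, IP_DF if df else 0, 64,
                     IP_PROTO_TCP, 0, bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return bytes.fromhex("001122334455" "66778899aabb") + struct.pack("!H", ETHERTYPE_IPV4) + ip + tcp


def make_pcap(frames: List[bytes], endian: str = "<") -> bytes:
    """Constructed pcap file; the magic is written in the file's own byte order."""
    out = struct.pack(endian + "IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for i, f in enumerate(frames):
        out += struct.pack(endian + "IIII", 1_700_000_000 + i, 0, len(f), len(f)) + f
    return out


SAMPLE = make_pcap([
    make_frame("10.0.0.1", "10.0.0.2", 40000, 443, TCP_SYN, df=True),             # SYN only
    make_frame("10.0.0.2", "10.0.0.1", 443, 40000, TCP_SYN | TCP_ACK, df=True),   # matches
    make_frame("10.0.0.2", "10.0.0.1", 443, 40001, TCP_SYN | TCP_ACK, df=False),  # no DF
])

if __name__ == "__main__":
    print(matching_flows(SAMPLE))   # ['10.0.0.2:443 > 10.0.0.1:40000']
```

The same test written as a tcpdump filter is ip[6] & 0x40 != 0 and tcp[13] & 0x12 = 0x12; the reader above is what a shell script cannot easily do, because the record headers are raw little- or big-endian integers.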
2 votes, 0 answers, 774 views

Tcpdump ctrl-c SIGINT in Android terminal emulator is not working

I run tcpdump on my Android phone using the "Terminal Emulator" app. My phone is rooted. I run tcpdump to sniff my wlan0 interface with #tcpdump -i wlan0. I have a problem with how to end the tcpdump ...
asked by saesaria
0 votes, 0 answers, 1k views

tcpdump capture stops after 10 minutes

I'm trying to capture all my networking with tcpdump. I'm using tcpdump -i {} -W 5 -C 10 -w capfile. After 10 minutes (+-) the capture stopped for some reason, and tcpdump is still running. Maybe ...
asked by John B. Burns
0 votes, 1 answer, 596 views

tcpdump: server-client communication

I'm capturing the communication between a server and a client with tcpdump -X. I noticed a pattern and I'm not sure I fully understand it. In the following I have replaced all the header data (IP and ...
asked by user3182532
1 vote, 1 answer, 435 views

How to filter tcpdump results by keeping socket recv() data only?

As is known, the result of a TCP packet capture consists of packets that may be retransmissions, out of order and so on, which will be filtered and rearranged by the network stack, and the application ...
asked by alexzzp
0 votes, 1 answer, 553 views

How to determine the type of data exchanged between client and server from tcpdump output

I have been working on a server project and sniffing the packet exchange between the client and the server with tcpdump. I am having a little problem figuring out / interpreting the output of tcpdump. I ...
asked by Seek Addo
0 votes, 1 answer, 596 views

Trying to understand packets captured with tcpdump

So I have intercepted a packet being sent from my Android device to an app's server. I want to understand what my phone is sending to the server. I have rooted the phone and installed tcpdump on it. I ...
asked by Matt Gardner
0 votes, 1 answer, 2k views

Tcpdump - counting outgoing and incoming UDP packets

Is it possible with tcpdump to count (for some set-up time) the number of outgoing and incoming UDP packets? I don't have much experience with tcpdump, so advice on how to do that would be very ...
asked by Ziva
6 votes, 1 answer, 13k views

What's the meaning of the "ecr" option in tcpdump?

19:25:47.629351 IP 2.2.2.2.80 > 1.1.1.1.31889: Flags [.], seq 2372487272:2372492544, ack 2808407165, win 122, options [nop,nop,TS val 911640439 ecr 235835291], length 5272 19:25:47.631626 IP 1.1.1....
asked by Dan
1 vote, 2 answers, 2k views

Error merging pcap dump files from tcpdump

I have a number of capture files that I am trying to merge. The merge files are from Linux servers (both Ubuntu and CentOS), a MacBook Pro and a Windows machine. They all play nice with the ...
asked by Gary
0 votes, 1 answer, 724 views

Does tcpdump support capturing 10G data packets?

I want a 10G-capable sniffer to capture packets. I searched many but I found that the common analyser Wireshark does not support 10G packets. How do I sniff 10G packets? Is there any tool to sniff 10G ...
asked by Tech
1 vote, 1 answer, 533 views

Can tcpdump be merged with a DPI library?

Can tcpdump be merged with any DPI library for deep packet flow analysis? For example: I need Skype protocol flow details and header details.
asked by Tech
1 vote, 1 answer, 1k views

How to extract the domain name from this DNS message?

Example code to sniff packets is http://opensourceforu.efytimes.com/2011/02/capturing-packets-c-program-libpcap using the another_callback() function; when I type: [root@localhost tcpsnip]# ./sniffer udp ...
asked by Akash009
-1 votes, 1 answer, 3k views

How to get tcpdump to include layers 3 and 4 in the packet size?

I use the command below to get the inter-arrival time of packets and the length of packets: tcpdump -r example.pcap -n -ttt > result.txt The result is something like this: 00:00:00.000545 IP src-ip....
asked by amin.2014
1 vote, 1 answer, 947 views

Android Shark (tcpdump) creates invalid pcap

I am, for some purposes, running Shark, a tcpdump tool for Android. I run this on two Android devices, grab the capture files and then intend to run some stats on them. One tablet, and one phone. They run ...
asked by Stiffo
0 votes, 1 answer, 1k views

Libpcap filter strings using "vlan" are behaving weirdly

I am getting some weird errors when using libpcap pcap_compile. Please let me know if these are known issues or I am making some BPF formatting/ordering mistakes. For example: 1) if I pass (...
1 vote, 1 answer, 84 views

Filter packet data based on the type of content they carry

I want to filter the packet data based on the type of data they carry. I mean, is it possible to recognize whether the packet carries text/audio/video/other type of information by analyzing the packet ...
asked by Priyaranjan
1 vote, 1 answer, 236 views

Is there a way to find out the timestamp of a packet when it left the source server?

I am running tcpdump on my server and capturing the data. I don't have access to the source server. I can find the timestamp of the packet when it hits the NIC of the server where I am running ...
asked by SunnyD
0 votes, 2 answers, 4k views

Network sniffer in Python [closed]

I'm trying to find a good and stable network packet sniffer in Python that allows me to do exactly the same as I used to with tcpdump. I found this pycap but it does not seem to be that stable... Another ...
asked by bulkmoustache
5 votes, 1 answer, 6k views

Save raw binary payload only using tcpdump

How can I capture traffic with tcpdump and only save the full payload (application-layer data, no TCP/IP headers) in a raw binary format?
asked by user3207230
0 votes, 1 answer, 954 views

netem and tcpdump loopback interface differing ingress and egress

I have two communicating applications on the same machine: app1----->loopback------>app2. I applied some delay (100ms) to the loopback interface using netem (tc command) on an Ubuntu machine (Mint to be ...
asked by Volverine
1 vote, 2 answers, 3k views

TCPDUMP incoming traffic capturing

I am using TCPDUMP-arm because I'd like to capture TCP packets arriving on my tablet. The problem is that I want to get rid of the results about the outgoing packets. When I execute: ./tcpdump-arm ...
asked by Philip St
1 vote, 1 answer, 357 views

Is there a way to limit the number of packet captures with tcpflow?

I want to limit the number of captured packets, such as tcpdump -c 20, but using tcpflow instead. Is this possible? The console throws a syntax error using -c with tcpflow. Any help appreciated.
asked by dudeabides
31 votes, 1 answer, 61k views

Capture LLDP packets using tcpdump

What is the format to capture LLDP packets on an interface using tcpdump? I tried the following format but it didn't work: tcpdump -w test.pcap -i eth0 lldp -vv
asked by udaya
0 votes, 1 answer, 648 views

ping with tcpflow and tcpdump

When I use tcpflow icmp and ping I have no answer, but when I use tcpdump icmp and ping I'm getting an answer. Is something wrong with my tcpflow configuration or should it be like that?
asked by akuzma
1 vote, 1 answer, 1k views

How to dynamically modify the filter in tcpdump

I am modifying tcpdump to dynamically change the filter that it uses to get the output from. Currently tcpdump uses pcap_set_filter to actually prepare the filter for the incoming packets or ...
asked by John
1 vote, 1 answer, 1k views

tcpdump slowed down by... its own filter?

Do long BPF filters slow down tcpdump? I replay a packet trace where all the packets have ttl=k and wait for ICMP messages back. What I've been noticing is that if I use the following filter (on eth0)...
asked by Ricky Robinson
4 votes, 1 answer, 513 views

localhost ICMP packet found in capture file: why?

Here's my tcpdump filter (ip[8] is the IP TTL field and icmp[0]=11 corresponds to time-exceeded ICMP messages): (ip and ip[8]=2 and src host $myIPAddress) or (icmp and dst host $myIPAddress and icmp[...
asked by Ricky Robinson
1 vote, 1 answer, 4k views

Two instances of tcpdump at the same time?

Are there any known problems in running two instances of tcpdump at the same time on the same network interface (with non-conflicting filters)? I'm experiencing some weird timestamping and I thought ...
asked by Ricky Robinson
7 votes, 4 answers, 5k views

Finding the direction of packets while sniffing

I want to have a list of source IP addresses of an interface's outbound traffic. How could I find the direction of a packet, whether it's inbound or outbound, reading traffic using libpcap? I don't know ...
asked by Yasser
20 votes, 1 answer, 75k views

How to filter MAC addresses using tcpdump?

I am running tcpdump on DD-WRT routers in order to capture uplink data from mobile phones. I would like to listen only to some MAC addresses. To do this I tried to run the command using a syntax ...
asked by Giovanni Soldi
8 votes, 1 answer, 33k views

How Wireshark marks some packets as "TCP segment of a reassembled PDU" [closed]

I opened a pcap in Wireshark and it displays a lot of packets as "TCP segment of a reassembled PDU". How is Wireshark able to determine which TCP packets are segments of a reassembled PDU? I am not ...
asked by mezda
7 votes, 1 answer, 8k views

How to edit a Wireshark pcap to change the order of packets [closed]

I have a pcap file captured using Wireshark. Suppose the pcap has 6 packets numbered from 1 to 6 as shown below. Now I want to edit this pcap file so that I get the packets in some different order. ...
asked by mezda
8 votes, 1 answer, 20k views

frame contains "\x03\x00\x0e\xa8" display filter in Wireshark displays packets not containing these bytes

I used the following filter in Wireshark to find the packets containing these bytes: frame contains "\x03\x00\x0e\xa8" but when I see the result of this filter, it displays more than 1k packets ...
asked by mezda
0 votes, 1 answer, 1k views

tcpdump implementation/adaptation

I want to make an iPad app that analyzes the data traffic using "tcpdump". The app should be somehow an implementation/adaptation/wrapper of/for the "tcpdump" command. I zapped through the http://...
asked by Don Alexandru Calin
42 votes, 3 answers, 107k views

Capture incoming traffic in tcpdump

In tcpdump, how can I capture all incoming IP traffic destined to my machine? I don't care about my local traffic. Should I just say: tcpdump ip dst $MyIpAddress and not src net $myIpAddress/$...
asked by Ricky Robinson
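Three questions in this list ("Finding the direction of packets while sniffing", "How to filter MAC addresses using tcpdump?" and this one) come down to the same link-layer test, so one added example covers them. This is Python written for this page, not code from any of the questions or their answers: it classifies a frame as inbound or outbound from its Ethernet addresses, which catches ARP and IPv6 that an `ip dst $MyIpAddress` filter misses, and emits the equivalent tcpdump filter strings (`ether src`, `ether dst`, `ether broadcast`, `ether multicast`, `ether host`). Recent tcpdump builds can also let the kernel do this with -Q in / -Q out on platforms that support it. The interface MAC and the frames below are constructed.

```python
"""Added example: deciding inbound vs outbound from the Ethernet header.

Every frame the host transmits carries the interface MAC as source; every frame
delivered to the host carries it, a broadcast or a multicast address as
destination. That is exactly what the pcap-filter primitives `ether src` /
`ether dst`, `ether broadcast` and `ether multicast` test, so the classification
works for ARP and IPv6 as well as IPv4. The addresses and frames are constructed.
"""
from typing import Iterable

LOCAL_MAC = bytes.fromhex("001122334455")   # constructed: the capturing interface's address
BROADCAST = b"\xff" * 6


def mac_str(mac: bytes) -> str:
    return ":".join(f"{b:02x}" for b in mac)


def direction(frame: bytes, local_mac: bytes = LOCAL_MAC) -> str:
    """Classify one frame as 'in', 'out', 'local' or 'other' (the last only in promiscuous mode)."""
    if len(frame) < 14:
        return "other"
    dst, src = frame[0:6], frame[6:12]
    if src == local_mac:
        return "local" if dst == local_mac else "out"
    if dst == local_mac or dst == BROADCAST or dst[0] & 0x01:   # unicast to us, broadcast, multicast
        return "in"
    return "other"


def bpf_direction(wanted: str, local_mac: bytes = LOCAL_MAC) -> str:
    """tcpdump filter string with the same meaning as direction() for 'in' or 'out'."""
    mac = mac_str(local_mac)
    if wanted == "out":
        return f"ether src {mac}"
    if wanted == "in":
        return f"(ether dst {mac} or ether broadcast or ether multicast) and not ether src {mac}"
    raise ValueError(wanted)


def bpf_ether_hosts(macs: Iterable[bytes]) -> str:
    """Filter for 'listen only to some MAC addresses': one `ether host` term per address."""
    return " or ".join(f"ether host {mac_str(m)}" for m in macs)


def _frame(dst: bytes, src: bytes, ethertype: int) -> bytes:
    return dst + src + ethertype.to_bytes(2, "big") + b"\x00" * 46   # minimum Ethernet payload


PEER = bytes.fromhex("66778899aabb")      # constructed neighbour
OTHER = bytes.fromhex("ccddeeff0011")     # constructed third host
SAMPLE_FRAMES = {
    "arp_request": _frame(BROADCAST, PEER, 0x0806),                  # broadcast from a peer: in
    "reply_to_us": _frame(LOCAL_MAC, PEER, 0x0800),                  # unicast to us: in
    "our_syn": _frame(PEER, LOCAL_MAC, 0x0800),                      # sent by us: out
    "ipv6_nd": _frame(bytes.fromhex("3333ff000001"), PEER, 0x86DD),  # IPv6 multicast: in
    "third_party": _frame(OTHER, PEER, 0x0800),                      # promiscuous only: other
}

if __name__ == "__main__":
    for name, frame in SAMPLE_FRAMES.items():
        print(f"{name:12} {direction(frame)}")
    print(bpf_direction("in"))
    print(bpf_ether_hosts([PEER, OTHER]))
```

The "not ether src" term in the inbound filter is what drops the machine's own broadcasts; without it, ARP requests the host sends would be counted as incoming.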
0 votes, 1 answer, 4k views

How does one filter pcap (e.g. tcpdump) files by content regex match?

I have some large pcap (packet capture) files collected with tcpdump. I would like to filter out packets that contain a specific string. I want my output to still be in pcap format. I've found ...
asked by JJC
1 vote, 1 answer, 2k views

Capturing HTTP packet body through tcpdump

I am trying to monitor the network activity of a specific application on an Android device. In the application that I am attempting to monitor, I am communicating with an HTTP server that is running ...
asked by rach5000