Questions tagged [tcpdump]
command-line packet analyzer
204 questions
0 votes, 0 answers, 36 views
tcpdump/wireshark show no packets in monitor mode
I'm currently trying to do some tests with monitor mode, so I set up my machine:
$ sudo systemctl stop NetworkManager
$ sudo systemctl disable NetworkManager
$ sudo systemctl stop avahi-daemon # ...
0 votes, 1 answer, 31 views
tcpdump creates multiple files randomly and starts modifying all of them
I am troubleshooting an issue where an external system reported a delay in response from my side. Therefore, I set up a cron job for tcpdump that I start when the communication with the external system ...
1 vote, 0 answers, 82 views
How to monitor internet traffic from/to an Android device using a (desktop) Linux machine
I want to monitor internet traffic from/to an Android device that's connected to the same router as my Linux computer. The Android device communicates with a web server. I tried using tcpdump and ...
0 votes, 0 answers, 37 views
Why can I see so much forwarded traffic on my machine?
I'm working in a LAN, which is a cloud product. I have many Linux machines in this LAN. I deployed my whole web-service backend in this LAN.
Today, I executed tcpdump -i eth0 -nne -p on a machine, ...
0 votes, 0 answers, 43 views
Why does netcat -v send extra X packets?
I'm using netcat 1.218 on Ubuntu 22.04 to generate test syslog packets, and I noticed an odd behavior I can't explain. When I use the -v flag, netcat sends 2 additional packets containing the letter ...
0 votes, 1 answer, 427 views
Configure VirtualBox to capture network traffic between 2 VMs on the same host from another physical machine
My context is:
A physical machine with Windows 10 (PC_Physcial_01) that hosts 2 VirtualBox Linux VMs (PC_VM_01 & PC_VM_02)
Another physical machine dedicated to sniffing network traffic (...
0 votes, 0 answers, 132 views
Saving the captured traffic of tcpdump after 24 hours
I'm currently setting up multiple Linux Servers in order to build a honeypot infrastructure. I want to capture the incoming and outgoing traffic with tcpdump too. Is it possible to save the captured ...
1 vote, 0 answers, 264 views
Capture network traffic from physical devices in a Linux VM
I have a Linux VM hosted in a physical Windows PC in Hyper-V. The VM is using an external switch. There are a few more physical devices in the network. When I run tcpdump inside the VM, I can only see ...
0 votes, 0 answers, 30 views
File service latency is high. How to troubleshoot?
This service is a file upload service and the request packet capture in the live network is as follows:
The data uploaded by the client is halfway through, and then it will not be sent
The server ...
0 votes, 2 answers, 336 views
Cannot gather Google PING data with tcpdump command
I am baffled at this point following a Linux course on Udemy.
The command I am using in CentOS7 is:
tcpdump -i enp0s3 | grep 216.25.212.58
216.25.212.58 is the IP that is shown when I use the command:...
0 votes, 1 answer, 381 views
tcpdump shows traffic even for down interface
Using Debian Buster and having configured a VLAN interface online, I wonder why tcpdump shows any traffic sent to the external IP address.
I have a server on Hetzner and want to configure VLAN traffic ...
10 votes, 2 answers, 6k views
How many TCP retransmissions in Internet traffic are considered normal for a basic home setup?
Out of curiosity, I connected my laptop with an ethernet cable to the router and fired up Wireshark to understand and 'visualize' what's going on.
Some packets caught my attention.
I was having some ...
2 votes, 1 answer, 644 views
tcpdump to capture time, URL and post data
I need to capture both the post data and the time the request was made. I want to use it to replay requests on the lab server.
When I run the following command:
tcpdump -i any -s 0 -A '(tcp dst port ...
3 votes, 1 answer, 306 views
What Does “BBS” in TCPDump Output Mean?
I've recently implemented stricter firewall rules, and I keep seeing the Apple devices on my local network attempt to reach out to 192.168.1.156 or 192.168.1.152. In an attempt to understand what it's ...
1 vote, 1 answer, 1k views
How to use ciscodump?
In Wireshark, there is this option called Cisco remote capture: ciscodump, which, from my understanding, should enable one to do a tcpdump on a Cisco router (for example) via SSH and get back the results ...
0 votes, 1 answer, 1k views
tcpdump captured packets not readable
I am new to tcpdump. When I use the following command to capture incoming HTTP packets, I cannot recognize anything readable, such as HTTP, GET, etc. I need to check the header and content part. How to ...
1 vote, 0 answers, 54 views
Can anyone help me to understand this output from tcpdump?
I wrote a code in Python that extracts data from the FTX exchange using their API.
I am running the code in an AWS instance (free plan), located very close by to the servers of the exchange.
...
0 votes, 0 answers, 102 views
Determine/Configure which IP address gets offered next by a DHCP server?
I need a way to determine the next IP address a DHCP server will offer.
RFC 2131 states:
Each server may respond with a DHCPOFFER message that includes an available network address in the 'yiaddr' ...
0 votes, 1 answer, 673 views
Extract data from a pcap file
Is there any way to export the data section of all the packets from a pcap file?
For example, the data section according to the image is ffffffff72636f6e203434207174
I tried searching a lot on the web but ...
0 votes, 1 answer, 145 views
Nobody listens on port, yet something accepts connection on it
Here is some background information first, although it may not be relevant to the problem.
I am learning Kubernetes and I set up a cluster where pi-hole runs as a service. I can access the admin ...
1 vote, 1 answer, 3k views
Extract Data from pcap file
Is there any way to extract this data (red box on below image) and save it in a text file in Linux command line? I tried searching on web but couldn't get anything related to my issue. I want to drop ...
1 vote, 1 answer, 862 views
tcpdump missing most packets when -w is used
When I use $ sudo tcpdump -i ens160 I can see a lot of noise in my VM. Like 150 packets in a few seconds. Mostly on port 64651. I don't know what that noise is so I am trying to figure it out.
So I ...
0 votes, 1 answer, 712 views
Can't capture packets on open WiFi network and only getting WiFi beacons?
I set up an open WPA2 network and I'm trying to capture traffic on it, so I put the interface in monitor mode and first tried to capture using airodump with this command
sudo airodump-ng -o pcap --...
1 vote, 1 answer, 1k views
tcpdump doesn't capture WiFi-to-WiFi traffic
I have configured a transparent bridge on a network that should capture all the traffic of its connected devices with tcpdump (see diagram 1).
The bridge is configured on a Debian 11 server and has an ...
2 votes, 1 answer, 694 views
Bash and SSH connection hangs after stopping tcpdump on ssh interface
My SSH connection hangs forever if I stop tcpdump using Ctrl-C or using the Linux timeout command. The tcpdump is being done on the ssh interface.
timeout 10 tcpdump -i eth0
In other words when using any ...
0 votes, 0 answers, 813 views
Capture of packets with tcpdump delayed for seconds until next invocation
I am maintaining a hardware test suite for a 40G network device, and many of our tests consist of sending handcrafted UDP packets from a test host via tcpreplay to our DUT and back to the test host, ...
0 votes, 1 answer, 2k views
I am trying to run tcpdump on a remote machine over ssh using nohup
I am trying to run tcpdump on a remote machine over ssh using nohup.
[support@sv4-haswell107-bqkp91500107-node-1 ~]$ nohup sudo tcpdump -i lo port 2049 -s0 -w ./test.pcap >/dev/null& ...
0 votes, 1 answer, 1k views
Ubuntu server won't respond to any requests (ssh, telnet, ping, etc)
I am relatively new to things like this so please bear with me.
OS info:
PC - Arch Linux (5.10.67-1-lts)
RPi - Ubuntu Server (20.04.3 LTS)
About a week ago I set up a small Samba NAS server on a ...
0 votes, 1 answer, 2k views
How to replay tcpdump's recorded traffic (.pcap) into my proxy so I could inspect it?
I capture traffic on my local interface with tcpdump (in pcap/pcapng file) and I want to study it using apps like Charles/Fiddler, but then I have to direct it to its proxy somehow.
How can I replay ...
-1 votes, 2 answers, 206 views
What's wrong with this tcpdump syntax or will it produce different result?
tcpdump -nnvi any port 514 -l | grep -i 'urls,events,flows,ids-alerts'
Will it match urls, events, flows, ids-alerts, or will it consider everything as one word?
0 votes, 0 answers, 82 views
tcpdump boost upload speed
I have a server running Ubuntu where I installed Plex Media Server. The server has an Armhf processor and 2GB of RAM.
I am having issues with download speed. The server has 250Mbits link and the ...
1 vote, 1 answer, 505 views
Troubleshooting outbound internet traffic - Fedora Linux
Without any programs open except an empty terminal window and System Monitor, I'm seeing network traffic. Roughly every 1 second there's a small spike in outbound and a little inbound traffic. $ sudo ...
1 vote, 0 answers, 49 views
understand ss -to4 output for a jdbc connection
My application connects to a database over JDBC, and performs a lot of sequential inserts. There is only 1 JDBC connection opened by the application. As the performance is not as expected, I started ...
0 votes, 0 answers, 994 views
improve TCPDUMP performance while capturing big amount of traffic
So I'm sending ~2 Gbps of small packets (around 3.8 million packets per sec) to a machine of mine.
The machine has a tcpdump process that writes to a file, running continuously without any filters.
...
1 vote, 1 answer, 363 views
Ignore outbound conversations in Wireshark/tcpdump
I'm collecting pcap data on servers, and I'd like to only collect packets corresponding to inbound connections. Note that I am not looking to filter to inbound packets, but remove both outbound and ...
1 vote, 1 answer, 1k views
How to set filter tcpdump by tcp.len
How can I set a filter with tcpdump to filter tcp.len != 0?
In Wireshark it's easy, but how can I set that filter in tcpdump?
3 votes, 1 answer, 5k views
Filter tcp packet payload length in tcpdump
The greater filter filters packets by their total length. Is it possible to filter by the payload's length? I know this is possible as a display filter, but I was wondering if it's possible to do this ...
2 votes, 1 answer, 3k views
What does tcpdump: pcap_loop: truncated dump file; tried to read 1899 captured bytes, only got 1880 mean and how do I fix it?
I can't see any other question that asks the same thing as mine. I want to know what tcpdump: pcap_loop: truncated dump file; tried to read 1899 captured bytes, only got 1880 means. I received it when ...
6 votes, 1 answer, 14k views
Capture only TCP SYN-ACK packets with tcpdump
I'm trying to capture only TCP SYN-ACK packets, i.e. with both SYN and ACK bits set with:
tcpdump -vvvni eth0 tcp[tcpflags] == tcp-syn and tcp[tcpflags] == tcp-ack
but it gives such error:
tcpdump: ...
1 vote, 0 answers, 1k views
Start tcpdump with script on system start
I'm trying to run a script on startup that runs the tcpdump command on Centos 7 and Centos 6.
The aim is to start a rolling pcap when the system starts.
I've tried using a cron with @reboot, but it ...
4 votes, 2 answers, 17k views
Capture packets on Asus router
I have Asus RT-AC87U router in my home network. I would like to analyse packets on specific ports like Wireshark does. Is it possible to build such system that could make traffic going through the router ...
0 votes, 1 answer, 1k views
How can I display wireless client mac addresses with tcpdump?
If using tcpdump to monitor a wireless interface and listen on a specific channel for traffic associated with a BSSID, how can I display information (e.g. mac address) about any connected clients?
...
0 votes, 0 answers, 468 views
Packet Sniffing on wlan0 is saying 0 packets captured
I am trying to practice some packet sniffing on my virtual machine using tcpdump and writing it to a pcap file. I put wlan0 into monitor mode using these commands:
ifconfig wlan0 down
iwconfig wlan0 ...
0 votes, 1 answer, 601 views
What are these expressions' meanings? ip[2:2], ip[0], tcp[12], ip[16]
I am learning tcpdump recently, but I have some troubles now.
I have already searched for them on Google and nothing there helps me solve my problem. If you know the answer, please help me. Thank you ...
3 votes, 1 answer, 3k views
tcpdump says "expression rejects all packets"
I want to create a filter which has 2 conditions:
Filter packets by network. (src net 2a01:111:xxxx::/44)
Filter based on TCP handshake alert messages. (tcp[((tcp[12] & 0xf0) >> 2)] = ...
1 vote, 1 answer, 436 views
tcpdump: "packet exceeded snapshot"
I am using tcpdump to look into some pcap files, but in the output, I see the following error, instead of getting the header information:
packet exceeded snapshot
I googled it, but I couldn't find ...
0 votes, 1 answer, 2k views
Why doesn't the server stop sending packets when the client sends TCP RST multiple times?
My device connects to the server which provides some video clips.
After connecting to the server, I check Wireshark and see there are multiple RSTs from the client (port 40334) to the server (80), but the ...
2 votes, 0 answers, 198 views
tcpdump doesn't capture DHCP Discovery
I tried to capture DHCP Discovery through the tcpdump:
# ip l | grep enp5s0
3: enp5s0: <BROADCAST,MULTICAST> mtu 1500 qdisc mq state DOWN mode DEFAULT group default qlen 1000
# tcpdump -ni ...
6 votes, 1 answer, 44k views
What does the TCP packet [P.] flag mean in tcpdump's output?
If an IP x.x.x.x connects to IP z.z.z.z using the [P.] flag for a TCP packet, what exactly does this [P.] flag mean? Does it mean that x.x.x.x sends some data to z.z.z.z?
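Several of the questions in this list come down to the same header arithmetic: what ip[2:2], ip[0], tcp[12] and ip[16] index, how to express Wireshark's tcp.len != 0 or a payload-length filter in tcpdump syntax, why the SYN-ACK filter above fails, what [S.] and [P.] mean in tcpdump's output, how to pull the data section out of a pcap, and what "truncated dump file; tried to read N captured bytes, only got M" is complaining about. The Python below is an added example, not code from any of these posts or from tcpdump itself. It builds a constructed three-frame capture (made-up 10.0.0.x addresses, ports and an HTTP request line), writes it in classic pcap format, reads it back with a minimal reader that fails on a cut-off record the way tcpdump does, and evaluates the same byte offsets that tcpdump's filter expressions use. Only little-endian microsecond pcap with Ethernet link type is handled; that is an assumption of the example, not a limitation of libpcap.

```python
import struct

ETHERTYPE_IPV4 = 0x0800
# libpcap's named flag bits: tcp-fin, tcp-syn, tcp-rst, tcp-push, tcp-ack
TCP_FIN, TCP_SYN, TCP_RST, TCP_PUSH, TCP_ACK = 0x01, 0x02, 0x04, 0x08, 0x10


def build_frame(src_ip, dst_ip, sport, dport, flags, payload=b""):
    """Constructed Ethernet/IPv4/TCP frame for the example (checksums left zero)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1000, 2000, 5 << 4, flags, 65535, 0, 0)
    total_len = 20 + len(tcp) + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 1, 0, 64, 6, 0, src_ip, dst_ip)
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + struct.pack("!H", ETHERTYPE_IPV4)
    return eth + ip + tcp + payload


def build_pcap(frames):
    """Classic little-endian pcap: 24-byte global header, 16-byte record headers, link type 1."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", 1700000000 + i, 0, len(frame), len(frame)) + frame
    return out


def read_pcap(data):
    """Return the captured frames; fail the way tcpdump does on a cut-off record."""
    if struct.unpack("<I", data[:4])[0] != 0xA1B2C3D4:
        raise ValueError("unsupported pcap magic (example handles little-endian microsecond pcap only)")
    pos, frames = 24, []
    while pos < len(data):
        if len(data) - pos < 16:
            raise ValueError("truncated dump file: incomplete record header")
        incl_len = struct.unpack("<IIII", data[pos:pos + 16])[2]
        pos += 16
        if len(data) - pos < incl_len:
            raise ValueError("truncated dump file; tried to read %d captured bytes, only got %d"
                             % (incl_len, len(data) - pos))
        frames.append(data[pos:pos + incl_len])
        pos += incl_len
    return frames


def parse_tcp(frame):
    """Slice headers exactly as tcpdump's ip[...] and tcp[...] offsets index them."""
    if struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV4:
        return None  # libpcap defines tcp[...] only relative to an IPv4 header
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) << 2                    # (ip[0] & 0xf) << 2: IP header length in bytes
    total_len = struct.unpack("!H", ip[2:4])[0]  # ip[2:2]: IP total length
    tcp = ip[ihl:total_len]
    thl = (tcp[12] & 0xF0) >> 2                  # (tcp[12] & 0xf0) >> 2: TCP header length in bytes
    return {
        "ip0": ip[0], "ip2_2": total_len, "ip16": ip[16],  # ip[16]: first byte of the destination address
        "tcp12": tcp[12], "tcpflags": tcp[13],             # tcp[tcpflags] is an alias for tcp[13]
        "payload_len": total_len - ihl - thl,
        "payload": tcp[thl:],                              # the "data section" of the packet
    }


def is_syn_ack(p):
    """tcp[tcpflags] & (tcp-syn|tcp-ack) == (tcp-syn|tcp-ack): both bits set, other bits ignored.
    'tcp[tcpflags] == tcp-syn and tcp[tcpflags] == tcp-ack' can never match: one byte, two values."""
    return (p["tcpflags"] & (TCP_SYN | TCP_ACK)) == (TCP_SYN | TCP_ACK)


def has_payload(p):
    """Wireshark's tcp.len != 0 as a tcpdump expression:
    (ip[2:2] - ((ip[0]&0xf)<<2) - ((tcp[12]&0xf0)>>2)) != 0"""
    return p["payload_len"] != 0


def flag_string(flags):
    """Render flags in tcpdump's notation: [S.] = SYN-ACK, [P.] = PSH-ACK, [.] = bare ACK."""
    out = ""
    for bit, ch in ((TCP_FIN, "F"), (TCP_SYN, "S"), (TCP_RST, "R"), (TCP_PUSH, "P"), (TCP_ACK, ".")):
        if flags & bit:
            out += ch
    return "[" + out + "]"


def demo():
    """Write a constructed 3-frame capture, read it back, and apply the filters to each frame."""
    a, b = bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2])  # constructed addresses 10.0.0.1 / 10.0.0.2
    frames = [
        build_frame(a, b, 443, 40000, TCP_SYN | TCP_ACK),                          # handshake reply
        build_frame(b, a, 40000, 443, TCP_PUSH | TCP_ACK, b"GET / HTTP/1.1\r\n"),  # data segment
        build_frame(a, b, 443, 40000, TCP_ACK),                                    # pure ACK
    ]
    results = []
    for frame in read_pcap(build_pcap(frames)):
        p = parse_tcp(frame)
        results.append((flag_string(p["tcpflags"]), is_syn_ack(p), has_payload(p), p["payload"].hex()))
    return results


if __name__ == "__main__":
    for row in demo():
        print(row)
```

The same checks as tcpdump command lines (eth0 is a placeholder): SYN-ACK only is tcpdump -ni eth0 'tcp[tcpflags] & (tcp-syn|tcp-ack) == (tcp-syn|tcp-ack)'; segments that carry data are tcpdump -ni eth0 'tcp and (ip[2:2] - ((ip[0]&0xf)<<2) - ((tcp[12]&0xf0)>>2)) != 0'; the hex of each packet's data section is what tcpdump -r file.pcap -x prints after the headers. The truncation error is exactly the condition read_pcap raises on: the record header promises more bytes than remain in the file, which is what a capture that was still being written (or copied mid-write) looks like.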
1 vote, 1 answer, 2k views
How to stream captured packets via UDP? tcpdump or other tool
I want to capture traffic of a router and send it to a remote host via tzcp or another UDP protocol.
How to stream captured packets via UDP? tcpdump or other tool
Use case:
Linux box connected to internet ...