Chapter 7

For example, the following command tells tcpdump to take one STP packet off the wire (on the bge1 interface) and completely decode it:

# tcpdump -i bge1 -c1 -n -s0 -vvvv stp
tcpdump: listening on bge1, link-type EN10MB (Ethernet), capture size 65535 bytes
23:10:07.513554 STP 802.1d, Config, Flags [none], bridge-id 8034.00:0e:83:ba:78:00.8026, length 43
message-age 0.00s, max-age 20.00s, hello-time 2.00s, forwarding-delay 15.00s
root-id 8034.00:0e:83:ba:78:00, root-pathcost 0
1 packets captured
3 packets received by filter
0 packets dropped by kernel

As mentioned earlier, tcpdump can be used to capture traffic to a file in the pcap format.

Pcap is a standard packet capture API that is used by many applications to capture packets from network interfaces. In fact, tcpdump uses libpcap as its packet capture facility. Pcap is supported by various open-source and commercial packet analysis applications. Hence, the output of tcpdump can also be analysed by many different graphical packet analyzers such as the open-source Wireshark (http://www.wireshark.org) or commercial applications such as WildPacket's OmniPeek (http://www.wildpackets.com).

Since it is not always possible to analyse traffic in real time, especially when a high amount of traffic is passing through the interface, you may want to save the captured packets and analyse them against different criteria later. It is possible to capture traffic matching the expression given on the command line and save it to a pcap file for further analysis. Here is an example of such a setup:

# tcpdump -c 1000 -w sample1.pcap -s0 -i bge1
tcpdump: listening on bge1, link-type EN10MB (Ethernet), capture size 65535 bytes
1000 packets captured
1025 packets received by filter
0 packets dropped by kernel

[ 129 ]
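As an added example (not code from the book), the following Python script reads a classic pcap file such as the sample1.pcap written above: it checks the magic number, byte order and link type in the global header, walks the per-packet records, and decodes an 802.1D Config BPDU into the same fields tcpdump's -vvvv output shows (bridge-id, root-id, port id, timers). The embedded pcap bytes are constructed here to carry the values from the capture above, and the function names are assumptions of this example.

```python
import struct

def mac(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)

def read_pcap(data: bytes):
    """Yield (ts_sec, ts_usec, frame) for each record of a classic (non-pcapng) pcap file."""
    end = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}.get(data[:4])  # magic gives byte order
    if end is None:
        raise ValueError("not a classic pcap file (pcapng or truncated?)")
    _, _vmaj, _vmin, _tz, _sig, snaplen, linktype = struct.unpack(end + "IHHiIII", data[:24])
    if linktype != 1:                         # 1 = LINKTYPE_ETHERNET, the EN10MB tcpdump reports
        raise ValueError(f"unsupported link type {linktype}")
    off = 24
    while off + 16 <= len(data):
        ts_sec, ts_usec, incl_len, _orig = struct.unpack(end + "IIII", data[off:off + 16])
        off += 16
        if incl_len > snaplen or off + incl_len > len(data):
            raise ValueError("truncated record")  # a too-small -s or a killed capture ends up here
        yield ts_sec, ts_usec, data[off:off + incl_len]
        off += incl_len

def decode_frame(frame: bytes) -> dict:
    """Classify an Ethernet frame; fully decode it only if it is an 802.1D Config BPDU."""
    if len(frame) < 14:
        return {"kind": "runt"}
    info = {"dst": mac(frame[:6]), "src": mac(frame[6:12])}
    etype = struct.unpack("!H", frame[12:14])[0]
    if etype > 1500:                          # Ethernet II: the field is an EtherType, not a length
        info["kind"] = f"ethertype 0x{etype:04x}"
        return info
    # 802.3 frame: STP rides on LLC DSAP/SSAP 0x42; Config BPDU = proto 0, version 0, type 0, 35 bytes
    if frame[14:16] != b"\x42\x42" or frame[17:21] != b"\x00\x00\x00\x00" or len(frame) < 52:
        info["kind"] = "802.3/LLC, not an STP Config BPDU"
        return info
    (flags, rprio, rmac, cost, bprio, bmac, port,
     msg_age, max_age, hello, fwd) = struct.unpack("!BH6sIH6sHHHHH", frame[21:52])
    info.update(kind="STP 802.1d Config", flags=flags, root_pathcost=cost, port_id=f"{port:04x}",
                root_id=f"{rprio:04x}.{mac(rmac)}", bridge_id=f"{bprio:04x}.{mac(bmac)}",
                message_age=msg_age / 256, max_age=max_age / 256,  # 802.1D timers are in 1/256 s
                hello_time=hello / 256, forwarding_delay=fwd / 256)
    return info

# Constructed sample pcap: one record carrying a BPDU with the values tcpdump printed above.
BPDU = (b"\x42\x42\x03" + b"\x00\x00\x00\x00\x00" + b"\x80\x34\x00\x0e\x83\xba\x78\x00"
        + b"\x00\x00\x00\x00" + b"\x80\x34\x00\x0e\x83\xba\x78\x00" + b"\x80\x26"
        + b"\x00\x00\x14\x00\x02\x00\x0f\x00")
FRAME = bytes.fromhex("0180c2000000000e83ba7800") + struct.pack("!H", len(BPDU)) + BPDU
SAMPLE_PCAP = (struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
               + struct.pack("<IIII", 1436742607, 513554, len(FRAME), len(FRAME)) + FRAME)
```

To run it against a real capture, replace SAMPLE_PCAP with the contents of sample1.pcap read in binary mode and loop over read_pcap(), passing each frame to decode_frame().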
