Resulting in:
23:29:04.050167 spider.3224 > 66-28-147-032.servercentral.net.6020: . ack 36517 win 16044
23:29:04.059645 66-28-147-032.servercentral.net.6020 > spider.3224: P 36517:37969(1452) ack
23:29:04.092955 daffy.pmatulis.homeunix.net.netbios-ns > 192.168.1.255.netbios-ns: nbt-query
23:29:04.093587 daffy.pmatulis.homeunix.net.netbios-ns > 192.168.1.255.netbios-ns: nbt-query
23:29:04.093836 mudra.pmatulis.homeunix.net.netbios-ns > daffy.pmatulis.homeunix.net.netbios
23:29:04.095028 mudra.pmatulis.homeunix.net.netbios-ns > daffy.pmatulis.homeunix.net.netbios
23:29:04.097645 daffy.pmatulis.homeunix.net.netbios-ns > 192.168.1.255.netbios-ns: nbt-regis
23:29:04.098410 mudra.pmatulis.homeunix.net.netbios-ns > daffy.pmatulis.homeunix.net.netbios
23:29:04.143267 66-28-147-032.servercentral.net.6020 > spider.3224: P 37969:39421(1452) ack
23:29:04.145122 spider.3224 > 66-28-147-032.servercentral.net.6020: . ack 39421 win 13140
This is a sample of traffic on my network. From it we can see some of tcpdump's default behaviour: it attempts to resolve addresses to fully qualified domain names, it displays the timestamp in a different format from the one we saw in our first sample packet, and, most importantly, it does not look past the headers (no hex dump of the payload appears).
Often, we want to take a sample of traffic and save it somewhere. We accomplish this in standard Unix fashion:
# tcpdump > textfile
Proceed like this if you want to view the capture as it is being saved:
# tcpdump -l | tee textfile
That's fine, but now we will really begin our study of tcpdump by acquainting ourselves with the concept of tracefiles (or dumpfiles). A tracefile is a binary copy of the captured packets. Saving one takes less processing power (and disk space) than saving text, because no parsing is needed to turn the packets into a legible text file (so, yes, a tracefile is always created by tcpdump, whether internally or externally). The data is raw (and quite unintelligible to humans). Here is how to save a tracefile:
# tcpdump -w tracefile &
Presumably we will one day want to use that tracefile, so here we go:
# tcpdump -r tracefile
This produces legible output as if we had run tcpdump with no switches at all. So remember, the "w" and "r" switches are useless by themselves; each implies the other.
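To show what the "raw" tracefile that -w writes actually contains, here is an added example (not from the article): a small reader for the libpcap file format that tcpdump uses, with a constructed single-packet capture built in memory. It checks the record lengths against the snapshot length and the file size before trusting them, which is the check any reader of untrusted capture files needs.

```python
import struct

PCAP_MAGIC_USEC = 0xA1B2C3D4   # libpcap file magic, microsecond timestamps
PCAP_MAGIC_NSEC = 0xA1B23C4D   # nanosecond-timestamp variant
LINKTYPE_ETHERNET = 1

def build_pcap(packets: list[tuple[int, int, bytes]]) -> bytes:
    """Serialise (ts_sec, ts_usec, frame) tuples into a little-endian pcap file."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC_USEC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for ts_sec, ts_usec, frame in packets:
        out += struct.pack("<IIII", ts_sec, ts_usec, len(frame), len(frame)) + frame
    return out

def parse_pcap(data: bytes) -> list[dict]:
    """Walk the global header and packet records; reject truncated or inconsistent lengths."""
    if len(data) < 24:
        raise ValueError("truncated global header")
    magic = struct.unpack("<I", data[:4])[0]
    end = ("<" if magic in (PCAP_MAGIC_USEC, PCAP_MAGIC_NSEC)
           else ">" if magic in (0xD4C3B2A1, 0x4D3CB2A1) else None)  # same magics, big-endian
    if end is None:
        raise ValueError(f"not a pcap file: magic {magic:#x}")
    _, _, _, _, _, snaplen, linktype = struct.unpack(end + "IHHiIII", data[:24])
    records, off = [], 24
    while off < len(data):
        if off + 16 > len(data):
            raise ValueError(f"truncated record header at offset {off}")
        ts_sec, ts_frac, incl_len, orig_len = struct.unpack(end + "IIII", data[off:off + 16])
        if incl_len > snaplen or incl_len > orig_len or off + 16 + incl_len > len(data):
            raise ValueError(f"inconsistent lengths in record at offset {off}")
        records.append({"ts_sec": ts_sec, "ts_frac": ts_frac, "orig_len": orig_len,
                        "linktype": linktype, "frame": data[off + 16:off + 16 + incl_len]})
        off += 16 + incl_len
    return records

def summarize(rec: dict) -> str:
    """One line per packet from the headers only, in the spirit of tcpdump's default output."""
    f = rec["frame"]
    if rec["linktype"] != LINKTYPE_ETHERNET or len(f) < 34 or f[12:14] != b"\x08\x00":
        return f"{rec['ts_sec']}.{rec['ts_frac']:06d} non-IPv4 frame, {rec['orig_len']} bytes"
    src, dst = ".".join(map(str, f[26:30])), ".".join(map(str, f[30:34]))
    return f"{rec['ts_sec']}.{rec['ts_frac']:06d} {src} > {dst} proto {f[23]} len {rec['orig_len']}"

def sample_ipv4_frame(src: str, dst: str, proto: int) -> bytes:
    """Constructed Ethernet+IPv4 frame with 8 filler payload bytes (not a real capture)."""
    eth = b"\xff" * 6 + b"\x00\x11\x22\x33\x44\x55" + b"\x08\x00"   # dst MAC, src MAC, IPv4
    ip = bytes([0x45, 0]) + struct.pack("!HHHBBH", 28, 1, 0, 64, proto, 0)
    ip += bytes(map(int, src.split("."))) + bytes(map(int, dst.split(".")))
    return eth + ip + b"\x00" * 8
```

Feeding `parse_pcap` a file written by `tcpdump -w` yields the same records; `summarize` then prints one header-only line per packet, which is exactly what `tcpdump -r` does in far more detail.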
intermediate usage
Let us proceed to the next level by taming tcpdump; so far he's been quite wild.
There are 4 approaches at our disposal. They involve telling tcpdump:
1. how to behave (program control)
2. what packet information to show