Home » Linux, OS Concepts and Networking » Linux Networking » Capture and analyze network packets using tcpdump and tshark

Capture and analyze network packets using tcpdump and tshark

We can use tcpdump to capture the packets whereas tshark to analyse the packets.

$ tcpdump --help
tcpdump version 4.9.2
libpcap version 1.7.4
OpenSSL 1.0.2g  1 Mar 2016
Usage: tcpdump [-aAbdDefhHIJKlLnNOpqStuUvxX#] [ -B size ] [ -c count ]
		[ -C file_size ] [ -E algo:secret ] [ -F file ] [ -G seconds ]
		[ -i interface ] [ -j tstamptype ] [ -M secret ] [ --number ]
		[ -Q in|out|inout ]
		[ -r file ] [ -s snaplen ] [ --time-stamp-precision precision ]
		[ --immediate-mode ] [ -T type ] [ --version ] [ -V file ]
		[ -w file ] [ -W filecount ] [ -y datalinktype ] [ -z postrotate-command ]
		[ -Z user ] [ expression ]

Using above help, lets capture the packets and try to write it to a file name captured_packets.pcap as,

 $ sudo tcpdump -i wlan0 -w captured_packets.pcap 

Lets do some network operations, like browse website etc, for testing ( you could already be getting packaets flowing in network even if you didn’t do anything purposefully )

Press Ctrl+C to stop packaet capturing, if you are done with capturing. Lets check the captured file as,

$ sudo tcpdump -i wlan0 -w captured_packets.pcap
tcpdump: listening on wlan0, link-type EN10MB (Ethernet), capture size 262144 bytes
^C371 packets captured
371 packets received by filter
0 packets dropped by kernel

So, it shown that we captured 371 packets, Lets check the captured file as,

$ ls -l captured_packets.pcap 
-rw-r--r-- 1 root root 91365 May  1 00:06 captured_packets.pcap

Now, lets try to decode / analyse those captured packets, for that we will use tshark which is wireshark’s command line version.

 $ sudo apt install tshark 
 $ tshark -r captured_packets.pcap -V 

We can redirect the analysed output to a file as,

 $ tshark -r captured_packets.pcap -V > Analysed_text_file.txt 

Check help as,

$ tshark –help
TShark (Wireshark) 2.2.6 (Git Rev Unknown from unknown)
Dump and analyze network traffic.
See https://www.wireshark.org for more information.

Usage: tshark [options] …

Capture interface:
-i name or idx of interface (def: first non-loopback)
-f packet filter in libpcap filter syntax
-s packet snapshot length (def: 65535)
-p don’t capture in promiscuous mode
-I capture in monitor mode, if available
-B size of kernel buffer (def: 2MB)
-y link layer type (def: first appropriate)
-D print list of interfaces and exit
-L print list of link-layer types of iface and exit

Capture stop conditions:
-c stop after n packets (def: infinite)
-a … duration:NUM – stop after NUM seconds
filesize:NUM – stop this file after NUM KB
files:NUM – stop after NUM files
Capture output:
-b … duration:NUM – switch to next file after NUM secs
filesize:NUM – switch to next file after NUM KB
files:NUM – ringbuffer: replace after NUM files
Input file:
-r set the filename to read from (- to read from stdin)

Processing:
-2 perform a two-pass analysis
-R packet Read filter in Wireshark display filter syntax
-Y packet displaY filter in Wireshark display filter
syntax
-n disable all name resolutions (def: all enabled)
-N enable specific name resolution(s): “mnNtCd”
-d ==, …
“Decode As”, see the man page for details
Example: tcp.port==8888,http
-H read a list of entries from a hosts file, which will
then be written to a capture file. (Implies -W n)
–disable-protocol disable dissection of proto_name
–enable-heuristic
enable dissection of heuristic protocol
–disable-heuristic
disable dissection of heuristic protocol
Output:
-w <outfile|-> write packets to a pcap-format file named “outfile”
(or to the standard output for “-“)
-C start with specified configuration profile
-F set the output file type, default is pcapng
an empty “-F” option will list the file types
-V add output of packet tree (Packet Details)
-O Only show packet details of these protocols, comma
separated
-P print packet summary even when writing to a file
-S the line separator to print between packets
-x add output of hex and ASCII dump (Packet Bytes)
-T pdml|ps|psml|json|ek|text|fields
format of text output (def: text)
-j protocols layers filter if -T ek|pdml|json selected,
(e.g. “http tcp ip”,
-e field to print if -Tfields selected (e.g. tcp.port,
_ws.col.Info)
this option can be repeated to print multiple fields
-E= set options for output when -Tfields selected:
bom=y|n print a UTF-8 BOM
header=y|n switch headers on and off
separator=/t|/s| select tab, space, printable character as separator
occurrence=f|l|a print first, last or all occurrences of each field
aggregator=,|/s| select comma, space, printable character as
aggregator
quote=d|s|n select double, single, no quotes for values
-t a|ad|d|dd|e|r|u|ud output format of time stamps (def: r: rel. to first)
-u s|hms output format of seconds (def: s: seconds)
-l flush standard output after each packet
-q be more quiet on stdout (e.g. when using statistics)
-Q only log true errors to stderr (quieter than -q)
-g enable group read access on the output file(s)
-W n Save extra information in the file, if supported.
n = write network address resolution information
-X : eXtension options, see the man page for details
-U tap_name PDUs export mode, see the man page for details
-z various statistics, see the man page for details
–capture-comment
add a capture comment to the newly created
output file (only for pcapng)
</outfile|->

Miscellaneous:
-h display this help and exit
-v display version info and exit
-o : … override preference setting
-K keytab file to use for kerberos decryption
-G [report] dump one of several available reports and exit
default report=”fields”
use “-G ?” for more help

WARNING: dumpcap will enable kernel BPF JIT compiler if available.
You might want to reset it
By doing “echo 0 > /proc/sys/net/core/bpf_jit_enable”


Subscribe our Rurban Life YouTube Channel.. "Rural Life, Urban LifeStyle"

Leave a Comment