This is Gentoo's testing wiki. It is a non-operational environment and its textual content is outdated.
Please visit our production wiki at https://wiki.gentoo.org
tcpdump
tcpdump is a command-line network monitoring and data acquisition tool. It is capable of sniffing packets and "dumping" information.
Installation
USE flags
USE flags for net-analyzer/tcpdump A tool for network monitoring and data acquisition
drop-root
|
Drop privileges to pcap:pcap when run as root |
samba
|
Add support for SAMBA (Windows File and Printer sharing) |
smi
|
Build with net-libs/libsmi to load MIBs on the fly to decode SNMP packets |
ssl
|
Add support for SSL/TLS connections (Secure Socket Layer / Transport Layer Security) |
suid
|
Enable setuid root program(s) |
test
|
Enable dependencies and/or preparations necessary to run tests (usually controlled by FEATURES=test but can be toggled independently) |
verify-sig
|
Verify upstream signatures on distfiles |
Emerge
Install tcpdump:
root #emerge --ask net-analyzer/tcpdumpConfiguration
SUID
In order for normal users to run tcpdump the program should be built with the suid flag enabled and the user(s) should be added to the tcpdump group.
root #USE="suid" emerge -a --changed-use tcpdumpDo this by using the usermod command where <username> is user's username:
root #usermod -a -G tcpdump <username>Usage
Invocation
The root user can invoke tcpdump at any time:
root #tcpdump -hUsage: tcpdump [-aAbdDefhHIJKlLnNOpqRStuUvxX#] [ -B size ] [ -c count ]
[ -C file_size ] [ -E algo:secret ] [ -F file ] [ -G seconds ]
[ -i interface ] [ -j tstamptype ] [ -M secret ] [ --number ]
[ -Q in|out|inout ]
[ -r file ] [ -s snaplen ] [ --time-stamp-precision precision ]
[ --immediate-mode ] [ -T type ] [ --version ] [ -V file ]
[ -w file ] [ -W filecount ] [ -y datalinktype ] [ -z command ]
[ -Z user ] [ expression ]
When tcpdump has been set with SUID permissions normal users can invoke it, however since the /usr/sbin directory is not included in a normal user's path, the full path must be specified:
user $/usr/sbin/tcpdumpListing interfaces
To discover the interfaces available to tcpdump issue the following command:
user $/usr/sbin/tcpdump --list-interfacesSpecifying an interface
After an output of available interfaces has been displayed it is possible to select a specific interface upon which to listen:
user $/usr/sbin/tcpdump -i <interface_name>Where <interface_name> is either the number of the interface or the string version of the name.
Write output to a file
Running tcpdump with the -w instructs the program to write output to a file. This is helpful to future analysis:
user $/usr/sbin/tcpdump -w /tmp/outputRead input from a file
user $/usr/sbin/tcpdump -r /tmp/outputSee also
- Metasploit — provides information about security vulnerabilities and aids in penetration testing and IDS signature development.
- nmap — an open source recon tool used to check for open ports, what is running on those ports, and metadata about the daemons servicing those ports
- Wireshark — a free and open-source packet analyzer.
External resources
- http://www.tcpdump.org/manpages/pcap.3pcap.html - The tcpdump man page hosted on the web.