
    Using tcpdump to Capture Packets

    The IDP OS includes a Linux version of the commonly used tcpdump utility. On IDP Series devices, the tcpdump utility can capture only received packets (Rx packets). If you need to capture transmitted packets (Tx packets), use the jnetTcpdump utility.

    To display a reference of tcpdump options and Berkeley Packet Filter (BPF) primitive expressions, enter man tcpdump.

    The following example shows the syntax for capturing SMTP traffic on port 25. Here, tcpdump starts listening on the eth1 interface for traffic matching the expression tcp port 25.

    [root@localhost ~]# tcpdump -i eth1 -s 0 -w /tmp/smtp.pcap tcp port 25

    The following example shows the syntax for capturing all traffic except your SSH session to the IDP Series device:

    [root@localhost ~]# tcpdump -s 0 -i eth2 -w eth2-all-but-ssh.pcap not tcp port 22
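The filter above drops every packet on TCP port 22, including SSH connection attempts from other hosts that an analyst would usually want to keep. The following shell functions are an added example (not part of the Juniper documentation) that narrow the exclusion to the administrator's own session; they assume the session was opened with an OpenSSH server, which exports SSH_CONNECTION as "client_ip client_port server_ip server_port".

```shell
#!/bin/sh
# Added example, not from the IDP documentation: exclude only the admin's own
# SSH flow from a capture instead of all port-22 traffic, so SSH activity from
# other hosts is still recorded. Assumes an OpenSSH-style SSH_CONNECTION value.

# build_filter "client_ip client_port server_ip server_port"
# Prints a BPF expression for tcpdump. If the argument is empty or does not
# have four fields, falls back to excluding all SSH traffic, which is exactly
# what the original "all-but-ssh" command does.
build_filter() {
    conn="$1"
    # Split the connection string into the function's positional parameters.
    set -- $conn
    if [ "$#" -ne 4 ]; then
        echo 'not tcp port 22'
        return 0
    fi
    client_ip="$1"; client_port="$2"; server_ip="$3"; server_port="$4"
    # "host X and port P" matches either direction of the flow, so both
    # endpoints together identify the single TCP session to leave out.
    echo "not (tcp and host $client_ip and port $client_port and host $server_ip and port $server_port)"
}

# capture_all_but_my_session IFACE OUTFILE
# Full snaplen (-s 0) capture on IFACE, excluding only the current session.
# Requires root, like the tcpdump commands in the original text.
capture_all_but_my_session() {
    iface="$1"; outfile="$2"
    filter=$(build_filter "${SSH_CONNECTION:-}")
    tcpdump -i "$iface" -s 0 -w "$outfile" "$filter"
}
```

Run it as capture_all_but_my_session eth2 eth2-all-but-me.pcap from within the SSH session; when SSH_CONNECTION is unset (for example on the console) it behaves like the original command.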

    If you later decide you want to extract only HTTP traffic from the “all-but” pcap, you can use the following syntax to filter the previously collected file:

    [root@localhost ~]# tcpdump -r eth2-all-but-ssh.pcap -w http.pcap tcp port 80

    To view captured traffic, you can use tcpdump data display options or use a packet viewer, such as Wireshark.

    Published: 2011-02-08