provocativo_

tcpdump

The command-line packet sniffer that every Unix-like ships with.

// what it is

Description

Built on libpcap, the same library every other capture tool wraps. Its compact BPF filter syntax is rock-solid for headless captures, and it writes pcap files that Wireshark can open later.

// use cases

What people use it for

  • Headless packet capture on production boxes
  • Quick on-the-wire debugging
  • Forensic capture for later Wireshark dissection

// commands

The commands you'll type

Capture all TCP port 443 (TLS) traffic to a file, full packets (-s 0), no name resolution (-nn)

$ tcpdump -i eth0 -nn -s 0 -w out.pcap 'tcp port 443'

Print live HTTP traffic to or from one host, payload shown as ASCII (-A)

$ tcpdump -i any -A 'tcp port 80 and host target.tld'

// facts

category
Network Analysis
platforms
LIN · MAC
license
FOSS
difficulty
Intermediate