Tcpdump tool - at a glance.

There are many tools available to capture network packets from an interface, wired or wireless. Today I will show you the usage of one such tool, tcpdump.

Get onto any Linux machine and have a look at the online help for tcpdump 🙂 i.e.,
man tcpdump, or you could also look at the official webpage.
I have been using wireshark or tshark a lot more than tcpdump, but I faced one issue during my work where I had to learn and use tcpdump. After using it I found it is much simpler than tshark/wireshark 🙂 but not yet as sophisticated as wireshark :). It's a tradeoff, you see 😛

About the tool.

Tcpdump prints out a description of the contents of packets on a network interface that match the boolean expression. It can also be run with the -w flag, which causes it to save the packet data to a file for later analysis, and/or with the -r flag, which causes it to read from a saved packet file rather than to read packets from a network interface. It can also be run with the -V flag, which causes it to read a list of saved packet files. In all cases, only packets that match expression will be processed by tcpdump.

Usage :
1) To capture packets from the interface eth0 and write them to the file test.out. Note that with no filter expression this captures all packets seen on the interface, not just TCP, and capturing from an interface normally requires root.
sudo tcpdump -i eth0 -w test.out
2) If you need a filter so that you only get specific packets, such as FTP or SSH control traffic, put the filter expression after the options (tcpdump treats everything after the last option as the expression) and quote it so the shell does not interpret it. "port ssh or ftp" is shorthand for "port ssh or port ftp"; the names are resolved through /etc/services, so this matches ports 22 and 21 only and will not catch FTP data connections, which use other ports.
sudo tcpdump -i eth0 -w test.out 'port ssh or ftp'
3) You can use the -s option (the snaplen) to make sure that packets are not truncated. This is helpful when you load the tcpdump output file into wireshark, since a truncated packet loses the tail of its payload. Older releases used a small default snaplen of 68 bytes; -s 0 selects the default maximum of the build you are running.
sudo tcpdump -i eth0 -w test.out -s 65535
4) To read back a file that holds a raw packet capture, use -r. The -i option is not needed when reading from a file, and a filter expression can be applied to the saved packets in the same way as to live traffic; -n keeps tcpdump from doing reverse DNS lookups while printing.
tcpdump -n -r test.out
tcpdump -n -r test.out 'port ssh'
5) To print all IPv4 HTTP packets to and from port 80 that actually contain data, i.e. to leave out SYN and FIN packets and ACK-only packets. In the expression, ip[2:2] is the IPv4 total length, (ip[0]&0xf)<<2 is the IP header length in bytes and (tcp[12]&0xf0)>>2 is the TCP header length in bytes, so the subtraction gives the TCP payload length, which must be non-zero.
tcpdump 'tcp port 80 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)'
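As an added example that is not part of the original post, the script below shows what the steps above produce and check: it writes a small pcap file in the same format as tcpdump -w (with a configurable snaplen, as in step 3), reads it back as -r does, and applies the payload-length arithmetic from the step 5 filter (ip[2:2], the IP header length and the TCP header length) together with a "port 80" match. The frames are constructed in the script, with zeroed checksums, and the function and variable names are the example's own, not tcpdump's. Running the script on a file written by tcpdump -w on an Ethernet interface would work as well, as long as it is a classic pcap file rather than pcapng.

```python
import struct

# Classic pcap constants (the format written by `tcpdump -w`).
PCAP_MAGIC_LE = 0xA1B2C3D4
PCAP_MAGIC_BE_AS_LE = 0xD4C3B2A1   # what a big-endian file's magic reads as in little-endian
LINKTYPE_ETHERNET = 1


def build_tcp_frame(src_port, dst_port, flags, payload=b""):
    """Constructed Ethernet/IPv4/TCP frame for the demo (checksums left as zero)."""
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + b"\x08\x00"
    total_len = 20 + 20 + len(payload)            # IPv4 header + TCP header + data
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234, 0x4000, 64, 6, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    # data offset 5 words (20 bytes) lives in the high nibble of TCP byte 12
    tcp = struct.pack("!HHIIBBHHH", src_port, dst_port, 1, 1, 5 << 4, flags, 65535, 0, 0)
    return eth + ip + tcp + payload


def write_pcap(frames, snaplen=65535):
    """Serialise frames the way `tcpdump -w` does: global header, then per-packet records."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC_LE, 2, 4, 0, 0, snaplen, LINKTYPE_ETHERNET)
    for i, frame in enumerate(frames):
        captured = frame[:snaplen]                # -s snaplen truncates what gets stored
        out += struct.pack("<IIII", 1_700_000_000 + i, 0, len(captured), len(frame))
        out += captured
    return out


def read_pcap(data):
    """Yield (captured_bytes, original_length) records from a classic pcap file."""
    magic = struct.unpack("<I", data[:4])[0]
    if magic == PCAP_MAGIC_LE:
        endian = "<"
    elif magic == PCAP_MAGIC_BE_AS_LE:
        endian = ">"
    else:
        raise ValueError("not a classic pcap file (pcapng is not handled here)")
    linktype = struct.unpack(endian + "I", data[20:24])[0]
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError("expected Ethernet link type")
    off = 24
    while off + 16 <= len(data):
        _, _, incl_len, orig_len = struct.unpack(endian + "IIII", data[off:off + 16])
        off += 16
        yield data[off:off + incl_len], orig_len
        off += incl_len


def tcp_payload_length(frame):
    """TCP payload length of an IPv4/TCP frame, or None if it is something else.
    Same arithmetic as the filter: ip[2:2] - ((ip[0]&0xf)<<2) - ((tcp[12]&0xf0)>>2)."""
    if len(frame) < 14 or frame[12:14] != b"\x08\x00":
        return None
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) << 2                      # IP header length in bytes
    if len(ip) < 20 or ip[9] != 6 or len(ip) < ihl + 13:
        return None
    total_len = struct.unpack("!H", ip[2:4])[0]   # ip[2:2]
    tcp = ip[ihl:]
    data_off = (tcp[12] & 0xF0) >> 2               # TCP header length in bytes
    return total_len - ihl - data_off


def tcp_ports(frame):
    """(source port, destination port) of an IPv4/TCP frame; caller checks it is TCP."""
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) << 2
    return struct.unpack("!HH", ip[ihl:ihl + 4])


def http_data_packets(pcap_bytes, port=80):
    """Equivalent of: tcp port <port> and payload length != 0, plus a truncation flag.
    'truncated' means the snaplen cut the stored bytes short of the original frame."""
    hits = []
    for idx, (frame, orig_len) in enumerate(read_pcap(pcap_bytes)):
        plen = tcp_payload_length(frame)
        if not plen:                               # None (not TCP) or 0 (SYN/FIN/pure ACK)
            continue
        if port not in tcp_ports(frame):
            continue
        hits.append({"index": idx, "payload_len": plen, "truncated": len(frame) < orig_len})
    return hits


# Constructed sample capture: a handshake, a pure ACK, an HTTP request and an SSH banner.
DEMO_FRAMES = [
    build_tcp_frame(40000, 80, 0x02),                                  # SYN
    build_tcp_frame(80, 40000, 0x12),                                  # SYN/ACK
    build_tcp_frame(40000, 80, 0x10),                                  # ACK only
    build_tcp_frame(40000, 80, 0x18, b"GET / HTTP/1.1\r\n\r\n"),       # 18 bytes of data
    build_tcp_frame(40000, 22, 0x18, b"SSH-2.0-demo\r\n"),             # data, wrong port
]

if __name__ == "__main__":
    print("full snaplen :", http_data_packets(write_pcap(DEMO_FRAMES)))
    print("snaplen 60   :", http_data_packets(write_pcap(DEMO_FRAMES, snaplen=60)))
```

Only the HTTP request frame survives the filter; the handshake and the pure ACK have a zero payload length and the SSH frame is on the wrong port. With snaplen 60 the same frame is still selected, because the IPv4 total length used by the filter sits in the header, but the record is flagged as truncated: its stored bytes are shorter than the original frame, which is exactly the data loss step 3 guards against.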
