How to use TCPDump to capture a specific port's data

Non-Datatex Product Support.
General support issues on PCs and Servers that is related to Datatex products.

Moderators: Leon van Heerden, Luanda_Junzi

How to use TCPDump to capture a specific port's data

Postby Leon van Heerden » Mon Feb 13, 2012 12:03 pm

TCPDump allows you to capture the network packets on a network card and display the info related to the packets on the screen or write it to a file.

The standard usage just dumps the source and destination address and ports.
This will dump all the packet info for all the packets on interface eth0 and not do any DNS lookups for the IPs.

Code: Select all
tcpdump -n -i eth0


If you are connected to this ethernet card, you should exclude your traffic using a rule like this:
Code: Select all
tcpdump -n -i eth0 not host 192.168.0.10 and not port 22

or you can explicitly state the port that you want to capture information for:
Code: Select all
tcpdump -n -i eth0 port 25


To capture the enitre packet and it's content, you need to add the following to the command line:
Code: Select all
-s0 -w testfile.pcap


So it should look like this:
Code: Select all
tcpdump -n -i eth0 -s 0 -w testfile.pcap port 25


The resulting file can be viewed with Wireshark.
----
Leon van Heerden
http://www.datatex.co.za
Leon van Heerden
 
Posts: 332
Joined: Fri Oct 29, 2010 11:21 am
Location: Cape Town

Re: How to use TCPDump to capture a specific port's data

Postby Belinda Frick » Mon Jul 30, 2018 5:07 pm

WINDOWS Capture:

  1. Open command prompt on Windows recorder.

  2. Navigate to folder in cmd:
    Code: Select all
    C:\WiresharkPortable\App\Wireshark>

  3. Command to get network devices:
    Code: Select all
    tshark.exe -D


    Result:
    Code: Select all
    1. \Device\NPF_{245CF9F1-5E53-40EF-B8E7-C1D2F00EF1AB} (VOICE)
    2. \Device\NPF_{EA122839-C12C-4613-909F-B646516EE38A} (DATA)
    3. ciscodump (Cisco remote capture)
    4. randpkt (Random packet generator)
    5. sshdump (SSH remote capture)
    6. udpdump (UDP Listener remote capture)

  4. Capture command (will stop after 24 hours):
    Code: Select all
    C:\WiresharkPortable\App\Wireshark>tshark.exe -i \Device\NPF_{245CF9F1-5E53-40EF-B8E7-C1D2F00EF1AB} -s 0 -b duration:3600 -b files:24 -w indew-pew.pcap

    Result:
    Code: Select all
    Capturing on 'VOICE'
    2249502
Belinda Frick
 
Posts: 3808
Joined: Fri Nov 12, 2010 4:25 pm


Return to General Support

Who is online

Users browsing this forum: No registered users and 0 guests

cron