Mask's web site
Tcpdump

Tcpdump is a powerful tool for collecting packets on a network. It is included in FreeBSD 3.2-RELEASE; earlier releases may not include it, so check your own system.

Tcpshow is a tool that helps you display the captured packet information. It is not part of the operating system (at least not in FreeBSD 3.2-RELEASE), so you must install it yourself. You can download the package from here.

  1. # cd /usr/src/sys/i386/conf/
  2. Make sure this line is not commented out in your kernel configuration file.
  3. # config xxx   (xxx is the name of your kernel configuration file)
  4. # cd /usr/src/sys/compile/xxx/
  5. # make depend all install
  6. Now tcpdump is enabled and you can capture packets.
  7. Install tcpshow to decode the tcpdump file; you can download the tcpshow package from here.
  8. # pkg_add -v tcpshow-1.74.tgz
  9. Now the decoder is installed.

Example

A

  1. # tcpdump -i ed0 -w test
    Listen on interface ed0 and write the captured packets to the file named test.
  2. # tcpshow < test | more
    Decode the file test.

B

  1. # tcpdump -i ed0 -w test 'dst port 23'
    Capture only packets with destination port 23 on interface ed0 and write them to the file named test.
  2. # tcpshow -minHdrDecode < test | more
    Decode the file test with minimal header display.

C

  1. # tcpdump -i ed0 -w test 'dst port 23' and 'ether src 0:aa:bb:cc:dd:ee'
    Capture only packets with Ethernet source address 00:aa:bb:cc:dd:ee and destination port 23 on interface ed0 and write them to the file named test.
  2. # tcpshow -minHdrDecode -noHostNames < test | more
    Decode the file test with minimal header display, showing IP addresses instead of host names.

D

  1. # tcpdump -i ed0 -w test 'dst port 23' or 'dst port 110' and 'ether src 0:aa:bb:cc:dd:ee'
    Capture only packets with Ethernet source address 00:aa:bb:cc:dd:ee and destination port 23 or 110 on interface ed0 and write them to the file named test.
  2. # tcpshow -minHdrDecode -noHostNames < test | more
    Decode the file test with minimal header display, showing IP addresses instead of host names.

E

  1. # tcpdump -i ed0 -w test 'dst port 23' or 'dst port 110' and 'ether src 0:aa:bb:cc:dd:ee' and 'less 60'
    Capture only packets with Ethernet source address 00:aa:bb:cc:dd:ee, destination port 23 or 110, and packet length less than 60 on interface ed0 and write them to the file named test.
  2. # tcpshow -minHdrDecode -noHostNames < test | more
    Decode the file test with minimal header display, showing IP addresses instead of host names.

F

  1. # tcpdump -i ed0 -w test 'dst port 23' or 'dst port 110' and 'src host 192.168.0.1' &
    Capture only packets with source IP 192.168.0.1 and destination port 23 or 110 on interface ed0 and write them to the file named test, running in the background.
  2. # tcpshow -minHdrDecode -noHostNames < test | more
    Decode the file test with minimal header display, showing IP addresses instead of host names.
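As an added example (not code from the original page or from tcpdump/tcpshow), the Python script below reads a pcap file of the kind `tcpdump -w test` produces, decodes the Ethernet/IPv4/TCP headers roughly the way `tcpshow -minHdrDecode -noHostNames` does, and applies the filter from example E. The sample frames, the second MAC address and the IP addresses are constructed. Note that in tcpdump filters `and` and `or` have equal precedence and associate left to right, so example E is read as ((dst port 23 or dst port 110) and ether src ...) and less 60; the second predicate shows how a C-style reading (where `and` binds tighter) would select different packets.

```python
import struct

# Constructed sample data, not a real capture: a classic little-endian libpcap
# file (magic 0xa1b2c3d4, link type 1 = Ethernet) like the one `tcpdump -w test` writes.
PCAP_HDR = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
MON_MAC = bytes.fromhex("00aabbccddee")    # the page's 0:aa:bb:cc:dd:ee
OTHER_MAC = bytes.fromhex("001122334455")  # constructed; should not match

def make_frame(src_mac, dst_port, payload):
    """Ethernet/IPv4/TCP frame with constructed addresses and zero checksums."""
    tcp = struct.pack("!HHIIBBHHH", 40000, dst_port, 0, 0, 5 << 4, 0x18, 8192, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0x4000, 64, 6, 0,
                     bytes([192, 168, 0, 1]), bytes([10, 0, 0, 9])) + tcp
    return bytes.fromhex("ffeeddccbbaa") + src_mac + b"\x08\x00" + ip

FRAMES = [make_frame(MON_MAC, 23, b"x"), make_frame(OTHER_MAC, 23, b"x"),
          make_frame(MON_MAC, 110, b"x"), make_frame(OTHER_MAC, 110, b"x"),
          make_frame(MON_MAC, 80, b"x"), make_frame(MON_MAC, 23, b"x" * 40)]
SAMPLE_PCAP = PCAP_HDR + b"".join(
    struct.pack("<IIII", 0, i, len(f), len(f)) + f for i, f in enumerate(FRAMES))

def pcap_records(data):
    """Yield each captured frame from a little-endian pcap byte string."""
    off = 24  # skip the 24-byte global header
    while off + 16 <= len(data):
        _ts_sec, _ts_usec, caplen, _origlen = struct.unpack_from("<IIII", data, off)
        off += 16
        yield data[off:off + caplen]
        off += caplen

def decode(frame):
    """Minimal header decode: source MAC, IP addresses, TCP destination port, frame length."""
    ihl = (frame[14] & 0x0F) * 4                      # IPv4 header length in bytes
    _sport, dport = struct.unpack_from("!HH", frame, 14 + ihl)
    return {"ether_src": frame[6:12].hex(":"), "src": ".".join(map(str, frame[26:30])),
            "dst": ".".join(map(str, frame[30:34])), "dport": dport, "len": len(frame)}

def filter_e(p):
    """Example E as libpcap parses it: ((dst port 23 or dst port 110) and ether src) and less 60.
    `less 60` is true for frames of 60 bytes or fewer."""
    return p["dport"] in (23, 110) and p["ether_src"] == "00:aa:bb:cc:dd:ee" and p["len"] <= 60

def filter_e_c_style(p):
    """The same words read with C precedence (`and` tighter than `or`), for contrast only."""
    return p["dport"] == 23 or (p["dport"] == 110 and p["ether_src"] == "00:aa:bb:cc:dd:ee"
                                and p["len"] <= 60)

def count_matches(pcap, predicate):
    """Number of frames in the pcap that the given filter predicate selects."""
    return sum(1 for f in pcap_records(pcap) if predicate(decode(f)))
```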


Copyright © by Mask.
All rights reserved.