tcpdump question

Posted on 2004-09-05
Last Modified: 2012-08-14
What are the TCPDUMP switches I should be using to monitor traffic effectively (both for security and network analysis)?
I've been using windump -s 1531 so far. Any recommendations?
Question by: dissolved
Expert Comment

ID: 11984535
What is your goal for the analysis?  Are you analyzing an entire network, a collection of computers on a network, or just a single host?  Have you considered using Ethereal for a more graphical viewing of the packets?

Expert Comment

ID: 11984592
New one on me. I do all my network analysis via packet capture; Ethereal is a good answer, as suggested by catdaddy007 above. Now I'm stumped, as I've never heard of TCPDUMP or WINDUMP...


Author Comment

ID: 11984698
Analyzing an entire network. I need to be able to view race output. Ethereal is nice, but I need to view output from an IDS box. Unfortunately, it is not as nice as Ethereal's layout, unless someone here knows of a way to output it in an Ethereal-readable format.

Author Comment

ID: 11984704
I meant raw* output. Not "race" output. Sorry, late night.

Expert Comment

ID: 11984793
So you have a host on a network that is collecting traffic via TCP/Windump (probably outputting to a plain text file) and you want to "import" that data to an IDS box in order to determine if there have been any intrusions, and probably to just look at the traffic.

Honestly, your windump -s 1531 is probably pretty good if all you want is 100% of the packet data in raw format. You will probably want to put a -n in there so that it doesn't do hostname lookups.

If you are getting too much traffic through this host and windump can't keep up (as evidenced by packets dropped by the kernel), then use the -w option and specify a filename to dump the raw data to. Like so:

windump -w output.out

You'll find that you can't read that format with a normal text editor. What you have to do is run windump again to process the output file into a readable format. Like so:

windump -n -r output.out >c:\human_readable_format.txt

What the -w does is tell windump not to format the captured data in readable format on the fly; merely dump it to a text file. Then you have to do the formatting manually once your capture is complete. You could probably script all this and rotate your captured files if you like, but that is beyond the scope of this question.

Another thing: are your switches set up to mirror all traffic to the port that your collection box is on? Otherwise, you'll only get traffic that has a source or destination address of your collection box. Or are hubs used throughout the network?

Expert Comment

ID: 11984806
Also, windump switches are pretty much the same as tcpdump switches, with the obvious exception of interface names (eth1 vs. \device\npf_blah_blah_blah). So a Google search on tcpdump switches would prove fruitful.

Author Comment

ID: 11984864
Yeah, this is actually a home lab, so no port spanning. Just an IDS on a hub.

I usually only use the -w option when I want to import the output into Ethereal. Works great.

PS: Isn't there a way to show the hex of the packet too? Like in the bottom pane of the Ethereal program?

Accepted Solution

Catdaddy007 earned 500 total points
ID: 11984936
True... The -w is the real "raw" output of the capture. Once you have that info, you can import it into all kinds of stuff. The -x switch will show the hex values of the packet. Like so:

windump -x -n -s 1531

If the IDS is the machine that is doing the "captures", shouldn't the IDS software do the packet capture for you, rather than relying on you to first capture in windump and then import into the IDS?
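The two answers above cover the -w / -r round trip and the -x hex view. What -w actually writes is the libpcap file format: a 24-byte global header (magic, version, snaplen, link type) followed by one 16-byte record header per packet, each carrying the timestamp, the number of bytes saved and the number of bytes that were on the wire. The saved length is capped by -s, so a snaplen smaller than the frame (1531 is enough for a full 1514-byte Ethernet frame) silently truncates payloads, which is exactly what an IDS must not be fed. The following Python reader is an added example, not code from this thread or from tcpdump itself: it parses that format, prints the bytes the way tcpdump -x does, gives a -n style one-line summary for Ethernet/IPv4 records, and flags records the snaplen cut short. The capture it reads is constructed inline in build_sample_pcap() (IP and UDP checksums are left at zero); pcapng files are not handled.

```python
"""Reader for the file format `tcpdump -w` / `windump -w` produces.

Added example, not code from the thread. Assumes the classic libpcap
format (magic 0xa1b2c3d4, or 0xa1b23c4d for nanosecond timestamps),
which is what tcpdump writes by default; pcapng is not handled.
"""
import struct
from typing import NamedTuple

PCAP_MAGIC_US = 0xA1B2C3D4  # microsecond timestamps
PCAP_MAGIC_NS = 0xA1B23C4D  # nanosecond timestamps
LINKTYPE_ETHERNET = 1


class Record(NamedTuple):
    ts: float      # seconds since the epoch
    caplen: int    # bytes saved in the file (capped by the -s snaplen)
    origlen: int   # bytes that were on the wire
    data: bytes


def parse_pcap(blob):
    """Return (snaplen, linktype, records). Raises ValueError if not libpcap."""
    if len(blob) < 24:
        raise ValueError("too short to hold a pcap global header")
    for endian in ("<", ">"):  # writer's byte order is encoded by the magic
        magic = struct.unpack(endian + "I", blob[:4])[0]
        if magic in (PCAP_MAGIC_US, PCAP_MAGIC_NS):
            break
    else:
        raise ValueError("not a libpcap capture (bad magic)")
    frac_div = 1e9 if magic == PCAP_MAGIC_NS else 1e6
    # global header: magic, major, minor, thiszone, sigfigs, snaplen, linktype
    _, _major, _minor, _zone, _sig, snaplen, linktype = struct.unpack(
        endian + "IHHiIII", blob[:24])
    records, off = [], 24
    while off + 16 <= len(blob):
        ts_sec, ts_frac, caplen, origlen = struct.unpack(endian + "IIII", blob[off:off + 16])
        off += 16
        data = blob[off:off + caplen]
        if len(data) != caplen:  # file ends mid-record (capture killed while writing)
            raise ValueError("truncated record at offset %d" % off)
        off += caplen
        records.append(Record(ts_sec + ts_frac / frac_div, caplen, origlen, data))
    return snaplen, linktype, records


def hexdump(data, width=16):
    """Lines in the style of tcpdump -x: offset, then 2-byte groups."""
    lines = []
    for i in range(0, len(data), width):
        chunk = data[i:i + width]
        lines.append("0x%04x:  %s" % (i, " ".join(
            chunk[j:j + 2].hex() for j in range(0, len(chunk), 2))))
    return lines


def truncated(records):
    """Indices of records the snaplen cut short (payload is incomplete)."""
    return [i for i, r in enumerate(records) if r.caplen < r.origlen]


def summarize(linktype, rec):
    """One-line -n style summary for Ethernet/IPv4; lengths only otherwise."""
    d = rec.data
    if linktype == LINKTYPE_ETHERNET and len(d) >= 34 and d[12:14] == b"\x08\x00":
        name = {1: "icmp", 6: "tcp", 17: "udp"}.get(d[23], "ip-proto-%d" % d[23])
        who = "%s > %s %s" % (".".join(map(str, d[26:30])), ".".join(map(str, d[30:34])), name)
    else:
        who = "linktype %d frame" % linktype
    flag = "" if rec.caplen == rec.origlen else " [truncated: %d of %d bytes]" % (rec.caplen, rec.origlen)
    return "%.6f %s, length %d%s" % (rec.ts, who, rec.origlen, flag)


def _ipv4_udp_frame(payload):
    """Constructed Ethernet/IPv4/UDP frame 10.0.0.5 -> 10.0.0.1:53; checksums left 0."""
    eth = bytes.fromhex("001122334455" "66778899aabb" "0800")
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28 + len(payload), 0x1234, 0, 64, 17, 0,
                     bytes([10, 0, 0, 5]), bytes([10, 0, 0, 1]))
    udp = struct.pack("!HHHH", 40000, 53, 8 + len(payload), 0)
    return eth + ip + udp + payload


def build_sample_pcap(snaplen=96):
    """Constructed sample capture, laid out as `tcpdump -s <snaplen> -w` writes it."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC_US, 2, 4, 0, 0, snaplen, LINKTYPE_ETHERNET)
    frames = ((1094364000, _ipv4_udp_frame(b"x" * 10)),    # 52 bytes, fits
              (1094364001, _ipv4_udp_frame(b"y" * 1400)))  # 1442 bytes, cut at snaplen
    for ts, frame in frames:
        kept = frame[:snaplen]
        out += struct.pack("<IIII", ts, 0, len(kept), len(frame)) + kept
    return out


if __name__ == "__main__":
    snaplen, linktype, recs = parse_pcap(build_sample_pcap())
    print("snaplen %d, linktype %d, %d records, %d truncated"
          % (snaplen, linktype, len(recs), len(truncated(recs))))
    for rec in recs:
        print(summarize(linktype, rec))
        for line in hexdump(rec.data[:32]):
            print("\t" + line)
```

Run against a real -w file by replacing build_sample_pcap() with open(path, "rb").read(). A non-empty result from truncated() means the capture was taken with too small a -s and the payload bytes an IDS signature would match on are simply not in the file; recapture with a larger snaplen (or -s 0, which on current tcpdump means the maximum) rather than trying to analyse what is there.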

Author Comment

ID: 11984942
you da man

Expert Comment

ID: 11986142

