The Serpent

// Cursing the Internet since 1998

Capturing Packets on the CLI

Posted Jan 25, 2021 Cheatsheet

There’s an old saying amongst Network Engineers; Packets Don’t Like.

Obtaining a packet capture when troubleshooting a problem will not only help keep your sanity in check but may also help determine the source of a problem, or at least where to look next.

Many of us rely on Wireshark to perform these tasks, but there’s a whole range of libraries and CLI tools available to help troubleshoot when all you have is CLI access.

Packet Capture Libraries

First let’s look at the libraries that allow for packet captures across various platforms…

Library Developer Notes
libpcap TCPdump Team The de facto packet capture API used on almost all operating systems except Windows. Ships with Wireshark for Linux\Mac installations
winPCAP Riverbed Original port of libpcap onto Windows, no longer supported.
npcap Nmap Team Modern implementation of Windows libpcap port, ships with Wireshark for Windows installations

Today, you’re either using npcap for Windows, or libpcap for anything else. Now that you can capture packets, you’ll need something to display them with. The following CLI tools exist to capture and display packets, as well as some common example arguments:

tcpdump

tcpdump was one of the first CLI based packet capture tools. When ran without any arguments, it starts capturing packets on the first available interface and outputs the headers to the console.

tcpdump -i eth0 host 192.168.1.1
Capture all packets on interface eth0 that match the host 192.168.1.1.

tcpdump -i eth0 -w /tmp/capture.pcap
Capture all packets on interface eth0 and write the contents to a capture file.

tshark

Created by Wireshark, it basically works the same way as tcpdump but has better filtering support, and therefore ideal for analysing large capture files.

tshark -i eth0 host 192.168.1.1
Perform a capture on eth0 while filtering for traffic to host 192.168.1.1 only.

dumpcap

Another tool created by Wireshark, it captures packets and writes them to a file (this can be achieved with both tools above, but dumpcap saves you a few CLI arguments).

dumpcap -i eth0
Writes the packet capture to the /tmp directory.

Summary

All three programs effectively do the same thing, so it’s more of a matter of taste as to which one you use. You’ll likely encounter tcpdump installed on more systems than tshark or dumpcap.

Capturing Packets on the CLI
Posted January 25, 2021
Written by John Payne