tcpdump is used to capture (dump) network traffic. The captured traffic can then be used to troubleshoot a range of problems, e.g. application issues, networking issues, etc.
\\
__**Note**__: If you write the output of a tcpdump to a file (-w), you can then open that file in Wireshark to interpret it more easily.
\\
\\
== Common Examples ==
In the following example:
\\
> Replace **//x.x.x.x//** with the IP of the machine you are running the dump on (the destination). Which IP to use depends on the interface (public/private).
> Replace **//y.y.y.y//** with the source IP, e.g. the server you are connecting FROM.
tcpdump -nn -tttt -i eth0 'dst port 3306 and dst host x.x.x.x and src host y.y.y.y'
\\
\\
Description: Clean output - no timestamps (-t) and no packet contents, just the one-line summary of each packet
# time tcpdump -t -nn -i eth0 port 443
IP x.x.x.190.26753 > x.x.x.129.443: Flags [S], seq 90450879, win 29200, options [mss 1380,sackOK,TS val 176708915 ecr 0,nop,wscale 7], length 0
IP x.x.x.129.443 > x.x.x.190.26753: Flags [S.], seq 1451406549, ack 90450880, win 28960, options [mss 1460,sackOK,TS val 180471895 ecr 176708915,nop,wscale 7], length 0
IP x.x.x.190.26753 > x.x.x.129.443: Flags [.], ack 1, win 229, options [nop,nop,TS val 176708934 ecr 180471895], length 0
IP x.x.x.190.26753 > x.x.x.129.443: Flags [P.], seq 1:518, ack 1, win 229, options [nop,nop,TS val 176708934 ecr 180471895], length 517
\\
\\
Description: Capture packets with timestamps and print the packet contents in ASCII (-A)
# time tcpdump -nn -i eth0 dst port 443 -A
x:x.x:29.334109 IP x.x.x.129.50684 > x.x.x.11.443: Flags [.], ack 305494749, win 772, options [nop,nop,TS val 180530251 ecr 1978706385], length 0
E..4..@.@..o....R^......<.JW.5z............
..Ku...
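The one-line summaries above (and the -A payload dumps, which are skipped) can be post-processed without Wireshark. The following parser is an added example, not part of the original page: it reads tcpdump -nn -t output, groups packets into connections and reports whether the three-way handshake (SYN, SYN-ACK, ACK) completed and how many payload bytes each side sent. The sample lines and the 10.0.0.x addresses are constructed.

```python
import re

# Matches the summary line tcpdump prints with -nn -t, e.g.
#   IP 10.0.0.190.26753 > 10.0.0.129.443: Flags [S.], seq 1, ack 1, win 229, length 0
LINE_RE = re.compile(
    r"^IP (?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): "
    r"Flags \[(?P<flags>[^\]]*)\].*length (?P<length>\d+)$"
)

def parse_line(line):
    """Return the fields of one summary line, or None for anything else
    (the 'listening on ...' banner, -A payload dumps, -vvv header lines)."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    p = m.groupdict()
    for k in ("sport", "dport", "length"):
        p[k] = int(p[k])
    return p

def summarize_flows(lines):
    """Aggregate packets per connection; both directions share one entry keyed by
    the sorted (ip, port) pair. Tracks handshake state and payload bytes per side."""
    flows = {}
    for line in lines:
        p = parse_line(line)
        if p is None:
            continue
        a, b = (p["src"], p["sport"]), (p["dst"], p["dport"])
        key = tuple(sorted([a, b]))
        f = flows.setdefault(key, {"packets": 0, "bytes": {a: 0, b: 0},
                                   "syn": False, "synack": False,
                                   "handshake_complete": False})
        f["packets"] += 1
        f["bytes"][a] += p["length"]          # payload bytes sent by this side
        if p["flags"] == "S":                 # client SYN
            f["syn"] = True
        elif p["flags"] == "S.":              # server SYN-ACK
            f["synack"] = True
        elif f["synack"] and "." in p["flags"]:  # first ACK after SYN-ACK
            f["handshake_complete"] = f["syn"]
    return flows

def half_open(flows):
    """Connections that sent a SYN but never completed the handshake."""
    return [k for k, f in flows.items() if f["syn"] and not f["handshake_complete"]]

# Constructed sample: one full handshake plus a lone SYN and a banner line.
SAMPLE = """listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
IP 10.0.0.190.26753 > 10.0.0.129.443: Flags [S], seq 90450879, win 29200, length 0
IP 10.0.0.129.443 > 10.0.0.190.26753: Flags [S.], seq 1451406549, ack 90450880, win 28960, length 0
IP 10.0.0.190.26753 > 10.0.0.129.443: Flags [.], ack 1, win 229, length 0
IP 10.0.0.190.26753 > 10.0.0.129.443: Flags [P.], seq 1:518, ack 1, win 229, length 517
IP 10.0.0.77.40001 > 10.0.0.129.443: Flags [S], seq 1, win 29200, length 0""".splitlines()
```

Feed real output with `tcpdump -nn -t ... | python3 script.py` after replacing SAMPLE with `sys.stdin`; a growing half_open() list is the usual sign of a filtered port or a SYN-flooded service.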
\\
\\
== Verbose ==
Non-verbose (default) output:
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
IP 82.94.168.11.443 > 195.154.211.129.50684: Flags [P.], seq 305495973:305496007, ack 1020938839, win 19, options [nop,nop,TS val 1978798886 ecr 180890262], length 34
IP 195.154.211.129.50684 > 82.94.168.11.443: Flags [.], ack 34, win 772, options [nop,nop,TS val 180900262 ecr 1978798886], length 0
\\
With -vvv (adds the IP header fields such as tos, ttl, id and flags, and verifies the TCP checksum):
IP (tos 0x0, ttl 54, id 18426, offset 0, flags [DF], proto TCP (6), length 86)
82.94.168.11.443 > 195.154.211.129.50684: Flags [P.], cksum 0x6b90 (correct), seq 305495973:305496007, ack 1020938839, win 19, options [nop,nop,TS val 1978798886 ecr 180890262], length 34
IP (tos 0x0, ttl 64, id 56819, offset 0, flags [DF], proto TCP (6), length 52)
195.154.211.129.50684 > 82.94.168.11.443: Flags [.], cksum 0x91ac (incorrect -> 0x1bc7), seq 1, ack 34, win 772, options [nop,nop,TS val 180900262 ecr 1978798886], length 0
\\
__**Note**__: the "incorrect" checksum on the outgoing packet is normally an artefact of TCP checksum offloading: the packet is captured before the NIC fills in the checksum. Use -K to skip checksum verification if this is noise.
\\
\\
^ Flag ^ Description ^
| -A | Print each packet (minus its link level header) in ASCII. Handy for capturing web pages |
| -n | Don't convert host addresses to names. This avoids DNS lookups. |
| -nn | Don't convert protocol and port numbers etc. to names either. |
| -w | Write the raw packets to a file rather than parsing and printing them out |
| -i | Interface to capture on |
| -t | Don't print a timestamp on each line; can be easier to read |
| -vvv | Even more verbose output. For example, telnet SB ... SE options are printed in full. With -X Telnet options are printed in hex as well. |
| src | Filter primitive: only capture packets from a source address (e.g. src host x.x.x.x) |
| dst | Filter primitive: only capture traffic to a destination address (a server can have multiple IPs, so you can specify which one) |