Chapter 2: Network Security Testing Basics


Example 2-11. Verbose output for tcpdump

11:39:09.703339 STP 802.1d, Config, Flags [none], bridge-id 7b00.18:d6:c7:7d:f4:8a.8004, length 35
    message-age 0.75s, max-age 20.00s, hello-time 1.00s, forwarding-delay 4.00s
    root-id 7000.2c:08:8c:1c:3b:db, root-pathcost 4
11:39:09.710628 IP (tos 0x0, ttl 233, id 12527, offset 0, flags [DF], proto TCP (6), length 553)
    54.231.176.224.443 > 192.168.86.223.62547: Flags [P.], cksum 0x6518 (correct), seq 3199:3712, ack 1164, win 68, length 513
11:39:09.710637 IP (tos 0x0, ttl 233, id 12528, offset 0, flags [DF], proto TCP (6), length 323)
    54.231.176.224.443 > 192.168.86.223.62547: Flags [P.], cksum 0x7f26 (correct), seq 3712:3995, ack 1164, win 68, length 283
11:39:09.710682 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 40)
    192.168.86.223.62547 > 54.231.176.224.443: Flags [.], cksum 0x75f2 (correct), ack 3712, win 8175, length 0
11:39:09.710703 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 40)
The output looks largely the same, except that everything is numeric: there are no hostnames or port names. That is the result of the -n flag, which tells tcpdump not to resolve addresses or port numbers (it also keeps tcpdump from generating reverse-DNS lookups of its own while it captures). You still see the two endpoints of each conversation identified by IP address and port number. What -v adds is detail from the headers: transport checksums are verified and reported as correct or incorrect, and IP header fields such as the time-to-live (TTL) and the IP identification value are shown. Note that a checksum reported as incorrect on packets sent by the capturing host itself is usually checksum offload (the NIC fills in the checksum after the capture point), not corruption on the wire.
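The fields that -v exposes are easy to pull out of the text with a small parser, which is handy when a capture is long. The following is an added example, not code from the book: it parses the two-line IP records from Example 2-11 above (the last, truncated record included), reports any checksum tcpdump marked as incorrect, and estimates hop distance from the TTL by assuming the nearest common initial value (64, 128 or 255). The function names and the hop heuristic are this example's own choices.

```python
import re

# Input taken from Example 2-11 above: each IP record is a header line followed by
# an indented transport line. The final record has no transport line in the text.
SAMPLE = """\
11:39:09.710628 IP (tos 0x0, ttl 233, id 12527, offset 0, flags [DF], proto TCP (6), length 553)
    54.231.176.224.443 > 192.168.86.223.62547: Flags [P.], cksum 0x6518 (correct), seq 3199:3712, ack 1164, win 68, length 513
11:39:09.710637 IP (tos 0x0, ttl 233, id 12528, offset 0, flags [DF], proto TCP (6), length 323)
    54.231.176.224.443 > 192.168.86.223.62547: Flags [P.], cksum 0x7f26 (correct), seq 3712:3995, ack 1164, win 68, length 283
11:39:09.710682 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 40)
    192.168.86.223.62547 > 54.231.176.224.443: Flags [.], cksum 0x75f2 (correct), ack 3712, win 8175, length 0
11:39:09.710703 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 40)
"""

# Header line as printed by "tcpdump -n -v" for an IPv4 packet.
IP_LINE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) IP \(tos 0x(?P<tos>[0-9a-f]+), ttl (?P<ttl>\d+), "
    r"id (?P<id>\d+), offset (?P<offset>\d+), flags \[(?P<ipflags>[^\]]*)\], "
    r"proto (?P<proto>\w+) \((?P<protonum>\d+)\), length (?P<iplen>\d+)\)$"
)
# Transport line: "src.port > dst.port: Flags [..], cksum 0x.... (correct|incorrect ...)".
TCP_LINE = re.compile(
    r"^\s*(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): "
    r"Flags \[(?P<tcpflags>[^\]]*)\], cksum 0x(?P<cksum>[0-9a-f]+) \((?P<verdict>\w+)\)"
)


def parse_verbose(text):
    """Turn tcpdump -n -v text into a list of dicts, one per IP packet.

    A header line with no following transport line (a truncated record) still
    yields a dict; its transport fields are left as None."""
    records = []
    lines = text.splitlines()
    i = 0
    while i < len(lines):
        m = IP_LINE.match(lines[i])
        i += 1
        if not m:
            continue
        rec = {
            "ts": m["ts"], "ttl": int(m["ttl"]), "ip_id": int(m["id"]),
            "ip_flags": m["ipflags"], "proto": m["proto"], "ip_len": int(m["iplen"]),
            "src": None, "sport": None, "dst": None, "dport": None,
            "tcp_flags": None, "cksum_ok": None,
        }
        if i < len(lines):
            t = TCP_LINE.match(lines[i])
            if t:
                rec.update(src=t["src"], sport=int(t["sport"]), dst=t["dst"],
                           dport=int(t["dport"]), tcp_flags=t["tcpflags"],
                           cksum_ok=(t["verdict"] == "correct"))
                i += 1
        records.append(rec)
    return records


def hops_from_ttl(ttl):
    """Heuristic (this example's own): assume the sender started at the nearest
    common initial TTL at or above the observed value and return hops travelled."""
    for initial in (64, 128, 255):
        if ttl <= initial:
            return initial - ttl
    return None


def bad_checksums(records):
    """Indexes of packets tcpdump marked as having an incorrect checksum."""
    return [i for i, r in enumerate(records) if r["cksum_ok"] is False]


if __name__ == "__main__":
    for r in parse_verbose(SAMPLE):
        print(f'{r["ts"]} {r["src"]}:{r["sport"]} -> {r["dst"]}:{r["dport"]} '
              f'ttl={r["ttl"]} (~{hops_from_ttl(r["ttl"])} hops) id={r["ip_id"]} '
              f'cksum_ok={r["cksum_ok"]}')
```

For the records above this reports the remote web server (TTL 233) about 22 hops away and the local host (TTL 64) at 0 hops, with every checksum correct; a sudden change in a peer's TTL or IP ID behaviour mid-conversation is one of the cheap signals worth looking for in verbose output.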
Even with -vvv, the most verbose setting, you won't get a complete packet decode suitable for analysis. We can, though, use tcpdump to capture packets and write them out to a file. First, a word about the snap length (snaplen): the number of bytes captured from each packet. By default, tcpdump captures up to 262144 bytes, which is enough to hold any packet on ordinary links. You can set that value lower with -s, which saves disk space but truncates every packet beyond that length, so whatever falls past the cut (most payloads, and sometimes upper-layer headers) is gone for later analysis. Setting the value to 0 tells tcpdump to capture the maximum size; in effect, -s 0 sets the snap length back to the default of 262144. To write the capture out, use the -w flag and specify a file. The verbosity flags have no effect on what is written; the file holds the raw captured bytes. Once you've done that, you have a packet capture (pcap) file that you can import into any tool that reads that format. We'll take a look at one of those tools a little later.
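The snap length is recorded in the capture file itself, and every packet record carries both the number of bytes captured and the packet's original length, which is how a reader tells a truncated packet from a short one. The following added example (not code from the book) builds a minimal pcap file in memory the way "tcpdump -s <snaplen> -w file" would, mirroring tcpdump's documented rule that -s 0 means the default of 262144, then parses it back and lists the packets that were cut short. The frame sizes are constructed to match the IP lengths in Example 2-11 plus a 14-byte Ethernet header; the function names are this example's own.

```python
import struct

PCAP_MAGIC = 0xA1B2C3D4      # microsecond-timestamp pcap magic; readers detect byte-swapped files by this
LINKTYPE_ETHERNET = 1
DEFAULT_SNAPLEN = 262144     # tcpdump's default snap length; -s 0 selects it

# pcap global header: magic, version major/minor, thiszone, sigfigs, snaplen, linktype
GLOBAL_HDR = struct.Struct("<IHHiIII")
# per-packet header: ts_sec, ts_usec, incl_len (bytes saved), orig_len (bytes on the wire)
RECORD_HDR = struct.Struct("<IIII")

# Constructed sample frames (timestamp seconds, microseconds, frame bytes).
# Sizes are the IP lengths from Example 2-11 plus a 14-byte Ethernet header.
_PATTERN = bytes(range(256)) * 3
SAMPLE_FRAMES = [
    (1715687949, 710628, _PATTERN[:567]),
    (1715687949, 710637, _PATTERN[:337]),
    (1715687949, 710682, _PATTERN[:54]),
    (1715687949, 710703, _PATTERN[:54]),
]


def effective_snaplen(snaplen):
    """Apply tcpdump's -s semantics: 0 means the default, negative is invalid."""
    if snaplen < 0:
        raise ValueError("snaplen must be >= 0")
    return DEFAULT_SNAPLEN if snaplen == 0 else snaplen


def build_pcap(frames, snaplen=0):
    """Serialize frames as a pcap file, truncating each to snaplen as a capture
    run with -s <snaplen> -w <file> would. Returns the file contents."""
    snaplen = effective_snaplen(snaplen)
    out = bytearray(GLOBAL_HDR.pack(PCAP_MAGIC, 2, 4, 0, 0, snaplen, LINKTYPE_ETHERNET))
    for ts_sec, ts_usec, frame in frames:
        captured = frame[:snaplen]
        out += RECORD_HDR.pack(ts_sec, ts_usec, len(captured), len(frame))
        out += captured
    return bytes(out)


def parse_pcap(data):
    """Return (snaplen, records); each record is (ts_sec, ts_usec, incl_len, orig_len, bytes).
    Rejects records that claim more bytes than the snap length or than remain in the file."""
    magic, _major, _minor, _tz, _sig, snaplen, _linktype = GLOBAL_HDR.unpack_from(data, 0)
    if magic != PCAP_MAGIC:
        raise ValueError(f"unsupported or byte-swapped pcap magic 0x{magic:08x}")
    records = []
    off = GLOBAL_HDR.size
    while off < len(data):
        ts_sec, ts_usec, incl_len, orig_len = RECORD_HDR.unpack_from(data, off)
        off += RECORD_HDR.size
        if incl_len > snaplen or off + incl_len > len(data):
            raise ValueError(f"corrupt record header at offset {off - RECORD_HDR.size}")
        records.append((ts_sec, ts_usec, incl_len, orig_len, data[off:off + incl_len]))
        off += incl_len
    return snaplen, records


def truncated(records):
    """Indexes of packets whose saved bytes are fewer than their on-the-wire length."""
    return [i for i, (_, _, incl, orig, _) in enumerate(records) if incl < orig]


if __name__ == "__main__":
    for snap in (96, 0):
        snaplen, recs = parse_pcap(build_pcap(SAMPLE_FRAMES, snaplen=snap))
        print(f"snaplen={snaplen}: {[(r[2], r[3]) for r in recs]} truncated={truncated(recs)}")
```

With a snap length of 96 the two 500-byte-plus data segments are cut to 96 bytes each (the TLS payload is lost, the Ethernet, IP and TCP headers survive), while the two ACK frames fit whole; with -s 0 nothing is truncated. Any tool that reads pcap, including tcpdump -r, sees the same incl_len/orig_len pair and will warn you that a packet was cut off.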
