Skip to main content

Capture packets using tcpdump

Description

This article describes how to log packets using tcpdump.

Installing tcpdump

Before starting, you need to install required packages. Tcpdump and Libpcap. These packages can be found attached to the article.

To install, you need to upload the packages to your WCCLite /tmp/ directory. You can achieve this by using scp or any other software that has scp compatibility, for example: WinSCP, PSCP, FileZilla.

We are going to upload using scp.

  1. Navigate to the directory where libpcap is.
  2. Open the command terminal in that directory.
  3. Execute command: scp libpcap_1.7.4-1_ar71xx.ipk root@192.168.1.1:/tmp/
  4. It will ask you for the password. Enter the default wcclite password - wcclite.

image-1627892977493.png

  1. Navigate to the directory where tcpdump is.
  2. Open the command terminal in that directory.
  3. Execute command: scp tcpdump_4.9.2-1_ar71xx.ipk root@192.168.1.1:/tmp/
  4. It will ask you for the password. Enter the default wcclite password - wcclite.

image-1627893107060.png

After uploading the packages, you need to install them.

  1. Connect to the WCCLite using an ssh client. We recommend using putty
  2. Execute command: opkg install /tmp/libpcap_1.7.4-1_ar71xx.ipk to install libpcap
  3. If successful you will get this message.

image-1627890317789.png

Now to install tcpdump:

  1. Execute: opkg install /tmp/tcpdump_4.9.2-1_ar71xx.ipk to install tcpdump.
  2. If successful you will get this message.

image-1627890567145.png

To check if everything installed correctly, execute this command: tcpdump --v

image-1627654474783.png

Now Tcpdump has been successfully installed.

Running tcpdump

To run tcpdump you need to give it specific options. You can find all of them in the manual. Here are some of the more frequent ones:

Switch Syntax Description
-i any tcpdump -i any Capture from all interfaces
-i eth0 tcpdump -i eth0 Capture from specific interface
-D tcpdump -D Show available interfaces
-w tcpdump -i eth0 -w capture.pcap Save capture to file (.pcap for reading it with Wireshark or other packet analysis tools)
-c  tcpdump -i eth0 -c 100 Capture first 100 packets and exit
-n tcpdump -n -i eth0 Do not resolve host names
port tcpdump -i eth0 port 2404 Capture traffic from a defined port only
host tcpdump host 192.168.1.100 Capture packets from specific host

After you write your specific command you execute it via the console. 

Here is shown tcpdump -i wwan0 -n. This command shows all traffic that goes through the gsm interface.

image-1627889271177.png

Examples

Command Description
tcpdump -i eth0 -n port 2404 -c 1000 -s0 -w /var/log/2404.dmp Capture packets that are on port 2404 that go through eth0 interface.Exit after  first 1000 and save them to /var/log/2404.dmp file
tcpdump -i wwan0 -w /tmp/capture-%H.pcap -G 3600 -C 10000

Capture packets that go through gsm interface and write a new file to /tmp/capture-<count>.pcap file every 3600 seconds.
tcpdump -i any -n port 2404 -w /tmp/capture-%H.pcap -G 3600 Capture packets that are on port 2404 that go through all interfaces and save a new file to /tmp/capture-<count>.pcap every 3600 seconds.


Downloading packet files

If you save your tcpdump files, you need to download them from the WCCLite. This can be achieved by using scp or any software that has scp compatibility, for example: WinSCP, PSCP, FileZilla.

We are going to use scp to download the file.

  1. Open the command terminal on your computer.
  2. Execute command with the location of your packet dump file and directory where to save it. scp root@192.168.1.1:/<dump directory>/<dump name>   <directory where to save it>
  3. It will ask for the WCCLite password. Enter the default password - wcclite.
  4. If successful the file will appear in the determined location.

Example of the command.

image-1627903702658.png

Files

  1. PuTTy ssh software Download
  2. WinSCP software Download
  3. TCPDump manual 
  4. Libpcap Download
  5. Tcpdump Download