# Capture packets using tcpdump

### Description

This article describes how to log packets using tcpdump.

### Installing tcpdump

Before starting, you need to install the required packages: **Tcpdump** and **Libpcap**. These packages can be found attached to the article.

To install them, you need to upload the packages to your **WCCLite** /tmp/ directory. You can achieve this by using **scp** or any other software that has scp compatibility, for example: WinSCP, PSCP, FileZilla.

We are going to upload using **scp**.

1. Navigate to the directory where **libpcap** is.
2. Open the command terminal in that directory.
3. Execute command: *scp libpcap\_1.7.4-1\_ar71xx.ipk root@192.168.1.1:/tmp/*
4. It will ask you for the password. Enter the default wcclite password - *wcclite*.

[![image-1627892977493.png](https://wiki.elseta.com/uploads/images/gallery/2021-08/scaled-1680-/image-1627892977493.png)](https://wiki.elseta.com/uploads/images/gallery/2021-08/image-1627892977493.png)

1. Navigate to the directory where **tcpdump** is.
2. Open the command terminal in that directory.
3. Execute command: *scp tcpdump\_4.9.2-1\_ar71xx.ipk root@192.168.1.1:/tmp/*
4. It will ask you for the password. Enter the default wcclite password - *wcclite*.

[![image-1627893107060.png](https://wiki.elseta.com/uploads/images/gallery/2021-08/scaled-1680-/image-1627893107060.png)](https://wiki.elseta.com/uploads/images/gallery/2021-08/image-1627893107060.png)

After uploading the packages, you need to install them.

1. Connect to the **WCCLite** using an ssh client. We recommend using [*putty*](https://www.chiark.greenend.org.uk/~sgtatham/putty/latest.html).
2. Execute command: *opkg install /tmp/libpcap\_1.7.4-1\_ar71xx.ipk* to install **libpcap**.
3. If successful, you will get this message.

[![image-1627890317789.png](https://wiki.elseta.com/uploads/images/gallery/2021-08/scaled-1680-/image-1627890317789.png)](https://wiki.elseta.com/uploads/images/gallery/2021-08/image-1627890317789.png)

Now to install **tcpdump**:

1. Execute: *opkg install /tmp/tcpdump\_4.9.2-1\_ar71xx.ipk* to install **tcpdump**.
2. If successful, you will get this message.

[![image-1627890567145.png](https://wiki.elseta.com/uploads/images/gallery/2021-08/scaled-1680-/image-1627890567145.png)](https://wiki.elseta.com/uploads/images/gallery/2021-08/image-1627890567145.png)

To check if everything installed correctly, execute this command: *tcpdump --v*

[![image-1627654474783.png](https://wiki.elseta.com/uploads/images/gallery/2021-07/scaled-1680-/image-1627654474783.png)](https://wiki.elseta.com/uploads/images/gallery/2021-07/image-1627654474783.png)

Now **Tcpdump** has been successfully installed.

### Running tcpdump

To run **tcpdump** you need to give it specific options. You can find all of them in the [manual](https://www.tcpdump.org/manpages/tcpdump.1.html). Here are some of the more frequent ones:

| **Switch** | **Syntax** | **Description** |
| --- | --- | --- |
| -i any | tcpdump -i any | Capture from all interfaces |
| -i eth0 | tcpdump -i eth0 | Capture from specific interface |
| -D | tcpdump -D | Show available interfaces |
| -w | tcpdump -i eth0 -w capture.pcap | Save capture to file (.pcap for reading it with *Wireshark* or other packet analysis tools) |
| -c | tcpdump -i eth0 -c 100 | Capture first 100 packets and exit |
| -n | tcpdump -n -i eth0 | Do not resolve host names |
| port | tcpdump -i eth0 port 2404 | Capture traffic from a defined port only |
| host | tcpdump host 192.168.1.100 | Capture packets from specific host |


After you write your command, execute it via the console. Shown here is ***tcpdump -i wwan0 -n***. This command shows all traffic that goes through the GSM interface.

[![image-1627889271177.png](https://wiki.elseta.com/uploads/images/gallery/2021-08/scaled-1680-/image-1627889271177.png)](https://wiki.elseta.com/uploads/images/gallery/2021-08/image-1627889271177.png)

#### Examples

| **Command** | **Description** |
| --- | --- |
| tcpdump -i eth0 -n port 2404 -c 1000 -s0 -w /var/log/2404.dmp | Capture packets that are on port 2404 that go through eth0 interface. Exit after first 1000 and save them to /var/log/2404.dmp file |
| tcpdump -i wwan0 -w /tmp/capture-%H.pcap -G 3600 -C 10000 | Capture packets that go through gsm interface and write a new file to /tmp/capture-\<count\>.pcap file every 3600 seconds. |
| tcpdump -i any -n port 2404 -w /tmp/capture-%H.pcap -G 3600 | Capture packets that are on port 2404 that go through all interfaces and save a new file to /tmp/capture-\<count\>.pcap every 3600 seconds. |
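
The rotating captures above keep adding files under /tmp for as long as tcpdump runs. As an added example (not part of the original article or the vendor's tooling), this script deletes the oldest rotated captures once they exceed a size budget and never removes the newest file, which tcpdump may still be writing. The function names and the 20 MB budget are assumptions, and file names are assumed to contain no whitespace.

```shell
#!/bin/sh
# Added example, not from the original article. Function names and the
# budget in the usage comment are assumptions.

# capture_bytes DIR PATTERN: print the total size in bytes of matching files.
capture_bytes() {
    dir=$1; pattern=$2; total=0
    for f in "$dir"/$pattern; do
        [ -f "$f" ] || continue          # unmatched glob stays literal; skip it
        size=$(wc -c < "$f")
        total=$((total + size))
    done
    echo "$total"
}

# prune_captures DIR PATTERN MAX_BYTES: delete the oldest matching files until
# the total is at or below MAX_BYTES. The newest file is never deleted because
# tcpdump may still be writing to it. Prints the number of files deleted.
prune_captures() {
    dir=$1; pattern=$2; max=$3; deleted=0
    while [ "$(capture_bytes "$dir" "$pattern")" -gt "$max" ]; do
        count=$(( $(ls "$dir"/$pattern 2>/dev/null | wc -l) ))
        [ "$count" -gt 1 ] || break
        oldest=$(ls -tr "$dir"/$pattern | head -n 1)   # -tr: oldest first
        rm -f -- "$oldest"
        deleted=$((deleted + 1))
    done
    echo "$deleted"
}

# Usage on the device, e.g. from cron (20 MB budget is an assumed value):
#   prune_captures /tmp 'capture-*.pcap' 20000000
```
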

### Downloading packet files

If you save your **tcpdump** files, you need to download them from the **WCCLite**. This can be achieved by using **scp** or any software that has scp compatibility, for example: WinSCP, PSCP, FileZilla.

We are going to use **scp** to download the file.

1. Open the command terminal on your computer.
2. Execute the command with the location of your *packet dump* file and the directory where to save it: *scp root@192.168.1.1:/\<dump directory\>/\<dump name\> \<directory where to save it\>*
3. It will ask for the **WCCLite** password. Enter the default password - *wcclite*.
4. If successful, the file will appear in the specified location.

Example of the command.

[![image-1627903702658.png](https://wiki.elseta.com/uploads/images/gallery/2021-08/scaled-1680-/image-1627903702658.png)](https://wiki.elseta.com/uploads/images/gallery/2021-08/image-1627903702658.png "Example of the command")

### Files

1. PuTTy ssh software [Download](https://www.chiark.greenend.org.uk/~sgtatham/putty/latest.html)
2. WinSCP software [Download](https://winscp.net/eng/index.php)
3. TCPDump [manual](https://www.tcpdump.org/manpages/tcpdump.1.html)
4. Libpcap [Download](https://wiki.elseta.com/attachments/7)
5. Tcpdump [Download](https://wiki.elseta.com/attachments/8)