
Using tcpdump with port ranges and file count/size

sudo /usr/sbin/tcpdump -i any -s 0 -n -Z someuser -C 500 -W 100 -w /home/someuser/$(hostname).pcap -f '(port (80 or 8080) or portrange 21-22)' &>/dev/null

March 15, 2019, by peek2much3

Explanation

Flags used here:

  • -i any: capture on all interfaces through the Linux "any" pseudo-interface. It is Linux-only, does not put the interfaces into promiscuous mode, and records frames with the "Linux cooked" (SLL) link type instead of Ethernet, so decoders and tools that expect Ethernet headers need to be told the link type.
  • -s 0: snaplen; 0 means the default of 262144 bytes, i.e. whole packets. tcpdump releases before 4.0 defaulted to 68 bytes, which is why -s 0 became the habit; on a current tcpdump it changes nothing.
  • -n: don't resolve host addresses to names (no DNS lookups while capturing); -nn also leaves port and protocol numbers unresolved.
  • -Z someuser: after opening the capture device, drop from root to someuser. This happens before the first savefile is opened, so /home/someuser must be writable by someuser, not merely by root; otherwise tcpdump exits at the first write. Some distributions build tcpdump to drop to a dedicated tcpdump user by default, and -Z overrides that.
  • -C 500: start a new file once the current one grows past 500 × 1,000,000 bytes. The unit is millions of bytes, not MiB.
  • -W 100: together with -C, cap the number of files at 100, then overwrite from the first one again, giving a rotating buffer. Files get a zero-padded numeric suffix (here hostname.pcap00 through hostname.pcap99) so they sort correctly. Worst-case disk use is therefore 100 × 500 × 10^6 bytes, about 50 GB, plus at most one packet per file.
  • -w file: write raw packets to file instead of decoding them to the terminal.
  • -f: this does not mean "filter". It is a flag without an argument that prints "foreign" IPv4 addresses numerically, and it is redundant once -n is given. The quoted expression after it is simply tcpdump's positional filter argument, which is why the command works anyway; -f can be dropped. (Reading a filter from a file is -F file.)

With &>/dev/null we redirect both standard output and standard error to /dev/null. That is bash and zsh syntax; under POSIX sh it parses as a trailing & followed by >/dev/null, so the command is backgrounded with its output still attached. Note also what gets discarded: with -w nothing useful goes to stdout, but stderr carries the "listening on any" line, the packet counters printed on exit, and any error such as a permission failure on the output directory, so a capture that died at start-up looks the same as one that is running.
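The two ways the one-liner fails silently are a directory the -Z user cannot write and a ring buffer larger than the disk. The following wrapper, an added example and not part of the original entry, checks the first before starting, reports the disk ceiling implied by -C and -W, and builds the same tcpdump argument list with the filter passed positionally and the redundant -f removed. It assumes GNU coreutils (stat -c, id -G) and a POSIX sh; the function names, the TCPDUMP_DRY_RUN variable and the "run" sub-command are this example's own conventions, and tcpdump is only executed when run_capture is called outside dry-run mode.

```shell
#!/bin/sh
# Added example, not from the original page: wrap a tcpdump ring-buffer
# capture like the one above so its silent failure modes are checked first.
# Assumes GNU coreutils (stat -c, id -G) and a POSIX sh.

# -C counts file_size in units of 1,000,000 bytes, not 1,048,576.
TCPDUMP_C_UNIT=1000000

# ring_ceiling_bytes FILE_SIZE FILECOUNT
# Disk the rotating buffer can occupy: -C * 1e6 * -W (plus at most one
# packet per file, since tcpdump checks the size before each write).
ring_ceiling_bytes() {
    echo $(( $1 * TCPDUMP_C_UNIT * $2 ))
}

# ring_suffix_width FILECOUNT
# Digits in the zero-padded suffix tcpdump appends with -W: enough to
# number files 0..FILECOUNT-1, so -W 100 gives host.pcap00 .. host.pcap99.
ring_suffix_width() {
    local x c
    x=$(( $1 - 1 )); c=0
    while [ "$x" -gt 0 ]; do c=$(( c + 1 )); x=$(( x / 10 )); done
    echo "$c"
}

# dir_writable_by USER DIR
# -Z drops root before the first savefile is opened, so DIR must be
# writable by USER (name or numeric uid) according to owner/group/mode.
dir_writable_by() {
    local user dir uid owner group mode u g o gid
    user=$1; dir=$2
    [ -d "$dir" ] || return 1
    case $user in
        *[!0-9]*) uid=$(id -u "$user" 2>/dev/null) || return 1 ;;
        *) uid=$user ;;
    esac
    set -- $(stat -c '%u %g %a' "$dir")
    [ $# -eq 3 ] || return 1
    owner=$1; group=$2; mode=$3
    while [ ${#mode} -lt 3 ]; do mode=0$mode; done
    mode=${mode#"${mode%???}"}          # drop setuid/setgid/sticky digit
    u=${mode%??}; g=${mode#?}; g=${g%?}; o=${mode#??}
    if [ "$owner" = "$uid" ] && [ $(( u & 2 )) -ne 0 ]; then return 0; fi
    for gid in $(id -G "$user" 2>/dev/null); do
        if [ "$gid" = "$group" ] && [ $(( g & 2 )) -ne 0 ]; then return 0; fi
    done
    [ $(( o & 2 )) -ne 0 ]
}

# run_capture USER DIR FILE_SIZE FILECOUNT FILTER
# The filter is a positional argument; the one-liner's -f is a no-op flag
# (numeric "foreign" addresses, already implied by -n) and is dropped.
# With TCPDUMP_DRY_RUN=1 the argv is printed, one element per line,
# instead of being executed.
run_capture() {
    local user dir size count filter
    user=$1; dir=$2; size=$3; count=$4; filter=$5
    dir_writable_by "$user" "$dir" || {
        printf '%s is not writable by %s (tcpdump -Z would fail at the first file)\n' \
            "$dir" "$user" >&2
        return 1
    }
    set -- -i any -s 0 -nn -Z "$user" -C "$size" -W "$count" \
        -w "$dir/$(uname -n).pcap" "$filter"
    if [ "${TCPDUMP_DRY_RUN:-0}" = 1 ]; then
        printf '%s\n' "$@"
        return 0
    fi
    printf 'ring buffer: up to %s files, %s bytes\n' "$count" \
        "$(ring_ceiling_bytes "$size" "$count")" >&2
    command -v tcpdump >/dev/null 2>&1 || { echo 'tcpdump not installed' >&2; return 127; }
    exec tcpdump "$@"      # the capture itself still needs root (sudo)
}

# Usage, as root:
#   sh capture.sh run someuser /home/someuser 500 100 'port (80 or 8080) or portrange 21-22'
if [ "${1:-}" = run ]; then shift; run_capture "$@"; fi
```

Run it with TCPDUMP_DRY_RUN=1 first to see the exact argv tcpdump will receive; the filter appears as the last element, unsplit, which is the check that matters when the expression contains spaces and parentheses. The writability check is a static owner/group/mode test rather than a probe as the target user, so it will not see ACLs or mandatory access control denials; those still show up only in tcpdump's stderr, which is another reason not to send it to /dev/null.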

Limitations

Requires tcpdump. The any interface is Linux-specific, and the &> redirection needs bash or zsh rather than POSIX sh.