How-to: View TcpDump data in Wireshark

Introduction

The objective of this guide is to show how to view data collected with the “tcpdump” command (command-line interface) in the Wireshark GUI.

This is extremely useful for getting an overview of the traffic on a node that has no GUI able to run Wireshark.

Prerequisite: Linux environment

1. Collect data

				
    # tcpdump -i <interface_name> -w <file_name>.pcap
    tcpdump -i ens192 -w file_name.pcap
			
  • tcpdump is a command for monitoring IP traffic to and from the node.
  • -i <interface_name> is an optional argument that lets you specify which “interface”, hence -i, to monitor. To find the name of the desired interface you can use “ip addr”, e.g. “ens192”.
  • -w <file_name>.pcap is the “write” argument, hence -w, for the tcpdump command. If this argument is not provided, the output of the command is shown in the terminal instead. The file is written to the path given as file_name.pcap.

When tcpdump has been collecting data for an appropriate amount of time, it can be stopped with CTRL+C.

2. Send the data to a node with GUI and Wireshark

				
    # scp <file_name>.pcap <user>@<ip_of_node_with_wireshark>:<path_to_new_location>
    scp file_name.pcap root@127.0.0.1:/tmp
			
  • scp is a command for transferring files between nodes from within a shell instance.
  • <file_name>.pcap is the path and name of the file to be transferred.
  • <user> is the user to use for the shell instance, e.g. root.
  • <ip_of_node_with_wireshark> is the IP address of the node with Wireshark.
  • <path_to_new_location> is the path, and optionally the file name, on the new node.

3. Open Wireshark and open PCAP-file

Navigate to the node with Wireshark installed and open the application.

Within Wireshark, click the “open file” option and point to the transferred PCAP-file.

You can now use all the Wireshark functions on the data collected with the tcpdump command on a remote node.

Good job!


About

Hi, I'm the Author

My name is Daniel H. Jacobsen and I’m a dedicated and highly motivated software developer with a masters engineering degree within the field of ICT. 

I have through many years of constantly learning and adapting to new challenges, gained a well-rounded understanding of what it takes to stay up to date with new technologies, tools and utilities. 

The purpose of this blog is to share both my learnings and knowledge with other likeminded developers as well as illustrating how these topics can be taught in a different and alternative manner.

If you like the idea of that, I would encourage you to sign up for the newsletter.

Cheers! 🍺
