Tcpdump Light-weight Alternative to Wireshark

· 17 January 2012 ·



This is a lost post from my early blogs around 2012, rediscovered and posted here in mid-2020

I went to install Wireshark this morning and realised why I hadn’t bothered before. The source code is 20MB [^footnote]. God knows how long that will take to compile, especially since it seems to use autoconf and generates complex, multi-nested Makefiles many levels deep.

I already had tcpdump installed, so I used that instead. It provided what I wanted quite quickly after a bit of googling to find out the suitable parameters to start it up.

  • tcpdump -XSs 0 'port 80' > dump
    • -X prints the packet data (in hex and ASCII) as well as the packet header
    • -S prints absolute TCP sequence numbers instead of relative ones
    • -s 0 captures the full packet (a snaplen of 0 means the maximum, 65535 bytes)
    • 'port 80' only captures packets whose source or destination port is 80 (HTTP)

(This post is as much for my benefit as any one else’s, as I always forget which parameters to use.)

Addendum: The reason for this is that I wanted to check whether the Ghostery plugin for Google Chrome acts early enough to prevent a network connection to the blocked site, or whether it just prevents any display of the output from that site.

The point being that I block Facebook.net and I don’t just want to not see Like buttons, I want to prevent the browser from communicating with facebook.net in the first place.

I’m pleased to advise that Ghostery works the same as in Firefox and prevents any connection in the first place, so that Facebook, Twitter, and all the other privacy annoyances never find out that I have visited a web site.
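Added example, not code from the original post: a Python parser for the `-X` text that the tcpdump command above writes to `dump`. It answers the question the Ghostery check asks, namely whether the browser opened a connection at all (pure SYN segments, counted per target) and which HTTP `Host` headers actually went over the wire. The capture text, addresses and ports in `SAMPLE` are constructed for the example, not taken from a real session.

```python
import re
from collections import Counter

# Constructed sample of `tcpdump -XSs 0 'port 80'` output (not a real capture): a SYN to a
# web server, then the segment carrying an HTTP request; only the hex columns are decoded.
SAMPLE = """\
10:00:00.000001 IP 192.168.1.10.51000 > 203.0.113.7.80: Flags [S], seq 1000, win 64240, length 0
\t0x0000:  4500 003c 1c46 4000 4006 0000 c0a8 010a  E..<.F@.@.......
\t0x0010:  cb00 7107 c738 0050 0000 03e8 0000 0000  ..q..8.P........
\t0x0020:  a002 faf0 0000 0000 0204 05b4 0402 080a  ................
\t0x0030:  0000 0000 0000 0000 0103 0307            ............
10:00:00.020000 IP 192.168.1.10.51000 > 203.0.113.7.80: Flags [P.], seq 1001:1047, ack 1, win 502, length 46
\t0x0000:  4500 0056 1c47 4000 4006 0000 c0a8 010a  E..V.G@.@.......
\t0x0010:  cb00 7107 c738 0050 0000 03e9 0000 0001  ..q..8.P........
\t0x0020:  5018 01f6 0000 0000 4745 5420 2f20 4854  P.......GET./.HT
\t0x0030:  5450 2f31 2e31 0d0a 486f 7374 3a20 636f  TP/1.1..Host:.co
\t0x0040:  6e6e 6563 742e 6661 6365 626f 6f6b 2e6e  nnect.facebook.n
\t0x0050:  6574 0d0a 0d0a                           et....
"""

SUMMARY_RE = re.compile(r"^\S+ IP (\d+(?:\.\d+){3})\.(\d+) > (\d+(?:\.\d+){3})\.(\d+): Flags \[([^\]]*)\]")
HOST_RE = re.compile(rb"^Host:[ \t]*([^\r\n]+)", re.MULTILINE)

def tcp_payload(raw):
    """Strip the IPv4 and TCP headers from a decoded packet; b'' if it is not TCP."""
    ihl = (raw[0] & 0x0F) * 4
    if raw[9] != 6:                  # IP protocol 6 = TCP
        return b""
    doff = (raw[ihl + 12] >> 4) * 4  # TCP data offset, in 32-bit words
    return raw[ihl + doff:]

def parse_tcpdump_x(text):
    """Turn `tcpdump -X` text into dicts holding addresses, TCP flags and payload."""
    packets = []
    for line in text.splitlines():
        m = SUMMARY_RE.match(line)
        if m:
            packets.append({"src": m.group(1), "dst": m.group(3), "dport": int(m.group(4)),
                            "flags": m.group(5), "hex": []})
        elif packets and line.lstrip().startswith("0x"):
            # columns are separated by two or more spaces: offset, hex bytes, ascii
            packets[-1]["hex"].append(re.split(r"\s{2,}", line.strip())[1].replace(" ", ""))
    for p in packets:
        p["payload"] = tcp_payload(bytes.fromhex("".join(p.pop("hex"))))
    return packets

def report(text):
    """Connection attempts (pure SYNs) per target, and every HTTP Host header seen."""
    pkts = parse_tcpdump_x(text)
    syns = Counter((p["dst"], p["dport"]) for p in pkts if p["flags"] == "S")
    hosts = {h.decode("latin-1") for p in pkts for h in HOST_RE.findall(p["payload"])}
    return {"syn_targets": dict(syns), "hosts": hosts}
```

Run `report(open("dump").read())` on a real capture: an empty `syn_targets` for the blocked server is the result the addendum describes, whereas a SYN with no later Host header means the connection was opened and only the response was suppressed.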

[^footnote]: [Ed: 2020, ha ha. How quickly things change.]