tcpdump -tnn -c 2000 -i eth0 | awk -F "." '{print $1"."$2"."$3"."$4}' | sort | uniq -c | sort -nr | awk ' $1 > 10 '

tcpdump top 10 talkers

capture 2000 packets and print the top 10 talkers

These Might Interest You

  • The tcpdump arguments are just an example.
    tcpdump -w "$(sed 's/-//gi; s/ /_/gi'<<<"-vvv -s0 -ieth1 -c10 icmp").pcap"
    brejktru · 2011-05-03 20:44:01
  • Sometimes the question comes up: how to get unbuffered tcpdump output into the next program in the pipe? I.e. if your OS forces you to wait for the buffer to fill before the next program sees any of the output. If you use -Uw- then you can't use -A (or -X or -XX) at the same time. When the question comes up, I've never seen anyone suggest this simple solution: chaining 2 tcpdump instances.
    tcp(){ tcpdump -nUs0 -w- -iinterface $1|tcpdump -n${2-A}r- ;}
    usage: tcp '[primitives]' [X|XX]
    argv · 2011-03-07 03:40:11
  • At some point you want to know what packets are flowing on your network. Use tcpdump for this. The man page is obtuse, to say the least, so here are some simple commands to get you started. -n means show IP numbers and don't try to translate them to names. -l means write a line as soon as it is ready. -i eth0 means trace the packets flowing through the first ethernet interface. src or dst w.x.y.z traces only packets going to or from IP address w.x.y.z. port 80 traces only packets for HTTP. proto udp traces only packets for the UDP protocol. Once you are happy with each option, combine them with 'and', 'or', 'not' to get the effects you want.
    tcpdump -nli eth0; tcpdump -nli eth0 src or dst w.x.y.z; tcpdump -nli eth0 port 80; tcpdump -nli eth0 proto udp
    jonty · 2009-02-05 17:41:55
  • We can get useful statistics from tcpdump with this simple command. Thanks "Babak Farrokhi" for teaching me this ;)
    tcpdump -nr capture.file | awk '{print }' | grep -oE '[0-9]{1,}\.[0-9]{1,}\.[0-9]{1,}\.[0-9]{1,}' | sort | uniq -c | sort -n
    shahabv · 2011-06-16 19:27:11
  • This is useful when the local machine where you need to do the packet capture with tcpdump doesn't have enough room to save the file, whereas your remote host does. tcpdump -i eth0 -w - | ssh savelocation.com -c arcfour,blowfish-cbc -C -p 50005 "cat - > /tmp/eth0.pcap" You're @ PC1 doing a tcpdump of PC1's eth0 interface and it's going to save the output @ PC2, who is called save.location.com, to a file /tmp/ppp1-to-me.pcap.gz again on PC2. More info @: http://www.kossboss.com/linuxtcpdump1
    tcpdump -i eth0 -w - | ssh savelocation.com -c arcfour,blowfish-cbc -C -p 50005 "cat - > /tmp/eth0.pcap"
    bhbmaster · 2013-05-30 07:33:48
  • Then open with wireshark.
    tcpdump -w file.pcap src <srcIP> and dst <dstIP>
    huazhihao · 2012-12-27 07:15:39

What Others Think

Hmm... That's not the *top ten* talkers. To do that, replace awk with: ... | head
Your command lists all the connections that transfer more than 10 packets in the time frame.
flatcap · 190 weeks and 6 days ago
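As an added example (not part of the submission or of flatcap's comment), the same pipeline as a shell function that really does cut the list at the top N, and that does not mangle ICMP lines: splitting on "." assumes a trailing port field, which ICMP lines do not have. The tcpdump -tnn lines are constructed, not a real capture.

```shell
#!/bin/sh
# Constructed sample of `tcpdump -tnn` output (not a real capture).
SAMPLE='IP 10.0.0.5.51234 > 192.0.2.10.443: Flags [S], seq 1, win 64240, length 0
IP 192.0.2.10.443 > 10.0.0.5.51234: Flags [S.], seq 2, ack 2, win 65160, length 0
IP 10.0.0.5.51234 > 192.0.2.10.443: Flags [.], ack 1, win 502, length 0
IP 10.0.0.7 > 192.0.2.10: ICMP echo request, id 1, seq 1, length 64
IP 192.0.2.10 > 10.0.0.7: ICMP echo reply, id 1, seq 1, length 64
IP 10.0.0.5.51234 > 192.0.2.10.443: Flags [P.], seq 1:100, ack 1, win 502, length 99
IP 10.0.0.9.53 > 10.0.0.5.40000: 1234 1/0/0 A 192.0.2.10 (44)
IP 10.0.0.5.40000 > 10.0.0.9.53: 1234+ A? example.com. (29)'

# top_talkers N: reads `tcpdump -tnn` lines on stdin and prints "count ip"
# for the N source addresses that sent the most packets (default 10).
# Only IPv4 lines ("IP ...") are counted; "IP6 ..." lines are skipped.
top_talkers() {
    awk '$1 == "IP" {
        src = $2
        # TCP/UDP sources carry the port as a fifth dotted field
        # (10.0.0.5.51234); ICMP sources have only four (10.0.0.7).
        n = split(src, p, ".")
        if (n == 5) src = p[1] "." p[2] "." p[3] "." p[4]
        count[src]++
    }
    END { for (ip in count) print count[ip], ip }' |
    sort -k1,1nr -k2,2 | head -n "${1:-10}"
}

# Run the function over the embedded sample instead of a live capture.
top_talkers_sample() {
    printf '%s\n' "$SAMPLE" | top_talkers "${1:-10}"
}

# Live use would be: tcpdump -tnn -c 2000 -i eth0 | top_talkers 10
top_talkers_sample 10
```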
