tcpdump is one of the most powerful command-line packet analyzers available to IT professionals. In this tutorial, we share practical examples of the tcpdump tool that every IT professional should know.
tcpdump is a well-known network sniffer for network monitoring and provides plenty of options. From analyzing live network traffic to saving specific traffic to a file, you can do it all with tcpdump. Its availability on practically every operating system makes it even more popular.
There are many other tcpdump tutorials on the internet, but proper explanations of the commands and examples are hard to find. So we decided to document some well-explained tcpdump examples in simple, understandable language.
Before we start, let's have a brief look at the history of tcpdump. tcpdump was written at Lawrence Berkeley Laboratory in 1988. Its official website, www.tcpdump.org, was created in 1999.
Install tcpdump
Let's start by installing tcpdump on different operating systems. Use the commands below to install it.
######### For CentOS/Fedora #############
sudo yum install tcpdump
######## For Ubuntu/Debian ##############
sudo apt-get install tcpdump
######## For Arch Linux ################
sudo pacman -S tcpdump
If you have a different OS, you can download it from its Official Website.
Practical tcpdump examples
Example 1: List all available interfaces
With the option -D, we can print the list of available network interfaces on which tcpdump can capture traffic. This option prints each network interface with its name and a number. See the command below and its example output.
tcpdump -D
Output:
1.enp0s3 [Up, Running]
2.any (Pseudo-device that captures on all interfaces) [Up, Running]
3.lo [Up, Running, Loopback]
4.nflog (Linux netfilter log (NFLOG) interface)
5.nfqueue (Linux netfilter queue (NFQUEUE) interface)
6.usbmon1 (USB bus number 1)
7.usbmon2 (USB bus number 2)
Example 2: Capture traffic from a specific interface
With the option -i, we can capture network packets on a specific network interface. By default, tcpdump picks the lowest-numbered interface from the system interface list.
You can give either the interface name or the interface number that we got from the output of the previous command.
sudo tcpdump -i enp0s3
####### OR ###########
sudo tcpdump -i 1
Output:
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on enp0s3, link-type EN10MB (Ethernet), capture size 262144 bytes
Example 3: Limit the number of packets captured
With the command option -c, we can specify the number of packets we want tcpdump to capture before it exits.
sudo tcpdump -c 10
Output:
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eno1, link-type EN10MB (Ethernet), capture size 262144 bytes
16:17:01.745113 IP 172.17.11.240.ssh > 172.16.8.183.45040: Flags [P.], seq 4286741935:4286741979, ack 406902535, win 291, options [nop,nop,TS val 100118667 ecr 1820098679], length 44
16:17:01.745222 IP 172.16.8.183.45040 > 172.17.11.240.ssh: Flags [.], ack 44, win 501, options [nop,nop,TS val 1820098879 ecr 100118667], length 0
16:17:01.745969 IP 172.16.8.183.58480 > dns.google.domain: 34936+ PTR? 183.8.16.172.in-addr.arpa. (43)
16:17:01.761535 IP dns.google.domain > 172.16.8.183.58480: 34936 NXDomain 0/0/0 (43)
16:17:01.761970 IP 172.16.8.183.58480 > dns.google.domain: 34885+ PTR? 240.11.17.172.in-addr.arpa. (44)
16:17:01.778366 IP dns.google.domain > 172.16.8.183.58480: 34885 NXDomain 0/0/0 (44)
16:17:01.778818 IP 172.16.8.183.58480 > dns.google.domain: 47988+ PTR? 8.8.8.8.in-addr.arpa. (38)
16:17:01.794220 IP dns.google.domain > 172.16.8.183.58480: 47988 1/0/0 PTR dns.google. (62)
16:17:01.947981 IP 172.17.11.240.ssh > 172.16.8.183.45040: Flags [P.], seq 44:104, ack 1, win 291, options [nop,nop,TS val 100118868 ecr 1820098879], length 60
16:17:01.948078 IP 172.16.8.183.45040 > 172.17.11.240.ssh: Flags [.], ack 104, win 501, options [nop,nop,TS val 1820099082 ecr 100118868], length 0
10 packets captured
10 packets received by filter
0 packets dropped by kernel
Example 4: Print output in ASCII
With the option -A, we can print the payload of each packet in ASCII. It is useful when capturing web pages, because the text of an unencrypted request or response is readable directly in the output.
sudo tcpdump -A
Output:
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
16:25:36.005378 IP ip-172-31-36-121.ap-south-1.compute.internal.https > 162.158.107.162.36814: Flags [P.], seq 1507192181:1507192212, ack 1391444966, win 227, length 31
E..GZ.@.@.....$y..k.....Y..uR...P............ @.k!;..`.0.V,8A.E5....=.:
16:25:36.005444 IP ip-172-31-36-121.ap-south-1.compute.internal.https > 162.158.107.162.36814: Flags [F.], seq 31, ack 1, win 227, length 0
E..(Z.@[email protected]..$y..k.....Y...R...P.......
16:25:36.287113 IP 162.158.107.162.36814 > ip-172-31-36-121.ap-south-1.compute.internal.https: Flags [.], ack 31, win 104, length 0
E..(..@.(..q..k...$y....R...Y...P..h....
16:25:36.287521 IP 162.158.107.162.36814 > ip-172-31-36-121.ap-south-1.compute.internal.https: Flags [R.], seq 1, ack 32, win 104, length 0
E..(..@.(..p..k...$y....R...Y...P..h....
Example 5: Readable timestamps
You may have noticed that the timestamps in all the outputs above are not very human-readable: they show only the time of day. With the -tttt option, tcpdump prints the full date and time of each packet in a human-readable format.
sudo tcpdump -tttt
Output:
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eno1, link-type EN10MB (Ethernet), capture size 262144 bytes
2020-02-15 16:52:36.468792 IP 172.16.8.183.48876 > 151.101.1.140.https: Flags [.], ack 79342705, win 501, options [nop,nop,TS val 160788396 ecr 2213864497], length 0
2020-02-15 16:52:36.469536 IP 172.16.8.183.58480 > dns.google.domain: 48377+ PTR? 140.1.101.151.in-addr.arpa. (44)
2020-02-15 16:52:36.489206 IP dns.google.domain > 172.16.8.183.58480: 48377 NXDomain 0/1/0 (104)
2020-02-15 16:52:36.489546 IP 172.16.8.183.58480 > dns.google.domain: 52876+ PTR? 183.8.16.172.in-addr.arpa. (43)
2020-02-15 16:52:36.505372 IP bom12s01-in-f5.1e100.net.https > 172.16.8.183.45736: Flags [P.], seq 2536084477:2536084730, ack 810527209, win 1050, options [nop,nop,TS val 3706306398 ecr 1808033774], length 253
2020-02-15 16:52:36.505399 IP 172.16.8.183.45736 > bom12s01-in-f5.1e100.net.https: Flags [.], ack 253, win 2500, options [nop,nop,TS val 1808034143 ecr 3706306398], length 0
Example 6: Save captured packets
By default, tcpdump prints the captured packets on the screen. If you want to save them to a .pcap (Packet Capture) file instead, use the -w option, where w stands for write.
sudo tcpdump -w my_filename.pcap
Example 8: Reading a .pcap (Packet Capture) file
Since pcap is a binary format for network traffic captures, it is not human-readable. We have to use specific software to read these files; tools like tcpdump and Wireshark are most often used for this. In tcpdump, the option -r is used to read a captured file.
sudo tcpdump -r my_filename.pcap
Output:
reading from file my_file.pcap, link-type EN10MB (Ethernet)
17:11:10.624048 ARP, Request who-has 172.16.0.234 tell 172.16.9.234, length 46
17:11:10.869503 ARP, Request who-has 172.16.11.221 (Broadcast) tell 0.0.0.0, length 46
17:11:11.063824 IP 172.16.8.183.43838 > 172.16.0.1.http: Flags [P.], seq 2249248014:2249248649, ack 39414386, win 501, options [nop,nop,TS val 1080292761 ecr 2446281268], length 635: HTTP: POST /getstats.php HTTP/1.1
17:11:11.064046 IP 172.16.0.1.http > 172.16.8.183.43838: Flags [.], ack 635, win 508, options [nop,nop,TS val 2446284254 ecr 1080292761], length 0
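To show what -r actually reads, here is an added example (not from the tutorial and not tcpdump's own code): a small Python parser for the libpcap file format that -w writes, consisting of a 24-byte global header followed by a 16-byte record header before each frame. It extracts the IPv4 source and destination from each Ethernet frame, which is the "172.16.8.183.43838 > 172.16.0.1.http" part of the text output above. The capture it parses is constructed inline so the script runs offline; the MAC addresses and the timestamp are made-up values.

```python
import struct

PCAP_MAGIC = 0xA1B2C3D4   # libpcap magic number for microsecond timestamps
LINKTYPE_ETHERNET = 1     # reported by tcpdump as "link-type EN10MB (Ethernet)"

def build_sample_pcap():
    """Constructed sample: one Ethernet/IPv4 frame in a pcap container (not a real capture)."""
    # Ethernet header: made-up dst MAC, made-up src MAC, EtherType 0x0800 (IPv4)
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + b"\x08\x00"
    # 20-byte IPv4 header: 172.16.8.183 -> 172.16.0.1, protocol 6 (TCP), checksum left zero
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 1, 0, 64, 6, 0,
                     bytes([172, 16, 8, 183]), bytes([172, 16, 0, 1]))
    frame = eth + ip + b"\x00" * 20          # zero bytes stand in for the TCP header
    # Global header: magic, version 2.4, tz offset, sigfigs, snaplen, link type
    global_hdr = struct.pack("=IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 262144, LINKTYPE_ETHERNET)
    # Record header: ts_sec, ts_usec, captured length, original length (made-up timestamp)
    rec_hdr = struct.pack("=IIII", 1581764470, 624048, len(frame), len(frame))
    return global_hdr + rec_hdr + frame

def parse_pcap(data):
    """Parse pcap bytes into header fields and a list of (ts_sec, ts_usec, frame) tuples."""
    for end in ("<", ">"):                   # the magic number reveals the writer's byte order
        if struct.unpack(end + "I", data[:4])[0] == PCAP_MAGIC:
            break
    else:
        raise ValueError("not a pcap file: bad magic number")
    _, vmaj, vmin, _, _, snaplen, linktype = struct.unpack(end + "IHHiIII", data[:24])
    packets, off = [], 24
    while off + 16 <= len(data):
        ts_sec, ts_usec, incl_len, _ = struct.unpack(end + "IIII", data[off:off + 16])
        off += 16
        frame = data[off:off + incl_len]
        if len(frame) < incl_len:            # file cut short, e.g. tcpdump killed mid-write
            raise ValueError("truncated packet record at offset %d" % off)
        packets.append((ts_sec, ts_usec, frame))
        off += incl_len
    return {"version": (vmaj, vmin), "snaplen": snaplen,
            "linktype": linktype, "packets": packets}

def ipv4_endpoints(frame):
    """For an Ethernet frame carrying IPv4, return (src, dst) as dotted strings; else None."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        return None
    return ".".join(map(str, frame[26:30])), ".".join(map(str, frame[30:34]))

if __name__ == "__main__":
    cap = parse_pcap(build_sample_pcap())
    for ts_sec, ts_usec, frame in cap["packets"]:
        print("%d.%06d %s" % (ts_sec, ts_usec, ipv4_endpoints(frame)))
```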
Example 9: Disable naming
If you do not want tcpdump to convert IP addresses to hostnames and port numbers to service names, use the -n option. Name resolution also generates extra DNS lookups of its own, visible as the PTR? queries in the output of Example 3, so -n is usually preferred when analyzing traffic.
sudo tcpdump -n
Example 10: Filter Traffic by Protocols
To filter the traffic of a specific protocol, give its name as the filter expression. TCP, UDP and ICMP are the ones used most often, but other protocol names work as well.
sudo tcpdump icmp
Output:
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eno1, link-type EN10MB (Ethernet), capture size 262144 bytes
17:32:29.235906 IP 172.16.8.183 > bom12s03-in-f14.1e100.net: ICMP echo request, id 24416, seq 1, length 64
17:32:29.252115 IP bom12s03-in-f14.1e100.net > 172.16.8.183: ICMP echo reply, id 24416, seq 1, length 64
17:32:30.237707 IP 172.16.8.183 > bom12s03-in-f14.1e100.net: ICMP echo request, id 24416, seq 2, length 64
17:32:30.252182 IP bom12s03-in-f14.1e100.net > 172.16.8.183: ICMP echo reply, id 24416, seq 2, length 64
17:32:31.237162 IP 172.16.8.183 > bom12s03-in-f14.1e100.net: ICMP echo request, id 24416, seq 3, length 64
17:32:31.252145 IP bom12s03-in-f14.1e100.net > 172.16.8.183: ICMP echo reply, id 24416, seq 3, length 64
17:32:32.238303 IP 172.16.8.183 > bom12s03-in-f14.1e100.net: ICMP echo request, id 24416, seq 4, length 64
Example 11: Filter Traffic by IP Address or Hostname
This is the filter used most often when analyzing network traffic. With the host keyword, you can capture the traffic of a specific host, given either by its IP address or by its hostname.
sudo tcpdump host linuxbots.com
Output:
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eno1, link-type EN10MB (Ethernet), capture size 262144 bytes
17:35:35.093268 IP 172.16.8.183.46274 > 104.24.110.23.https: Flags [S], seq 4241842716, win 64240, options [mss 1460,sackOK,TS val 879430422 ecr 0,nop,wscale 7], length 0
17:35:35.215146 IP 104.24.110.23.https > 172.16.8.183.46274: Flags [S.], seq 3462322619, ack 4241842717, win 65535, options [mss 1400,nop,nop,sackOK,nop,wscale 10], length 0
17:35:35.215206 IP 172.16.8.183.46274 > 104.24.110.23.https: Flags [.], ack 1, win 502, length 0
17:35:35.215576 IP 172.16.8.183.46274 > 104.24.110.23.https: Flags [P.], seq 1:554, ack 1, win 502, length 553
17:35:35.292811 IP 104.24.110.23.https > 172.16.8.183.46274: Flags [.], ack 554, win 66, length 0
Example 12: Filter Traffic by a specific port
We can capture the traffic of a specific port with the port keyword.
sudo tcpdump port 80
Output:
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eno1, link-type EN10MB (Ethernet), capture size 262144 bytes
17:39:16.064208 IP 172.16.8.183.47060 > 172.16.0.1.http: Flags [P.], seq 1963726501:1963727185, ack 2366941443, win 501, options [nop,nop,TS val 1081977725 ecr 475210608], length 684: HTTP: POST /widgets/widgets/interfaces.widget.php HTTP/1.1
17:39:16.064384 IP 172.16.0.1.http > 172.16.8.183.47060: Flags [.], ack 684, win 507, options [nop,nop,TS val 475213508 ecr 1081977725], length 0
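The filters decide what gets captured; making sense of the resulting text is the next step. As an added example (not part of the original tutorial), the Python script below parses tcpdump's one-line-per-packet output of the kind shown in Examples 3, 11 and 12 and summarizes which hosts and ports were contacted and which source hosts opened TCP connections (a bare SYN flag). The sample lines are constructed from those captures, with numeric ports as -n prints them, and include a banner line to show that non-packet lines are skipped.

```python
import re
from collections import Counter

# Constructed sample in the one-line-per-packet format of the captures above,
# with numeric ports as tcpdump -n prints them (not real traffic).
SAMPLE = """\
listening on eno1, link-type EN10MB (Ethernet), capture size 262144 bytes
17:35:35.093268 IP 172.16.8.183.46274 > 104.24.110.23.443: Flags [S], seq 4241842716, win 64240, length 0
17:35:35.215146 IP 104.24.110.23.443 > 172.16.8.183.46274: Flags [S.], seq 3462322619, ack 4241842717, win 65535, length 0
17:35:35.215206 IP 172.16.8.183.46274 > 104.24.110.23.443: Flags [.], ack 1, win 502, length 0
17:39:16.064208 IP 172.16.8.183.47060 > 172.16.0.1.80: Flags [P.], seq 1963726501:1963727185, ack 2366941443, win 501, length 684: HTTP: POST /getstats.php HTTP/1.1
17:11:11.063824 IP 172.16.8.183.58480 > 8.8.8.8.53: 34936+ PTR? 183.8.16.172.in-addr.arpa. (43)
"""

PACKET = re.compile(r"^(?P<ts>\S+) IP (?P<src>\S+) > (?P<dst>[^\s:]+):\s*(?P<rest>.*)$")

def split_endpoint(endpoint):
    """'172.16.8.183.46274' -> ('172.16.8.183', '46274'); the port is the last dotted field."""
    host, _, port = endpoint.rpartition(".")
    return host, port

def parse_line(line):
    """Return a dict for an IPv4 packet line, or None for banners and other non-packet lines."""
    m = PACKET.match(line)
    if m is None:
        return None
    src, sport = split_endpoint(m["src"])
    dst, dport = split_endpoint(m["dst"])
    flags = re.search(r"Flags \[([^\]]*)\]", m["rest"])      # absent on UDP/DNS lines
    return {"ts": m["ts"], "src": src, "sport": sport, "dst": dst, "dport": dport,
            "flags": flags.group(1) if flags else ""}

def summarize(text):
    """Packets per (dst, dport) and TCP connection attempts (bare SYN) per source host."""
    per_service, syn_by_src = Counter(), Counter()
    for line in text.splitlines():
        pkt = parse_line(line)
        if pkt is None:
            continue
        per_service[(pkt["dst"], pkt["dport"])] += 1
        if pkt["flags"] == "S":
            syn_by_src[pkt["src"]] += 1
    return per_service, syn_by_src

if __name__ == "__main__":
    services, syns = summarize(SAMPLE)
    for (dst, port), n in services.most_common():
        print("%-16s port %-5s %d packet(s)" % (dst, port, n))
    print("connection attempts by source:", dict(syns))
```

Feed it a real capture with `sudo tcpdump -n -l | python3 summarize.py` style piping, or read a saved file with `tcpdump -n -r my_filename.pcap` first; without -n the port field holds service names such as https instead of numbers.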
Example 13: Filter Traffic by specific direction
tcpdump offers the src and dst qualifiers for capturing traffic in a specific direction. They can be combined with the host, port and other keywords; separate filter primitives must be joined with and (or or). See the examples below.
sudo tcpdump src 10.0.0.1
sudo tcpdump dst 172.16.0.1
######### using with the host option ###########
sudo tcpdump dst google.com
####### using with the port option #############
sudo tcpdump src port 80
####### using multiple options ################
sudo tcpdump -tttt -c 10 dst port 443 and host google.com
Example 14: Filter Traffic by network address
With the net option, we can capture traffic of a specific network subnet.
sudo tcpdump net 172.16.0.0/16
Example 15: Filter Traffic by the port range
We can capture the traffic of a given range of ports with the portrange keyword.
sudo tcpdump portrange 0-1000