How to use tcpdump command? Examples.

tcpdump is a useful command with many benefits. In this post we will look at examples of how we can use tcpdump to capture network traffic. First we will look at installing the tcpdump utility and then at its usage.

Tcpdump prints out a description of the contents of packets on a network interface that match the boolean expression; the description is preceded by a time stamp, printed, by default, as hours, minutes, seconds, and fractions of a second since midnight.

tcpdump is a powerful and widely used command-line packet sniffer (packet analyzer) which is used to capture or filter TCP/IP packets that are received or transmitted over a network on a specific interface. It is available on most Linux/Unix based operating systems. tcpdump also gives us an option to save captured packets in a file for later analysis.

How to Install

You can install tcpdump using the yum or apt package manager, depending on your distro. To install the tcpdump utility on CentOS or RHEL, type the following command:


$ sudo yum install tcpdump -y

Listing Available Interfaces

You can list all available interfaces on your system by using the -D flag of the tcpdump command.

[root@app-rh1t ~]# tcpdump -D
1.eth0 [Up, Running]
2.eth1 [Up, Running]
3.eth2 [Up, Running]
4.eth3 [Up, Running]
5.eth4 [Up, Running]
6.any (Pseudo-device that captures on all interfaces) [Up, Running]
7.lo [Up, Running, Loopback]
8.wifi0 [Running]
9.wifi1 [Running]
10.wifi2 [Running]

Capturing Packets for an interface

To capture the packets for an interface, use the -i <interface_name> flag. Similarly, you can limit the number of packets to be captured by using the -c <count> flag (e.g. -c 5).

[root@app-rh1t ~]# tcpdump -i ens192
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ens192, link-type EN10MB (Ethernet), capture size 262144 bytes
10:28:07.244337 IP app-rh1t.remotedomain.com.ssh > wgn17028remoteHost.remotedomain.com.53876: Flags [P.], seq 3878444339:3878444375, ack 1331016960, win 326, length 36
10:28:07.244621 IP wgn17028remoteHost.remotedomain.com.53876 > app-rh1tremoteHost.remotedomain.com.ssh: Flags [.], ack 36, win 2052, length 0
10:28:07.245337 IP app-rh1tremoteHost.remotedomain.com.58764 > nfil003remoteHost.remotedomain.com.domain: 60278+ PTR? 26.62.1.10.in-addr.arpa. (41)
10:28:07.245663 IP nfil003remoteHost.remotedomain.com.domain > app-rh1tremoteHost.remotedomain.com.58764: 60278* 1/0/0 PTR wgn17028remoteHost.remotedomain.com. (76)

..... output truncated .....

17 packets captured
258 packets received by filter
179 packets dropped by kernel

Capturing packet for particular port

We can capture the traffic for a particular port using the port qualifier and specifying the port number (port matches either the source or the destination port). For example, in the output below we are capturing packets to or from port 80 on our host.

[root@app-rh1t ~]# tcpdump -i ens192 port 80
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ens192, link-type EN10MB (Ethernet), capture size 262144 bytes
10:33:43.061721 IP remotehost.remoteDomain.com.61342 > app-rh1t.remoteDomain.com.http: Flags [S], seq 3667936300, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
10:33:46.061849 IP remotehost.remoteDomain.com.61342 > app-rh1t.remoteDomain.com.http: Flags [S], seq 3667936300, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
10:33:52.063023 IP remotehost.remoteDomain.com.61342 > app-rh1t.remoteDomain.com.http: Flags [S], seq 3667936300, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
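The port 80 capture above shows the same SYN (seq 3667936300) sent three times without a reply, the signature of a connection attempt nobody answered. The following POSIX shell/awk snippet, added here as an example and not part of the original post, parses tcpdump text output of exactly that format and reports bare-SYN senders and repeated SYNs; the sample lines are constructed from the captures on this page.

```shell
#!/bin/sh
# Constructed sample in tcpdump's default text format (taken from the captures above).
SAMPLE='10:33:43.061721 IP remotehost.remoteDomain.com.61342 > app-rh1t.remoteDomain.com.http: Flags [S], seq 3667936300, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
10:33:46.061849 IP remotehost.remoteDomain.com.61342 > app-rh1t.remoteDomain.com.http: Flags [S], seq 3667936300, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
10:33:52.063023 IP remotehost.remoteDomain.com.61342 > app-rh1t.remoteDomain.com.http: Flags [S], seq 3667936300, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
10:28:07.244337 IP app-rh1t.remotedomain.com.ssh > wgn17028remoteHost.remotedomain.com.53876: Flags [P.], seq 3878444339:3878444375, ack 1331016960, win 326, length 36
10:28:07.244621 IP wgn17028remoteHost.remotedomain.com.53876 > app-rh1t.remotedomain.com.ssh: Flags [.], ack 36, win 2052, length 0'

# count_syn_only: read tcpdump lines on stdin and print "count source-host" for
# every host that sent a bare SYN (Flags [S] with no ACK), i.e. new connection
# attempts. Fields: $2=IP $3=src.port $4=> $5=dst.port: $6=Flags $7=[S], $8=seq $9=N,
count_syn_only() {
    awk '$2 == "IP" && $6 == "Flags" && $7 == "[S]," {
            src = $3
            sub(/\.[^.]*$/, "", src)   # drop the trailing ".port" component
            n[src]++
        }
        END { for (s in n) print n[s], s }' | sort -rn
}

# repeated_syn: same source endpoint and same initial sequence number seen more
# than once means the SYN was retransmitted, so the first attempt got no answer.
repeated_syn() {
    awk '$2 == "IP" && $7 == "[S]," {
            s = $9; sub(/,$/, "", s)   # strip the comma after the seq number
            k = $3 " " s; c[k]++
        }
        END { for (k in c) if (c[k] > 1) print c[k], k }'
}

printf '%s\n' "$SAMPLE" | count_syn_only
printf '%s\n' "$SAMPLE" | repeated_syn
```

On a live host feed the functions from tcpdump itself, for example tcpdump -i ens192 -nn 'tcp[tcpflags] & (tcp-syn|tcp-ack) == tcp-syn' | count_syn_only; -nn keeps addresses and ports numeric so the field layout stays stable.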

Capturing Packets for Destination

To capture packets sent to a destination IP, say 8.8.8.8, use the dst qualifier as follows.

[root@app-rh1t ~]# tcpdump -i ens192 dst 8.8.8.8
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ens192, link-type EN10MB (Ethernet), capture size 262144 bytes
10:38:40.060509 IP app-rh1t.remoteDomain.com > google-public-dns-a.google.com: ICMP echo request, id 3210, seq 11, length 64
10:38:41.061975 IP app-rh1t.remoteDomain.com > google-public-dns-a.google.com: ICMP echo request, id 3210, seq 12, length 64
10:38:42.063290 IP app-rh1t.remoteDomain.com > google-public-dns-a.google.com: ICMP echo request, id 3210, seq 13, length 64
10:38:43.064556 IP app-rh1t.remoteDomain.com > google-public-dns-a.google.com: ICMP echo request, id 3210, seq 14, length 64
10:38:44.065688 IP app-rh1t.remoteDomain.com > google-public-dns-a.google.com: ICMP echo request, id 3210, seq 15, length 64
10:38:45.066836 IP app-rh1t.remoteDomain.com > google-public-dns-a.google.com: ICMP echo request, id 3210, seq 16, length 64

Capturing Packets for a Source

Similar to the destination address capture, the src qualifier lets you capture packets from a particular source address.

I hope these few commands help you get started with the tcpdump command. You are always free to check out the man pages or other documentation to learn more about the utility.
