How to use the tcpdump command, with examples

Tcpdump is a command-line packet sniffer used for network troubleshooting: it captures packets from a network interface and prints a summary of each one. It can capture TCP/IP and other packets sent or received on the interfaces of the machine it runs on. The output can be inspected in real time, piped into grep, or written as raw packets to a file for later analysis. Filter expressions let you keep only the traffic you are interested in and drop the rest. Capturing requires root access (or, on Linux, the CAP_NET_RAW and CAP_NET_ADMIN capabilities).

You can capture all the traffic that reaches a local interface and store it in a file. In that mode nothing is printed to the screen; the packets are written to the named file instead. You can store each packet in full or only its first bytes (the headers), and you can capture on one interface or on all of them. On a switched network an interface normally only sees its own traffic plus broadcasts, so "all the traffic" means all the traffic that reaches this machine. In this article we will learn how to analyze traffic on a Linux machine with the tcpdump command.

Table of Contents

  • 1) Analyze the traffic on all interfaces
  • 2) List the available interfaces
  • 3) Analyze specific interfaces and limit data packets
  • 4) Capture data using IP address and port
  • 5) Intercept packets from specific ports
  • 6) Intercepting packets by ignoring specific ports
  • 7) Intercept packets from specific protocols
  • 8) Log to some specific files
  • 9) Read tcpdump log file
  • 10) Capture packets with more information
  • 11) Capturing data packets from remote hosts
  • 12) Capturing the packets in the target to a remote host
  • 13) Capturing incoming and outgoing packets for a specific host
  • 14) Capture packets using port range
  • Conclusion

1) Analyze the traffic on all interfaces

Tcpdump may not be installed by default, so install it first.

On Ubuntu 16.04 / 18.04

# apt install tcpdump

On Centos 7

# yum install tcpdump

Without any options tcpdump does not listen on every interface: it picks the first configured non-loopback interface, eth0 here, as the "listening on" line in the output shows. To capture on all interfaces at once, use -i any.

# tcpdump
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
07:41:25.886307 IP li339-47.members.linode.com.ssh > 169.255.7.5.44284: Flags [P.], seq 1435074392:1435074508, ack 4135933864, win 381, options [nop,nop,TS val 3387567505 ecr 18335689], length 116
07:41:25.886932 IP li339-47.members.linode.com.49063 > resolver08.dallas.linode.com.domain: 61296+ PTR? 5.7.255.169.in-addr.arpa. (42)
07:41:26.133811 IP 169.255.7.5.44284 > li339-47.members.linode.com.ssh: Flags [.], ack 0, win 722, options [nop,nop,TS val 18335757 ecr 3387567484], length 0
07:41:26.133851 IP li339-47.members.linode.com.ssh > 169.255.7.5.44284: Flags [P.], seq 116:232, ack 1, win 381, options [nop,nop,TS val 3387567753 ecr 18335757], length 116
07:41:26.142929 IP resolver08.dallas.linode.com.domain > li339-47.members.linode.com.49063: 61296 NXDomain 0/0/0 (42)
.....
.....
07:41:26.680521 IP li339-47.members.linode.com.ssh > 169.255.7.5.44284: Flags [P.], seq 2724:3132, ack 1, win 381, options [nop,nop,TS val 3387568299 ecr 18335894], length 408
^C
17 packets captured
18 packets received by filter
0 packets dropped by kernel

Each endpoint is printed as host.port, where the host is a name (or an address when resolution is off) and the port is a service name or number. The first line, captured at 07:41:25.886307, is an IP packet from li339-47.members.linode.com port ssh, which is why it reads li339-47.members.linode.com.ssh, sent to 169.255.7.5 port 44284. Flags [P.] means PSH and ACK are set (the dot stands for ACK). seq and ack are the TCP sequence and acknowledgement numbers, printed in absolute form for the first packet of a connection and relative to it afterwards (116:232 on the fourth line), and length 116 is the size of the TCP payload. The second line is a PTR query that tcpdump itself sent to turn 169.255.7.5 into a name; use -n if you do not want the capture to generate that extra traffic.

Press Ctrl-C to stop the capture. tcpdump then reports how many packets it captured, how many the filter saw and how many the kernel dropped; a non-zero dropped count means the capture is incomplete, which matters when you are collecting evidence. If you need more information, tcpdump provides several options to enhance or modify its output:

  • -i interface : Listen on the specified interface (-i any listens on all of them).
  • -n : Do not resolve host names. -nn also leaves port numbers unresolved.
  • -t : Do not print a timestamp on each line (-tttt prints a full date and time instead).
  • -X : Print the contents of each packet in hexadecimal and ASCII.
  • -v, -vv, -vvv : Increase the amount of protocol detail printed.
  • -c N : Stop after N packets.
  • -s bytes : Snapshot length, the number of bytes kept from each packet. -s 0 means the whole packet; current versions default to 262144 bytes (the "capture size" in the output), which already holds whole packets.
  • -S : Print absolute rather than relative TCP sequence numbers.
  • -q : Print less protocol information.
  • -w file : Write the raw packets to file instead of printing them.

2) List the available interfaces

Use the -D option:

# tcpdump -D
1.eth0
2.nflog (Linux netfilter log (NFLOG) interface)
3.nfqueue (Linux netfilter queue (NFQUEUE) interface)
4.any (Pseudo-device that captures on all interfaces)
5.lo [Loopback]

This shows which interfaces you can capture on. Either the name or the number printed here can be passed to -i.

3) Analyze specific interfaces and limit data packets

Use -i to capture on a specific interface and -c to limit the number of packets captured:

# tcpdump -i eth0 -c 5
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
08:57:09.186418 IP li339-47.members.linode.com.ssh > 169.255.7.5.44284: Flags [P.], seq 1435431156:1435431272, ack 4135945080, win 419, options [nop,nop,TS val 3392110805 ecr 19471515], length 116
08:57:09.186855 IP li339-47.members.linode.com.33326 > resolver08.dallas.linode.com.domain: 9787+ PTR? 5.7.255.169.in-addr.arpa. (42)
08:57:09.335228 IP 134.119.220.87.45873 > li339-47.members.linode.com.60342: Flags [S], seq 3684168813, win 1024, length 0
08:57:09.335264 IP li339-47.members.linode.com.60342 > 134.119.220.87.45873: Flags [R.], seq 0, ack 3684168814, win 0, length 0
08:57:09.378999 IP 134.119.220.87.45873 > li339-47.members.linode.com.25070: Flags [S], seq 3509221600, win 1024, length 0
5 packets captured
13 packets received by filter
0 packets dropped by kernel

4) Capture data using IP address and port

As you can see in the output above, tcpdump resolves host and service names, so the source port numbers and IP addresses are hidden behind names. Use -nn to print both as numbers, which also stops tcpdump from sending DNS lookups of its own. The previous output also shows something worth noticing: 134.119.220.87 sends bare SYNs (Flags [S], win 1024) to arbitrary ports such as 60342 and 25070 and gets a RST back for each, which is what a port scan looks like on the wire.

# tcpdump -i eth0 -c 5 -nn
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
09:17:09.572425 IP 96.126.114.47.22 > 169.255.7.5.44284: Flags [P.], seq 1435457792:1435457908, ack 4135947356, win 419, options [nop,nop,TS val 3393311191 ecr 19771613], length 116
09:17:09.605048 IP 96.126.114.47.32887 > 204.11.201.10.123: NTPv4, Client, length 48
09:17:09.663754 IP 204.11.201.10.123 > 96.126.114.47.32887: NTPv4, Server, length 48
09:17:09.785600 IP 169.255.7.5.44284 > 96.126.114.47.22: Flags [.], ack 0, win 722, options [nop,nop,TS val 19771669 ecr 3393311183], length 0
09:17:09.785646 IP 96.126.114.47.22 > 169.255.7.5.44284: Flags [P.], seq 116:700, ack 1, win 419, options [nop,nop,TS val 3393311404 ecr 19771669], length 584
5 packets captured
5 packets received by filter
0 packets dropped by kernel

5) Intercept packets from specific ports

Use the port primitive to capture only packets with a given port number at either end of the connection:

# tcpdump -i eth0 -c 5 -nn port 22
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
09:27:27.773270 IP 96.126.114.47.22 > 169.255.7.5.44284: Flags [P.], seq 1435459900:1435460016, ack 4135948192, win 419, options [nop,nop,TS val 3393929392 ecr 19926162], length 116
09:27:27.773357 IP 96.126.114.47.22 > 169.255.7.5.44284: Flags [P.], seq 116:232, ack 1, win 419, options [nop,nop,TS val 3393929392 ecr 19926162], length 116
09:27:28.032620 IP 169.255.7.5.44284 > 96.126.114.47.22: Flags [.], ack 0, win 722, options [nop,nop,TS val 19926230 ecr 3393929384], length 0
09:27:28.032655 IP 96.126.114.47.22 > 169.255.7.5.44284: Flags [P.], seq 232:648, ack 1, win 419, options [nop,nop,TS val 3393929652 ecr 19926230], length 416
09:27:28.032668 IP 169.255.7.5.44284 > 96.126.114.47.22: Flags [.], ack 116, win 722, options [nop,nop,TS val 19926230 ecr 3393929392], length 0
5 packets captured
6 packets received by filter
0 packets dropped by kernel

6) Intercepting packets by ignoring specific ports

To exclude a port instead, negate the primitive with not. Note that ICMP packets have no port, so they pass a not port filter too, as the "admin prohibited" message below shows:

# tcpdump -i eth0 -c 5 -nn not port 22
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
11:15:53.784094 IP 134.119.220.87.45873 > 96.126.114.47.32724: Flags [S], seq 1210911834, win 1024, length 0
11:15:53.784139 IP 96.126.114.47.32724 > 134.119.220.87.45873: Flags [R.], seq 0, ack 1210911835, win 0, length 0
11:15:53.910633 IP 134.119.220.87.45873 > 96.126.114.47.32724: Flags [R], seq 1210911835, win 1200, length 0
11:15:53.911319 IP 134.119.220.87 > 96.126.114.47: ICMP host 134.119.220.87 unreachable - admin prohibited, length 48
11:15:56.327699 IP 134.119.220.87.45873 > 96.126.114.47.18566: Flags [S], seq 3213454109, win 1024, length 0
5 packets captured
6 packets received by filter
0 packets dropped by kernel

7) Intercept packets from specific protocols

You can capture only one protocol by naming it, for example tcp:

# tcpdump -i eth0 -c 5 -nn tcp
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
09:49:33.371487 IP 96.126.114.47.22 > 169.255.7.5.44284: Flags [P.], seq 1435550388:1435550504, ack 4135954104, win 438, options [nop,nop,TS val 3395254990 ecr 20257561], length 116
09:49:33.371612 IP 96.126.114.47.22 > 169.255.7.5.44284: Flags [P.], seq 116:232, ack 1, win 438, options [nop,nop,TS val 3395254990 ecr 20257561], length 116
09:49:33.371788 IP 96.126.114.47.22 > 169.255.7.5.44284: Flags [P.], seq 232:452, ack 1, win 438, options [nop,nop,TS val 3395254991 ecr 20257561], length 220
09:49:33.371956 IP 96.126.114.47.22 > 169.255.7.5.44284: Flags [P.], seq 452:648, ack 1, win 438, options [nop,nop,TS val 3395254991 ecr 20257561], length 196
09:49:33.631626 IP 169.255.7.5.44284 > 96.126.114.47.22: Flags [.], ack 116, win 722, options [nop,nop,TS val 20257629 ecr 3395254981], length 0
5 packets captured
7 packets received by filter
0 packets dropped by kernel

To capture ICMP instead, replace tcp with icmp; udp and arp work the same way.
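The host.port format described in section 1 is easy to parse, and the packets from 134.119.220.87 in sections 3 and 6 are a textbook port scan: bare SYNs to many different ports, each answered by a RST. The following added example (not code from the article or from tcpdump) parses tcpdump's default one-line TCP output and reports sources that behave that way. SAMPLE is constructed from the article's own output; no root access or live interface is needed.

```python
"""Parse tcpdump's default one-line output and flag SYN-scan behaviour.

Added example; not part of the original article and not tcpdump's own code.
It parses the "host.port > host.port: Flags [..]" lines described in
section 1 and then looks for what sections 3 and 6 show from 134.119.220.87:
bare SYNs to many different ports, each answered by a RST. SAMPLE is
constructed from the article's own output.
"""
import re
from collections import defaultdict

# Default and -nn TCP line format. The host is everything up to the last dot
# (a name or an IPv4 address); the port is a number or a service name.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) IP6? (?P<src>\S+)\.(?P<sport>[\w-]+) > "
    r"(?P<dst>\S+)\.(?P<dport>[\w-]+): Flags \[(?P<flags>[^\]]*)\]"
    r".*?length (?P<length>\d+)$"
)

# Constructed sample: lines taken from the captures shown in this article.
SAMPLE = """\
08:57:09.186418 IP li339-47.members.linode.com.ssh > 169.255.7.5.44284: Flags [P.], seq 1435431156:1435431272, ack 4135945080, win 419, options [nop,nop,TS val 3392110805 ecr 19471515], length 116
09:17:09.605048 IP 96.126.114.47.32887 > 204.11.201.10.123: NTPv4, Client, length 48
08:57:09.335228 IP 134.119.220.87.45873 > li339-47.members.linode.com.60342: Flags [S], seq 3684168813, win 1024, length 0
08:57:09.335264 IP 96.126.114.47.60342 > 134.119.220.87.45873: Flags [R.], seq 0, ack 3684168814, win 0, length 0
08:57:09.378999 IP 134.119.220.87.45873 > 96.126.114.47.25070: Flags [S], seq 3509221600, win 1024, length 0
11:15:53.784094 IP 134.119.220.87.45873 > 96.126.114.47.32724: Flags [S], seq 1210911834, win 1024, length 0
11:15:53.784139 IP 96.126.114.47.32724 > 134.119.220.87.45873: Flags [R.], seq 0, ack 1210911835, win 0, length 0
11:15:53.910633 IP 134.119.220.87.45873 > 96.126.114.47.32724: Flags [R], seq 1210911835, win 1200, length 0
11:15:53.911319 IP 134.119.220.87 > 96.126.114.47: ICMP host 134.119.220.87 unreachable - admin prohibited, length 48
11:15:56.327699 IP 134.119.220.87.45873 > 96.126.114.47.18566: Flags [S], seq 3213454109, win 1024, length 0
""".splitlines()


def parse_line(line):
    """Return the fields of a TCP summary line, or None for other lines
    (DNS, NTP, ICMP, ARP ...)."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    rec = m.groupdict()
    rec["length"] = int(rec["length"])
    # tcpdump prints '.' for ACK and 'none' when no flag is set
    raw = "" if rec["flags"] == "none" else rec["flags"].replace(".", "A")
    rec["flags"] = set(raw)
    return rec


def find_syn_scanners(lines, min_ports=3):
    """Count distinct destination ports probed with bare SYNs (SYN set, ACK
    clear) per source, and the RSTs sent back to it. A source that touches
    min_ports or more distinct ports is reported as a probable scanner."""
    syn_ports = defaultdict(set)
    rst_replies = defaultdict(int)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if "S" in rec["flags"] and "A" not in rec["flags"]:
            syn_ports[rec["src"]].add(rec["dport"])
        elif "R" in rec["flags"]:
            rst_replies[rec["dst"]] += 1
    return {
        src: {"ports": sorted(ports), "rst_replies": rst_replies[src]}
        for src, ports in syn_ports.items()
        if len(ports) >= min_ports
    }


if __name__ == "__main__":
    for src, info in find_syn_scanners(SAMPLE).items():
        print(f"{src}: {len(info['ports'])} ports probed "
              f"({', '.join(info['ports'])}), {info['rst_replies']} RSTs back")
```

On a live system the same code can read `tcpdump -nn -l tcp` through a pipe (-l makes the output line-buffered); run it with -nn so that the source field is an address rather than a name, otherwise the same host may be grouped under two keys.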

8) Log to some specific files

You can save captured packets to a file with -w. Older tcpdump versions stored only the first 68 bytes of each packet by default and discarded the rest; current versions default to 262144 bytes, as the "capture size" line shows, which keeps whole packets. -s sets how many bytes to keep per packet, and -s 0 explicitly asks for the full packet, so it does no harm to add it. The file is written in pcap format, which Wireshark and other analysis tools also read.

# tcpdump -i eth0 -c 5 -nn tcp -w packets-record.cap -s 0
tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
5 packets captured
5 packets received by filter
0 packets dropped by kernel

9) Read tcpdump log file

A capture file is binary, so cat or less will not display it; read it back with the -r option of tcpdump. Filter expressions and the -nn, -v and -X options work on a file exactly as on a live capture, so you can capture everything once and narrow it down afterwards:

# tcpdump -r packets-record.cap 
reading from file packets-record.cap, link-type EN10MB (Ethernet)
10:06:25.310077 IP li339-47.members.linode.com.ssh > 169.255.7.5.44284: Flags [P.], seq 1435573932:1435573976, ack 4135958592, win 457, options [nop,nop,TS val 3396266929 ecr 20510549], length 44
10:06:25.565590 IP 169.255.7.5.44284 > li339-47.members.linode.com.ssh: Flags [.], ack 0, win 722, options [nop,nop,TS val 20510616 ecr 3396266919], length 0
10:06:25.565633 IP li339-47.members.linode.com.ssh > 169.255.7.5.44284: Flags [P.], seq 44:160, ack 1, win 457, options [nop,nop,TS val 3396267184 ecr 20510616], length 116
10:06:25.570384 IP 169.255.7.5.44284 > li339-47.members.linode.com.ssh: Flags [.], ack 44, win 722, options [nop,nop,TS val 20510617 ecr 3396266929], length 0
10:06:25.827438 IP 169.255.7.5.44284 > li339-47.members.linode.com.ssh: Flags [.], ack 160, win 722, options [nop,nop,TS val 20510681 ecr 3396267184], length 0
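To make clear what -w writes and why -r is needed to read it back, here is an added example (not code from the article or from tcpdump) that writes and reads a minimal pcap file with the standard library only. It builds one constructed Ethernet/IPv4/TCP SYN with made-up MAC addresses, stores it with a chosen snapshot length, decodes enough of each header to print a tcpdump-style summary line, and shows how a snaplen that is too small truncates what is stored. The timestamp, addresses and ports are assumptions for the demonstration.

```python
"""Write and read a minimal pcap file, the format `tcpdump -w` produces.

Added example; not part of the original article and not tcpdump's code.
It assembles one constructed Ethernet/IPv4/TCP SYN (made-up addresses,
ports and MACs), writes it to a pcap file with a chosen snapshot length,
reads the file back, decodes enough of each header to print a tcpdump-style
summary line, and shows how a small snaplen truncates what is stored
(incl_len smaller than orig_len). Checksums are left at zero.
"""
import os
import socket
import struct
import tempfile

PCAP_MAGIC = 0xA1B2C3D4   # host-order magic, microsecond timestamps
LINKTYPE_ETHERNET = 1     # tcpdump reports this as "link-type EN10MB"
# tcpdump's flag letters in header bit order; '.' stands for ACK
TCP_FLAG_CHARS = [(0x01, "F"), (0x02, "S"), (0x04, "R"), (0x08, "P"),
                  (0x10, "."), (0x20, "U"), (0x40, "E"), (0x80, "W")]


def build_tcp_syn(src_ip, dst_ip, sport, dport, seq=1000):
    """Ethernet + IPv4 + TCP headers for a bare SYN with no payload."""
    eth = bytes.fromhex("00000c9ff006") + bytes.fromhex("f23c91123456") + b"\x08\x00"
    # sport, dport, seq, ack, data offset (5 words), flags (SYN), win, cksum, urg
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 5 << 4, 0x02, 1024, 0, 0)
    # version/IHL, TOS, total length, ID, flags/frag (DF), TTL, proto 6, cksum, src, dst
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0x1234, 0x4000,
                     64, 6, 0, socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    return eth + ip + tcp


def write_pcap(path, packets, snaplen=262144, ts=(1523356356, 73756)):
    """Global header, then a 16-byte record header plus the stored bytes per
    packet, cut to snaplen exactly as tcpdump -s does."""
    with open(path, "wb") as f:
        # magic, major, minor, thiszone, sigfigs, snaplen, linktype
        f.write(struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, snaplen,
                            LINKTYPE_ETHERNET))
        for i, pkt in enumerate(packets):
            stored = pkt[:snaplen]
            # ts_sec, ts_usec, incl_len (bytes stored), orig_len (bytes on the wire)
            f.write(struct.pack("<IIII", ts[0], ts[1] + i, len(stored), len(pkt)))
            f.write(stored)


def read_pcap(path):
    """Return a list of (ts_sec, ts_usec, incl_len, orig_len, data) records."""
    records = []
    with open(path, "rb") as f:
        magic, _, _, _, _, _, linktype = struct.unpack("<IHHiIII", f.read(24))
        if magic != PCAP_MAGIC or linktype != LINKTYPE_ETHERNET:
            raise ValueError("not a little-endian Ethernet pcap file")
        while True:
            hdr = f.read(16)
            if len(hdr) < 16:
                break
            ts_sec, ts_usec, incl_len, orig_len = struct.unpack("<IIII", hdr)
            records.append((ts_sec, ts_usec, incl_len, orig_len, f.read(incl_len)))
    return records


def summarize(record):
    """A tcpdump-like line for an Ethernet/IPv4/TCP record, or a note when
    the stored bytes end before the TCP header (snaplen too small)."""
    ts_sec, ts_usec, incl_len, orig_len, data = record
    stamp = f"{ts_sec}.{ts_usec:06d}"
    if incl_len < 14 + 20:
        return f"{stamp} truncated: {incl_len} of {orig_len} bytes stored"
    if data[12:14] != b"\x08\x00" or data[14] >> 4 != 4:
        return f"{stamp} non-IPv4 frame"
    ihl = (data[14] & 0x0F) * 4
    total_len = struct.unpack("!H", data[16:18])[0]
    proto = data[23]
    src, dst = socket.inet_ntoa(data[26:30]), socket.inet_ntoa(data[30:34])
    if proto != 6:
        return f"{stamp} IP {src} > {dst}: proto {proto}"
    t = 14 + ihl
    if incl_len < t + 20:
        return f"{stamp} truncated: {incl_len} of {orig_len} bytes stored"
    sport, dport, seq, _ack, off, flags, win = struct.unpack("!HHIIBBH", data[t:t + 16])
    letters = "".join(c for bit, c in TCP_FLAG_CHARS if flags & bit) or "none"
    payload = total_len - ihl - (off >> 4) * 4
    return (f"{stamp} IP {src}.{sport} > {dst}.{dport}: "
            f"Flags [{letters}], seq {seq}, win {win}, length {payload}")


def demo(snaplen):
    """Write one SYN with the given snaplen, read it back and return
    (summary line, bytes stored, bytes on the wire)."""
    pkt = build_tcp_syn("134.119.220.87", "96.126.114.47", 45873, 60342)
    fd, path = tempfile.mkstemp(suffix=".cap")
    os.close(fd)
    try:
        write_pcap(path, [pkt], snaplen=snaplen)
        rec = read_pcap(path)[0]
    finally:
        os.unlink(path)
    return summarize(rec), rec[2], rec[3]


if __name__ == "__main__":
    print(demo(262144)[0])   # full packet, as with the default snaplen or -s 0
    print(demo(40)[0])       # too-small snaplen: TCP header cut off
```

The 40-byte run shows why a deliberately small -s is a trade-off: it keeps the file small and avoids storing payload you may not be allowed to keep, but anything beyond the stored bytes, here the TCP header itself, is gone for good.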

10) Capture packets with more information

The options can be combined for a more detailed view of each packet. Here -tttt prints a full date and time, -nn disables name resolution, -vv adds the IP header fields (TOS, TTL, ID, flags, checksums) and -S prints absolute sequence numbers. Do not be alarmed by the "cksum ... (incorrect ...)" notes on packets this host sends: with checksum offloading the network card fills in the checksum after tcpdump has already copied the packet. Packets arriving from the network, such as the ICMP message and the RST below, show up as correct:

# tcpdump -i eth0 -c 5 -ttttnnvvS
tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
2018-04-10 10:32:36.073756 IP (tos 0x10, ttl 64, id 14601, offset 0, flags [DF], proto TCP (6), length 96)
    96.126.114.47.22 > 169.255.7.5.44284: Flags [P.], cksum 0x8404 (incorrect -> 0x570b), seq 1435611412:1435611456, ack 4135969472, win 495, options [nop,nop,TS val 3397837693 ecr 20903238], length 44
2018-04-10 10:32:36.073896 IP (tos 0x10, ttl 64, id 14602, offset 0, flags [DF], proto TCP (6), length 168)
    96.126.114.47.22 > 169.255.7.5.44284: Flags [P.], cksum 0x844c (incorrect -> 0x14ec), seq 1435611456:1435611572, ack 4135969472, win 495, options [nop,nop,TS val 3397837693 ecr 20903238], length 116
2018-04-10 10:32:36.074118 IP (tos 0x10, ttl 64, id 14603, offset 0, flags [DF], proto TCP (6), length 200)
    96.126.114.47.22 > 169.255.7.5.44284: Flags [P.], cksum 0x846c (incorrect -> 0x52d8), seq 1435611572:1435611720, ack 4135969472, win 495, options [nop,nop,TS val 3397837693 ecr 20903238], length 148
2018-04-10 10:32:36.083469 IP (tos 0x8, ttl 53, id 26190, offset 0, flags [none], proto ICMP (1), length 68)
    134.119.220.87 > 96.126.114.47: ICMP host 134.119.220.87 unreachable - admin prohibited, length 48
        IP (tos 0x28, ttl 48, id 23212, offset 0, flags [DF], proto TCP (6), length 40)
    96.126.114.47.47317 > 134.119.220.87.45873: Flags [R.], cksum 0x5362 (correct), seq 0, ack 96384300, win 0, length 0
2018-04-10 10:32:36.084338 IP (tos 0x0, ttl 244, id 32726, offset 0, flags [none], proto TCP (6), length 40)
    134.119.220.87.45873 > 96.126.114.47.47317: Flags [R], cksum 0x4ec2 (correct), seq 96384300, win 1200, length 0
5 packets captured
5 packets received by filter
0 packets dropped by kernel

11) Capturing data packets from remote hosts

To show only packets coming from a specific address, use src host:

# tcpdump -i eth0 -c 5 -ttttnnvvS src host 96.126.114.1
tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
2018-04-10 11:27:28.498964 ARP, Ethernet (len 6), IPv4 (len 4), Reply 96.126.114.1 is-at 00:00:0c:9f:f0:06, length 46
2018-04-10 11:28:08.614258 ARP, Ethernet (len 6), IPv4 (len 4), Reply 96.126.114.1 is-at 00:00:0c:9f:f0:06, length 46
2018-04-10 11:28:53.621982 ARP, Ethernet (len 6), IPv4 (len 4), Reply 96.126.114.1 is-at 00:00:0c:9f:f0:06, length 46
2018-04-10 11:29:33.511165 ARP, Ethernet (len 6), IPv4 (len 4), Reply 96.126.114.1 is-at 00:00:0c:9f:f0:06, length 46
2018-04-10 11:30:13.837251 ARP, Ethernet (len 6), IPv4 (len 4), Reply 96.126.114.1 is-at 00:00:0c:9f:f0:06, length 46
5 packets captured
5 packets received by filter
0 packets dropped by kernel

These are the gateway's ARP replies (is-at). The host primitives match the addresses carried in ARP packets as well as IP headers, which is why a src host filter catches them.

12) Capturing the packets in the target to a remote host

You can also show only packets sent to a specific destination, for example the packets this host sends to its gateway, with dst host:

# tcpdump -i eth0 -c 5 -ttttnnvvS dst host 96.126.114.1
tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
2018-04-10 11:34:15.107495 ARP, Ethernet (len 6), IPv4 (len 4), Request who-has 96.126.114.1 tell 96.126.114.47, length 28
2018-04-10 11:35:00.547492 ARP, Ethernet (len 6), IPv4 (len 4), Request who-has 96.126.114.1 tell 96.126.114.47, length 28
2018-04-10 11:35:47.907837 ARP, Ethernet (len 6), IPv4 (len 4), Request who-has 96.126.114.1 tell 96.126.114.47, length 28
2018-04-10 11:36:12.867576 ARP, Ethernet (len 6), IPv4 (len 4), Request who-has 96.126.114.1 tell 96.126.114.47, length 28
2018-04-10 11:36:39.534063 ARP, Ethernet (len 6), IPv4 (len 4), Request who-has 96.126.114.1 tell 96.126.114.47, length 28
5 packets captured
5 packets received by filter
0 packets dropped by kernel

These are the ARP requests (who-has) that this host sends to the gateway.

13) Capturing incoming and outgoing packets for a specific host

In the two commands above, src and dst selected incoming and outgoing packets for a host in two separate captures. The host primitive matches both directions in a single command:

# tcpdump -i eth0 -c 5 -ttttnnvvS host 96.126.114.1
tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
2018-04-10 11:37:49.720992 ARP, Ethernet (len 6), IPv4 (len 4), Request who-has 96.126.114.1 tell 96.126.114.47, length 28
2018-04-10 11:37:49.725683 ARP, Ethernet (len 6), IPv4 (len 4), Reply 96.126.114.1 is-at 00:00:0c:9f:f0:06, length 46
2018-04-10 11:38:14.894130 ARP, Ethernet (len 6), IPv4 (len 4), Request who-has 96.126.114.1 tell 96.126.114.47, length 28
2018-04-10 11:38:14.900008 ARP, Ethernet (len 6), IPv4 (len 4), Reply 96.126.114.1 is-at 00:00:0c:9f:f0:06, length 46
2018-04-10 11:38:39.854051 ARP, Ethernet (len 6), IPv4 (len 4), Request who-has 96.126.114.1 tell 96.126.114.47, length 28
5 packets captured
5 packets received by filter
0 packets dropped by kernel

You can now see the request and reply packets.

14) Capture packets using port range

A range of ports can be selected with portrange. In the command below -nns 0 combines -nn and -s 0:

# tcpdump -i eth0 -c 3 -nns 0 portrange 20-23
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
11:59:45.996312 IP 96.126.114.47.22 > 169.255.7.5.44284: Flags [P.], seq 1435738516:1435738632, ack 4136021820, win 875, options [nop,nop,TS val 3403067615 ecr 22210718], length 116
11:59:45.996512 IP 96.126.114.47.22 > 169.255.7.5.44284: Flags [P.], seq 116:232, ack 1, win 875, options [nop,nop,TS val 3403067615 ecr 22210718], length 116
11:59:45.996728 IP 96.126.114.47.22 > 169.255.7.5.44284: Flags [P.], seq 232:452, ack 1, win 875, options [nop,nop,TS val 3403067616 ecr 22210718], length 220
3 packets captured
5 packets received by filter
0 packets dropped by kernel
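Sections 5 to 7 and 11 to 14 use most of the filter words you need day to day, but it is easy to misjudge what a bare host or port matches. The following added example (not code from the article, not libpcap's BPF compiler) is a small interpreter for exactly those primitives, joined with and, or and not, run over packet records constructed from the article's captures so that you can check what an expression admits before pointing it at a live interface. It simplifies the real language: no parentheses, not binds tightest, then and, then or, and hosts are compared as IPv4 strings only.

```python
"""A tiny interpreter for the tcpdump filter words used in this article.

Added example; not part of the article and not libpcap's BPF compiler. It
implements host, src host, dst host, port, portrange and the protocol names
tcp, udp, icmp, arp and ip, joined with and / or / not, over constructed
packet records. Simplifications: no parentheses; 'not' binds tightest, then
'and', then 'or'; hosts are compared as IPv4 strings only.
"""

# Constructed from the captures above: an SSH session, an NTP query,
# a SYN from the scanner, its ICMP reply and an ARP reply from the gateway.
RECORDS = [
    {"id": "ssh-data", "proto": "tcp", "src": "96.126.114.47", "sport": 22,
     "dst": "169.255.7.5", "dport": 44284},
    {"id": "ssh-ack", "proto": "tcp", "src": "169.255.7.5", "sport": 44284,
     "dst": "96.126.114.47", "dport": 22},
    {"id": "ntp", "proto": "udp", "src": "96.126.114.47", "sport": 32887,
     "dst": "204.11.201.10", "dport": 123},
    {"id": "scan-syn", "proto": "tcp", "src": "134.119.220.87", "sport": 45873,
     "dst": "96.126.114.47", "dport": 32724},
    {"id": "icmp", "proto": "icmp", "src": "134.119.220.87", "sport": None,
     "dst": "96.126.114.47", "dport": None},
    {"id": "arp-reply", "proto": "arp", "src": "96.126.114.1", "sport": None,
     "dst": "96.126.114.47", "dport": None},
]

PROTOCOLS = {"tcp", "udp", "icmp", "arp", "ip"}


def _sides(rec, direction, skey, dkey):
    """Values to compare: only the source, only the destination, or both
    (a bare 'host' or 'port' matches either end, as in BPF)."""
    if direction == "src":
        return (rec[skey],)
    if direction == "dst":
        return (rec[dkey],)
    return (rec[skey], rec[dkey])


def compile_filter(expr):
    """Turn a filter expression into a predicate over a record dict."""
    tokens = expr.split()
    pos = 0

    def peek():
        return tokens[pos] if pos < len(tokens) else None

    def take():
        nonlocal pos
        if pos >= len(tokens):
            raise ValueError("unexpected end of filter expression")
        pos += 1
        return tokens[pos - 1]

    def primitive():
        tok = take()
        direction = None
        if tok in ("src", "dst"):
            direction, tok = tok, take()
        if tok == "host":
            value = take()
            return lambda r: value in _sides(r, direction, "src", "dst")
        if tok == "port":
            value = int(take())
            # 'port' implies a transport protocol: ICMP and ARP never match
            return lambda r: (r["proto"] in ("tcp", "udp")
                              and value in _sides(r, direction, "sport", "dport"))
        if tok == "portrange":
            lo, hi = (int(x) for x in take().split("-"))
            return lambda r: (r["proto"] in ("tcp", "udp") and any(
                lo <= p <= hi for p in _sides(r, direction, "sport", "dport")))
        if tok in PROTOCOLS and direction is None:
            if tok == "ip":
                return lambda r: r["proto"] != "arp"
            return lambda r: r["proto"] == tok
        raise ValueError(f"unsupported filter word: {tok}")

    def negation():
        if peek() == "not":
            take()
            inner = negation()
            return lambda r: not inner(r)
        return primitive()

    def conjunction():
        left = negation()
        while peek() == "and":
            take()
            left = (lambda l, rhs: lambda r: l(r) and rhs(r))(left, negation())
        return left

    def disjunction():
        left = conjunction()
        while peek() == "or":
            take()
            left = (lambda l, rhs: lambda r: l(r) or rhs(r))(left, conjunction())
        return left

    predicate = disjunction()
    if pos != len(tokens):
        raise ValueError(f"trailing tokens: {' '.join(tokens[pos:])}")
    return predicate


def apply_filter(expr, records=RECORDS):
    """Ids of the records the expression would let through."""
    match = compile_filter(expr)
    return [r["id"] for r in records if match(r)]


if __name__ == "__main__":
    for expr in ("port 22", "not port 22", "tcp and not port 22",
                 "src host 96.126.114.1", "host 96.126.114.47", "portrange 20-23"):
        print(f"{expr:24} -> {apply_filter(expr)}")
```

Two results are worth remembering from the run: "not port 22" still lets ICMP and ARP through, because a port primitive only applies to transport protocols, and "host 96.126.114.47" matches every record, since a bare host tests both ends. When you need the real thing to confirm an expression, `tcpdump -d 'tcp and not port 22'` prints the compiled BPF program without capturing anything.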

Conclusion

Tcpdump provides many options to filter the packets it captures, and a capture file is often the quickest way to see what is really happening on a host. A packet sniffer is also a tool that can be abused: anyone who can capture on a network segment can read credentials that other users send over cleartext protocols. Depending on the network configuration, this works even when no sniffer is running on the sending or receiving computer. As a result, many organizations have policies that prohibit running packet sniffers except in limited, authorized circumstances.
