Tcpdump is a packet sniffer for everyday use. There are many packet sniffers, but tcpdump stands out for its general availability and ease of use. Tcpdump uses the libpcap library, which is the core library used for packet capture. Here we will look at general usage examples of packet sniffing. Be aware that tcpdump needs enough privilege to open a capture interface (root, or the CAP_NET_RAW and CAP_NET_ADMIN capabilities), and security mechanisms such as SELinux or AppArmor must also allow it. Captured data is generally written into a file with the pcap extension. Pcap files can be read and parsed with the popular GUI-based network tool Wireshark.
Tcpdump Command Man
More detailed information can be found in the tcpdump man page:
$ man tcpdump
List Network Interfaces with Tcpdump
On a standard Linux system there are many interfaces, and not just network interfaces: USB interfaces exist as well. Tcpdump can listen to the USB protocol on USB interfaces and to other special kernel devices. Tcpdump numbers the interfaces so that they can be selected by index instead of by name. First, list the interfaces tcpdump can sniff and capture from:
$ tcpdump -D
On the Ubuntu system used here tcpdump lists 10 interfaces. Tcpdump also gives some information about interface status, such as up/down and the connection type. There is a special pseudo-interface named any (number 2 in this listing) on which the traffic of all interfaces can be sniffed at once. The numbers are only valid for the current system and can change between reboots or after adding hardware, so interface names are safer in scripts.
Select Network Interface For Packet Capture
To use one of the listed interfaces, either the interface name or its index is given with -i. The special interface named any captures on all interfaces; on Linux it uses the cooked (SLL) link-layer header rather than Ethernet and does not put the interfaces into promiscuous mode.
$ tcpdump -i 2
$ tcpdump -i ens3
Capturing Specified Port with Tcpdump
By default all network traffic on the interface is captured with tcpdump. This may create enormous output. If we want to capture only a specific port we can use the port filter. In this example we will only listen on the HTTP port (port 80, which tcpdump resolves from the service name http). Note that port matches either the source or the destination port, so both directions of the conversation are captured. Capturing needs root privileges, so the command is run with sudo:
$ sudo tcpdump -i 2 "port http"
Verbose Output For Packet Capture with Tcpdump
While capturing packets, only a one-line summary per packet (addresses, ports and a few protocol fields) is shown by default. To get more details about packets the verbose option should be specified. With -v tcpdump prints, for example, the TTL, identification, total length and options from the IP header, and verifies the IP header checksum.
$ tcpdump -i 2 port http -v
To see even more details, the verbosity level can be increased to -vv or -vvv by adding another v to the option, like below.
$ tcpdump -i 2 port http -vvv
The default verbosity can also be decreased with the option -q, which prints a shorter, quieter line per packet.
$ tcpdump -i 2 port http -q
Display Captured Packets in ASCII or Text Format
While capturing packets we may want to see their contents as ASCII text. For example, with HTTP traffic we can print the HTTP headers directly to the console. The -A option prints each packet (minus its link-level header) in ASCII.
$ tcpdump -i 2 "port http" -A
Display Captured Packets In Hex Format
Another way to display captured packets is in hex. The -X option prints each packet in hex and ASCII side by side (use -x for hex only).
$ tcpdump -i 2 "port http" -X
Display Port, Hosts Information In Numeric Format
By default port numbers and IP addresses are displayed as names where possible: port 80 is shown as http, and an IP address is shown as a host name if it can be resolved. With -n they are shown numerically. This also avoids the reverse DNS lookups, which slow the capture down and themselves send traffic onto the network while you are sniffing. Use -nn to make sure port and protocol numbers are never translated either.
$ tcpdump -i 2 port http -q -n
Set Packet Count To Capture
In some situations we want to limit the number of captured packets; for example, to identify a network conversation we generally only need the start of the TCP session. The count is specified with -c; here we set it to 5.
$ tcpdump -i 2 "port http" -c 5
Set Packet Size To Capture
Another way to limit a capture is to set the number of bytes kept from each packet, the snapshot length (snaplen). Every packet can have a different size; this option sets an upper bound on how many bytes of each packet are captured, and anything beyond it is discarded. The snaplen is set with -s (the default in current versions is 262144 bytes). Here we keep 100 bytes, which is enough for the Ethernet, IP and TCP headers and is useful when writing large captures to a file, but note that the payload and any header beyond the cut are lost, and tcpdump marks such packets as truncated (for example [|tcp]). Do not confuse -s with the capital -C, which rotates the output file when it reaches the given size in millions of bytes.
$ tcpdump -i 2 "port http" -s 100
Capture Only TCP Packets
Normally every packet is saved in full, from the Ethernet header up to the application data. A capture filter does not cut layers out of a packet; it selects which packets are kept. To keep only packets of a specific protocol, name that protocol in the filter, for example tcp:
$ tcpdump -i 2 tcp
Capture Only Udp Packets
Like TCP, only UDP packets can be captured, like below.
$ tcpdump -i 2 udp
Capture Only Icmp Packets
This command will capture only ICMP packets.
$ tcpdump -i 2 icmp
Capture Only Arp Packets
Tcpdump can also capture only ARP packets, like below. ARP is not carried inside IP, so these packets are not matched by the ip filter.
$ tcpdump -i 2 arp
Capture Only IP Packets
As shown in the previous examples we can capture specific protocols. In this example we will capture only IPv4 packets (use ip6 for IPv6).
$ tcpdump -i 2 ip
Capture Only Specified Destination IP Traffic
Another useful filter while using tcpdump is filtering according to the destination IP address. The destination is specified with dst, like below. A host name in a filter is resolved once, when the filter is compiled, to the address(es) it has at that moment; a name that maps to many changing addresses, like google.com, may therefore miss traffic, so prefer a literal address when you know it.
$ tcpdump -i 2 dst google.com
Capture Only Specified Network Traffic
We have previously filtered captured packets according to host name. We can also use the net filter to match a whole network, given in CIDR notation. The host bits must be zero, otherwise tcpdump rejects the expression with a "non-network bits set" error, so the network 18.104.22.0/24 is written as follows.
$ tcpdump -i 2 net 18.104.22.0/24
Capture Only Specified Port Range
Specifying many single ports for filtering is not practical. Tcpdump lets us define port ranges with the portrange option; like port, it matches either the source or the destination port.
$ tcpdump -i 2 portrange 70-90
Saving Captured Packets To Pcap File
Captured packet information is printed to the console by default. To save the raw packets to a file instead, use -w, as in the following command, which saves the capture to a file named deneme.pcap. Other capture file formats are supported, but pcap is the common one. When -w is used nothing is printed to the terminal, and the file contains the packets themselves (up to the snaplen) rather than text summaries, so display options such as -n, -v or -A have no effect on what is written.
$ tcpdump -i 2 "port http" -w deneme.pcap
Reading Pcap Capture File
After saving the capture file, tcpdump can read it back with -r and display it on the terminal. No interface is needed when reading from a file, and filters and display options such as -n, -v or -A can be applied to the saved packets just as in a live capture. Parsing a capture file from an untrusted source exercises tcpdump's protocol dissectors, so do that on a disposable machine or as an unprivileged user.
$ tcpdump -r deneme.pcap
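The following is an added example, not part of the original page and not tcpdump's own code. It shows what the -s, -w and -r options above operate on: a minimal pcap writer and reader (the classic libpcap file format, not pcapng) built from constructed Ethernet/IPv4/TCP frames, plus a summarizer that prints one line per packet in the spirit of tcpdump -n -q. Writing the same frames with a smaller snaplen shows caplen falling below the original length, and a snaplen too small for the TCP header produces the same kind of [|tcp] marker tcpdump prints for truncated packets. The frames, addresses and timestamps are sample data made up for the example; checksums and MAC addresses are left as zeros.

```python
import os
import socket
import struct
import tempfile

PCAP_MAGIC_LE = 0xA1B2C3D4      # microsecond-resolution pcap, little-endian
PCAP_MAGIC_BE = 0xD4C3B2A1      # same magic as seen when the bytes are swapped
LINKTYPE_ETHERNET = 1
ETH_LEN = 14


def build_tcp_frame(src_ip, dst_ip, sport, dport, payload=b""):
    """Constructed sample Ethernet/IPv4/TCP frame (zero MACs and checksums).
    Test input only; tcpdump captures real frames from the NIC."""
    tcp_hdr = struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, 0x18, 65535, 0, 0)
    ip_total = 20 + len(tcp_hdr) + len(payload)
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, ip_total, 0, 0x4000, 64, 6, 0,
                         socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    eth_hdr = bytes(6) + bytes(6) + struct.pack("!H", 0x0800)
    return eth_hdr + ip_hdr + tcp_hdr + payload


def write_pcap(path, frames, snaplen=262144):
    """Write (timestamp, frame) pairs as a pcap file. Each record stores caplen
    (bytes kept) and origlen (bytes on the wire); they differ when the snaplen
    cut the packet, which is exactly what `tcpdump -s N` does."""
    with open(path, "wb") as f:
        f.write(struct.pack("<IHHiIII", PCAP_MAGIC_LE, 2, 4, 0, 0, snaplen, LINKTYPE_ETHERNET))
        for ts, frame in frames:
            kept = frame[:snaplen]
            sec = int(ts)
            usec = int(round((ts - sec) * 1_000_000))
            f.write(struct.pack("<IIII", sec, usec, len(kept), len(frame)))
            f.write(kept)


def read_pcap(path):
    """Yield (timestamp, caplen, origlen, bytes) for every record, either byte order."""
    with open(path, "rb") as f:
        ghdr = f.read(24)
        if len(ghdr) < 24:
            raise ValueError("short pcap global header")
        magic = struct.unpack("<I", ghdr[:4])[0]
        if magic == PCAP_MAGIC_LE:
            end = "<"
        elif magic == PCAP_MAGIC_BE:
            end = ">"
        else:
            raise ValueError("not a classic pcap file (pcapng is a different format)")
        while True:
            rhdr = f.read(16)
            if len(rhdr) < 16:
                break
            sec, usec, caplen, origlen = struct.unpack(end + "IIII", rhdr)
            data = f.read(caplen)
            if len(data) < caplen:
                raise ValueError("truncated pcap record")
            yield sec + usec / 1_000_000, caplen, origlen, data


def summarize(caplen, origlen, data):
    """One-line summary like `tcpdump -n -q` for IPv4/TCP: numeric addresses and
    ports (no DNS or service lookups), and a packet cut short by the snaplen is
    flagged instead of being parsed past the bytes that were actually kept."""
    if caplen < ETH_LEN + 20:
        return "[|ip]"
    if struct.unpack("!H", data[12:14])[0] != 0x0800:
        return "non-IPv4 frame"
    ihl = (data[ETH_LEN] & 0x0F) * 4
    ip_total = struct.unpack("!H", data[ETH_LEN + 2:ETH_LEN + 4])[0]
    proto = data[ETH_LEN + 9]
    src = socket.inet_ntoa(data[ETH_LEN + 12:ETH_LEN + 16])
    dst = socket.inet_ntoa(data[ETH_LEN + 16:ETH_LEN + 20])
    if proto != 6:
        return f"IP {src} > {dst}: proto {proto}, length {ip_total}"
    tcp_off = ETH_LEN + ihl
    if caplen < tcp_off + 20:
        return f"IP {src} > {dst}: [|tcp]"
    sport, dport = struct.unpack("!HH", data[tcp_off:tcp_off + 4])
    doff = (data[tcp_off + 12] >> 4) * 4
    payload_len = ip_total - ihl - doff          # from the IP header, as tcpdump does
    return f"IP {src}.{sport} > {dst}.{dport}: tcp {payload_len}"


def capture_and_replay(snaplen):
    """Write a constructed two-packet capture with the given snaplen, read it
    back and return (caplen, origlen, summary) per record."""
    frames = [
        (1700000000.25, build_tcp_frame("10.0.0.1", "10.0.0.2", 54321, 80,
                                        b"GET / HTTP/1.1\r\nHost: 10.0.0.2\r\n\r\n")),
        (1700000000.50, build_tcp_frame("10.0.0.2", "10.0.0.1", 80, 54321)),
    ]
    with tempfile.NamedTemporaryFile(suffix=".pcap", delete=False) as tmp:
        path = tmp.name
    try:
        write_pcap(path, frames, snaplen=snaplen)
        return [(caplen, origlen, summarize(caplen, origlen, data))
                for _, caplen, origlen, data in read_pcap(path)]
    finally:
        os.unlink(path)


if __name__ == "__main__":
    for snaplen in (262144, 60, 40):
        print(f"snaplen {snaplen}:")
        for rec in capture_and_replay(snaplen):
            print("  caplen=%d origlen=%d  %s" % rec)
```

With the default snaplen both records are kept whole (88 and 54 bytes). With -s 60 the request is cut to 60 bytes, yet the summary is unchanged, because the headers fit and the payload length comes from the IP header, not from the bytes on disk; with -s 40 the TCP header itself is gone and the packet can only be reported as [|tcp]. The files this writes can be opened with tcpdump -r or Wireshark.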