Tcpdump Tutorial With Examples – POFTUT

Tcpdump Tutorial With Examples


Tcpdump is a packet sniffer for everyday use. There is a lot of packet sniffers but tcpdump differs with his general availability and ease of use. Tcpdump use libcap library which is the core library used for packet sniffing. Here we will look at general usage examples of packet sniffing. Be aware that to use tcpdump, tcpdump should have enough privilege and security mechanisms like SELinux, AppArmor should give permission. Captured data is generally written into a file with pcap extension. Pcap files can be read and parsed with popular GUI based network tool Wireshark.

Tcpdump Command Man

More detailed information can be get from tcpdump man page like below.

$ man tcpdump
Man Tcpdump
Man Tcpdump

List Network Interfaces with Tcpdump

On a standard Linux system, there is a lot of interfaces. I mean not just network interface also USB interfaces exists. Tcpdump can listen to USB protocol from USB interfaces and other special Kernel devices. Tcpdump numbers interfaces as optional usage. First to select interface list interfaces tcpdump can sniff and capture.

$ tcpdump -D
List Interfaces
List Interfaces

As we see from screenshot tcpdump can sniff 10 interfaces on this Ubuntu system. Tcpdump also gives some information about interface status like up/down and connection type. There is a special interfaces type numbered 2 which named any where all interfaces traffic can be sniffed from these interfaces

Select Network Interface For Packet Capture

To use one of the listed interfaces interface name or index can be used. Here is a special interface named any which captures all interfaces.

$ tcpdump -i 2

OR

$ tcpdump -i ens3

Capturing Specified Port with Tcpdump

By default all network traffic is captured with the tcpdump . This may create enormous output. If we want to only capture specific port we can use port option. In this example we will only listen HTTP port with the port http.

$ sudo tcpdump -i 2 "port http"
Capturing Specified Port with Tcpdump
Capturing Specified Port with Tcpdump

Verbose Output For Packet Capture with Tcpdump

While capturing packets only IP header information is shown. To get more details about packets verbose option should be specified.

$ tcpdump -i 2  port http -v
Verbose Output
Verbose Output

Increase Verbosity

To see more details than current details verbosity level can be increased with the -vvv by adding new to the option like below.

$ tcpdump -i 2  port http -vvv
Increase Verbosity
Increase Verbosity

Decrement Verbosity

It can be decreased the default verbosity to get more elegant output for the packet sniffing with option -q .

$ tcpdump -i 2  port http -q
Decrement Verbosity
Decrement Verbosity

Display Captured Packets in ASCII or Text Format

While capturing packets we may want to show them as ASCII or text. For example in HTTP traffic we can ouput HTTP headers directly to the console.

$ tcpdump -i 2  "port http" -A
Print Captured Packets ASCII or Text
Print Captured Packets ASCII or Text

Display Captured Packets In Hex Format

Another way to display captured files is Hex format.

$ tcpdump -i 2  "port http" -X
Display Captured Packets In Hex
Display Captured Packets In Hex

Display Port, Hosts Information In Numeric Format

By default port and ip numbers are displayed as text for example port 80 will shown as http or an ip address will shown as host name if it can be resolved. These information can be shown as numeric like below.

$ tcpdump -i 2  port http -q -n
Display Port, Hosts As Number
Display Port, Hosts As Number

Set Packet Count To Capture

In some situations, we want to limit captured packet count for example to identify network traffic we generally need the start of the TCP session. Specify count for captured packets here we set it to 5.

$ tcpdump -i 2  "port http" -c 5 
Set Packet Count To Capture
Set Packet Count To Capture

Set Packet Size To Capture

Another similar option to limiting capture is setting total capture size for each packet. Each packet can have different sizes these options will set standard size for each packet captured. Set size for the captured packet, we set here 100 bytes this is useful when redirecting captures to the file.

$ tcpdump -i 2 "port http" -C 100
Set Packet Size To Capture
Set Packet Size To Capture

Capture Only TCP Packets

Normally all network layers protocols are saved from the Ethernet protocol to Application protocol. But only a specific layer can be captured by specifying a protocol like TCP like below.

$ tcpdump -i 2  tcp

Capture Only Udp Packets

Like Tcp packet only Udp packets can be captured like below.

$ tcpdump -i 2  udp

Capture Only Icmp Packets

This command will capture and sniff only ICMP packets.

$ tcpdump -i 2  icmp

Capture Only Arp Packets

Tcpdump have the ability to only capture Arp packets like below.

$ tcpdump -i 2  arp

Capture Only IP Packets

As shown previous example we can capture specific protocols. In this example, we will capture only IP packets.

$ tcpdump -i 2  ip

Capture Only Specified Destination IP Traffic

Another useful filter for network traffic while using tcpdump is filtering according to the destination IP address. The destination IP address can be specified with dst  like below.

$ tcpdump -i 2  dst google.com
Capture According To Destination IP
Capture According To Destination IP

Capture Only Specified Network Traffic

We have previously filtered captured packets according to hostname. We can also use network filters to filter according to specified networks.

$ tcpdump -i 2  net 172.217.17.0/24
Capture According To Network
Capture According To Network

Capture Only Specified Port Range

Specifying multiple ports for filtering is not a practical solution. Tcpdump provides options to easily define port ranges with portrange option.

$ tcpdump -i 2  portrange 70-90
Capture According To Port Range
Capture According To Port Range

Saving Captured Packets To Pcap File

Captured packets information is printed to the console which is by default command line. If we want to save the to a file following command.Save captured files to the file named deneme.pcap . Actually there is a lot of supported capture file format but pcap is common usage. File

$ tcpdump -i 2 "port http" -w deneme.pcap
Saving Captured Packets To Pcap File
Saving Captured Packets To Pcap File

Reading Pcap Capture File

After saving capture file tcpdump can read the file and show output to the terminal with the following command.

$ tcpdump -i 2 -r deneme.pcap
Reading Pcap Capture File
Reading Pcap Capture File
 Tcpdump Tutorial With Examples Infographic
Tcpdump Tutorial With Examples Infographic

LEARN MORE  What Is Packet Sniffing with List Of Packet Sniffers?

1 thought on “Tcpdump Tutorial With Examples”

Leave a Comment