Tcpdump Tutorial With Examples
Tcpdump is a packet sniffer for everyday use. There are many packet sniffers, but tcpdump stands out for its general availability and ease of use. Tcpdump uses the libpcap library, which is the core library used for packet capture. Here we will look at general usage examples of packet sniffing. Be aware that tcpdump needs enough privilege to capture (root, or the CAP_NET_RAW and CAP_NET_ADMIN capabilities), and security mechanisms such as SELinux or AppArmor must permit it. Captured data is generally written to a file with the pcap extension. Pcap files can be read and parsed with the popular GUI-based network tool Wireshark.
More detailed information can be obtained from the tcpdump man page:
$ man tcpdump
On a standard Linux system there are many interfaces. I mean not only network interfaces: USB interfaces exist too. Tcpdump can capture the USB protocol from USB interfaces and from other special kernel devices. Tcpdump numbers the interfaces so that an index can optionally be used instead of the name. First, list the interfaces tcpdump can sniff and capture from, then select one.
$ tcpdump -D
On this Ubuntu system the listing showed 10 interfaces tcpdump can sniff. Tcpdump also gives some information about interface status, such as up/down and the connection type. There is a special pseudo-interface named any, numbered 2 in this listing, through which the traffic of all interfaces can be sniffed. Note that any captures in Linux "cooked" mode, so the output carries a synthetic link-layer header instead of the real Ethernet header, and it cannot be put into promiscuous mode.
To use one of the listed interfaces, either the interface name or its index can be given to -i. The index assigned to a given interface is not stable across systems (or even reboots), so in scripts prefer the name.
$ tcpdump -i 2
$ tcpdump -i ens3
Capturing Specified Port with Tcpdump
By default tcpdump captures all network traffic on the interface, which may produce enormous output. To capture only a specific port we can use the port filter primitive (a capture filter in pcap-filter syntax, not a command-line option). In this example we listen only to the HTTP port; the name http is translated to 80 through /etc/services:
$ sudo tcpdump -i 2 "port http"
While capturing, tcpdump prints one short summary line per packet by default. To get more details about each packet, the verbose option should be specified.
$ tcpdump -i 2 port http -v
To see even more detail, the verbosity level can be increased up to -vvv by adding another v to the option, as below.
$ tcpdump -i 2 port http -vvv
The default verbosity can also be decreased with the -q option, which gives shorter, quieter output.
$ tcpdump -i 2 port http -q
Display Captured Packets ASCII or Text
While capturing packets we may want to display their payload as ASCII text. For example, in HTTP traffic we can print the HTTP headers directly to the console. -A shows what is on the wire, so it is only useful for plaintext protocols; TLS traffic comes out as gibberish.
$ tcpdump -i 2 "port http" -A
Display Captured Packets In Hex
Another way to display captured packets is in hex. -X prints each packet as hex alongside its ASCII decoding (-x prints hex only, and -XX/-xx include the link-layer header as well).
$ tcpdump -i 2 "port http" -X
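For reference, the following Python function reproduces the -X layout (offset, hex in 16-bit groups, ASCII column) for raw packet bytes. It is an added example, not code from this page or from tcpdump itself; the input bytes are constructed for the demonstration. It is handy when another tool hands you raw packet bytes and you want them in the shape you are used to reading from tcpdump:

```python
def hexdump(data: bytes, width: int = 16, with_ascii: bool = True) -> str:
    """Render bytes in the layout tcpdump uses for -X: offset, hex in 16-bit groups, ASCII column.
    with_ascii=False gives the -x layout (hex only). Non-printable bytes are shown as '.'."""
    hex_width = width * 2 + width // 2 - 1      # 16 bytes -> 8 groups of 4 hex chars + 7 spaces = 39
    lines = []
    for offset in range(0, len(data), width):
        chunk = data[offset:offset + width]
        groups = " ".join(chunk[i:i + 2].hex() for i in range(0, len(chunk), 2))
        line = f"\t0x{offset:04x}:  {groups:<{hex_width}}"
        if with_ascii:
            line += "  " + "".join(chr(b) if 0x20 <= b < 0x7F else "." for b in chunk)
        lines.append(line if with_ascii else line.rstrip())
    return "\n".join(lines)


# Constructed sample, not a real capture: an IPv4 header (10.0.0.5 -> 10.0.0.1, protocol 6 = TCP,
# checksum zeroed) followed by the start of an HTTP request line.
SAMPLE = bytes.fromhex("4500003c1c464000400600000a0000050a000001") + b"GET / HTTP/1.1\r\n"

if __name__ == "__main__":
    print(hexdump(SAMPLE))
```

Running it prints three lines for the 36 sample bytes; the first reads `0x0000:  4500 003c 1c46 4000 4006 0000 0a00 0005  E..<.F@.@.......`, which is exactly how tcpdump would show that header.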
Display Port, Hosts As Number
By default ports and IP addresses are displayed as names where possible: port 80 is shown as http, and an IP address is shown as a host name if it can be resolved. -n disables host name resolution, which also avoids the reverse DNS lookup for every address (lookups slow the capture down and tell your DNS server what you are looking at); -nn additionally leaves port and protocol numbers numeric, as below.
$ tcpdump -i 2 port http -q -nn
Set Packet Count To Capture
In some situations we want to limit the number of captured packets; for example, to identify a traffic flow we generally only need the start of the TCP session. The count is specified with -c; here we set it to 5.
$ tcpdump -i 2 "port http" -c 5
Set Packet Size To Capture
Another way to limit a capture is to set the snapshot length, the maximum number of bytes kept from each packet. Packets have different sizes; this option caps how much of each packet is stored and the rest is discarded (the record still notes the original length, and tcpdump marks such packets as truncated). The option is -s, and the default in current versions is 262144 bytes. Here we set it to 100 bytes, which keeps files small when redirecting captures to a file, but be aware that any payload beyond the cap is lost. Do not confuse -s with -C, which is the size in millions of bytes at which tcpdump rotates to a new output file when writing with -w.
$ tcpdump -i 2 "port http" -s 100
Capture Only Tcp Packets
Normally packets of every protocol are captured, from the Ethernet layer up to the application protocol. The capture can be restricted to a single protocol by naming it in the filter expression, for example tcp, as below.
$ tcpdump -i 2 tcp
Capture Only Udp Packets
Like TCP, only UDP packets can be captured, as below.
$ tcpdump -i 2 udp
Capture Only Icmp Packets
This command captures only ICMP packets.
$ tcpdump -i 2 icmp
Capture Only Arp Packets
Tcpdump can also capture only ARP packets, as below.
$ tcpdump -i 2 arp
Capture Only IP Packets
As shown in the previous examples we can capture a specific protocol. In this example we capture only IP packets; ip matches IPv4, so ARP, IPv6 (which has its own ip6 primitive) and other non-IP frames are excluded.
$ tcpdump -i 2 ip
Capture According To Destination IP
Another useful filter for network traffic while using tcpdump is filtering by destination IP address. The destination can be specified with dst (short for dst host), as below. A host name is resolved once, when the filter is compiled, so for a name like google.com that maps to several addresses only the addresses returned at that moment are matched; for reliable results give the literal IP address.
$ tcpdump -i 2 dst google.com
Capture According To Network
We have previously filtered captured packets by host. We can also use the net filter to match a whole network in CIDR notation. libpcap rejects a prefix with host bits set (it reports "non-network bits set"), so the network address must be given, here 18.104.22.0/24:
$ tcpdump -i 2 net 18.104.22.0/24
Capture According To Port Range
Listing many individual ports in a filter is not practical. Tcpdump provides the portrange primitive to define a range of ports, as below.
$ tcpdump -i 2 portrange 70-90
Saving Captured Packets To Pcap File
Captured packet information is printed to the console by default. To save it to a file instead, use -w, as in the following command, which saves the capture to a file named deneme.pcap. Several capture file formats are supported, but pcap is the common one. -w writes the raw packets rather than the text summary, so the file can be analysed later with tcpdump -r or Wireshark; since it holds full payloads, including any credentials or session cookies that crossed the wire, treat it as sensitive.
$ tcpdump -i 2 "port http" -w deneme.pcap
Reading Pcap Capture File
After saving a capture file, tcpdump can read it back and print the output to the terminal with the following command. No interface option is needed when reading from a file, and -n avoids a DNS lookup for every address in the file.
$ tcpdump -n -r deneme.pcap
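The pcap file that -w writes is simple enough to produce and parse by hand, and doing so makes several of the options above concrete: the snapshot length (-s) decides how many bytes of each packet are stored while the record header keeps the original length; filter primitives such as port, tcp, dst host and net select records; and -r just replays the file. The following Python, added here as an example and not part of this page or of tcpdump, implements a minimal classic-pcap writer and reader plus a small "and"-only subset of the pcap-filter syntax. All packets and addresses are constructed in memory for the demonstration, host names are not resolved, and it is not a replacement for libpcap.

```python
import ipaddress
import os
import struct
import tempfile

PCAP_MAGIC_LE = b"\xd4\xc3\xb2\xa1"   # 0xa1b2c3d4 (microsecond timestamps), written little-endian
PROTO_NUM = {"icmp": 1, "tcp": 6, "udp": 17}
PROTO_NAME = {v: k for k, v in PROTO_NUM.items()}

def frame(src: str, dst: str, proto: str, l4: bytes) -> bytes:
    """Ethernet II + IPv4 header (no options) around an L4 payload. MAC addresses are dummies."""
    eth = bytes.fromhex("001122334455" "66778899aabb" "0800")
    ip = bytearray(struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 1, 0x4000, 64, PROTO_NUM[proto], 0,
                               ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed))
    csum = sum(struct.unpack("!10H", ip))            # ones'-complement header checksum
    while csum >> 16:
        csum = (csum & 0xFFFF) + (csum >> 16)
    ip[10:12] = struct.pack("!H", ~csum & 0xFFFF)
    return eth + bytes(ip) + l4

def tcp(sport: int, dport: int, payload: bytes = b"") -> bytes:
    # seq/ack 1, data offset 5, flags PSH|ACK, window 65535, checksum 0 (nothing validates it here)
    return struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 65535, 0, 0) + payload

def udp(sport: int, dport: int, payload: bytes = b"") -> bytes:
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload   # checksum 0 = none

def write_pcap(path: str, packets, snaplen: int = 262144) -> None:
    """Write (timestamp, frame) pairs. snaplen acts like -s: bytes past it are dropped, but the record keeps the original length."""
    with open(path, "wb") as f:
        f.write(PCAP_MAGIC_LE + struct.pack("<HHiIII", 2, 4, 0, 0, snaplen, 1))   # 1 = LINKTYPE_ETHERNET
        for ts, data in packets:
            caplen = min(len(data), snaplen)
            f.write(struct.pack("<IIII", int(ts), round((ts % 1) * 1e6), caplen, len(data)) + data[:caplen])

def decode(data: bytes, ts: float, origlen: int) -> dict:
    """Extract the fields the filters need from one Ethernet/IPv4 record."""
    pkt = {"ts": ts, "len": origlen, "caplen": len(data), "proto": None}
    if len(data) < 34 or data[12:14] != b"\x08\x00":
        return pkt                      # not IPv4, or cut off before the end of the IP header
    pkt["proto"] = PROTO_NAME.get(data[23], str(data[23]))
    pkt["src"], pkt["dst"] = str(ipaddress.IPv4Address(data[26:30])), str(ipaddress.IPv4Address(data[30:34]))
    l4 = data[14 + (data[14] & 0x0F) * 4:]
    if pkt["proto"] in ("tcp", "udp") and len(l4) >= 4:
        pkt["sport"], pkt["dport"] = struct.unpack("!HH", l4[:4])
    return pkt

def read_pcap(path: str):
    """Yield decoded records; accepts the classic pcap magic in either byte order."""
    with open(path, "rb") as f:
        order = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}.get(f.read(24)[:4])
        if order is None:
            raise ValueError("not a classic pcap file")
        while len(rec := f.read(16)) == 16:
            ts_s, ts_us, caplen, origlen = struct.unpack(order + "IIII", rec)
            yield decode(f.read(caplen), ts_s + ts_us / 1e6, origlen)

def matches(pkt: dict, expr: str) -> bool:
    """'and'-joined primitives: ip, tcp, udp, icmp, port N, portrange A-B, [src|dst] host ADDR, [src|dst] net CIDR."""
    for prim in expr.split(" and "):
        tok = prim.split()
        sides = (tok.pop(0),) if tok[0] in ("src", "dst") else ("src", "dst")
        addrs, ports = [pkt.get(s) for s in sides], [pkt.get(s[0] + "port") for s in sides]   # sport/dport
        if tok[0] in ("ip", "tcp", "udp", "icmp"):
            ok = pkt["proto"] == tok[0] or (tok[0] == "ip" and pkt["proto"] is not None)
        elif tok[0] == "port":
            ok = int(tok[1]) in ports
        elif tok[0] == "portrange":
            lo, hi = map(int, tok[1].split("-"))
            ok = any(p is not None and lo <= p <= hi for p in ports)
        elif tok[0] == "host":
            ok = tok[1] in addrs
        elif tok[0] == "net":
            net = ipaddress.ip_network(tok[1], strict=True)      # like libpcap: host bits set is an error
            ok = any(a is not None and ipaddress.ip_address(a) in net for a in addrs)
        else:
            raise ValueError("unsupported primitive: " + prim)
        if not ok:
            return False
    return True

def summary(pkt: dict) -> str:
    """tcpdump-like one-liner (numeric, as with -nn), flagging packets cut short by the snaplen."""
    if pkt["proto"] is None:
        return f"{pkt['ts']:.6f} non-IPv4 or truncated frame, length {pkt['len']}"
    ends = [pkt[s] + (f".{pkt[s[0] + 'port']}" if "sport" in pkt else "") for s in ("src", "dst")]
    trunc = "" if pkt["caplen"] == pkt["len"] else f" [truncated {pkt['caplen']}/{pkt['len']}]"
    return f"{pkt['ts']:.6f} IP {ends[0]} > {ends[1]}: {pkt['proto'].upper()} length {pkt['len']}{trunc}"

def demo(expr: str = "port 80", snaplen: int = 262144) -> list:
    """Write three constructed packets (HTTP request, DNS query, ICMP echo), read them back, return matching summaries."""
    packets = [
        (1700000000.0, frame("10.0.0.5", "203.0.113.10", "tcp", tcp(51000, 80, b"GET / HTTP/1.1\r\nHost: example.com\r\n\r\n"))),
        (1700000001.0, frame("10.0.0.5", "10.0.0.1", "udp", udp(53000, 53, b"\x12\x34\x01\x00" + bytes(8)))),
        (1700000002.0, frame("10.0.0.1", "10.0.0.5", "icmp", b"\x08\x00\xf7\xff" + bytes(4))),
    ]
    path = os.path.join(tempfile.gettempdir(), "tcpdump_demo.pcap")   # assumed scratch location
    write_pcap(path, packets, snaplen)
    return [summary(p) for p in read_pcap(path) if matches(p, expr)]
```

demo("port 80") returns the single HTTP line, demo("udp and dst net 10.0.0.0/24") the DNS query, and demo("ip", snaplen=20) returns nothing at all, because 20 bytes is not even enough for the Ethernet and IPv4 headers, which is the same reason a too-small -s leaves tcpdump unable to decode what it captured. Passing a prefix with host bits set, such as net 18.104.22.168/24, raises ValueError just as tcpdump refuses it. The file written by this code loads in Wireshark or tcpdump -r like any other capture.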