Overview Of tcpdump With Examples

Overview Of tcpdump With Examples

You can view information about traffic coming and going from a given network interface using tcpdump. This diagnostic tool allows you to see packet information, that is where incoming packets come from and where outgoing packets are heading to on an interface, with some extra information. You can even save the output to a file to inspect later on. This article will demonstrate the simple examples of tcpdump.

tcpdump ​Default Behavior

Running tcpdump with no parameters will look for the first active interface it finds and displays information about packets coming in or going out of a network device until the process is either interrupted (by pressing Ctrl-C) or killed. Superuser privileges are required when using tcpdump.
$ sudo tcpdump
tcpdump without argument

Once the command is terminated, the output will show how many packets were captured, how many were actually received, and how many the kernel dropped.
tcpdump filter packets

Viewing Parameters

A different interface can be selected to view traffic information. To know which interfaces tcpdump will run with, the ‘-D’ parameter will show a list of devices that can be used as parameters.
$ sudo tcpdump -D
tcpdump select interface

Now that you have a list of usable interfaces, you can specify one to use tcpdump on.
$ sudo tcpdump -i enp0s3
tcpdump use interface

If you want to limit output to only a certain amount of packets, use the ‘-c’ (count) parameter to specify how many packets to capture and display information for before terminating itself.
$ sudo tcpdump -c 20
tcpdump c argument

More detailed information can be displayed using the ‘-v’ (verbose) parameter. Such information includes the time-to-live (TTL), the packet length, protocol, and other information useful for diagnostics. To increase the amount of output for each packet, use either the ‘-vv’ or ‘-vvv’ parameter with tcpdump.
$ sudo tcpdump -v
tcpdump v argument

$ sudo tcpdump -vv
tcpdump vv option

$ sudo tcpdump -vvv
tcpdump vvv argument

Saving To And Reading From Files

Tcpdump can save the output to a file for later viewing by tcpdump using the ‘-w’ parameter along the name of the file to write the file to. The only thing to remember is that the file created can only be read by tcpdump as it’s not in a  plain-text format.To write the tcpdump output to a file (name it anything you wish) while the output is shown on the terminal, run this:

$ sudo tcpdump -w packets.dump
tcpdump save data to file

To read this file later, use tcpdump with the ‘-r’ parameter:
$ sudo tcpdump -r packets.dump
tcpdump dump to file

Filtering Packets

Filters can also be used with tcpdump to only capture packets to and from certain hosts and/or ports, and packets that use a specific protocol (e.g. TCP or UDP). There are other, more advanced filters; however, here are just a few simpler examples:Capture only TCP packets:

$ sudo tcpdump ‘tcp’
tcpdump filtering packets

Capture only UDP packets:
$ sudo tcpdump ‘udp’
tcpdump udp port

Capture HTTP packets (typically uses port 80):
$ sudo tcpdump ‘tcp port 80’
tcpdump tcp port 80

Only capture packets traveling to or from a specific host:
$ sudo tcpdump ‘host www.linux.org’
tcpdump scan domain

Only capture HTTP packets traveling to or from a specific host:
$ sudo tcpdump ‘tcp port 80 and host www.linux.org’
tcpdump scan port 80 on domain

Conclusion

​As demonstrated, tcpdump is quite a simple and useful diagnostic tool to use for displaying and saving packet information through a network interface. By all means, take the time to play around with tcpdump further as there are other features not shown here.

Leave a Reply

Your email address will not be published. Required fields are marked *

linux system administration bootcamp