Introduction
tcpdump
is a command-line tool for capturing and inspecting network traffic flowing into and out of your system. It is the most often used tool for network troubleshooting and security testing among network administrators.
tcpdump
can also capture non-TCP traffic such as UDP, ARP, or ICMP, despite its name. The packets captured can be saved to a file or sent to a standard output. The ability to employ filters and capture only the data you want to analyze is one of the most powerful aspects of the tcpdump
command.
In this tutorial, we'll go through the basics of using the tcpdump
command in Linux. We will also address a few FAQs on tcpdump command in Linux.
Installing tcpdump
Most Linux distributions and macOS come with tcpdump
pre-installed. Type the following command to see if the tcpdump
tool is available on your system:
tcpdump --version
You will get an output like below:
Output
tcpdump version 4.9.2
libpcap version 1.8.1
OpenSSL 1.1.1b 26 Feb 2019
The command above will print "tcpdump: command not found" if tcpdump is not installed on your system. Using your distro's package manager, you can easily install tcpdump
.
Installing tcpdump
on Ubuntu and Debian
sudo apt update && sudo apt install tcpdump
Installing tcpdump
on CentOS and Fedora
sudo yum install tcpdump
Installing tcpdump
on Arch Linux
sudo pacman -S tcpdump
Capturing Packets with tcpdump
The tcpdump
command has the following general syntax:
tcpdump [options] [expression]
- The command
options
allow you to control the command's behavior. - Which packets will be intercepted is determined by the filter
expression
.
tcpdump
can only be run by root or a user with sudo access. You'll get an error if you try to run the command as an unprivileged user: "You don't have authorization to capture on that device."
Invoking tcpdump
without any parameters or filters is the most basic use case:
sudo tcpdump
Output
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ens3, link-type EN10MB (Ethernet), capture size 262144 bytes
15:47:24.248737 IP vegastack-host.ssh > desktop-machine.39196: Flags [P.], seq 201747193:201747301, ack 1226568763, win 402, options [nop,nop,TS val 1051794587 ecr 2679218230], length 108
15:47:24.248785 IP vegastack-host.ssh > desktop-machine.39196: Flags [P.], seq 108:144, ack 1, win 402, options [nop,nop,TS val 1051794587 ecr 2679218230], length 36
15:47:24.248828 IP vegastack-host.ssh > desktop-machine.39196: Flags [P.], seq 144:252, ack 1, win 402, options [nop,nop,TS val 1051794587 ecr 2679218230], length 108
... Long output suppressed
23116 packets captured
23300 packets received by filter
184 packets dropped by kernel
Until an interrupt signal is received, tcpdump
will continue to capture packets and write to the standard output. Send an interrupt signal and stop the command with the Ctrl+C
key combination.
Pass the -v
option for more verbose output, or -vv
for even more verbose output:
sudo tcpdump -vv
The -c
option allows you to select the number of packets to capture. For example, if you only want to capture ten packets, type:
sudo tcpdump -c 10
tcpdump
will exit after capturing the packets.
If no interface is supplied, tcpdump
utilizes the first interface it discovers and dumps all packets that pass over it.
To produce a list of all available network interfaces from which tcpdump
may gather packets, use the -D
option:
sudo tcpdump -D
The command produces the interface name, a brief description, and the corresponding index (number) for each interface:
Output
1.ens3 [Up, Running]
2.any (Pseudo-device that captures on all interfaces) [Up, Running]
3.lo [Up, Running, Loopback]
When no interface is specified to the command, ens3
is the first interface identified by tcpdump
and used. The second interface any
is a unique gadget that allows you to record all currently active interfaces.
Invoke the command with the -i
option followed by the interface name or the related index to specify the interface on which you want to capture traffic. To capture all packets from all interfaces, for example, you would specify any
interface:
sudo tcpdump -i any
By default, tcpdump
resolves IP addresses using reverse DNS and converts port numbers to names. To turn off the translation, use the -n
option:
sudo tcpdump -n
By skipping the DNS lookup, less DNS traffic is generated, and the output is more understandable. When using tcpdump
, it is suggested that you utilize this option.
Instead of displaying the output on the screen, use the redirection operators >
and >>
to save it to a file:
sudo tcpdump -n -i any > file.out
You can also use the tee command to monitor the data while saving it to a file:
sudo tcpdump -n -l | tee file.out
The -l
argument in the previous command tells tcpdump
to buffer the output line. And this option is not selected, when a new line is formed, the output is not written to the screen.
Understanding the tcpdump
Output
Each collected packet's information is output on a separate line by tcpdump
. Depending on the protocol, each line contains a timestamp as well as information about the packet.
The following is a common TCP protocol line format:
[Timestamp] [Protocol] [Src IP].[Src Port] > [Dst IP].[Dst Port]: [Flags], [Seq], [Ack], [Win Size], [Options], [Data Length]
Let's go over each field one at a time and explain the following line:
15:47:24.248737 IP 192.168.1.185.22 > 192.168.1.150.37445: Flags [P.], seq 201747193:201747301, ack 1226568763, win 402, options [nop,nop,TS val 1051794587 ecr 2679218230], length 108
15:47:24.248737
- The captured packet's timestamp is in local time and is formatted as follows:hours:minutes:seconds.frac
, wherefrac
is the number of fractions of a second that have passed since midnight.IP
- Stands for Internet Protocol. In this case, IP stands for Internet Protocol Version 4 (IPv4).192.168.1.185.22
- The source IP address and port, separated by a dot(.
).192.168.1.150.37445
- A dot separates the destination IP address and port (.).Flags [P.]
- TCP Flags field.[P.]
stands for Push Acknowledgment packet, which is used to acknowledge the previous packet and transfer data in this case. The following are some examples of typical flag field values:
1) [.] - ACK (Acknowledgment)
2) [S] - SYN (Start Connection)
3) [P] - PSH (Push Data)
4) [F] - FIN (Finish Connection)
5) [R] - RST (Reset Connection)
6) [S.] - SYN-ACK (SynAcK Packet)
seq 201747193:201747301
- Thefirst:last
notation is used to represent the sequence number. It displays the amount of data in the packet. Except for the first packet in the data stream, which uses absolute byte positions, the rest of the packets use relative byte positions. The number201747193:201747301
in this case indicates that this packet contains bytes201747193 to 201747301
from the data stream. To output absolute sequence numbers, use the-S
option.ack 1226568763
- The sequence number of the next data expected by the other end of this connection is the acknowledgment number.win 402
- The receiving buffer's window number is the total amount of bytes available.options [nop,nop,TS val 1051794587 ecr 2679218230]
- Options for TCP. The padding required to make the TCP header multiple of four bytes is known asnop
, or "no operation." A TCP timestamp isTS val
, and an echo reply isecr
. For additional information on TCP options, see the IANA documentation.length 108
- The size of the payload data.
tcpdump Filters
When tcpdump
is run without any filters, it collects all traffic and generates a massive volume of data, making it difficult to locate and analyze the packets of interest.
One of the most powerful aspects of the tcpdump
command is filters. They are useful because they allow you to capture just packets that meet the expression. When diagnosing issues with a webserver, for example, you can use filters to acquire only HTTP traffic.
tcpdump
filters collected packets using the Berkeley Packet Filter (BPF) syntax, which includes protocols, source and destination IP addresses and ports, and more.
We'll look at some of the most prevalent filters in this article. Check out pcap-filter page for a complete list of all available filters.
Filtering by Protocol
Specify the protocol as a filter to limit the capture to that protocol. To capture only UDP traffic, for example, you would run:
sudo tcpdump -n udp
The proto
qualifier, followed by the protocol number, is another way to specify the protocol. The following command will filter protocol 17 and produce the same result as the previous command:
sudo tcpdump -n proto 17
Check out the IP protocol numbers list for further information on the numbers.
Filtering by Host
Use the host qualifier to capture only packets related to a certain host:
sudo tcpdump -n host 192.168.1.185
An IP address or a name can be used as the host.
The net
qualifier can also be used to limit the output to a certain IP range. To dump only packets pertaining to 10.10.0.0/16
, for example, type:
sudo tcpdump -n net 10.10
Filtering by Port
Use the port
qualifier to collect just packets from or to a certain port. Using the command below, you can capture packets relating to the SSH (port 22) service:
sudo tcpdump -n port 23
You can use the portrange
qualifier to gather traffic from a variety of ports:
sudo tcpdump -n portrange 110-150
Filtering by Source and Destination
You may also use the are src
, dst
, src and dst
, and src or dst
qualifiers to filter packets based on the source or destination port or host.
Coming packets from a host with IP 192.168.1.185 are captured using the following command:
sudo tcpdump -n src host 192.168.1.185
You can use the following commands to find traffic flowing from any source to port 80:
sudo tcpdump -n dst port 80
Complex Filters
The and and
(&&
), or
(||
), and not
(!
) operators can be used to combine filters.
To capture all HTTP traffic from the source IP address 192.168.1.185, for example, execute the following command:
sudo tcpdump -n src 192.168.1.185 and tcp port 80
Parentheses can also be used to group and create more complicated filters:
sudo tcpdump -n 'host 192.168.1.185 and (tcp port 80 or tcp port 443)'
When using special characters, surround the filters in single quotes to avoid parsing issues.
Another example command to capture all communication from a source IP address of 192.168.1.185, except SSH:
sudo tcpdump -n src 192.168.1.185 and not dst port 22
Packet Inspection
tcpdump
collects only the packet headers by default. However, you may need to inspect the contents of the packets on occasion.
You may use tcpdump
to print the contents of packets in ASCII and HEX.
The -A
option instructs tcpdump
to print each packet in ASCII, while the -x
option instructs tcpdump
to print each packet in HEX:
sudo tcpdump -n -A
Use the -X
option to display the contents of the packet in both HEX and ASCII:
sudo tcpdump -n -X
Reading and Writing Captures to a File
The ability to write packets to a file is another useful feature of tcpdump
. When recording a huge number of packets or capturing packets for subsequent examination, this comes in handy.
Use the -w
option followed by the output capture file to begin writing to a file:
sudo tcpdump -n -w data.pcap
The capture will be saved to a file named data.pcap
using the command above. You can name the file whatever you wish, but the .pcap
extension is a typical convention (packet capture).
The output is not displayed on the screen when the -w
option is used. tcpdump
produces a binary file that cannot be read with a conventional text editor and writes raw packets.
Invoke tcpdump
with the -r
option to inspect the contents of the file:
sudo tcpdump -r data.pcap
Add the ampersand sign (&
) at the end of the command to run tcpdump
in the background.
Other packet analyzer software, such as Wireshark, can inspect the capture file.
You can enable file rotation while recording packets over an extended period of time. You can use tcpdump
to produce new files and rotate the dump file based on a time interval or a defined size. Before overwriting previous files, the following command will produce up to ten 200MB files named file.pcap0
, file.pcap1
, and so on.
sudo tcpdump -n -W 10 -C 200 -w /tmp/file.pcap
The older files will be overwritten once ten files have been generated.
Please keep in mind that you should only use tcpdump to troubleshoot problems.
You can use a cronjob to start tcpdump
at a predetermined time. tcpdump
does not provide an option to exit after a certain amount of time has passed. To end tcpdump
after a certain amount of time, use the timeout command. To leave after 5 minutes, for example, you might type:
sudo timeout 300 tcpdump -n -w data.pcap
FAQs on tcpdump Command in Linux
How do I use the tcpdump
command?
To use tcpdump
, open a terminal and run tcpdump
followed by different options and filters. For example, sudo tcpdump -i eth0
captures packets on the eth0 network interface. You can include additional options and filters to refine the capture as needed.
What kind of information can tcpdump
capture?
tcpdump
can capture various types of information from network packets, including source and destination IP addresses, ports, protocols, packet sizes, timestamps, and payload data. It provides insights into network traffic characteristics, helping with troubleshooting, network analysis, or security auditing tasks.
Can the tcpdump
command capture packets on multiple network interfaces simultaneously?
Yes, the tcpdump
command can capture packets on multiple network interfaces simultaneously. Specify multiple interfaces using the -i
option, such as sudo tcpdump -i eth0 -i eth1
, to capture network traffic from both eth0 and eth1 interfaces.
How can I save captured packets to a file using tcpdump
?
To save captured packets to a file, use the -w
option followed by the desired file name. For example, sudo tcpdump -i eth0 -w capture.pcap
will save the captured packets to a file named "capture.pcap". You can later analyze the file using tcpdump
or other tools.
Can tcpdump
filter captured packets based on specific criteria?
Yes, tcpdump
allows you to filter captured packets based on specific criteria using filters. You can use various filter options such as source/destination IP addresses, ports, protocols, packet size, and more. For example, sudo tcpdump port 80
will capture only packets with a destination or source port of 80 (HTTP).
Can I read and analyze existing packet capture files with tcpdump
?
Yes, tcpdump
can read previously captured packet capture files. Use the -r
option followed by the file name to read and analyze a capture file. For example, tcpdump -r capture.pcap
will display the captured packets from the "capture.pcap" file.
Can tcpdump
capture packets based on a specific protocol?
Yes, tcpdump
can capture packets based on a specific protocol. Use the appropriate protocol option followed by the desired filter value. For example, sudo tcpdump icmp
captures only ICMP (ping) packets, while sudo tcpdump udp
captures only UDP packets.
Conclusion
tcpdump
is a command-line application for diagnosing and analyzing network issues.
This tutorial, covered the fundamentals of tcpdump
syntax and usage. Visit the tcpdump
website for more detailed information.
If you have any queries, please leave a comment below and we’ll be happy to respond to them.