Tcpdump Command in Linux

Introduction

tcpdump is a command-line tool for capturing and inspecting network traffic flowing into and out of your system. It is the most often used tool for network troubleshooting and security testing among network administrators.

tcpdump can also capture non-TCP traffic such as UDP, ARP, or ICMP, despite its name. The packets captured can be saved to a file or sent to a standard output. The ability to employ filters and capture only the data you want to analyze is one of the most powerful aspects of the tcpdump command.

In this tutorial, we'll go through the basics of using the tcpdump command in Linux. We will also address a few FAQs on tcpdump command in Linux.

Installing tcpdump

Most Linux distributions and macOS come with tcpdump pre-installed. Type the following command to see if the tcpdump tool is available on your system:

tcpdump --version

You will get an output like below:

Output

tcpdump version 4.9.2
libpcap version 1.8.1
OpenSSL 1.1.1b  26 Feb 2019

The command above will print "tcpdump: command not found" if tcpdump is not installed on your system. Using your distro's package manager, you can easily install tcpdump.

Installing tcpdump on Ubuntu and Debian

sudo apt update && sudo apt install tcpdump

Installing tcpdump on CentOS and Fedora

sudo yum install tcpdump

Installing tcpdump on Arch Linux

sudo pacman -S tcpdump

Capturing Packets with tcpdump

The tcpdump command has the following general syntax:

tcpdump [options] [expression]
  • The command options allow you to control the command's behavior.
  • Which packets will be intercepted is determined by the filter expression.

tcpdump can only be run by root or a user with sudo access. You'll get an error if you try to run the command as an unprivileged user: "You don't have authorization to capture on that device."

Invoking tcpdump without any parameters or filters is the most basic use case:

sudo tcpdump
Output

tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ens3, link-type EN10MB (Ethernet), capture size 262144 bytes
15:47:24.248737 IP vegastack-host.ssh > desktop-machine.39196: Flags [P.], seq 201747193:201747301, ack 1226568763, win 402, options [nop,nop,TS val 1051794587 ecr 2679218230], length 108
15:47:24.248785 IP vegastack-host.ssh > desktop-machine.39196: Flags [P.], seq 108:144, ack 1, win 402, options [nop,nop,TS val 1051794587 ecr 2679218230], length 36
15:47:24.248828 IP vegastack-host.ssh > desktop-machine.39196: Flags [P.], seq 144:252, ack 1, win 402, options [nop,nop,TS val 1051794587 ecr 2679218230], length 108

... Long output suppressed

23116 packets captured
23300 packets received by filter
184 packets dropped by kernel

Until an interrupt signal is received, tcpdump will continue to capture packets and write to the standard output. Send an interrupt signal and stop the command with the Ctrl+C key combination.

Pass the -v option for more verbose output, or -vv for even more verbose output:

sudo tcpdump -vv

The -c option allows you to select the number of packets to capture. For example, if you only want to capture ten packets, type:

sudo tcpdump -c 10

tcpdump will exit after capturing the packets.

If no interface is supplied, tcpdump utilizes the first interface it discovers and dumps all packets that pass over it.

To produce a list of all available network interfaces from which tcpdump may gather packets, use the -D option:

sudo tcpdump -D

The command produces the interface name, a brief description, and the corresponding index (number) for each interface:

Output

1.ens3 [Up, Running]
2.any (Pseudo-device that captures on all interfaces) [Up, Running]
3.lo [Up, Running, Loopback]

When no interface is specified, tcpdump uses ens3, the first interface it identified. The second interface, any, is a pseudo-device that lets you capture on all currently active interfaces at once.

Invoke the command with the -i option followed by the interface name or the related index to specify the interface on which you want to capture traffic. To capture all packets from all interfaces, for example, you would specify any interface:

sudo tcpdump -i any

By default, tcpdump resolves IP addresses using reverse DNS and converts port numbers to names. To turn off the translation, use the -n option:

sudo tcpdump -n

By skipping the DNS lookup, less DNS traffic is generated, and the output is more understandable. When using tcpdump, it is suggested that you utilize this option.

Instead of displaying the output on the screen, use the redirection operators > and >> to save it to a file:

sudo tcpdump -n -i any > file.out

You can also use the tee command to monitor the data while saving it to a file:

sudo tcpdump -n -l | tee file.out

The -l option in the previous command makes tcpdump's output line-buffered. Without it, tcpdump buffers output in blocks, so a line is not written to the screen (and to tee) as soon as it is produced.

Understanding the tcpdump Output

Each collected packet's information is output on a separate line by tcpdump. Depending on the protocol, each line contains a timestamp as well as information about the packet.

The following is a common TCP protocol line format:

[Timestamp] [Protocol] [Src IP].[Src Port] > [Dst IP].[Dst Port]: [Flags], [Seq], [Ack], [Win Size], [Options], [Data Length]

Let's go over each field one at a time and explain the following line:

15:47:24.248737 IP 192.168.1.185.22 > 192.168.1.150.37445: Flags [P.], seq 201747193:201747301, ack 1226568763, win 402, options [nop,nop,TS val 1051794587 ecr 2679218230], length 108
  • 15:47:24.248737 - The timestamp of the captured packet, in local time, formatted as hours:minutes:seconds.frac, where frac is the fraction of a second; the time is counted since midnight.
  • IP - Stands for Internet Protocol. In this case, IP stands for Internet Protocol Version 4 (IPv4).
  • 192.168.1.185.22 - The source IP address and port, separated by a dot(.).
  • 192.168.1.150.37445 - A dot separates the destination IP address and port (.).
  • Flags [P.] - The TCP flags field. [P.] stands for a Push-Acknowledgment packet, which in this case acknowledges the previous packet and carries data. Some typical flag field values:

   1) [.] - ACK (Acknowledgment)
   2) [S] - SYN (Start Connection)
   3) [P] - PSH (Push Data)
   4) [F] - FIN (Finish Connection)
   5) [R] - RST (Reset Connection)
   6) [S.] - SYN-ACK (SYN-ACK Packet)

  • seq 201747193:201747301 - The sequence number, in first:last notation, shows which bytes of the data stream this packet carries. Except for the first packet in the data stream, which uses absolute byte positions, the rest of the packets use relative byte positions. In this case, 201747193:201747301 means that this packet contains bytes 201747193 to 201747301 of the data stream. To output absolute sequence numbers, use the -S option.
  • ack 1226568763 - The acknowledgment number: the sequence number of the next byte of data expected by the other end of this connection.
  • win 402 - The window size: the number of bytes of receive buffer space available.
  • options [nop,nop,TS val 1051794587 ecr 2679218230] - TCP options. nop ("no operation") is padding used to make the TCP header a multiple of four bytes. TS val is the TCP timestamp value and ecr is the timestamp echo reply. For more information on TCP options, see the IANA documentation.
  • length 108 - The size of the payload data.
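The line format above is regular enough to parse mechanically, which is how a defender turns a -n text capture into counts worth alerting on. The following Python script is an added example, not part of the original tutorial and not code from tcpdump; it assumes output produced with -n and IPv4 addresses only, and the sample lines it parses are constructed rather than captured. Besides splitting a line into the fields described above, it counts bare SYNs (flag S with no acknowledgment) per source address, a quick indicator of half-open connection attempts in a capture.

```python
import re
from collections import Counter

# Pattern for the TCP line format described above:
# [Timestamp] [Protocol] [Src IP].[Src Port] > [Dst IP].[Dst Port]: [Flags], [Seq], [Ack], [Win], [Options], [Length]
# Assumes tcpdump ran with -n (numeric IPv4 addresses and ports), so "host.port" splits on
# the last dot. seq/ack/win/options are optional: a bare SYN has no ack field and a bare
# ACK has no seq field.
TCP_LINE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) (?P<proto>IP) "
    r"(?P<src>\S+)\.(?P<sport>\d+) > (?P<dst>\S+)\.(?P<dport>\d+): "
    r"Flags \[(?P<flags>[^\]]*)\]"
    r"(?:, seq (?P<seq>\d+(?::\d+)?))?"
    r"(?:, ack (?P<ack>\d+))?"
    r"(?:, win (?P<win>\d+))?"
    r"(?:, options \[(?P<options>[^\]]*)\])?"
    r", length (?P<length>\d+)$"
)

# Constructed sample output in the form "tcpdump -n" prints (not a real capture).
# The banner line and the DNS (UDP) line are included to show that they are skipped.
SAMPLE = """\
listening on ens3, link-type EN10MB (Ethernet), capture size 262144 bytes
15:47:24.248737 IP 192.168.1.185.22 > 192.168.1.150.37445: Flags [P.], seq 201747193:201747301, ack 1226568763, win 402, options [nop,nop,TS val 1051794587 ecr 2679218230], length 108
15:47:24.249001 IP 192.168.1.150.37445 > 192.168.1.185.22: Flags [.], ack 108, win 501, options [nop,nop,TS val 2679218231 ecr 1051794587], length 0
15:47:25.000100 IP 192.168.1.200.40001 > 192.168.1.185.22: Flags [S], seq 1000, win 64240, options [mss 1460,sackOK,TS val 10 ecr 0,nop,wscale 7], length 0
15:47:25.000200 IP 192.168.1.200.40002 > 192.168.1.185.80: Flags [S], seq 2000, win 64240, options [mss 1460,sackOK,TS val 11 ecr 0,nop,wscale 7], length 0
15:47:25.000300 IP 192.168.1.185.80 > 192.168.1.200.40002: Flags [R.], seq 0, ack 2001, win 0, length 0
15:47:25.000400 IP 192.168.1.185.53 > 192.168.1.150.51234: 1234 1/0/0 A 93.184.216.34 (44)
"""


def parse_tcp_line(line):
    """Split one tcpdump TCP line into a dict of fields; return None for any other line."""
    m = TCP_LINE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    d["sport"], d["dport"], d["length"] = int(d["sport"]), int(d["dport"]), int(d["length"])
    d["ack"] = int(d["ack"]) if d["ack"] is not None else None
    d["win"] = int(d["win"]) if d["win"] is not None else None
    # seq is either "first:last" (data-carrying packet) or a single number (SYN, RST)
    d["seq_first"] = d["seq_last"] = None
    if d["seq"] is not None:
        first, _, last = d["seq"].partition(":")
        d["seq_first"] = int(first)
        d["seq_last"] = int(last) if last else None
    d["options"] = d["options"].split(",") if d["options"] else []
    return d


def syn_counts(lines):
    """Count bare SYNs (flags exactly "S") per source address.

    Many bare SYNs from one source with few completed handshakes is the kind of
    summary a defender computes from a -n capture when looking for scans or floods.
    """
    counts = Counter()
    for line in lines:
        p = parse_tcp_line(line)
        if p is not None and p["flags"] == "S":
            counts[p["src"]] += 1
    return counts


if __name__ == "__main__":
    for src, n in syn_counts(SAMPLE.splitlines()).most_common():
        print("%s sent %d bare SYN(s)" % (src, n))
```

Piping a live capture into the script (`sudo tcpdump -n -l | python3 parse_tcpdump.py`, with the script reading stdin instead of SAMPLE) works because of the -l line buffering described earlier; the regex deliberately rejects everything that is not a TCP line, so the banner and summary lines do no harm.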

tcpdump Filters

When tcpdump is run without any filters, it collects all traffic and generates a massive volume of data, making it difficult to locate and analyze the packets of interest.

One of the most powerful aspects of the tcpdump command is filters. They are useful because they allow you to capture just packets that meet the expression. When diagnosing issues with a webserver, for example, you can use filters to acquire only HTTP traffic.

tcpdump filters collected packets using the Berkeley Packet Filter (BPF) syntax, which includes protocols, source and destination IP addresses and ports, and more.

We'll look at some of the most prevalent filters in this article. Check out pcap-filter page for a complete list of all available filters.

Filtering by Protocol

Specify the protocol as a filter to limit the capture to that protocol. To capture only UDP traffic, for example, you would run:

sudo tcpdump -n udp

The proto qualifier, followed by the protocol number, is another way to specify the protocol. The following command will filter protocol 17 and produce the same result as the previous command:

sudo tcpdump -n proto 17

Check out the IP protocol numbers list for further information on the numbers.

Filtering by Host

Use the host qualifier to capture only packets related to a certain host:

sudo tcpdump -n host 192.168.1.185

An IP address or a name can be used as the host.

The net qualifier can also be used to limit the output to a certain IP range. To dump only packets pertaining to 10.10.0.0/16, for example, type:

sudo tcpdump -n net 10.10

Filtering by Port

Use the port qualifier to collect just packets from or to a certain port. Using the command below, you can capture packets relating to the SSH (port 22) service:

sudo tcpdump -n port 22

You can use the portrange qualifier to gather traffic from a variety of ports:

sudo tcpdump -n portrange 110-150

Filtering by Source and Destination

You can also use the src, dst, src and dst, and src or dst qualifiers to filter packets based on the source or destination host or port.

Packets coming from the host with IP address 192.168.1.185 are captured with the following command:

sudo tcpdump -n src host 192.168.1.185

You can use the following commands to find traffic flowing from any source to port 80:

sudo tcpdump -n dst port 80

Complex Filters

Filters can be combined with the and (&&), or (||), and not (!) operators.

To capture all HTTP traffic from the source IP address 192.168.1.185, for example, execute the following command:

sudo tcpdump -n src 192.168.1.185 and tcp port 80

Parentheses can also be used to group and create more complicated filters:

sudo tcpdump -n 'host 192.168.1.185 and (tcp port 80 or tcp port 443)'

When using special characters, surround the filters in single quotes to avoid parsing issues.

Another example command to capture all communication from a source IP address of 192.168.1.185, except SSH:

sudo tcpdump -n src 192.168.1.185 and not dst port 22
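To make the semantics of the filters in this section concrete, here is a small Python evaluator that applies the same expressions to a constructed list of packets. It is an added example, not part of the original tutorial and not tcpdump's BPF compiler: it models only the primitives used on this page (tcp, udp, icmp, proto N, host, net, port, portrange, the src and dst qualifiers, and/or/not with their symbolic forms, and parentheses), and the packets it runs on are made up, with addresses and ports written the way tcpdump -n prints them. Real tcpdump compiles the expression into BPF and evaluates it in the kernel, and supports many more primitives.

```python
import ipaddress
import re

PROTO_NUMBERS = {1: "icmp", 6: "tcp", 17: "udp"}   # IP protocol numbers used by "proto N"

# Constructed packets (not captured): protocol, addresses and ports as tcpdump -n shows them.
PACKETS = [
    dict(proto="tcp",  src="192.168.1.185", sport=44321, dst="93.184.216.34", dport=80),    # 0: HTTP from .185
    dict(proto="tcp",  src="192.168.1.185", sport=44322, dst="93.184.216.34", dport=443),   # 1: HTTPS from .185
    dict(proto="tcp",  src="192.168.1.185", sport=52000, dst="192.168.1.150", dport=22),    # 2: SSH from .185
    dict(proto="tcp",  src="192.168.1.150", sport=39196, dst="192.168.1.185", dport=22),    # 3: SSH to .185
    dict(proto="udp",  src="10.10.4.7",     sport=51234, dst="192.168.1.185", dport=53),    # 4: DNS from 10.10/16
    dict(proto="icmp", src="10.20.0.1",     sport=None,  dst="192.168.1.185", dport=None),  # 5: ping
]


def expand_net(value):
    """'10.10' -> '10.10.0.0/16': a short dotted prefix for the net qualifier."""
    if "/" in value:
        return value
    octets = value.split(".")
    return ".".join(octets + ["0"] * (4 - len(octets))) + "/%d" % (8 * len(octets))


def _and(l, r):
    return lambda p: l(p) and r(p)


def _or(l, r):
    return lambda p: l(p) or r(p)


class Filter:
    """Recursive-descent parser: not binds tightest, then and, then or (as in BPF)."""

    def __init__(self, expr):
        self.toks = re.findall(r"\(|\)|[^\s()]+", expr)
        self.i = 0
        self.fn = self.parse_or()
        if self.i != len(self.toks):
            raise ValueError("unexpected token %r" % self.toks[self.i])

    def __call__(self, packet):
        return self.fn(packet)

    def peek(self):
        return self.toks[self.i] if self.i < len(self.toks) else None

    def next(self):
        tok = self.peek()
        if tok is None:
            raise ValueError("unexpected end of expression")
        self.i += 1
        return tok

    def parse_or(self):
        left = self.parse_and()
        while self.peek() in ("or", "||"):
            self.next()
            left = _or(left, self.parse_and())
        return left

    def parse_and(self):
        left = self.parse_not()
        while self.peek() in ("and", "&&"):
            self.next()
            left = _and(left, self.parse_not())
        return left

    def parse_not(self):
        if self.peek() in ("not", "!"):
            self.next()
            inner = self.parse_not()
            return lambda p: not inner(p)
        if self.peek() == "(":
            self.next()
            inner = self.parse_or()
            if self.next() != ")":
                raise ValueError("missing closing parenthesis")
            return inner
        return self.parse_primitive()

    def parse_primitive(self):
        tok = self.next()
        proto = direction = None
        if tok == "proto":                                   # numeric form, e.g. "proto 17"
            name = PROTO_NUMBERS[int(self.next())]
            return lambda p: p["proto"] == name
        if tok in PROTO_NUMBERS.values():                    # "tcp", "udp", "icmp", alone or as a qualifier
            proto = tok
            if self.peek() not in ("src", "dst", "host", "net", "port", "portrange"):
                return lambda p: p["proto"] == proto
            tok = self.next()
        if tok in ("src", "dst"):
            direction = tok
            tok = self.next()
        if tok in ("host", "net", "port", "portrange"):
            kind, value = tok, self.next()
        else:
            kind, value = "host", tok                        # "src 192.168.1.185" means "src host ..."
        addr_fields = {"src": ["src"], "dst": ["dst"], None: ["src", "dst"]}[direction]
        port_fields = {"src": ["sport"], "dst": ["dport"], None: ["sport", "dport"]}[direction]
        if kind == "host":
            fields, test = addr_fields, lambda v: v == value
        elif kind == "net":
            net = ipaddress.ip_network(expand_net(value), strict=False)
            fields, test = addr_fields, lambda v: ipaddress.ip_address(v) in net
        elif kind == "port":
            port = int(value)
            fields, test = port_fields, lambda v: v == port
        else:
            lo, hi = (int(x) for x in value.split("-"))
            fields, test = port_fields, lambda v: v is not None and lo <= v <= hi
        return lambda p: (proto is None or p["proto"] == proto) and any(test(p[f]) for f in fields)


def select(expr, packets=PACKETS):
    """Indices of the packets that the filter expression selects."""
    f = Filter(expr)
    return [i for i, p in enumerate(packets) if f(p)]
```

Running `select("tcp port 80 or tcp port 443 and src 192.168.1.150")` selects only packet 0, because and binds more tightly than or, so the expression reads as port 80, or (port 443 and that source); that precedence is why the example above groups the ports in parentheses and quotes the whole expression for the shell.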

Packet Inspection

tcpdump collects only the packet headers by default. However, you may need to inspect the contents of the packets on occasion.

You may use tcpdump to print the contents of packets in ASCII and HEX.

The -A option instructs tcpdump to print each packet in ASCII, while the -x option instructs tcpdump to print each packet in HEX:

sudo tcpdump -n -A

Use the -X option to display the contents of the packet in both HEX and ASCII:

sudo tcpdump -n -X

Reading and Writing Captures to a File

The ability to write packets to a file is another useful feature of tcpdump. When recording a huge number of packets or capturing packets for subsequent examination, this comes in handy.

Use the -w option followed by the output capture file to begin writing to a file:

sudo tcpdump -n -w data.pcap

The capture will be saved to a file named data.pcap using the command above. You can name the file whatever you wish, but the .pcap extension is a typical convention (packet capture).

The output is not displayed on the screen when the -w option is used. tcpdump produces a binary file that cannot be read with a conventional text editor and writes raw packets.

Invoke tcpdump with the -r option to inspect the contents of the file:

sudo tcpdump -r data.pcap

Add the ampersand sign (&) at the end of the command to run tcpdump in the background.

Other packet analyzer software, such as Wireshark, can inspect the capture file.
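Because -w stores raw packets in the binary pcap format rather than text, it helps to know what such a file contains before handing it to other tools. The following Python script is an added example, not part of the original tutorial and not code from tcpdump or libpcap. It writes a minimal pcap file containing one constructed Ethernet/IPv4/UDP frame with a constructed timestamp, then reads it back, checking the magic number and byte order, the version, snaplen and link type (the same EN10MB/Ethernet that tcpdump announces when it starts), and rejecting truncated records. The layout follows the classic libpcap format: a 24-byte global header followed by a 16-byte header before each packet.

```python
import os
import struct
import tempfile

PCAP_MAGIC_USEC = 0xA1B2C3D4   # microsecond timestamps (tcpdump's default)
PCAP_MAGIC_NSEC = 0xA1B23C4D   # nanosecond timestamps (tcpdump --time-stamp-precision=nano)
LINKTYPE_ETHERNET = 1          # shown by tcpdump as "link-type EN10MB (Ethernet)"

# A constructed 43-byte Ethernet/IPv4/UDP frame, not taken from a real capture.
# Checksums are zeroed. It models a DNS reply 192.168.1.185:53 -> 192.168.1.150:51346 carrying one byte.
SAMPLE_FRAME = bytes.fromhex(
    "ffffffffffff" "0200deadbeef" "0800"                       # Ethernet: dst, src, type IPv4
    "4500001d" "00010000" "4011" "0000" "c0a801b9" "c0a80196"  # IPv4: total len 29, TTL 64, proto 17 (UDP)
    "0035c892" "0009" "0000" "41"                              # UDP: sport 53, dport 51346, len 9, payload "A"
)


def write_pcap(path, packets, snaplen=262144, linktype=LINKTYPE_ETHERNET):
    """Write (ts_sec, ts_usec, frame_bytes) tuples as a little-endian pcap file."""
    with open(path, "wb") as f:
        # Global header: magic, version 2.4, thiszone, sigfigs, snaplen, linktype
        f.write(struct.pack("<IHHiIII", PCAP_MAGIC_USEC, 2, 4, 0, 0, snaplen, linktype))
        for ts_sec, ts_usec, frame in packets:
            captured = frame[:snaplen]                     # incl_len may be shorter than orig_len
            f.write(struct.pack("<IIII", ts_sec, ts_usec, len(captured), len(frame)))
            f.write(captured)


def read_pcap(path):
    """Parse a pcap file into its header fields and records; raise ValueError if malformed."""
    with open(path, "rb") as f:
        raw = f.read()
    if len(raw) < 24:
        raise ValueError("shorter than a pcap global header")
    order = None
    for candidate in ("<", ">"):                           # byte order is whatever the writer used
        magic = struct.unpack(candidate + "I", raw[:4])[0]
        if magic in (PCAP_MAGIC_USEC, PCAP_MAGIC_NSEC):
            order = candidate
            break
    if order is None:
        raise ValueError("not a pcap file: bad magic number")
    _, vmaj, vmin, _tz, _sig, snaplen, linktype = struct.unpack(order + "IHHiIII", raw[:24])
    records, off = [], 24
    while off < len(raw):
        if len(raw) - off < 16:
            raise ValueError("truncated record header at offset %d" % off)
        ts_sec, ts_frac, incl, orig = struct.unpack(order + "IIII", raw[off:off + 16])
        off += 16
        if incl > snaplen or incl > orig or off + incl > len(raw):
            raise ValueError("bad record length at offset %d" % (off - 16))
        records.append((ts_sec, ts_frac, orig, raw[off:off + incl]))
        off += incl
    return {"version": (vmaj, vmin), "snaplen": snaplen, "linktype": linktype,
            "nanosecond": magic == PCAP_MAGIC_NSEC, "records": records}


def is_pcap(path):
    """True if the file parses as pcap, False otherwise."""
    try:
        read_pcap(path)
        return True
    except ValueError:
        return False


def roundtrip_demo(path=None):
    """Write the constructed frame with a constructed timestamp, then read the file back."""
    if path is None:
        path = os.path.join(tempfile.mkdtemp(), "demo.pcap")
    write_pcap(path, [(1700000000, 248737, SAMPLE_FRAME)])
    return read_pcap(path)


def text_file_demo():
    """Show that a plain text file is rejected: returns is_pcap() of a freshly written text file."""
    path = os.path.join(tempfile.mkdtemp(), "notes.txt")
    with open(path, "w") as f:
        f.write("this is not a capture file\n")
    return is_pcap(path)


if __name__ == "__main__":
    info = roundtrip_demo()
    print("link-type %d, snaplen %d, %d record(s)" % (info["linktype"], info["snaplen"], len(info["records"])))
```

The snaplen and link type come from the global header, which is why `tcpdump -r` can decode a file without being told what interface it came from; a record whose incl_len exceeds the snaplen or runs past the end of the file is exactly what a truncated or corrupted capture looks like, and the reader refuses it rather than guessing.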

You can enable file rotation when recording packets over an extended period of time. tcpdump can start new files and rotate the dump file based on a time interval or a defined size. The following command produces up to ten 200MB files named file.pcap0, file.pcap1, and so on, before it starts overwriting the oldest ones:

sudo tcpdump -n -W 10 -C 200 -w /tmp/file.pcap

The older files will be overwritten once ten files have been generated.

Please keep in mind that you should only use tcpdump to troubleshoot problems.

You can use a cronjob to start tcpdump at a predetermined time. tcpdump does not provide an option to exit after a certain amount of time has passed. To end tcpdump after a certain amount of time, use the timeout command. To leave after 5 minutes, for example, you might type:

sudo timeout 300 tcpdump -n -w data.pcap

FAQs on tcpdump Command in Linux

How do I use the tcpdump command? 

To use tcpdump, open a terminal and run tcpdump followed by different options and filters. For example, sudo tcpdump -i eth0 captures packets on the eth0 network interface. You can include additional options and filters to refine the capture as needed.

What kind of information can tcpdump capture?

tcpdump can capture various types of information from network packets, including source and destination IP addresses, ports, protocols, packet sizes, timestamps, and payload data. It provides insights into network traffic characteristics, helping with troubleshooting, network analysis, or security auditing tasks.

Can the tcpdump command capture packets on multiple network interfaces simultaneously? 

Yes, the tcpdump command can capture packets on multiple network interfaces simultaneously. Specify multiple interfaces using the -i option, such as sudo tcpdump -i eth0 -i eth1, to capture network traffic from both eth0 and eth1 interfaces.

How can I save captured packets to a file using tcpdump? 

To save captured packets to a file, use the -w option followed by the desired file name. For example, sudo tcpdump -i eth0 -w capture.pcap will save the captured packets to a file named "capture.pcap". You can later analyze the file using tcpdump or other tools.

Can tcpdump filter captured packets based on specific criteria? 

Yes, tcpdump allows you to filter captured packets based on specific criteria using filters. You can use various filter options such as source/destination IP addresses, ports, protocols, packet size, and more. For example, sudo tcpdump port 80 will capture only packets with a destination or source port of 80 (HTTP).

Can I read and analyze existing packet capture files with tcpdump? 

Yes, tcpdump can read previously captured packet capture files. Use the -r option followed by the file name to read and analyze a capture file. For example, tcpdump -r capture.pcap will display the captured packets from the "capture.pcap" file.

Can tcpdump capture packets based on a specific protocol? 

Yes, tcpdump can capture packets based on a specific protocol. Use the appropriate protocol option followed by the desired filter value. For example, sudo tcpdump icmp captures only ICMP (ping) packets, while sudo tcpdump udp captures only UDP packets.

Conclusion

tcpdump is a command-line application for diagnosing and analyzing network issues.

This tutorial covered the fundamentals of tcpdump syntax and usage. Visit the tcpdump website for more detailed information.

If you have any queries, please leave a comment below and we’ll be happy to respond to them.