Tcpdump Examples – 15 commands you must know

tcpdump is one of the most powerful command-line packet analyzers available to IT professionals. In this tutorial we share practical examples of the tcpdump tool that every IT professional should know.

It is a well-known network sniffer for network monitoring and it provides plenty of options. From analyzing live network traffic to capturing specific traffic into a file, you can do it all with tcpdump. Its availability on virtually every operating system makes it even more popular.

Many other tcpdump tutorials are available on the internet, but few explain the commands and their output properly. So we decided to document some well-explained tcpdump examples in simple, understandable language.

First, a quick look at the history of the tool: tcpdump was written at Lawrence Berkeley Laboratory in 1988. Its official website, www.tcpdump.org, was created in 1999.


Install tcpdump

Let's start by installing tcpdump on different operating systems. Use the commands below (on newer Fedora and CentOS releases, dnf replaces yum, but the yum command still works).

######### For CentOS/Fedora #############
sudo yum install tcpdump

######## For Ubuntu/Debian ##############
sudo apt-get install tcpdump

######## For Arch Linux ################
sudo pacman -S tcpdump

If you use a different OS, you can download it from the official website.

The following are examples of the tcpdump tool.

Example 1: List all available interfaces

With the -D option, tcpdump prints the list of network interfaces on which it can capture traffic, each with its name and a number. See the command and its example output below.

tcpdump -D
Output:
 1.enp0s3 [Up, Running]
 2.any (Pseudo-device that captures on all interfaces) [Up, Running]
 3.lo [Up, Running, Loopback]
 4.nflog (Linux netfilter log (NFLOG) interface)
 5.nfqueue (Linux netfilter queue (NFQUEUE) interface)
 6.usbmon1 (USB bus number 1)
 7.usbmon2 (USB bus number 2)

Example 2: Capture traffic from a specific interface

With the -i option, we capture packets on a specific network interface. If no interface is given, tcpdump picks the lowest-numbered configured, up interface from the system interface list, excluding loopback. On Linux you can also pass the pseudo-interface any to capture on all interfaces at once.

Capturing from an interface needs raw-socket privileges (root, or the CAP_NET_RAW capability, plus CAP_NET_ADMIN to enable promiscuous mode), which is why these examples use sudo. tcpdump does not have to stay root, though: with -Z user it switches to an unprivileged user right after the capture device is opened, and some distributions (Debian, for example) build it to do this by default. That limits the damage if a malformed packet ever trips a bug in a protocol decoder.

You can give either the interface name or the interface number printed by -D in the previous example.

sudo tcpdump -i enp0s3

####### OR ###########

sudo tcpdump -i 1
Output:
 tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
  listening on enp0s3, link-type EN10MB (Ethernet), capture size 262144 bytes

Example 3: Limit number of packets capture

With the -c option, tcpdump exits after the given number of packets has been captured, where "captured" means received and accepted by the filter. The three counters at the end of the output are worth reading every time: if "packets dropped by kernel" is not zero, your capture is incomplete. In that case reduce the work done per packet (use -n to skip name resolution, or -w to write raw packets to a file instead of decoding them) or raise the capture buffer with -B (size in KiB).

sudo tcpdump -c 10 
Output:
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
 listening on eno1, link-type EN10MB (Ethernet), capture size 262144 bytes
 16:17:01.745113 IP 172.17.11.240.ssh > 172.16.8.183.45040: Flags [P.], seq 4286741935:4286741979, ack 406902535, win 291, options [nop,nop,TS val 100118667 ecr 1820098679], length 44
 16:17:01.745222 IP 172.16.8.183.45040 > 172.17.11.240.ssh: Flags [.], ack 44, win 501, options [nop,nop,TS val 1820098879 ecr 100118667], length 0
 16:17:01.745969 IP 172.16.8.183.58480 > dns.google.domain: 34936+ PTR? 183.8.16.172.in-addr.arpa. (43)
 16:17:01.761535 IP dns.google.domain > 172.16.8.183.58480: 34936 NXDomain 0/0/0 (43)
 16:17:01.761970 IP 172.16.8.183.58480 > dns.google.domain: 34885+ PTR? 240.11.17.172.in-addr.arpa. (44)
 16:17:01.778366 IP dns.google.domain > 172.16.8.183.58480: 34885 NXDomain 0/0/0 (44)
 16:17:01.778818 IP 172.16.8.183.58480 > dns.google.domain: 47988+ PTR? 8.8.8.8.in-addr.arpa. (38)
 16:17:01.794220 IP dns.google.domain > 172.16.8.183.58480: 47988 1/0/0 PTR dns.google. (62)
 16:17:01.947981 IP 172.17.11.240.ssh > 172.16.8.183.45040: Flags [P.], seq 44:104, ack 1, win 291, options [nop,nop,TS val 100118868 ecr 1820098879], length 60
 16:17:01.948078 IP 172.16.8.183.45040 > 172.17.11.240.ssh: Flags [.], ack 104, win 501, options [nop,nop,TS val 1820099082 ecr 100118868], length 0
 10 packets captured
 10 packets received by filter
 0 packets dropped by kernel

Example 4: Print output in ASCII

With the -A option, tcpdump prints each packet (minus its link-level header) in ASCII, which is handy for cleartext protocols such as HTTP: you can read requests, headers and form data straight from the capture. Note that the sample output below is HTTPS traffic, so the application data is encrypted and -A shows only unprintable bytes rendered as dots; the option cannot look inside TLS. If you also want the raw bytes, -X prints hex and ASCII side by side.

sudo tcpdump -A
Output:
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
 listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
 16:25:36.005378 IP ip-172-31-36-121.ap-south-1.compute.internal.https > 162.158.107.162.36814: Flags [P.], seq 1507192181:1507192212, ack 1391444966, win 227, length 31
 E..GZ.@.@…..$y..k…..Y..uR…P………… @.k!;..`.0.V,8A.E5….=.:
 16:25:36.005444 IP ip-172-31-36-121.ap-south-1.compute.internal.https > 162.158.107.162.36814: Flags [F.], seq 31, ack 1, win 227, length 0
 E..(Z.@.@..7..$y..k…..Y…R…P…….
 16:25:36.287113 IP 162.158.107.162.36814 > ip-172-31-36-121.ap-south-1.compute.internal.https: Flags [.], ack 31, win 104, length 0
 E..(..@.(..q..k…$y….R…Y…P..h….
 16:25:36.287521 IP 162.158.107.162.36814 > ip-172-31-36-121.ap-south-1.compute.internal.https: Flags [R.], seq 1, ack 32, win 104, length 0
 E..(..@.(..p..k…$y….R…Y…P..h….

Example 5: Readable timestamps

You may have noticed that the timestamps in all the output above are time-of-day only (hours, minutes, seconds and microseconds) with no date. With the -tttt option, each line is prefixed with the full date and time, which you will want when a capture spans midnight or is kept as evidence. For completeness: -tt prints raw Unix epoch seconds, -ttt prints the delta since the previous packet, and -t suppresses timestamps altogether.

sudo tcpdump -tttt
Output:
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
 listening on eno1, link-type EN10MB (Ethernet), capture size 262144 bytes
 2020-02-15 16:52:36.468792 IP 172.16.8.183.48876 > 151.101.1.140.https: Flags [.], ack 79342705, win 501, options [nop,nop,TS val 160788396 ecr 2213864497], length 0
 2020-02-15 16:52:36.469536 IP 172.16.8.183.58480 > dns.google.domain: 48377+ PTR? 140.1.101.151.in-addr.arpa. (44)
 2020-02-15 16:52:36.489206 IP dns.google.domain > 172.16.8.183.58480: 48377 NXDomain 0/1/0 (104)
 2020-02-15 16:52:36.489546 IP 172.16.8.183.58480 > dns.google.domain: 52876+ PTR? 183.8.16.172.in-addr.arpa. (43)
 2020-02-15 16:52:36.505372 IP bom12s01-in-f5.1e100.net.https > 172.16.8.183.45736: Flags [P.], seq 2536084477:2536084730, ack 810527209, win 1050, options [nop,nop,TS val 3706306398 ecr 1808033774], length 253
 2020-02-15 16:52:36.505399 IP 172.16.8.183.45736 > bom12s01-in-f5.1e100.net.https: Flags [.], ack 253, win 2500, options [nop,nop,TS val 1808034143 ecr 3706306398], length 0

Example 6: Save captured packets

By default tcpdump prints decoded packets on the screen. If you want to save the raw packets to a .pcap (Packet Capture) file instead, use the -w option, where w means write. The file is in libpcap format, so Wireshark and other tools can open it. Because nothing is decoded while writing, -w also drops fewer packets on a busy link. Combine it with -c to stop after a number of packets, or with -C (file size in millions of bytes) or -G (seconds) plus -W (number of files) to rotate captures. Remember that a capture file holds everything that crossed the wire, credentials and session tokens from cleartext protocols included, so store it with restrictive permissions and treat it as sensitive data.

sudo tcpdump -w my_filename.pcap

Example 8: Reading a .pcap (Packet Capture) file

Because a .pcap file holds raw packets, it is not human-readable; you need a tool that understands the format, most often tcpdump or Wireshark. In tcpdump, the -r option reads packets from a file instead of an interface. Reading a file needs no special privileges, so run it as your normal user whenever the file is readable: a capture file is untrusted input, and there is no reason to parse it as root. The same filter expressions and output options (-n, -A, -tttt and so on) work on a saved capture exactly as they do on live traffic.

tcpdump -r my_filename.pcap
Output:
 reading from file my_filename.pcap, link-type EN10MB (Ethernet)
 17:11:10.624048 ARP, Request who-has 172.16.0.234 tell 172.16.9.234, length 46
 17:11:10.869503 ARP, Request who-has 172.16.11.221 (Broadcast) tell 0.0.0.0, length 46
 17:11:11.063824 IP 172.16.8.183.43838 > 172.16.0.1.http: Flags [P.], seq 2249248014:2249248649, ack 39414386, win 501, options [nop,nop,TS val 1080292761 ecr 2446281268], length 635: HTTP: POST /getstats.php HTTP/1.1
 17:11:11.064046 IP 172.16.0.1.http > 172.16.8.183.43838: Flags [.], ack 635, win 508, options [nop,nop,TS val 2446284254 ecr 1080292761], length 0

Example 9: Disable name resolution

By default tcpdump resolves IP addresses to hostnames and well-known port numbers to service names (ssh, https and domain in the outputs above). The -n option turns off address-to-name resolution; -nn also leaves port and protocol numbers alone. Use -n routinely. Reverse lookups slow the capture down and, more importantly, make the capturing host send a DNS PTR query for every address it sees: the PTR queries to dns.google in the Example 3 output are tcpdump's own lookups for the addresses in that capture. On a sensitive or compromised network, those queries tell anyone watching the resolver exactly which hosts you are investigating.

sudo tcpdump -n

Example 10: Filter traffic by protocol

To capture only one protocol, give its name as the filter expression. tcp, udp and icmp are the most common, but others such as arp work too. The expression is BPF filter syntax, so you can combine a protocol with qualifiers such as host, net and port, and with the operators and, or and not; quote a compound expression so the shell does not interpret it.

sudo tcpdump icmp
Output:
  tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
  listening on eno1, link-type EN10MB (Ethernet), capture size 262144 bytes  
  17:32:29.235906 IP 172.16.8.183 > bom12s03-in-f14.1e100.net: ICMP echo request, id 24416, seq 1, length 64  
  17:32:29.252115 IP bom12s03-in-f14.1e100.net > 172.16.8.183: ICMP echo reply, id 24416, seq 1, length 64  
  17:32:30.237707 IP 172.16.8.183 > bom12s03-in-f14.1e100.net: ICMP echo request, id 24416, seq 2, length 64  
  17:32:30.252182 IP bom12s03-in-f14.1e100.net > 172.16.8.183: ICMP echo reply, id 24416, seq 2, length 64  
  17:32:31.237162 IP 172.16.8.183 > bom12s03-in-f14.1e100.net: ICMP echo request, id 24416, seq 3, length 64  
  17:32:31.252145 IP bom12s03-in-f14.1e100.net > 172.16.8.183: ICMP echo reply, id 24416, seq 3, length 64  
  17:32:32.238303 IP 172.16.8.183 > bom12s03-in-f14.1e100.net: ICMP echo request, id 24416, seq 4, length 64
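To make two of the ideas above concrete, the .pcap file format behind -w and -r and the filter expression used in this example, here is an added example written for this article; it is not tcpdump's code or the original author's. It hand-builds a two-packet capture file (an ICMP echo request and a TCP segment to port 22, with addresses, MAC addresses and payloads constructed for the example), reads the file back by parsing the pcap global and record headers, decodes the Ethernet, IPv4 and transport fields that tcpdump -n prints, and applies a tiny subset of tcpdump's filter syntax (a protocol name, host A, port N, joined with and). The file layout, the checksum routine and the filter semantics are the standard ones; all function and variable names are the example's own.

```python
"""Added example (not the page's code): hand-build a pcap file, read it back and apply tcpdump-style
filters such as "icmp" or "tcp and port 22". Standard library only; every address, port, MAC and payload is constructed."""
import os, struct, tempfile

PCAP_MAGIC = 0xA1B2C3D4   # readers detect the file's byte order from this value
LINKTYPE_ETHERNET = 1     # "link-type EN10MB (Ethernet)" in tcpdump's banner
IPPROTO = {1: "icmp", 6: "tcp", 17: "udp"}

def ip_bytes(addr):
    return bytes(int(octet) for octet in addr.split("."))

def inet_checksum(data):
    """RFC 1071 one's-complement sum used by IPv4, ICMP and TCP."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def ipv4(src, dst, proto, payload):
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0x1234,   # no options: IHL 5
                      0x4000, 64, proto, 0, ip_bytes(src), ip_bytes(dst))     # DF set, TTL 64
    return hdr[:10] + struct.pack("!H", inet_checksum(hdr)) + hdr[12:] + payload

def icmp_echo(ident, seq, data=b"\x00" * 56):
    body = struct.pack("!BBHHH", 8, 0, 0, ident, seq) + data   # type 8 = echo request
    return body[:2] + struct.pack("!H", inet_checksum(body)) + body[4:]

def tcp(src, dst, sport, dport, flags, payload=b""):
    # the TCP checksum also covers a pseudo-header: addresses, protocol, segment length
    seg = struct.pack("!HHIIBBHHH", sport, dport, 1000, 2000, 5 << 4, flags, 501, 0, 0) + payload
    pseudo = ip_bytes(src) + ip_bytes(dst) + struct.pack("!BBH", 0, 6, len(seg))
    return seg[:16] + struct.pack("!H", inet_checksum(pseudo + seg)) + seg[18:]

def ethernet(payload):
    # constructed MACs (broadcast destination, locally administered source), EtherType 0x0800
    return bytes.fromhex("ffffffffffff" "0a0000000001" "0800") + payload

def write_pcap(path, frames, ts_sec=1581763200):
    """24-byte global header, then a 16-byte record header in front of every frame."""
    with open(path, "wb") as f:
        f.write(struct.pack("=IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 262144, LINKTYPE_ETHERNET))
        for i, frame in enumerate(frames):
            f.write(struct.pack("=IIII", ts_sec + i, 0, len(frame), len(frame)) + frame)

def read_pcap(path):   # frames of an Ethernet pcap, whichever byte order wrote it
    with open(path, "rb") as f:
        raw = f.read()
    order = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}.get(raw[:4])
    if order is None or struct.unpack(order + "I", raw[20:24])[0] != LINKTYPE_ETHERNET:
        raise ValueError("not an Ethernet pcap file")
    frames, off = [], 24
    while off + 16 <= len(raw):
        incl_len = struct.unpack(order + "IIII", raw[off:off + 16])[2]
        off += 16
        if off + incl_len > len(raw):   # never trust a length field read from a file
            raise ValueError("truncated record at offset %d" % off)
        frames.append(raw[off:off + incl_len])
        off += incl_len
    return frames

def decode(frame):   # the fields tcpdump -n prints per line: addresses, protocol, ports
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        return None
    ip, ihl = frame[14:], (frame[14] & 0x0F) * 4
    rec = {"proto": IPPROTO.get(ip[9], str(ip[9])), "sport": None, "dport": None,
           "src": ".".join(map(str, ip[12:16])), "dst": ".".join(map(str, ip[16:20]))}
    if ip[9] in (6, 17) and len(ip) >= ihl + 4:
        rec["sport"], rec["dport"] = struct.unpack("!HH", ip[ihl:ihl + 4])
    return rec

def matches(rec, expression):   # tiny BPF subset: proto name, 'host A', 'port N', joined by 'and'
    for clause in expression.split(" and "):
        words = clause.split()
        if len(words) == 1:
            ok = rec["proto"] == words[0]
        elif words[0] == "host":
            ok = words[1] in (rec["src"], rec["dst"])
        else:
            ok = int(words[1]) in (rec["sport"], rec["dport"])
        if not ok:
            return False
    return True

def build_and_filter(expression):
    """Write two constructed packets to a pcap, read it back, return the matching tcpdump-like lines."""
    me, peer, resolver = "172.16.8.183", "172.17.11.240", "8.8.8.8"
    frames = [ethernet(ipv4(me, resolver, 1, icmp_echo(24416, 1))),
              ethernet(ipv4(me, peer, 6, tcp(me, peer, 45040, 22, 0x18, b"x" * 44)))]  # 0x18 = PSH+ACK
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "example.pcap")
        write_pcap(path, frames)
        records = [r for r in map(decode, read_pcap(path)) if r]
    fmt = lambda host, port: host if port is None else "%s.%d" % (host, port)
    return ["IP %s > %s: %s" % (fmt(r["src"], r["sport"]), fmt(r["dst"], r["dport"]), r["proto"])
            for r in records if matches(r, expression)]

if __name__ == "__main__":
    for expr in ("icmp", "tcp and port 22", "host 8.8.8.8", "port 80"):
        print("%-16s -> %s" % (expr, build_and_filter(expr)))
```

Because write_pcap emits exactly the global and per-record headers that -r expects, a file produced with it can be opened with tcpdump -nr (or Wireshark), and -v will confirm that the IP, ICMP and TCP checksums are valid. The bounds check in read_pcap is the point to copy into any parser of capture files: a record whose length field runs past the end of the file should be reported, not silently sliced, because a capture file is data from the network and deserves the same suspicion as the packets it contains.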
