Tcpdump Examples – 15 commands you must know

Example 11: Filter Traffic by IP Address or Hostname

Filtering by host is the filter used most often when analysing network traffic. With the host primitive you capture all traffic to or from a specific host, given either as an IP address or as a hostname.

sudo tcpdump host linuxbots.com
Output:
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eno1, link-type EN10MB (Ethernet), capture size 262144 bytes
17:35:35.093268 IP 172.16.8.183.46274 > 104.24.110.23.https: Flags [S], seq 4241842716, win 64240, options [mss 1460,sackOK,TS val 879430422 ecr 0,nop,wscale 7], length 0
17:35:35.215146 IP 104.24.110.23.https > 172.16.8.183.46274: Flags [S.], seq 3462322619, ack 4241842717, win 65535, options [mss 1400,nop,nop,sackOK,nop,wscale 10], length 0
17:35:35.215206 IP 172.16.8.183.46274 > 104.24.110.23.https: Flags [.], ack 1, win 502, length 0
17:35:35.215576 IP 172.16.8.183.46274 > 104.24.110.23.https: Flags [P.], seq 1:554, ack 1, win 502, length 553
17:35:35.292811 IP 104.24.110.23.https > 172.16.8.183.46274: Flags [.], ack 554, win 66, length 0

Example 12: Filter Traffic by a specific port

We can capture the traffic of a specific port, as either source or destination port, using the port option.

sudo tcpdump port 80
Output:
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eno1, link-type EN10MB (Ethernet), capture size 262144 bytes
17:39:16.064208 IP 172.16.8.183.47060 > 172.16.0.1.http: Flags [P.], seq 1963726501:1963727185, ack 2366941443, win 501, options [nop,nop,TS val 1081977725 ecr 475210608], length 684: HTTP: POST /widgets/widgets/interfaces.widget.php HTTP/1.1
17:39:16.064384 IP 172.16.0.1.http > 172.16.8.183.47060: Flags [.], ack 684, win 507, options [nop,nop,TS val 475213508 ecr 1081977725], length 0

Example 13: Filter Traffic by specific direction

tcpdump offers the src and dst qualifiers for capturing traffic in a specific direction, and they combine with the host and port options. See the examples below.

sudo tcpdump src 10.0.0.1
sudo tcpdump dst 172.16.0.1

######### using with the host option ###########
sudo tcpdump dst google.com

####### using with the port option #############
sudo tcpdump src port 80

####### using multiple options ################
# separate primitives must be joined with and/or; juxtaposing them is a filter syntax error
sudo tcpdump -tttt -c 10 dst port 443 and host google.com

Example 14: Filter Traffic by network address

With the net option, we can capture traffic of a specific network subnet.

sudo tcpdump net 172.16.0.0/16

Example 15: Filter Traffic by the port range

We can capture the traffic of a given range of ports by using the portrange option.

sudo tcpdump portrange 0-1000
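Once a filtered capture like the ones above is in hand, the next step is usually to turn the one-line-per-packet text into per-connection facts. The following is an added example, not part of the original article: it parses tcpdump's default IPv4/TCP summary lines (the format shown in Examples 11 and 12) into flows and flags endpoint pairs whose SYN was never answered. The sample input reuses the Example 11 listing plus one constructed line to 198.51.100.7, a documentation address.

```python
import re
from collections import defaultdict

# tcpdump default line: <time> IP <src>.<sport> > <dst>.<dport>: Flags [<f>], ..., length <n>
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) IP "
    r"(?P<src>\S+?)\.(?P<sport>[^.\s]+) > "
    r"(?P<dst>\S+?)\.(?P<dport>[^.\s:]+): "
    r"Flags \[(?P<flags>[^\]]*)\].*?length (?P<length>\d+)"
)

# Constructed sample: the five lines of the Example 11 listing, plus one
# made-up SYN to 198.51.100.7 (a documentation address) that is never answered.
SAMPLE = """\
17:35:35.093268 IP 172.16.8.183.46274 > 104.24.110.23.https: Flags [S], seq 4241842716, win 64240, options [mss 1460,sackOK,TS val 879430422 ecr 0,nop,wscale 7], length 0
17:35:35.215146 IP 104.24.110.23.https > 172.16.8.183.46274: Flags [S.], seq 3462322619, ack 4241842717, win 65535, options [mss 1400,nop,nop,sackOK,nop,wscale 10], length 0
17:35:35.215206 IP 172.16.8.183.46274 > 104.24.110.23.https: Flags [.], ack 1, win 502, length 0
17:35:35.215576 IP 172.16.8.183.46274 > 104.24.110.23.https: Flags [P.], seq 1:554, ack 1, win 502, length 553
17:35:35.292811 IP 104.24.110.23.https > 172.16.8.183.46274: Flags [.], ack 554, win 66, length 0
17:40:02.000000 IP 172.16.8.183.46280 > 198.51.100.7.https: Flags [S], seq 1, win 64240, length 0
""".splitlines()


def parse_line(line):
    """Return the packet fields as a dict, or None for lines that are not TCP summaries."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    pkt = m.groupdict()
    pkt["length"] = int(pkt["length"])  # TCP payload bytes carried by this packet
    return pkt


def summarize_flows(lines):
    """Aggregate packets per endpoint pair, counting both directions together."""
    flows = defaultdict(lambda: {"packets": 0, "bytes": 0, "syn": 0, "synack": 0})
    for line in lines:
        pkt = parse_line(line)
        if pkt is None:  # e.g. the "listening on eno1 ..." banner lines
            continue
        a, b = (pkt["src"], pkt["sport"]), (pkt["dst"], pkt["dport"])
        flow = flows[tuple(sorted((a, b)))]  # same key whichever side sent the packet
        flow["packets"] += 1
        flow["bytes"] += pkt["length"]
        if pkt["flags"] == "S":
            flow["syn"] += 1
        elif pkt["flags"] == "S.":
            flow["synack"] += 1
    return dict(flows)


def half_open(flows):
    """Endpoint pairs that sent a SYN but never saw a SYN-ACK: filtered ports, dead hosts or scan noise."""
    return sorted(key for key, f in flows.items() if f["syn"] and not f["synack"])
```

Feed it the saved output of `sudo tcpdump host ... > capture.txt` and the one flow in the sample that never completes its handshake is the kind of thing worth a second look; the banner lines tcpdump prints first are skipped by the parser.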
