Using tcpdump Command in Linux to Analyze Network

Tcpdump is a great tool for analyzing networks and hunting down network problems. It captures packets as they pass by and shows you what is going out of and coming into your network. The output is written to STDOUT and can also be stored in a file.

Thanks to its developers, tcpdump remains an open source project. It is freely available on Unix and Linux systems. Windows has a ‘Microolap TCPDUMP for Windows’ variant with an associated price tag.

tcpdump has a long list of options available for use. In this article, I'll focus on core options that are frequently used.

1. Checking the Available Interfaces

To check all the available interfaces to capture on, use the ‘-D’ flag as:

sudo tcpdump -D

This will list all the interfaces on the system, including wired, wireless and other interfaces. The same functionality is available through the --list-interfaces flag:

sudo tcpdump --list-interfaces

2. Capturing Packets for a Specific interface

Without any option, tcpdump will capture on all the interfaces. The -i flag captures traffic from a specific interface:

tcpdump -i <target-interface>

Replace <target-interface> with the name of the interface you want to capture on. For example, for the interface eth0 the command becomes:

sudo tcpdump -i eth0

Note: From now on, I'll use eth0 or eth1 as the target interface. So wherever you see the -i flag, it will be accompanied by either eth0 or eth1.

3. Presetting Capture Count

The -c flag presets the number of packets to be captured.

As an example, let’s set the count to 4 to capture four packets. The command in this case is:

sudo tcpdump -c 4 -i eth0

If you do not specify a count, the capture runs until you interrupt it manually with the key combination ctrl+c or ctrl+z.

In the rest of this article, I'll add the -c flag to other commands wherever it helps. This keeps the output of each command short and easy to understand.


4. Getting a Verbose Output

To get verbose output from a tcpdump command, use the -v flag:

sudo tcpdump -c 6 -v -i eth0

You can increase the level of verbosity further with -vv or -vvv, which print progressively more detail on the terminal:

sudo tcpdump -vv -i eth0

5. Printing the Captured Data in ASCII Format

Sometimes you need the tcpdump output in hex or ASCII. Use the -A option for ASCII output and -XX for both hex and ASCII:

sudo tcpdump -XX -i eth0

6. Capturing Packets Sent From a Specific Source IP

If you want to inspect the traffic coming from a specific source IP address, use this command:

sudo tcpdump -i eth0 src <source-ip-address>

Let’s take the source IP as 192.168.56.11 and see the details of the traffic:

sudo tcpdump -i eth1 -c 5 src 192.168.56.11

The count 5 here will capture only the first five packets.


7. Capturing Packets Sent to a Specific Destination IP

If you want to inspect the traffic sent to a specific destination IP address, use the command:

sudo tcpdump -i eth0 dst <destination-ip-address>

Let’s take the destination IP as 192.168.56.11 and see the details of the traffic:

sudo tcpdump -i eth1 -c 5 dst 192.168.56.11

8. Using Filtering Options with Tcpdump

It's a good approach to narrow down the captured data before inspecting it. This eliminates unnecessary traffic and simplifies your job. You can do this by filtering the traffic based on host, ports, protocols, and other criteria.

Let’s see some of them:

Port number

To filter traffic by port number, say port 22, run the tcpdump command as:

sudo tcpdump -i eth0 port 22

This command captures both the TCP and UDP traffic on that port.

Protocol

Similar to the port directive, the proto directive filters the capture by protocol. You can pass either the protocol name or the protocol number as the argument:

sudo tcpdump -i eth0 proto tcp
sudo tcpdump -i eth0 proto 6

The two commands above are equivalent, because 6 is the IP protocol number for TCP.

Host Filter

The host argument filters the traffic of a specific host, identified by its IP:

sudo tcpdump -i eth0 host 192.168.56.10

This captures all the traffic in and out of this host. You can also combine multiple filters with a host to target a specific type of traffic.

For example:

sudo tcpdump -i eth1 -c 50 "(host 192.168.56.11) and (port 443 or port 80)"

Here, I have merged several filter rules into a single expression. It selects HTTP and HTTPS traffic for that host, because it matches ports 80 and 443, the standard ports for those services.
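Once a filter like the one above has narrowed the capture, the next job is usually to read what tcpdump printed. The following Python script is an added example, not code from the article: it parses the one-line-per-packet format tcpdump writes to STDOUT, applies the same host-and-ports logic as the BPF expression above, and counts connection attempts (pure SYNs) per source and destination port. It assumes the capture was run with -nn so that addresses and ports are printed numerically, and the sample output embedded in it is constructed by hand (the 192.168.56.12 host does not appear in the article).

```python
import re
from collections import Counter, defaultdict

# Constructed sample of tcpdump -nn output (not a real capture). The "IP src.sport > dst.dport:"
# prefix is what tcpdump prints for IPv4 packets when name and port resolution are disabled.
SAMPLE_OUTPUT = """\
12:00:01.000001 IP 192.168.56.11.51234 > 192.168.56.10.22: Flags [S], seq 1, win 64240, length 0
12:00:01.000200 IP 192.168.56.10.22 > 192.168.56.11.51234: Flags [S.], seq 2, ack 2, win 65160, length 0
12:00:01.000300 IP 192.168.56.11.51234 > 192.168.56.10.22: Flags [.], ack 1, win 502, length 0
12:00:02.000001 IP 192.168.56.11.51235 > 192.168.56.10.80: Flags [S], seq 3, win 64240, length 0
12:00:02.000002 IP 192.168.56.11.51236 > 192.168.56.10.443: Flags [S], seq 4, win 64240, length 0
12:00:02.000003 IP 192.168.56.11.51237 > 192.168.56.10.8080: Flags [S], seq 5, win 64240, length 0
12:00:03.000001 IP 192.168.56.12.40000 > 192.168.56.10.443: Flags [S], seq 6, win 64240, length 0
12:00:03.000002 IP 192.168.56.12.40000 > 192.168.56.10.443: Flags [P.], seq 1:10, ack 1, win 502, length 9
12:00:04.000001 IP 192.168.56.12.41000 > 192.168.56.10.53: 1234+ A? example.com. (29)
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) IP "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): (?P<rest>.*)$"
)


def parse_line(line):
    """Parse one tcpdump -nn line into a dict; returns None for lines in another format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["sport"] = int(rec["sport"])
    rec["dport"] = int(rec["dport"])
    flags = re.search(r"Flags \[([^\]]*)\]", rec["rest"])
    rec["flags"] = flags.group(1) if flags else ""   # empty for non-TCP lines such as DNS
    return rec


def matches(rec, host=None, ports=()):
    """Same logic as the BPF expression 'host H and (port A or port B)'."""
    if host and host not in (rec["src"], rec["dst"]):
        return False
    if ports and rec["sport"] not in ports and rec["dport"] not in ports:
        return False
    return True


def syn_counts(output, host=None, ports=()):
    """Count pure SYNs (new connection attempts) per (source address, destination port)."""
    counts = Counter()
    for line in output.splitlines():
        rec = parse_line(line)
        if rec and matches(rec, host, ports) and rec["flags"] == "S":
            counts[(rec["src"], rec["dport"])] += 1
    return counts


def noisy_sources(output, min_ports=3):
    """Sources that attempted connections to at least min_ports distinct ports (a simple scan heuristic)."""
    ports_by_src = defaultdict(set)
    for src, dport in syn_counts(output):
        ports_by_src[src].add(dport)
    return sorted(src for src, ports in ports_by_src.items() if len(ports) >= min_ports)


if __name__ == "__main__":
    for (src, dport), n in sorted(syn_counts(SAMPLE_OUTPUT).items()):
        print(f"{src:>15} -> port {dport:<5} SYNs: {n}")
    print("sources touching 3+ ports:", noisy_sources(SAMPLE_OUTPUT))
```

To run it against a real capture, pipe the live command into the script (for example the output of sudo tcpdump -nn -i eth1 -c 50 with the filter above) and call syn_counts on what was read from standard input; the SYN/ACK replies (Flags [S.]) are deliberately excluded so that only the initiating side is counted.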

9. Saving the Captured Data

To store the captured packets in a file, use the -w flag:

sudo tcpdump -i eth0 -c 10 -w my_capture.pcap

Keep the packet count small; otherwise, you will have to stop the process manually.

10. Reading the Captured Data

You can open the .pcap file in Wireshark or any other graphical network protocol analyzer.

You can also read it with tcpdump itself, using the -r flag:

tcpdump -r my_capture.pcap

The output lists the packets stored in my_capture.pcap.
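The file that -w writes and -r reads is the libpcap savefile format, and knowing its layout helps when a capture is truncated or will not open. The following Python script is an added example, not code from the article or from the tcpdump project: it builds a small pcap image from constructed Ethernet/IPv4/TCP frames, reads it back with the same header checks tcpdump -r performs (magic number, byte order, link type, truncated records), and then applies the host-and-ports filter from section 8 together with the -c count limit from section 3. The addresses 192.168.56.10 and 192.168.56.11 come from the article; 192.168.56.12, the port numbers and the file name my_capture_demo.pcap are constructed for the demo.

```python
import io
import socket
import struct

PCAP_MAGIC = 0xA1B2C3D4          # native (little-endian) pcap, microsecond timestamps
PCAP_MAGIC_SWAPPED = 0xD4C3B2A1  # same format written on a big-endian machine
LINKTYPE_ETHERNET = 1


def build_pcap(packets):
    """Serialize (ts_sec, ts_usec, frame) tuples into a pcap file image like tcpdump -w writes."""
    data = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for ts_sec, ts_usec, frame in packets:
        data += struct.pack("<IIII", ts_sec, ts_usec, len(frame), len(frame)) + frame
    return data


def tcp_frame(src, dst, sport, dport, flags=0x02):
    """Constructed Ethernet/IPv4/TCP frame; checksums are left at zero (irrelevant for parsing)."""
    eth = bytes(6) + b"\x00\x00\x00\x00\x00\x01" + b"\x08\x00"
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 65535, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    return eth + ip + tcp


def read_pcap(data):
    """Yield (ts_sec, ts_usec, frame) records, validating the file header as tcpdump -r must."""
    f = io.BytesIO(data)
    magic = struct.unpack("<I", f.read(4))[0]
    if magic == PCAP_MAGIC:
        endian = "<"
    elif magic == PCAP_MAGIC_SWAPPED:
        endian = ">"
    else:
        raise ValueError("not a pcap file: bad magic number")
    _major, _minor, _tz, _sig, _snaplen, linktype = struct.unpack(endian + "HHiIII", f.read(20))
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError(f"unsupported link type {linktype}")
    while True:
        hdr = f.read(16)
        if len(hdr) < 16:
            break
        ts_sec, ts_usec, incl_len, _orig_len = struct.unpack(endian + "IIII", hdr)
        frame = f.read(incl_len)
        if len(frame) < incl_len:
            raise ValueError("truncated record: the capture was probably cut off mid-packet")
        yield ts_sec, ts_usec, frame


def decode(frame):
    """Decode Ethernet -> IPv4 -> TCP/UDP headers; returns None for non-IPv4 frames."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        return None
    ihl = (frame[14] & 0x0F) * 4
    pkt = {"src": socket.inet_ntoa(frame[26:30]), "dst": socket.inet_ntoa(frame[30:34]),
           "proto": frame[23], "sport": None, "dport": None}
    l4 = frame[14 + ihl:]
    if pkt["proto"] in (6, 17) and len(l4) >= 4:   # TCP and UDP both start with the port pair
        pkt["sport"], pkt["dport"] = struct.unpack("!HH", l4[:4])
    return pkt


def filter_pcap(data, host=None, ports=(), count=None):
    """Python equivalent of: tcpdump -r FILE -c COUNT 'host H and (port A or port B)'."""
    hits = []
    for _ts_sec, _ts_usec, frame in read_pcap(data):
        pkt = decode(frame)
        if pkt is None:
            continue
        if host and host not in (pkt["src"], pkt["dst"]):
            continue
        if ports and pkt["sport"] not in ports and pkt["dport"] not in ports:
            continue
        hits.append(pkt)
        if count is not None and len(hits) >= count:   # -c stops after COUNT matching packets
            break
    return hits


# Constructed capture standing in for my_capture.pcap (not a real capture).
SAMPLE_PCAP = build_pcap([
    (1700000000, 1, tcp_frame("192.168.56.11", "192.168.56.10", 51234, 22)),
    (1700000000, 2, tcp_frame("192.168.56.11", "192.168.56.10", 51235, 443)),
    (1700000000, 3, tcp_frame("192.168.56.10", "192.168.56.11", 80, 51236, flags=0x12)),
    (1700000000, 4, tcp_frame("192.168.56.12", "192.168.56.10", 40000, 443)),
    (1700000000, 5, tcp_frame("192.168.56.12", "192.168.56.10", 40001, 80)),
])

if __name__ == "__main__":
    with open("my_capture_demo.pcap", "wb") as fh:   # inspect with: tcpdump -nn -r my_capture_demo.pcap
        fh.write(SAMPLE_PCAP)
    for pkt in filter_pcap(SAMPLE_PCAP, host="192.168.56.11", ports=(80, 443)):
        print(f"{pkt['src']}:{pkt['sport']} > {pkt['dst']}:{pkt['dport']}")
```

The file the script writes can be opened with tcpdump -r or Wireshark to compare their decoding with the script's. The truncated-record check matters in practice: a capture interrupted with ctrl+c while a record was being written ends mid-packet, and a reader that silently stops there hides the loss.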

Conclusion

That’s all for now. I hope you now have a good idea of the different ways to work with the tcpdump command. It is the best option when you are capturing packets on a remote headless machine.

If you want a more visual way to understand packet capture, try Wireshark.