tcpdump It is a command line utility that you can use to capture and inspect network traffic to and from your system.
tcpdump is the most widely used tool among security experts or network administrators for network troubleshooting and security testing.
Regardless of the name, with
tcpdumpYou can also capture non-TCP traffic such as UDP, ARP, or ICMP. The extracted packages can be written into a standard output or file.
One of the most powerful features of the command
tcpdump It’s its ability to use filters and capture only the data that you want to analyze.
In this article, we’ll cover the basics of how to use commands
tcpdump On Linux.
Tcpdump is installed by default on most Linux and macOS distributions. To check if the tcpdump command is available for your system type:
The output will look like this:
tcpdump version 4.9.2 libpcap version 1.8.1 OpenSSL 1.1.1b 26 Feb 2019
If tcpdump is not on your system then the above command will printtcpdump: command not foundYou can easily install tcpdump using your distro’s package manager.
Install tcpdump on Ubuntu and Debian
sudo apt update && sudo apt install tcpdump
Install tcpdump on CentOS and Fedora
sudo yum install tcpdump
Install tcpdump on Arch Linux
sudo pacman -S tcpdump
How to capture packets using tcpdump
The general syntax for the tcpdump command is as follows:
tcpdump [options] [expression]
optionsIt allows you to control tcpdump behavior when retrieving data.
expressionDetermine the package to be recovered.
Only root or user with rights
sudo Which can run tcpdump. If you try to run the command as a user who does not have sudo / root privileges, you will get an error message: “You do not have permission to take pictures on this device“.
The simplest use case is operation
tcpdump Without any options and filters:
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode listening on ens3, link-type EN10MB (Ethernet), capture size 262144 bytes 15:47:24.248737 IP linuxid-host.ssh > desktop-machine.39196: Flags [P.], seq 201747193:201747301, ack 1226568763, win 402, options [nop,nop,TS val 1051794587 ecr 2679218230], length 108 15:47:24.248785 IP linuxid-host.ssh > desktop-machine.39196: Flags [P.], seq 108:144, ack 1, win 402, options [nop,nop,TS val 1051794587 ecr 2679218230], length 36 15:47:24.248828 IP linuxid-host.ssh > desktop-machine.39196: Flags [P.], seq 144:252, ack 1, win 402, options [nop,nop,TS val 1051794587 ecr 2679218230], length 108 ... Long output suppressed 23116 packets captured 23300 packets received by filter 184 packets dropped by kernel
Tcpdump will continue capturing packets and writing to standard output until it receives an interrupt signal. Use key combinations
Ctrl + C To send interrupt signals and stop orders.
For more verbose output, provide options
-vv For more prolonged output:
sudo tcpdump -vv
You can specify the number of packets to capture using the options
-c. For example, to pick up only ten packages, then the command you would type:
sudo tcpdump -c 10
After you pick up the package,
tcpdump It will stop automatically.
When an interface is not specified,
tcpdump Uses the first interface it finds and dumps all packages through that interface.
Use the options
-D To print a list of all available network interfaces that tcpdump can fetch:
sudo tcpdump -D
For each interface, the command prints the interface name, a short description, and the associated index (number):
1.ens3 [Up, Running] 2.any (Pseudo-device that captures on all interfaces) [Up, Running] 3.lo [Up, Running, Loopback]
The above output illustrates this
ens3 It is the first interface that he invented
tcpdump It is used when an interface for the command is not provided. The second interface
any, Is a special tool that allows you to capture all active interfaces.
To select an interface in which you want to capture traffic, activate the command with options
-i Followed by the name of the interface or the associated index. For example, to retrieve all packets from all interfaces, the interface you choose to capture data is the interface
sudo tcpdump -i any
By default, tcpdump performs reverse DNS resolution on IP addresses and translates port numbers into hostnames. Use the -n option to disable the translation feature:
sudo tcpdump -n
With the skip DNS lookup, tcpdump will not generate DNS traffic data and make the output easier to read. This option is recommended every time you run tcpdump.
Instead of displaying the output on the screen, you can redirect to a file using the redirect operator
> And the
sudo tcpdump -n -i any > file.out
You can also view data in real time while saving to a file using commands
sudo tcpdump -n -l | tee file.out
-l In the above command it tells tcpdump to create a stored output line. When not using this option, the output will not be displayed on the screen when creating a new line.
Understand the output of the tcpdump command
Tcpdump displays information about each package fetched on a new line. Each line includes a timestamp and packet information, depending on the protocol.
The general format of a TCP line is as follows:
[Timestamp] [Protocol] [Src IP].[Src Port] > [Dst IP].[Dst Port]: [Flags], [Seq], [Ack], [Win Size], [Options], [Data Length]
Let us study it field by field and clarify the following lines:
15:47:24.248737 IP 192.168.1.185.22 > 192.168.1.150.37445: Flags [P.], seq 201747193:201747301, ack 1226568763, win 402, options [nop,nop,TS val 1051794587 ecr 2679218230], length 108
15:47:24.248737– The timestamp for captured packets is in local time and uses the following format:
jam:menit:detik.frac, Where frac is a fraction of seconds since midnight.
IPPacket Protocol. In this case, IP stands for Internet Protocol version 4 (IPv4).
192.168.1.185.22– IP and source (local) address (the port is separated by periods)
192.168.1.150.37445– The IP address and the destination port are separated by periods (
Flags [P.]– TCP flags field. In this example, [P.] Means package Pay acknowledgment, Which is used to confirm previous packets and send data. Other signal values are as follows:
- [.] ACK (Acknowledgment)
- [S] – SYN (login)
- [P] PSH (Payment Data)
- [F] – FIN (end connection)
- [R] – RST (call reset)
- [S.] – SYN-ACK (SynAcK package)
seq 201747193:201747301Shows how much data is in the package. With the exception of the first packet in the data stream where these numbers are absolute, all subsequent packets are used as relative byte positions. In this example, the numbers are
201747193:201747301, Which means that this package contains 201747193 to 201747301 bytes of data stream. Use the options
-STo print the absolute sequence numbers.
ack 1226568763– Acknowledgment number is the next data sequence number the other party expects from this connection.
win 402– The window number is the number of bytes available in the receiver buffer.
options [nop,nop,TS val 1051794587 ecr 2679218230]TCP option.
nopOr “No processIt is the padding used to make the TCP header more than 4 bytes.
TS valIs TCP’s timestamp
ecrStands for echo response. Visit the IANA Documentation for more information on TCP options.
length 108– The length of the load data
When tcpdump runs without filtering, it captures all traffic and generates a great deal of output making it very difficult to find and analyze packages of interest.
Filters are one of the most powerful features of the tcpdump command. The filter function allows you to capture only the packets that match the expression you want. For example, when troubleshooting problems with a web server, you can use filters to get HTTP traffic only.
The tcpdump program uses the Berkeley Packet Filter (BPF) architecture to filter captured packets using various processing parameters such as IP addresses, ports, source, destination, etc.
In this article, we’ll look at some of the more popular filters. For a list of all available filters, check out the pcap-filter guide page.
Tcpdump filter by protocol
To limit the capture to a specific protocol, specify the protocol as a filter. For example, to capture only UDP traffic, the command you’ll use:
sudo tcpdump -n udp
Another way to define a protocol is to use a qualifier
proto, Followed by the protocol number. The following command will filter protocol # 17 and produce the same result as mentioned above:
sudo tcpdump -n proto 17
For more information on these numbers, check out the list of IP Protocol numbers on Wikipedia.
The host-based tcpdump filter
To capture only packets associated with a specific host, use the host qualifier:
sudo tcpdump -n host 192.168.1.185
The host can be either an IP address or a name.
You can also filter the output to a specific IP range with a qualifier
net. For example, to remove the package linked to
10.10.0.0/16, Then the command you’ll use:
sudo tcpdump -n net 10.10
Tcpdump filter by port
To restrict capture only to packets from or to
port Selected, use port qualifier. The command below captures packets associated with the SSH service (port 22) with the following command:
sudo tcpdump -n port 23
portrange It allows you to capture traffic on multiple ports:
sudo tcpdump -n portrange 110-150
Filter by source and destination
You can also filter packets by source, destination port, or host with a qualifier
src dan dstAnd and
src atau dst
The following command captures packets arriving from the host using IP 192.168.1.185:
sudo tcpdump -n src host 192.168.1.185
To find the traffic coming from any source to port 80, you can use the command:
sudo tcpdump -n dst port 80
Filters can be combined using operators
||) And the
For example, to capture all HTTP traffic originating from the source IP address 192.168.1.185, you can use this command:
sudo tcpdump -n src 192.168.1.185 and tcp port 80
You can also use parentheses to group and create more complex filters:
sudo tcpdump -n 'host 192.168.1.185 and (tcp port 80 or tcp port 443)'
To avoid parsing errors when using special characters, surround the filter with single quotation marks (
Here is an example of another command to capture all traffic except SSH from the source IP address 192.168.1.185:
sudo tcpdump -n src 192.168.1.185 and not dst port 22
Check the packaging
By default, tcpdump captures only the package headers. However, sometimes you may need to check the package content.
Tcpdump allows you to print package content in ASCII and HEX.
-A I tell you
tcpdump To print each package in ASCII and
-x In HEX:
sudo tcpdump -n -A
To display package content on HEX and ASCII, use the option
sudo tcpdump -n -X
Read and write capture results to a file
Another useful feature of tcpdump is writing packages to files. This is useful when you are capturing a large number of packets or when you want to retrieve the packets for later analysis.
To start writing to a file, use the option
-w Followed by the capture output file:
sudo tcpdump -n -w data.pcap
The above command will save the capture result in a file called
data.pcap. You can name the file however you like, but the
.pcap (Pick up the package).
When the options
-w When using it, the output is not displayed on the screen. Tcpdump writes raw packages and creates unreadable binary files with plain text editors.
To check the contents of the file, activate
tcpdump With options
sudo tcpdump -r data.pcap
If you wanna run
tcpdump In the background, add the ampersand symbol (
&At the end of it.
Captured files can also be scanned with other package analysis tools such as Wireshark.
When retrieving packages for an extended period of time, you can enable file rotation. Tcpdump allows you to create new files or run dump files at specified intervals or at fixed sizes.
The following command will create up to ten files of 200MB, with the name
file.pcap1, Etc.: before overwriting old files.
sudo tcpdump -n -W 10 -C 200 -w /tmp/file.pcap
After creating ten files, the oldest files will be overwritten.
Please note that you must run
tcpdump Only while troubleshooting.
If you want to start tcpdump at a certain time, you can use cronjob. tcpdump does not have an option to exit after a certain time. You can use commands
timeout To stop tcpdump after some time. For example, to exit after 5 minutes you might use:
sudo timeout 300 tcpdump -n -w data.pcap
tcpdump is a command-line tool for analyzing and troubleshooting network-related problems.
This article introduces you to the basics of usage and syntax
tcpdump. For more in-depth documentation, visit tcpdump.