Understanding and using the Tcpdump command on Linux

tcpdump is a command-line utility that you can use to capture and inspect network traffic to and from your system.

tcpdump is the most widely used tool among network administrators and security professionals for network troubleshooting and security testing.

Despite its name, tcpdump can also capture non-TCP traffic such as UDP, ARP, or ICMP. Captured packets can be written to standard output or to a file.

One of the most powerful features of the tcpdump command is its ability to use filters and capture only the data that you want to analyze.

In this article, we'll cover the basics of how to use the tcpdump command on Linux.

Install tcpdump

Tcpdump is installed by default on most Linux distributions and on macOS. To check whether the tcpdump command is available on your system, type:

tcpdump --version

The output will look like this:

tcpdump version 4.9.2
libpcap version 1.8.1
OpenSSL 1.1.1b  26 Feb 2019

If tcpdump is not on your system, the above command will print tcpdump: command not found. You can easily install tcpdump using your distro's package manager.

Install tcpdump on Ubuntu and Debian

sudo apt update && sudo apt install tcpdump

Install tcpdump on CentOS and Fedora

sudo yum install tcpdump

Install tcpdump on Arch Linux

sudo pacman -S tcpdump

How to capture packets using tcpdump

The general syntax for the tcpdump command is as follows:

tcpdump [options] [expression]
  • The command options let you control the behavior of tcpdump while it captures data.
  • The filter expression determines which packets are captured.

Only root or a user with sudo privileges can run tcpdump. If you try to run the command as a user without sudo/root privileges, you will get an error message: "You don't have permission to capture on that device".

The simplest use case is to invoke tcpdump without any options or filters:

sudo tcpdump
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ens3, link-type EN10MB (Ethernet), capture size 262144 bytes
15:47:24.248737 IP linuxid-host.ssh > desktop-machine.39196: Flags [P.], seq 201747193:201747301, ack 1226568763, win 402, options [nop,nop,TS val 1051794587 ecr 2679218230], length 108
15:47:24.248785 IP linuxid-host.ssh > desktop-machine.39196: Flags [P.], seq 108:144, ack 1, win 402, options [nop,nop,TS val 1051794587 ecr 2679218230], length 36
15:47:24.248828 IP linuxid-host.ssh > desktop-machine.39196: Flags [P.], seq 144:252, ack 1, win 402, options [nop,nop,TS val 1051794587 ecr 2679218230], length 108

... Long output suppressed

23116 packets captured
23300 packets received by filter
184 packets dropped by kernel

Tcpdump will continue to capture packets and write them to standard output until it receives an interrupt signal. Use the Ctrl + C key combination to send an interrupt signal and stop the command.

For more verbose output, pass the -v option, or -vv for even more verbose output:

sudo tcpdump -vv

You can specify the number of packets to capture using the -c option. For example, to capture only ten packets, you would type:

sudo tcpdump -c 10

After capturing ten packets, tcpdump will stop automatically.

When no interface is specified, tcpdump uses the first interface it finds and dumps all packets going through that interface.

Use the -D option to print a list of all available network interfaces that tcpdump can capture from:

sudo tcpdump -D

For each interface, the command prints the interface name, a short description, and the associated index (number):

1.ens3 [Up, Running]
2.any (Pseudo-device that captures on all interfaces) [Up, Running]
3.lo [Up, Running, Loopback]

The output above shows that ens3 is the first interface found by tcpdump and is the one used when no interface is provided to the command. The second interface, any, is a special device that allows you to capture on all active interfaces.

To select the interface on which you want to capture traffic, invoke the command with the -i option followed by the interface name or its associated index. For example, to capture all packets from all interfaces, specify the any interface:

sudo tcpdump -i any

By default, tcpdump performs reverse DNS resolution on IP addresses and translates port numbers into service names. Use the -n option to disable this translation:

sudo tcpdump -n

By skipping the DNS lookups, tcpdump does not generate extra DNS traffic and the output becomes easier to read. Using this option is recommended whenever you run tcpdump.

Instead of displaying the output on the screen, you can redirect it to a file using the redirection operators > and >>:

sudo tcpdump -n -i any > file.out

You can also view the data in real time while saving it to a file using the tee command:

sudo tcpdump -n -l | tee file.out

The -l option in the above command tells tcpdump to make its output line-buffered. Without this option, the output is not written to the screen as each new line is generated.

Understand the output of the tcpdump command

Tcpdump displays information about each captured packet on a new line. Each line includes a timestamp and information about the packet, depending on the protocol.

The general format of a TCP line is as follows:

[Timestamp] [Protocol] [Src IP].[Src Port] > [Dst IP].[Dst Port]: [Flags], [Seq], [Ack], [Win Size], [Options], [Data Length]

Let us examine it field by field using the following line:

15:47:24.248737 IP 192.168.1.185.22 > 192.168.1.150.37445: Flags [P.], seq 201747193:201747301, ack 1226568763, win 402, options [nop,nop,TS val 1051794587 ecr 2679218230], length 108
  • 15:47:24.248737 – The timestamp of the captured packet, in local time, using the format hours:minutes:seconds.frac, where frac is the fraction of a second since midnight.
  • IP – The packet protocol. In this case, IP stands for Internet Protocol version 4 (IPv4).
  • 192.168.1.185.22 – The source (local) IP address and port, separated by a dot (.).
  • 192.168.1.150.37445 – The destination IP address and port, separated by a dot (.).
  • Flags [P.] – The TCP flags field. In this example, [P.] means Push Acknowledgment, which is used to acknowledge the previous packet and send data. Other flag values are as follows:
    • [.] – ACK (Acknowledgment)
    • [S] – SYN (Start connection)
    • [P] – PSH (Push data)
    • [F] – FIN (Finish connection)
    • [R] – RST (Reset connection)
    • [S.] – SYN-ACK (SynAcK packet)
  • seq 201747193:201747301 – The sequence number shows the data contained in the packet. Except for the first packet in the data stream, where the numbers are absolute, all subsequent packets use relative byte positions. In this example, the numbers 201747193:201747301 mean that this packet contains bytes 201747193 to 201747301 of the data stream. Use the -S option to print absolute sequence numbers.
  • ack 1226568763 – The acknowledgment number is the sequence number of the next byte of data expected from the other side of this connection.
  • win 402 – The window size is the number of bytes available in the receive buffer.
  • options [nop,nop,TS val 1051794587 ecr 2679218230] – TCP options. nop, or "no operation", is padding used to make the TCP header a multiple of 4 bytes. TS val is the TCP timestamp, and ecr stands for echo reply. See the IANA documentation for more information on TCP options.
  • length 108 – The length of the payload data.
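The line format above is regular enough to parse with standard tools. The following added example (not from the original article) uses awk to extract the fields just described from tcpdump -n output and to summarise a capture: SYN counts per source address and payload bytes per flow. The sample lines are constructed, the non-TCP DNS line shows why the parser must skip other protocols, and the function names are my own.

```shell
#!/bin/sh
# Added example (not from the original article): parse the tcpdump TCP line
# format explained above and summarise a capture. All sample lines below are
# constructed to mimic "tcpdump -n" output; the last one is a DNS (UDP) line,
# which has a different format and must be skipped.
SAMPLE='15:47:24.248737 IP 192.168.1.185.22 > 192.168.1.150.37445: Flags [P.], seq 201747193:201747301, ack 1226568763, win 402, options [nop,nop,TS val 1051794587 ecr 2679218230], length 108
15:47:24.248785 IP 192.168.1.150.37445 > 192.168.1.185.22: Flags [.], ack 108, win 501, options [nop,nop,TS val 2679218230 ecr 1051794587], length 0
15:47:25.100001 IP 192.168.1.150.51000 > 192.168.1.185.80: Flags [S], seq 100, win 64240, options [mss 1460,nop,wscale 7], length 0
15:47:25.100200 IP 192.168.1.185.80 > 192.168.1.150.51000: Flags [S.], seq 500, ack 101, win 65160, options [mss 1460], length 0
15:47:26.000000 IP 192.168.1.150.51001 > 192.168.1.185.443: Flags [S], seq 200, win 64240, options [mss 1460], length 0
15:47:26.500000 IP 192.168.1.185.53 > 192.168.1.150.40000: 12345 1/0/0 A 203.0.113.10 (48)'

# tcp_fields: read tcpdump lines on stdin, print one record per TCP segment:
#   "timestamp src_ip src_port dst_ip dst_port flags payload_length"
# Non-TCP lines (no "Flags" token in field 6) are ignored.
tcp_fields() {
  awk '
    # split_ep: "192.168.1.185.22" or "192.168.1.150.37445:" -> ip and port
    # (the last dot-separated element is the port, the rest is the address)
    function split_ep(ep, out,   n, parts, i) {
      sub(/:$/, "", ep)
      n = split(ep, parts, ".")
      out["port"] = parts[n]
      out["ip"] = parts[1]
      for (i = 2; i < n; i++) out["ip"] = out["ip"] "." parts[i]
    }
    $2 == "IP" && $6 == "Flags" {
      split_ep($3, s); split_ep($5, d)
      flags = $7; sub(/,$/, "", flags)            # "[P.]," -> "[P.]"
      flags = substr(flags, 2, length(flags) - 2)  # "[P.]"  -> "P."
      len = 0
      for (i = 1; i <= NF; i++) if ($i == "length") len = $(i + 1)
      print $1, s["ip"], s["port"], d["ip"], d["port"], flags, len
    }'
}

# syn_sources: count pure SYN segments (new connection attempts) per source
# address, highest first; one host with a large count stands out immediately.
syn_sources() {
  tcp_fields | awk '$6 == "S" { c[$2]++ } END { for (ip in c) print ip, c[ip] }' | sort -k2,2nr
}

# flow_bytes: payload bytes per direction, "src_ip:src_port>dst_ip:dst_port bytes"
flow_bytes() {
  tcp_fields | awk '{ b[$2 ":" $3 ">" $4 ":" $5] += $7 } END { for (f in b) print f, b[f] }' | sort
}

# Usage on the constructed sample; on a live host pipe "sudo tcpdump -n -l" into syn_sources
printf '%s\n' "$SAMPLE" | syn_sources
printf '%s\n' "$SAMPLE" | flow_bytes
```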

Tcpdump filter

When tcpdump is run without a filter, it captures all traffic and produces a huge amount of output, making it very hard to find and analyze the packets of interest.

Filters are one of the most powerful features of the tcpdump command. They allow you to capture only the packets that match a given expression. For example, when troubleshooting problems with a web server, you can use a filter to capture HTTP traffic only.

tcpdump uses the Berkeley Packet Filter (BPF) syntax to filter captured packets using various machine parameters such as IP addresses, ports, protocols, source, destination, etc.

In this article, we'll look at some of the most common filters. For a list of all available filters, check the pcap-filter man page.

Tcpdump filter by protocol

To restrict the capture to a particular protocol, specify the protocol as a filter. For example, to capture only UDP traffic, you would run:

sudo tcpdump -n udp

Another way to specify the protocol is to use the proto qualifier followed by the protocol number. The following command filters protocol number 17 and produces the same result as the one above:

sudo tcpdump -n proto 17

For more information on these numbers, check out the list of IP Protocol numbers on Wikipedia.

The host-based tcpdump filter

To capture only packets associated with a specific host, use the host qualifier:

sudo tcpdump -n host 192.168.1.185

The host can be either an IP address or a name.

You can also filter the output to a given IP range using the net qualifier. For example, to capture packets related to 10.10.0.0/16, you would use:

sudo tcpdump -n net 10.10

Tcpdump filter by port

To restrict the capture only to packets from or to a specific port, use the port qualifier. The command below captures packets related to the SSH service (port 22):

sudo tcpdump -n port 22

The portrange qualifier allows you to capture traffic on a range of ports:

sudo tcpdump -n portrange 110-150

Filter by source and destination

You can also filter packets by source or destination port or host using the src, dst, src and dst, and src or dst qualifiers.

The following command captures packets coming from the host with IP 192.168.1.185:

sudo tcpdump -n src host 192.168.1.185

To find the traffic coming from any source to port 80, you would use:

sudo tcpdump -n dst port 80

Complex filters

Filters can be combined using the and (&&), or (||), and not (!) operators.

For example, to capture all HTTP traffic originating from the source IP address 192.168.1.185, you can use this command:

sudo tcpdump -n src 192.168.1.185 and tcp port 80

You can also use parentheses to group and create more complex filters:

sudo tcpdump -n 'host 192.168.1.185 and (tcp port 80 or tcp port 443)'

To avoid parsing errors when using special characters, surround the filter with single quotation marks (').

Here is an example of another command to capture all traffic except SSH from the source IP address 192.168.1.185:

sudo tcpdump -n src 192.168.1.185 and not dst port 22

Inspecting packets

By default, tcpdump captures only the packet headers. However, sometimes you may need to inspect the packet contents.

Tcpdump allows you to print the packet contents in ASCII and HEX.

The -A option tells tcpdump to print each packet in ASCII, and -x in HEX:

sudo tcpdump -n -A

To display the packet contents in both HEX and ASCII, use the -X option:

sudo tcpdump -n -X

Reading and writing captures to a file

Another useful feature of tcpdump is writing packets to a file. This is handy when you are capturing a large number of packets or when you want to keep the packets for later analysis.

To start writing to a file, use the -w option followed by the output capture file:

sudo tcpdump -n -w data.pcap

The above command saves the capture to a file named data.pcap. You can name the file however you like, but it is a common convention to use the .pcap extension (packet capture).

When the -w option is used, the output is not displayed on the screen. Tcpdump writes raw packets and creates a binary file that cannot be read with a regular text editor.

To inspect the contents of the file, invoke tcpdump with the -r option:

sudo tcpdump -r data.pcap

If you want to run tcpdump in the background, add the ampersand symbol (&) at the end of the command.

The capture file can also be inspected with other packet analyzer tools such as Wireshark.

When capturing packets over a long period of time, you can enable file rotation. Tcpdump allows you to create new files and rotate the dump file at a specified time interval or fixed size.

The following command creates up to ten files of 200MB each, named file.pcap0, file.pcap1, and so on, before overwriting older files:

sudo tcpdump -n -W 10 -C 200 -w /tmp/file.pcap

Once ten files have been created, the oldest file is overwritten.

Please note that you should run tcpdump only while troubleshooting.

If you want to start tcpdump at a certain time, you can use a cron job. tcpdump does not have an option to exit after a given time. You can use the timeout command to stop tcpdump after some time. For example, to exit after 5 minutes you would use:

sudo timeout 300 tcpdump -n -w data.pcap

Conclusion

tcpdump is a command-line tool for analyzing and troubleshooting network-related problems.

This article introduced you to the basics of tcpdump usage and syntax. For more in-depth documentation, visit the tcpdump website.
