tcpdump

Analyse network packets with tcpdump

What is tcpdump?


tcpdump is a command-line packet sniffing tool. It captures packets sent and received by your computer and is often used by network administrators to debug networking problems. tcpdump prints a description of each captured packet's contents, selected by the filter expression passed on the command line. tcpdump must be run with root privileges.



tcpdump basic capture commands


In its simplest form, tcpdump is invoked with no arguments at all:


tcpdump


tcpdump continues to print captured packets to stdout until it receives the SIGINT signal, typically generated by pressing Ctrl + C.

10:57:44.025286 IP server1.ubuntu > server1.centos.2986: P 462764:462912(148) ack 79613 win 16616
10:57:44.025427 IP server1.ubuntu > server1.centos.2986: P 462912:463060(148) ack 79613 win 16616
10:57:44.025538 IP server1.ubuntu > server1.centos.2986: P 463060:463208(148) ack 79613 win 16616


tcpdump -A


Display packet contents in ASCII.


tcpdump -c 20


The "-c" flag instructs tcpdump to capture only 20 packets. Once that many packets have been captured, tcpdump stops the capture.


tcpdump -D


Display the list of network interfaces on which tcpdump can capture packets. Each interface found is listed with a number prefix, and this information can then be used with the "-i" interface option.



# tcpdump -D
1.eth0
2.any (Pseudo-device that captures on all interfaces)
3.lo

tcpdump host centos01


Only display packets sent to or from the host centos01.


tcpdump -e


Display the link level header on each dump line.


tcpdump -F filter_file_name


Capture traffic using a filter expression read from a file. In the example below, we create a very simple filter file containing just a port filter (here TCP port 80):



# vi filter_file_name
port 80

tcpdump -i interface


Capture on a particular interface. If no interface is given, tcpdump searches the interface list for the lowest-numbered configured interface that is "up" (see "tcpdump -D" for a list of available interfaces).


tcpdump -L


Lists the known data link types to stdout:



# tcpdump -L
Data link types (use option -y to set):
  DOCSIS (DOCSIS) (not supported)
  EN10MB (Ethernet)

tcpdump -n


The "-n" option forces numeric addresses and port numbers to be displayed instead of resolving them to names via DNS and /etc/services. Note that the sample output below was captured without "-n", so host names still appear; with "-n" the hosts would be shown as IP addresses:



10:57:44.025286 IP server1.ubuntu > server1.centos.2986: P 462764:462912(148) ack 79613 win 16616
10:57:44.025427 IP server1.ubuntu > server1.centos.2986: P 462912:463060(148) ack 79613 win 16616
10:57:44.025538 IP server1.ubuntu > server1.centos.2986: P 463060:463208(148) ack 79613 win 16616

tcpdump port http


Capture port 80 only (the service name "http" is looked up in /etc/services and resolved to port 80).


tcpdump -q


Quiet output: print less protocol information, resulting in shorter output lines.


tcpdump -r capture_file_name


Read packets from a file created with the "-w" option or saved by Wireshark, instead of capturing from a live interface.


tcpdump src 192.168.0.11 and dst 192.168.0.18 and port ftp


Display packets from source 192.168.0.11 to destination 192.168.0.18 on the FTP port (21).


tcpdump -t


Do not print a timestamp on each dump line.


tcpdump -tt


Print an unformatted timestamp (seconds since the Unix epoch) on each dump line.


tcpdump -ttt


Print a delta (in microseconds) between the current and previous line on each dump line.


tcpdump -tttt


Print a timestamp in the default format, preceded by the date, on each dump line.


tcpdump -u


Capture UDP information only.


tcpdump -v


Verbose output: the time to live, identification, total length and options of each IP packet are printed.


tcpdump -vv


"Very verbose" option.


tcpdump -vvv


"Very Very Verbose" option.


tcpdump -w capture_file_name


Write the raw packets to a file instead of parsing and printing them. The file can later be read back with the "-r" option.


tcpdump -w capture_file_name -i interface


Write the raw packets captured on the specified interface to the specified file. These packets can later be read back with the "-r" option.
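The following script is an added example, not part of the original page: it combines the "-n", "-i", "-c", "-w" and "-r" options described above into a bounded capture-to-file workflow, and then summarises the one-line text output that tcpdump prints (the format shown in the samples above) per source/destination pair with awk. The interface name, file paths and the sample lines are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original page). Bounded capture to a pcap file,
# then a per-flow summary of "tcpdump -n -r" text output. Interface, paths and
# sample lines below are assumptions made for illustration.

# Capture $2 packets on interface $1 into pcap file $3, applying any extra
# filter words (e.g. "port 80"). -n: no name lookups, -c: stop after $2
# packets, -w: raw packets that "tcpdump -r" can read back. Requires root.
capture_to_file() {
    iface=$1; count=$2; outfile=$3; shift 3
    tcpdump -n -i "$iface" -c "$count" -w "$outfile" "$@"
}

# Read a pcap back as text with numeric addresses and date-prefixed timestamps.
dump_file() {
    tcpdump -n -tttt -r "$1"
}

# Summarise tcpdump text lines from stdin: packets and payload bytes per
# "src dst" pair. The payload length is the "(148)" after the sequence range;
# lines without it (e.g. bare ACKs) count as 0 bytes. Works with or without
# the date prefix that -tttt adds, by locating the "IP" field.
summarise_flows() {
    awk '
      {
        for (i = 1; i <= NF; i++) if ($i == "IP") break
        if (i > NF) next
        src = $(i + 1); dst = $(i + 3); sub(/:$/, "", dst)
        bytes = 0
        if (match($0, /\([0-9]+\)/)) bytes = substr($0, RSTART + 1, RLENGTH - 2)
        key = src " " dst
        pkts[key]++; total[key] += bytes
      }
      END { for (k in pkts) print k, pkts[k], total[k] }
    ' | sort
}

# Constructed sample: the three lines shown earlier on this page plus one
# ACK in the opposite direction.
SAMPLE_DUMP='10:57:44.025286 IP server1.ubuntu > server1.centos.2986: P 462764:462912(148) ack 79613 win 16616
10:57:44.025427 IP server1.ubuntu > server1.centos.2986: P 462912:463060(148) ack 79613 win 16616
10:57:44.025538 IP server1.ubuntu > server1.centos.2986: P 463060:463208(148) ack 79613 win 16616
10:57:44.025600 IP server1.centos.2986 > server1.ubuntu: . ack 463208 win 65535'

printf '%s\n' "$SAMPLE_DUMP" | summarise_flows
# Live use (as root): capture_to_file eth0 200 /tmp/web.pcap port 80 && dump_file /tmp/web.pcap | summarise_flows
```

The summary prints one line per direction: the three data segments total 444 payload bytes one way and the single ACK carries 0 bytes the other way.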