Analyse network packets with tcpdump
What is tcpdump?
tcpdump is a command-line packet sniffing tool. It is used to capture packets sent and received by your computer, and is often used as a network administration tool to help debug networking issues. tcpdump displays a description of the contents of each captured packet, filtered by the expression passed on the command line. tcpdump must be run with root privileges.
tcpdump basic capture commands
In its simplest form tcpdump can be invoked by issuing: tcpdump
tcpdump will continue to display captured information to stdout until it receives the SIGINT signal, typically generated with Ctrl + C.
10:57:44.025286 IP server1.ubuntu > server1.centos.2986: P 462764:462912(148) ack 79613 win 16616
10:57:44.025427 IP server1.ubuntu > server1.centos.2986: P 462912:463060(148) ack 79613 win 16616
10:57:44.025538 IP server1.ubuntu > server1.centos.2986: P 463060:463208(148) ack 79613 win 16616
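To make the summary lines above usable for triage (for example, summing payload bytes per direction), here is an added example, not part of the original page, that parses the older-style TCP summary format shown above. The sample input is constructed: the three lines from the capture above plus one reverse-direction ACK and one non-packet status line.

```python
import re
from collections import defaultdict
from typing import Dict, Optional, Tuple

# Matches the TCP summary line format shown above (older tcpdump style), e.g.
# "10:57:44.025286 IP server1.ubuntu > server1.centos.2986: P 462764:462912(148) ack 79613 win 16616"
# Newer tcpdump versions print "Flags [P.], seq ..., ack ..., win ..., length ..." and are not handled here.
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) IP (?P<src>\S+) > (?P<dst>\S+): "
    r"(?P<flags>[A-Z.]+) (?:(?P<seq>\d+):(?P<seq_end>\d+)\((?P<length>\d+)\) )?"
    r"(?:ack (?P<ack>\d+) )?win (?P<win>\d+)"
)

def split_endpoint(endpoint: str) -> Tuple[str, str]:
    """Split 'host.port' at the last dot. Without -n the port may be a service name."""
    host, _, port = endpoint.rpartition(".")
    return host, port

def parse_line(line: str) -> Optional[dict]:
    """Return a dict of fields for one summary line, or None if the line does not match."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    src_host, src_port = split_endpoint(m["src"])
    dst_host, dst_port = split_endpoint(m["dst"])
    return {
        "ts": m["ts"],
        "src_host": src_host, "src_port": src_port,
        "dst_host": dst_host, "dst_port": dst_port,
        "flags": m["flags"],
        "length": int(m["length"]) if m["length"] else 0,  # payload bytes; 0 for pure ACKs
        "ack": int(m["ack"]) if m["ack"] else None,
        "win": int(m["win"]),
    }

def payload_bytes_per_flow(lines) -> Dict[Tuple[str, str], int]:
    """Sum TCP payload bytes per (src, dst) endpoint pair, skipping unparseable lines."""
    totals: Dict[Tuple[str, str], int] = defaultdict(int)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        key = (f"{rec['src_host']}.{rec['src_port']}", f"{rec['dst_host']}.{rec['dst_port']}")
        totals[key] += rec["length"]
    return dict(totals)

# Constructed sample: the three lines from the capture above, one pure ACK in the
# reverse direction, and one of tcpdump's own status lines (which must be ignored).
SAMPLE_LINES = [
    "10:57:44.025286 IP server1.ubuntu > server1.centos.2986: P 462764:462912(148) ack 79613 win 16616",
    "10:57:44.025427 IP server1.ubuntu > server1.centos.2986: P 462912:463060(148) ack 79613 win 16616",
    "10:57:44.025538 IP server1.ubuntu > server1.centos.2986: P 463060:463208(148) ack 79613 win 16616",
    "10:57:44.025601 IP server1.centos.2986 > server1.ubuntu: . ack 463208 win 65535",
    "3 packets captured",
]

if __name__ == "__main__":
    for flow, total in payload_bytes_per_flow(SAMPLE_LINES).items():
        print(f"{flow[0]} -> {flow[1]}: {total} payload bytes")
```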
Display packets in ASCII
tcpdump -c 20
By specifying the "-c" flag, we instruct tcpdump to capture only 20 packets. Once the number of captured packets reaches this value, tcpdump stops capturing.
Display the list of network interfaces on your system on which tcpdump can capture packets. Each interface found is listed with a number prefix. The number or name can then be used with the "-i" interface option.
# tcpdump -D
1.eth0
2.any (Pseudo-device that captures on all interfaces)
3.lo
tcpdump host centos01
Only display packets whose source or destination host is centos01.
Display the link level header on each dump line.
tcpdump -F filter_file_name
Capture traffic using a filter file. In the example below, we create a very simple filter file whose only content is the filter expression (here port 80):
# vi Filter_File_Name
port 80
tcpdump -i interface
Capture on a particular interface. If no interface is passed to the tcpdump command, tcpdump will search the interface list for the lowest numbered configured "up" interface. (see tcpdump -D for a list of available interfaces)
Lists the known data link types to stdout:
# tcpdump -L
Data link types (use option -y to set):
DOCSIS (DOCSIS) (not supported)
EN10MB (Ethernet
The "-n" option forces numerical addresses to be displayed instead of DNS resolution:
10:57:44.025286 IP server1.ubuntu > server1.centos.2986: P 462764:462912(148) ack 79613 win 16616
10:57:44.025427 IP server1.ubuntu > server1.centos.2986: P 462912:463060(148) ack 79613 win 16616
10:57:44.025538 IP server1.ubuntu > server1.centos.2986: P 463060:463208(148) ack 79613 win 16616
tcpdump port http
Capture port 80 (HTTP) traffic only; the service name is resolved to the port number via /etc/services.
Displays less protocol information, resulting in shorter output lines.
tcpdump -r capture_file_name
Reads packets from a file created with the "-w" option, or from a capture file saved by Wireshark.
tcpdump src 192.168.0.11 and dst 192.168.0.18 and port ftp
Display packets from source 192.168.0.11 to destination 192.168.0.18 on the FTP port.
Do not print a timestamp on each dump line.
Prints an unformatted timestamp on each dump line.
Prints a delta (in microseconds) between the current and previous line on each dump line.
Prints a timestamp in the default format, preceded by the date, on each dump line.
Capture UDP information only.
Verbose output: the time to live, identification, total length and options in an IP packet are printed.
"Very verbose" option (-vv).
"Very very verbose" option.
tcpdump -w capture_file_name
Write the raw packets to a file. They can later be read back using the "-r" option.
tcpdump -w capture_file_name -i interface
Write the raw packets from the specified interface to the specified file. They can later be read back using the "-r" option.