15 TCPDUMP Command Examples
tcpdump is one of the most powerful and widely used command-line tools available to Linux sysadmins. It captures and filters the TCP/IP packets received or transmitted on a specific network interface, and can save them for later analysis. Here we will look at the most commonly used tcpdump commands. Capturing packets requires root privileges (or equivalent capabilities), so the examples are shown with a root (#) prompt.
1. Capture packets on the default interface:
Run tcpdump with no arguments and it prints all traffic passing through the default interface (the first non-loopback interface that is up; to capture on every interface use the "any" pseudo-interface from example 2). Press Ctrl-C to stop. The summary printed at the end is worth reading: a non-zero "packets dropped by kernel" count means the capture missed packets and is not a complete record of what crossed the wire.
# tcpdump
20:25:24.907996 IP 192.168.100.1.52689 > microsoft.com.ssh: Flags [.], ack 274220, win 2051, length 0
20:25:25.907996 IP 192.168.100.1.52689 > microsoft.com.ssh: Flags [.], ack 274220, win 2051, length 0
2040 packets captured
2050 packets received by filter
0 packets dropped by kernel
2. Check available interfaces:
Use the -D option to list the interfaces tcpdump can capture on.
# tcpdump -D
1.eth0
2.nflog (Linux netfilter log (NFLOG) interface)
3.nfqueue (Linux netfilter queue (NFQUEUE) interface)
4.usbmon1 (USB bus number 1)
5.usbmon2 (USB bus number 2)
6.any (Pseudo-device that captures on all interfaces)
7.lo
3. Capture packets on a specific interface:
To capture traffic on a specific interface (say eth0) use the -i option.
# tcpdump -i eth0
20:25:27.907996 IP 192.168.100.1.52689 > microsoft1.com.ssh: Flags [.], ack 274220, win 2051, length 0
20:25:28.907996 IP 192.168.100.1.52689 > microsoft1.com.ssh: Flags [.], ack 274220, win 2051, length 0
235 packets captured
235 packets received by filter
0 packets dropped by kernel
4. Capture only TCP packets:
Use the tcp qualifier to capture TCP packets regardless of port (udp and icmp work the same way for those protocols). Combine it with a port expression, as in the later examples, to narrow it further.
# tcpdump -i eth0 tcp
20:37:11.843063 IP 192.168.100.1.52689 > microsoft1.com.ssh: Flags [.], ack 806156, win 2053, length 0
5. Capture packets for a specific port:
Use port <number> to capture traffic where either the source or the destination port matches. tcpdump prints service names (smtp) for well-known ports; add -nn to see numeric addresses and ports. In the output below the server answers the SYN with a RST (Flags [R.]), meaning nothing is listening on port 25.
# tcpdump -i eth0 port 25
20:40:48.240845 IP 192.168.100.1.49510 > microsoft1.com.smtp: Flags [S], seq 3457744780, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
20:40:48.240871 IP microsoft1.com.smtp > 192.168.100.1.49510: Flags [R.], seq 0, ack 3457744781, win 0, length 0
6. Capture packets from a specific source IP address:
Use src <ipaddr> to capture traffic whose source address matches.
# tcpdump -i eth0 src 192.168.100.1
20:40:48.240871 IP 192.168.100.1.ssh > 192.168.100.1.microsoft1.com: Flags [P.], seq 3364578842:3364579038, ack 4193668445, win 20904, length 196
7. Capture packets to a specific destination IP address:
Use dst <ipaddr> to capture traffic whose destination address matches. A hostname can be given instead of an address, but it is resolved once, when the filter is compiled, so the filter matches only the address(es) returned at that moment.
# tcpdump -i eth0 dst google.com
20:50:20.067925 IP localhost > bom05s10-in-f142.1e100.net: ICMP echo request, id 59148, seq 1, length 64
20:50:21.069201 IP localhost > bom05s10-in-f142.1e100.net: ICMP echo request, id 59148, seq 2, length 64
20:50:22.075599 IP localhost > bom05s10-in-f142.1e100.net: ICMP echo request, id 59148, seq 3, length 64
8. Capture packets and save them to a file:
You can always save the captured traffic to a file for later analysis with -w. Nothing is printed to the terminal while writing; stop with Ctrl-C or limit the capture with -c. Use the .pcap extension so the file is recognised by Wireshark and other tools. On older tcpdump versions add -s 0 so that whole packets are saved rather than only the first few dozen bytes of each.
# tcpdump -w output.pcap -i eth0
9. Read a tcpdump file (.pcap file):
To read a saved capture file, use the -r option. Any filter expression from the examples below can be appended, so a large capture can be narrowed down offline without re-capturing.
# tcpdump -r output.pcap
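As an added example that is not part of the original article, the script below reads a saved capture back with -r, keeps only TCP packets whose flags are exactly SYN (the start of a connection attempt, not the reply), and counts them per source address, which is a quick way to spot a port scan in a capture. The filter expression tcp[tcpflags] & (tcp-syn|tcp-ack) == tcp-syn is standard pcap-filter syntax. The file name scan.pcap and the sample output lines embedded in the script are constructed for illustration.

```shell
#!/bin/sh
# Added example: count TCP SYN-only packets per source address from a saved capture.
# Not part of the original article; scan.pcap is a hypothetical file name.

# Read a pcap with -r, printing only packets whose TCP flags are exactly SYN.
# -nn: numeric hosts and ports (no DNS lookups, so no leakage to resolvers).
# -tttt: full date and time on each line. Reading a file needs no root privileges.
dump_syns() {
    tcpdump -nn -tttt -r "$1" 'tcp[tcpflags] & (tcp-syn|tcp-ack) == tcp-syn' 2>/dev/null
}

# Count SYN packets per source IP from tcpdump text output on stdin.
# Output: "<count> <source-ip>" lines, highest count first.
count_syns() {
    awk '
        / Flags \[S\],/ {
            # the source address follows the "IP" field: ... IP 10.0.0.5.41234 > ...
            src = ""
            for (i = 1; i < NF; i++) if ($i == "IP") { src = $(i + 1); break }
            if (src == "") next            # IPv6 or unexpected line shape: skip it
            sub(/\.[0-9]+$/, "", src)      # strip the source port
            n[src]++
        }
        END { for (s in n) printf "%d %s\n", n[s], s }
    ' | sort -rn
}

# Return the source address with the most SYNs.
top_syn_source() {
    count_syns | head -n 1 | cut -d' ' -f2
}

# Constructed sample lines, shaped like "tcpdump -nn -tttt" output, used when no
# capture file is given so the script also runs offline.
SAMPLE='2017-07-21 11:01:39.162830 IP 10.0.0.5.41234 > 10.0.0.9.22: Flags [S], seq 1, win 64240, length 0
2017-07-21 11:01:39.162990 IP 10.0.0.5.41235 > 10.0.0.9.80: Flags [S], seq 2, win 64240, length 0
2017-07-21 11:01:39.163100 IP 10.0.0.5.41236 > 10.0.0.9.443: Flags [S], seq 3, win 64240, length 0
2017-07-21 11:01:40.000000 IP 10.0.0.9.22 > 10.0.0.5.41234: Flags [S.], seq 9, ack 2, win 14600, length 0
2017-07-21 11:01:41.000000 IP 10.0.0.7.50000 > 10.0.0.9.25: Flags [S], seq 4, win 64240, length 0'

# Usage: sh syn_count.sh scan.pcap   (or with no argument to use the sample lines)
if [ "${1:-}" ]; then
    dump_syns "$1" | count_syns
else
    printf '%s\n' "$SAMPLE" | count_syns
fi
```

With the sample lines the script reports 3 SYNs from 10.0.0.5 and 1 from 10.0.0.7; the SYN-ACK reply (Flags [S.]) is ignored because it is not a connection attempt. On a real file the same pcap-filter expression does the flag check inside tcpdump, so only the counting happens in awk.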
10. Capture N packets:
Use -c <N> to stop automatically after N packets have been captured.
# tcpdump -c 3 -i eth0
20:56:51.436159 IP 192.168.100.1.59130 > microsoft1.com.http: Flags [S], seq 2851557423, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
20:56:51.436189 IP microsoft1.com.http > 192.168.100.1.59130: Flags [S.], seq 869655208, ack 2851557424, win 14600, options [mss 1460,nop,nop,sackOK,nop,wscale 7], length 0
20:56:51.436563 IP 192.168.100.1.59131 > microsoft1.com.http: Flags [S], seq 3821925523, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
3 packets captured
14 packets received by filter
0 packets dropped by kernel
11. Capture packets with a human-readable timestamp:
In the examples above only the time of day is shown. Use -tttt to print the full date and time on each line (-ttt instead prints the delta since the previous line, and -t suppresses timestamps entirely). The -n option disables hostname lookups, which keeps the output fast and avoids sending DNS queries while you capture.
# tcpdump -n -tttt -i eth0
2017-07-21 11:01:39.162830 IP 192.168.100.1.52497 > microsoft1.com.ssh: . ack 49800 win 16390
12. Capture packets of size N bytes or more:
greater <N> matches packets whose length is greater than or equal to N bytes (len >= N), so the boundary value is included.
# tcpdump -i eth0 greater 1024
13. Capture packets of size N bytes or less:
less <N> matches packets whose length is less than or equal to N bytes (len <= N).
# tcpdump -i eth0 less 1024
14. Capture packets for a particular destination IP and port:
Note that port 25 matches the port in either direction; use dst port 25 if the destination port specifically must match.
# tcpdump -i eth0 dst 192.168.100.1 and port 25
15. Capture packets between a specific source and destination:
# tcpdump -i eth0 src 192.168.100.1 and dst google.com
16. Capture all packets that are not IP (for example ARP):
# tcpdump -i eth0 not tcp and not ip
Note: because TCP is carried inside IP, "not ip" already excludes all IPv4 traffic, TCP included; what remains is mostly ARP and other non-IP frames, which makes this a convenient way to see all ARP traffic. The arp qualifier selects ARP frames directly if that is all you want.