15 TCPDUMP Command Examples

tcpdump is one of the most powerful and widely used command-line tools for Linux sysadmins. It captures or filters the TCP/IP packets received or transmitted over the network on a specific interface. Here we will go through 15 of the most commonly used tcpdump commands.

1. Capture packets on all interfaces:

Run tcpdump directly and it will show all traffic passing through all interfaces:

# tcpdump
20:25:24.907996 IP 192.168.100.1.52689 > microsoft.com.ssh: Flags [.], ack 274220, win 2051, length 0
20:25:25.907996 IP 192.168.100.1.52689 > microsoft.com.ssh: Flags [.], ack 274220, win 2051, length 0
2040 packets captured
2050 packets received by filter
0 packets dropped by kernel

2. Check available interfaces:

Use the -D option to list the available interfaces.

# tcpdump -D
1.eth0
2.nflog (Linux netfilter log (NFLOG) interface)
3.nfqueue (Linux netfilter queue (NFQUEUE) interface)
4.usbmon1 (USB bus number 1)
5.usbmon2 (USB bus number 2)
6.any (Pseudo-device that captures on all interfaces)
7.lo

3. Capture packets on a specific interface:

To capture traffic on a specific interface (say eth0), use the -i option:

# tcpdump -i eth0
20:25:27.907996 IP 192.168.100.1.52689 > microsoft1.com.ssh: Flags [.], ack 274220, win 2051, length 0
20:25:28.907996 IP 192.168.100.1.52689 > microsoft1.com.ssh: Flags [.], ack 274220, win 2051, length 0
235 packets captured
235 packets received by filter
0 packets dropped by kernel

4. Capture TCP packets:

Use the tcp filter to capture only TCP traffic:

# tcpdump -i eth0 tcp
20:37:11.843063 IP 192.168.100.1.52689 > microsoft1.com.ssh: Flags [.], ack 806156, win 2053, length 0

5. Capture packets for a specific port:

Use the port <number> filter to capture traffic for a specific port.

# tcpdump -i eth0 port 25
20:40:48.240845 IP 192.168.100.1.49510 > microsoft1.com.smtp: Flags [S], seq 3457744780, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
20:40:48.240871 IP microsoft1.com.smtp > 192.168.100.1.49510: Flags [R.], seq 0, ack 3457744781, win 0, length 0

6. Capture packets for a specific source IP address:

Use the src <ipaddr> filter to capture traffic from a specific source IP address.

# tcpdump -i eth0 src 192.168.100.1
20:40:48.240871 IP 192.168.100.1.ssh > 192.168.100.1.microsoft1.com: Flags [P.], seq 3364578842:3364579038, ack 4193668445, win 20904, length 196

7. Capture packets for a specific destination IP address:

Use the dst <ipaddr> filter to capture traffic to a specific destination IP address.

# tcpdump -i eth0 dst google.com
20:50:20.067925 IP localhost > bom05s10-in-f142.1e100.net: ICMP echo request, id 59148, seq 1, length 64
20:50:21.069201 IP localhost > bom05s10-in-f142.1e100.net: ICMP echo request, id 59148, seq 2, length 64
20:50:22.075599 IP localhost > bom05s10-in-f142.1e100.net: ICMP echo request, id 59148, seq 3, length 64

8. Capture packets and save the output to a file:

You can always save the captured traffic to a file for later analysis. Use the .pcap extension for the file.

# tcpdump -w output.pcap -i eth0

9. Read a tcpdump file (.pcap file):

To read a saved capture file, use the -r option.

# tcpdump -r output.pcap

10. Capture N packets:

Use the -c option to stop after N packets have been captured:

# tcpdump -c 3 -i eth0
20:56:51.436159 IP 192.168.100.1.59130 > microsoft1.com.http: Flags [S], seq 2851557423, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
20:56:51.436189 IP microsoft1.com.http > 192.168.100.1.59130: Flags [S.], seq 869655208, ack 2851557424, win 14600, options [mss 1460,nop,nop,sackOK,nop,wscale 7], length 0
20:56:51.436563 IP 192.168.100.1.59131 > microsoft1.com.http: Flags [S], seq 3821925523, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
3 packets captured
14 packets received by filter
0 packets dropped by kernel

11. Capture packets with a human-readable timestamp:

You will notice that in the above examples the timestamps are not in a convenient format; to get output with a human-readable date and time, use -tttt:

# tcpdump -n -tttt -i eth0
2017-07-21 11:01:39.162830 IP 192.168.100.1.52497 > microsoft1.com.ssh: . ack 49800 win 16390

12. Capture packets larger than N bytes:

# tcpdump -i eth0 greater 1024

13. Capture packets smaller than N bytes:

# tcpdump -i eth0 less 1024

Note: both filters are inclusive: greater 1024 matches packets of 1024 bytes or more, and less 1024 matches packets of 1024 bytes or fewer.

14. Capture packets for a particular destination IP and port:

# tcpdump -i eth0 dst 192.168.100.1 and port 25

15. Capture packets between a source and a destination:

# tcpdump -i eth0 src 192.168.100.1 and dst google.com

16. Capture all packets except TCP and IP:

# tcpdump -i eth0 not tcp and not ip

Note: this is a good way to capture all ARP packets, since ARP is not carried over IP.
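When reviewing a capture, it helps to turn tcpdump's one-line output format (as printed in the examples above) into structured fields. The following Python is an added example, not part of the original post: it parses lines of the shape shown in examples 5, 7 and 10 (optionally with the -tttt date prefix from example 11) and flags any SYN that is answered by an RST from the peer, the refused-connection pattern visible in example 5. The sample lines are constructed copies of that format.

```python
import re

# Constructed sample in the format tcpdump prints (same shape as the SMTP
# SYN/RST pair, the ICMP echo and the HTTP handshake shown on this page).
SAMPLE = """\
20:40:48.240845 IP 192.168.100.1.49510 > microsoft1.com.smtp: Flags [S], seq 3457744780, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
20:40:48.240871 IP microsoft1.com.smtp > 192.168.100.1.49510: Flags [R.], seq 0, ack 3457744781, win 0, length 0
20:50:20.067925 IP localhost > bom05s10-in-f142.1e100.net: ICMP echo request, id 59148, seq 1, length 64
20:56:51.436159 IP 192.168.100.1.59130 > microsoft1.com.http: Flags [S], seq 2851557423, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
20:56:51.436189 IP microsoft1.com.http > 192.168.100.1.59130: Flags [S.], seq 869655208, ack 2851557424, win 14600, options [mss 1460,nop,nop,sackOK,nop,wscale 7], length 0
"""
# Optional date (from -tttt), time, "IP", src, ">", dst, then the protocol-specific tail.
LINE_RE = re.compile(r"^(?P<ts>(?:\d{4}-\d{2}-\d{2} )?\d\d:\d\d:\d\d\.\d+) IP "
                     r"(?P<src>\S+) > (?P<dst>\S+): (?P<rest>.*)$")

def _endpoint(ep, is_tcp):
    # tcpdump prints host.port for TCP/UDP; ICMP lines carry only the host.
    return tuple(ep.rsplit(".", 1)) if is_tcp and "." in ep else (ep, None)

def parse_line(line):
    """Return a dict for one tcpdump packet line, or None for anything else
    (e.g. the 'packets captured' summary lines)."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rest = m["rest"]
    proto = "icmp" if rest.startswith("ICMP") else "tcp" if "Flags [" in rest else "other"
    flags = re.search(r"Flags \[([^\]]*)\]", rest)
    length = re.search(r"length (\d+)", rest)
    return {"ts": m["ts"], "proto": proto,
            "src": _endpoint(m["src"], proto == "tcp"),
            "dst": _endpoint(m["dst"], proto == "tcp"),
            "flags": flags.group(1) if flags else "",
            "length": int(length.group(1)) if length else None}

def parse_capture(text):
    return [p for p in map(parse_line, text.splitlines()) if p]

def rejected_connections(packets):
    """Pair each bare SYN with a later RST from the peer: a refused connection
    (closed or actively rejected port), worth flagging when reviewing a capture."""
    hits = []
    for i, syn in enumerate(packets):
        if syn["proto"] != "tcp" or syn["flags"] != "S":
            continue
        for p in packets[i + 1:]:
            if (p["proto"] == "tcp" and "R" in p["flags"]
                    and p["src"] == syn["dst"] and p["dst"] == syn["src"]):
                hits.append((syn["src"][0], syn["dst"][0], syn["dst"][1]))
                break
    return hits
```

The HTTP SYN in the sample is answered by a SYN-ACK, so only the SMTP attempt is reported.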
