Tcpdump Examples - Capture Network Traffic in Linux


Tcpdump is a command-line network troubleshooting tool, also known as a packet sniffer, that captures and displays packets from a network. It lets you capture and display TCP/IP and other packets (UDP, ARP or ICMP) being transmitted or received over the network to which the computer is attached.

You can apply filters to the packets to leave out the traffic you do not want to see, and you can capture all the data crossing your local network and write it to a file for later analysis. Running the tcpdump command requires root or a user with sudo privileges.

In this tutorial, we will learn how to use tcpdump commands to analyze the traffic flowing on a Linux machine.

1) Capture traffic on an interface

When you use tcpdump without any options, it will analyze the traffic on all of the interfaces. Run the following command:

$ sudo tcpdump

Press Ctrl+C to stop it.

To capture the traffic on a specific interface, use the -i option, and limit the number of packets with the -c option.

The following tcpdump example listens on the 'ens160' interface and stops after 5 packets:

$ sudo tcpdump -i ens160 -c 5
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ens160, link-type EN10MB (Ethernet), capture size 262144 bytes
22:37:57.488830 IP Ubuntu.ssh > static.vnpt.vn.50302: Flags [P.], seq 904499689:904499877, ack 2322684183, win 501, options [nop,nop,TS val 215651573 ecr 764510174], length 188
22:37:57.489727 IP Ubuntu.33256 > dns.google.domain: 5774+ [1au] PTR? 219.62.249.14.in-addr.arpa. (55)
22:37:57.496238 IP static.vnpt.vn.50302 > Ubuntu.ssh: Flags [.], ack 188, win 2045, options [nop,nop,TS val 764510247 ecr 215651573], length 0
22:37:57.546212 ARP, Request who-has 42.112.22.189 tell 42.112.22.254, length 46
22:37:57.549223 ARP, Request who-has 42.112.22.162 tell 42.112.22.254, length 46
5 packets captured

2) Capture traffic on a specific host

You can capture incoming and outgoing packets for a specific host using the host filter expression.

$ sudo tcpdump -i ens160 -c 5 -ttttnnvvS host 14.249.62.219

Now, you can see both request and reply packets:

tcpdump: listening on ens160, link-type EN10MB (Ethernet), capture size 262144 bytes
2020-06-22 06:07:36.407733 IP (tos 0x12,ECT(0), ttl 64, id 60196, offset 0, flags [DF], proto TCP (6), length 176)
    100.9.8.40.22 > 14.249.62.219.49396: Flags [P.], cksum 0x60a7 (incorrect -> 0x8547), seq 296088568:296088692, ack 3491435441, win 501, options [nop,nop,TS val 242630491 ecr 673952638], length 124
2020-06-22 06:07:36.407905 IP (tos 0x12,ECT(0), ttl 64, id 60197, offset 0, flags [DF], proto TCP (6), length 208)
    100.9.8.40.22 > 14.249.62.219.49396: Flags [P.], cksum 0x60c7 (incorrect -> 0xeed4), seq 296088692:296088848, ack 3491435441, win 501, options [nop,nop,TS val 242630492 ecr 673952638], length 156
2020-06-22 06:07:36.407967 IP (tos 0x12,ECT(0), ttl 64, id 60198, offset 0, flags [DF], proto TCP (6), length 288)
    100.9.8.40.22 > 14.249.62.219.49396: Flags [P.], cksum 0x6117 (incorrect -> 0x82ca), seq 296088848:296089084, ack 3491435441, win 501, options [nop,nop,TS val 242630492 ecr 673952638], length 236
2020-06-22 06:07:36.408018 IP (tos 0x12,ECT(0), ttl 64, id 60199, offset 0, flags [DF], proto TCP (6), length 408)
    100.9.8.40.22 > 14.249.62.219.49396: Flags [P.], cksum 0x618f (incorrect -> 0xebc8), seq 296089084:296089440, ack 3491435441, win 501, options [nop,nop,TS val 242630492 ecr 673952638], length 356
2020-06-22 06:07:36.408049 IP (tos 0x12,ECT(0), ttl 64, id 60200, offset 0, flags [DF], proto TCP (6), length 208)
    100.9.8.40.22 > 14.249.62.219.49396: Flags [P.], cksum 0x60c7 (incorrect -> 0x3db7), seq 296089440:296089596, ack 3491435441, win 501, options [nop,nop,TS val 242630492 ecr 673952638], length 156

3) Find packets by port

To find packets to or from a specified port number, use the port filter expression.

Assuming that you want to analyze the 'ens160' network interface and limit the capture to 5 packets on port 22, run the following command:

$ sudo tcpdump -i ens160 -c 5 -nn port 22
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ens160, link-type EN10MB (Ethernet), capture size 262144 bytes
22:55:11.567754 IP 100.9.8.40.22 > 14.249.62.219.50302: Flags [P.], seq 904502461:904502649, ack 2322684399, win 501, options [nop,nop,TS val 216685651 ecr 765506106], length 188
22:55:11.567973 IP 100.9.8.40.22 > 14.249.62.219.50302: Flags [P.], seq 188:408, ack 1, win 501, options [nop,nop,TS val 216685652 ecr 765506106], length 220
22:55:11.568102 IP 100.9.8.40.22 > 14.249.62.219.50302: Flags [P.], seq 408:604, ack 1, win 501, options [nop,nop,TS val 216685652 ecr 765506106], length 196
22:55:11.568184 IP 100.9.8.40.22 > 14.249.62.219.50302: Flags [P.], seq 604:800, ack 1, win 501, options [nop,nop,TS val 216685652 ecr 765506106], length 196
22:55:11.568262 IP 100.9.8.40.22 > 14.249.62.219.50302: Flags [P.], seq 800:996, ack 1, win 501, options [nop,nop,TS val 216685652 ecr 765506106], length 196

To ignore a port when you intercept packets, use not port.

If you want to analyze all traffic on the 'ens160' network interface other than port 22, run the following command:

$ sudo tcpdump -i ens160 -nn not port 22

You may also use a range of ports to filter your network traffic.

For example, to analyze the ens160 network interface for the port range 20 through 23, run the following command:

$ sudo tcpdump -i ens160 -c 3 -nns 0 portrange 20-23

4) Capture packets from a specific protocol

You can decide whether to capture only ICMP (Internet Control Message Protocol) or only TCP (Transmission Control Protocol) packets. The following command captures only TCP packets:

$ sudo tcpdump -i ens160 -c 5 -nn tcp
Output
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ens160, link-type EN10MB (Ethernet), capture size 262144 bytes
23:13:04.283421 IP 10.9.8.40.22 > 14.249.62.219.50302: Flags [P.], seq 904505569:904505677, ack 2322684631, win 501, options [nop,nop,TS val 217758367 ecr 766570531], length 108
23:13:04.283512 IP 100.9.8.40.22 > 14.249.62.219.50302: Flags [P.], seq 108:144, ack 1, win 501, options [nop,nop,TS val 217758367 ecr 766570531], length 36
23:13:04.283588 IP 100.9.8.40.22 > 14.249.62.219.50302: Flags [P.], seq 144:260, ack 1, win 501, options [nop,nop,TS val 217758367 ecr 766570531], length 116
23:13:04.283642 IP 100.9.8.40.22 > 14.249.62.219.50302: Flags [P.], seq 260:296, ack 1, win 501, options [nop,nop,TS val 217758367 ecr 766570531], length 36
23:13:04.283863 IP 100.9.8.40.22 > 14.249.62.219.50302: Flags [P.], seq 296:508, ack 1, win 501, options [nop,nop,TS val 217758368 ecr 766570531], length 212

5) Save the capture to a file

It is possible to save the captured packets in a file. By default, when capturing packets into a file, it will save only 68 bytes of data from each packet; the rest of the packet is discarded.

Use the -s option to tell tcpdump how many bytes of each packet to save; a snapshot length of 0 tells tcpdump to save the whole packet. Run the following command:

$ sudo tcpdump -i ens160 -c 5 -nn tcp -w packets-record.pcap -s 0

Output
tcpdump: listening on ens160, link-type EN10MB (Ethernet), capture size 262144 bytes
5 packets captured

6) Read a tcpdump capture file

You can't read the content of a tcpdump capture file with common commands such as 'cat' or 'less'; you need to use the -r parameter of the tcpdump command:

$ sudo tcpdump -r packets-record.pcap 

Now you can read the content of the tcpdump capture file:

reading from file packets-record.pcap, link-type EN10MB (Ethernet)
23:18:57.823581 IP Ubuntu.ssh > static.vnpt.vn.50302: Flags [P.], seq 904507573:904507617, ack 2322684767, win 501, options [nop,nop,TS val 218111907 ecr 766921765], length 44
23:18:57.823697 IP Ubuntu.ssh > static.vnpt.vn.50302: Flags [P.], seq 44:160, ack 1, win 501, options [nop,nop,TS val 218111907 ecr 766921765], length 116
23:18:57.823778 IP Ubuntu.ssh > static.vnpt.vn.50302: Flags [P.], seq 160:196, ack 1, win 501, options [nop,nop,TS val 218111907 ecr 766921765], length 36
23:18:57.832656 IP static.vnpt.vn.50302 > Ubuntu.ssh: Flags [.], ack 44, win 2047, options [nop,nop,TS val 766921826 ecr 218111907], length 0
23:18:57.832685 IP static.vnpt.vn.50302 > Ubuntu.ssh: Flags [.], ack 160, win 2045, options [nop,nop,TS val 766921826 ecr 218111907], length 0

You may also open this pcap file in Wireshark for analysis.
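The file written by -w (section 5) and read back by -r (section 6) is in the classic pcap format, which is why cat and less only show binary noise. The following is an added example, not code from the article or from tcpdump itself: a minimal pcap reader in the Python standard library that walks the global header and the per-packet records and reports how many bytes of each packet were actually saved, so the effect of the snapshot length can be seen directly. The sample file is constructed in memory by two helpers written for this example (build_sample_pcap and make_ipv4_packet); the writer lays the file out the way tcpdump -w would for a given -s value and treats -s 0 as tcpdump's maximum of 262144 bytes.

```python
import socket
import struct

# Classic pcap magic numbers as they read when the first 4 bytes are unpacked little-endian.
PCAP_MAGIC_US = 0xA1B2C3D4       # microsecond timestamps (what tcpdump -w writes)
PCAP_MAGIC_NS = 0xA1B23C4D       # nanosecond timestamps
SWAPPED = {0xD4C3B2A1, 0x4D3CB2A1}  # same files written big-endian
LINKTYPE_ETHERNET = 1            # "link-type EN10MB (Ethernet)" in tcpdump's banner
DEFAULT_SNAPLEN = 262144         # what tcpdump uses when you pass -s 0


def make_ipv4_packet(src, dst, payload_len):
    """Constructed Ethernet/IPv4 frame (proto TCP, zeroed payload) used only as sample data."""
    eth = b"\x02" * 6 + b"\x04" * 6 + b"\x08\x00"            # dst MAC, src MAC, EtherType IPv4
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 1, 0x4000, 64, 6, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    return eth + ip + b"\x00" * payload_len


def build_sample_pcap(snaplen, packets):
    """Write a pcap file in memory the way `tcpdump -w file -s snaplen` would:
    a 24-byte global header, then a 16-byte record header plus the saved bytes per packet."""
    effective = snaplen if snaplen else DEFAULT_SNAPLEN
    out = struct.pack("<IHHiIII", PCAP_MAGIC_US, 2, 4, 0, 0, effective, LINKTYPE_ETHERNET)
    for i, pkt in enumerate(packets):
        saved = pkt[:effective]                               # the snapshot length cuts here
        out += struct.pack("<IIII", 1592784000 + i, i * 1000, len(saved), len(pkt)) + saved
    return out


def read_pcap(data):
    """Parse the global header, walk every record and report truncation per packet."""
    if len(data) < 24:
        raise ValueError("file shorter than a pcap global header")
    magic = struct.unpack("<I", data[:4])[0]
    if magic in (PCAP_MAGIC_US, PCAP_MAGIC_NS):
        e = "<"
    elif magic in SWAPPED:
        e = ">"
    else:
        raise ValueError("not a classic pcap file (pcapng starts with a different block)")
    major, minor, _tz, _sigfigs, snaplen, linktype = struct.unpack(e + "HHiIII", data[4:24])
    packets = []
    off = 24
    while off + 16 <= len(data):
        ts_sec, _ts_frac, incl_len, orig_len = struct.unpack(e + "IIII", data[off:off + 16])
        frame = data[off + 16: off + 16 + incl_len]
        if len(frame) < incl_len:
            break                                             # file cut short mid-record
        rec = {"ts": ts_sec, "incl_len": incl_len, "orig_len": orig_len,
               "truncated": incl_len < orig_len, "src": None, "dst": None}
        # Only decode addresses when the saved bytes reach the end of the IPv4 header.
        if linktype == LINKTYPE_ETHERNET and len(frame) >= 34 and frame[12:14] == b"\x08\x00":
            rec["src"] = socket.inet_ntoa(frame[26:30])
            rec["dst"] = socket.inet_ntoa(frame[30:34])
        packets.append(rec)
        off += 16 + incl_len
    return {"version": (major, minor), "snaplen": snaplen, "linktype": linktype,
            "packets": packets, "truncated": sum(p["truncated"] for p in packets)}


if __name__ == "__main__":
    sample = [make_ipv4_packet("100.9.8.40", "14.249.62.219", 26),    # 60-byte frame
              make_ipv4_packet("14.249.62.219", "100.9.8.40", 400)]   # 434-byte frame
    for snap in (68, 0):
        info = read_pcap(build_sample_pcap(snap, sample))
        print(f"snaplen {info['snaplen']}: {len(info['packets'])} packets, "
              f"{info['truncated']} truncated")
        for p in info["packets"]:
            print(f"  {p['src']} > {p['dst']} saved {p['incl_len']}/{p['orig_len']} bytes")
```

A record whose incl_len is smaller than its orig_len was cut by the snapshot length; Wireshark marks the same packets as truncated. Refusing files whose first four bytes are not one of the pcap magic values is deliberate: a parser that guesses at the layout of an unknown file is how capture tooling ends up reading attacker-controlled bytes as headers.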

7) Filter packets from a specific source

In order to filter packets that come from a specific source IP, use the src filter:

$ sudo tcpdump src 100.9.8.40

In the same way, to see traffic in the other direction, use the dst filter:

$ sudo tcpdump dst 14.249.62.219

8) Capture packets by network

To capture incoming and outgoing packets for a whole network, use the net filter. The following command captures traffic for the 192.168.0.0/24 network:

$ sudo tcpdump net 192.168.0.0/24

9) Capture packets in ASCII

To display captured packets in ASCII, use the -A option, which is handy when capturing web pages.

$ sudo tcpdump -A -i eth0

Tcpdump can also display packet contents in hex and ASCII format; use the -X option for that:

$ sudo tcpdump -X -i eth0

10) Capture IPv6 packets

We can capture IPv6 traffic using the ip6 qualifier, with proto specifying the TCP or UDP protocol number.

proto 6 - TCP

proto 17 - UDP

The following captures all IPv6 traffic using the TCP protocol:

$ sudo tcpdump -nn ip6 proto 6

11) Filter HTTP User-Agent

The following command filters the HTTP User-Agent and Host headers out of HTTP request headers:

$ sudo tcpdump -nn -A -s1500 -l | egrep -i 'User-Agent:|Host:'

To capture cookies, use the following command:

$ sudo tcpdump -nn -A -s0 -l | egrep -i 'Set-Cookie|Host:|Cookie:'

12) List available interfaces

You can use tcpdump to list the available interfaces with the -D option.

For example:

$ sudo tcpdump -D
Output
1.ens160 [Up, Running]
2.any (Pseudo-device that captures on all interfaces) [Up, Running]
3.lo [Up, Running, Loopback]
4.docker0 [Up]
5.nflog (Linux netfilter log (NFLOG) interface)
6.nfqueue (Linux netfilter queue (NFQUEUE) interface)
7.usbmon1 (USB bus number 1)
8.usbmon2 (USB bus number 2)

13) Rotate capture files

If you are capturing traffic with tcpdump for a long period, it's good practice to start a new file when a certain file size or time interval is reached.

The following command creates a new file named like 'network-02-30.pcap' (the %H-%M in the file name expands to the current hour and minute) every 30 minutes (-G 1800), limits each file to 100MB (-C 100) and keeps at most 48 files (-W 48).

$ sudo tcpdump -i ens160 -w /tmp/network-%H-%M.pcap -W 48 -G 1800 -C 100

Tcpdump options

Tcpdump provides several options that enhance or modify its output. Let's check which they are:

  • -i <interface>: Listen on the specified interface.
  • -n: Don't resolve hostnames. Use -nn to resolve neither hostnames nor port names.
  • -t, -tttt: Control the timestamp on each dump line; -tttt gives the most human-readable (date and time) output.
  • -X: Show the packet's contents in both hex and ASCII.
  • -v, -vv, -vvv: Increase the amount of packet information you get back.
  • -c N: Capture only N packets and then stop.
  • -s: Define the snaplength (snapshot size) of the capture in bytes. Use -s0 to get everything unless you intentionally want to capture less.
  • -S: Print absolute sequence numbers.
  • -q: Show less protocol information.
  • -w <file name>: Write the raw packets to file rather

The and, or and not operators

Tcpdump supports combining filter expressions with the 'and', 'or' and 'not' operators to narrow the results down to exactly what you want.

Capture traffic coming from 10.20.0.0/16 and going to the network 10.30.0.0/16, showing human-readable timestamps (tt), with no resolution of hostnames or port numbers (nn), verbose output (vv) and absolute sequence numbers (S):

$ sudo tcpdump -ttnnvvS src net 10.20.0.0/16 and dst net 10.30.0.0/16

Display traffic from source 192.168.0.10 that is not UDP:

$ sudo tcpdump src 192.168.0.10 and not udp

To capture ARP or ping (ICMP) traffic for a specific host and save the output to a file named packetfile.txt. Note that 'and' binds tighter than 'or', so the two alternatives have to be parenthesized, and the expression is quoted so the shell passes the parentheses through to tcpdump:

$ sudo tcpdump -nnti eth0 -w packetfile.txt '(arp or icmp) and host 192.168.0.1'

Tcpdump output format

Let's take one line from the tcpdump output to understand its format.

10:31:13.440803 IP Ubuntu.ssh > 117.6.129.86.50736: Flags [P.], seq 188:400, ack 1, win 501, options [nop,nop,TS val 468736347 ecr 335665367], length 212

Where:

10:31:13.440803 - Time when the packet was captured, in local time.

IP - Indicates that the packet protocol is IPv4.

Ubuntu.ssh - The source IP address or source hostname, followed by a dot and the port (here .ssh, i.e. port 22).

117.6.129.86.50736 - The destination IP address, followed by a dot and the port number.

Flags:

[P.] - This is the TCP flags field; here PSH together with ACK.

[.] - ACK (Acknowledgment).

[S] - SYN (Start Connection).

[P] - PSH (Push Data).

[F] - FIN (Finish Connection).

[R] - RST (Reset Connection).

[S.] - SYN-ACK (the SYN-ACK packet of the handshake).

seq 188:400 - The sequence number range indicates that the packet carries bytes 188 to 400 of the data stream.

win 501 - The window size, which represents the number of bytes available in the receiving buffer.

options [nop,nop,TS val 468736347 ecr 335665367] - TCP options such as MSS (Maximum Segment Size) or Window Scale. Refer to the TCP protocol options reference for more.

length 212 - The length of the payload data in bytes.
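As an added example, not from the article, here is a Python parser for the default single-line tcpdump output format described above (it handles both name-resolved and -nn lines, but not the two-line -v form), together with a small per-host summary built on the flag codes above: it counts the SYNs each host sent against the SYN-ACKs it received, which on the defender's side is a quick way to spot a source that opens many connections nobody answers. The input lines are constructed for the example (the article's own sample line plus made-up traffic from the documentation address 203.0.113.5); parse_line, flag_names, connection_summary and unanswered_syn_sources are names chosen here.

```python
import re
from collections import defaultdict

# Default (non -v) tcpdump line: "<ts> IP <src>.<sport> > <dst>.<dport>: Flags [..], <fields>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) IP6? (?P<src>\S+) > (?P<dst>\S+): Flags \[(?P<flags>[^\]]*)\], (?P<rest>.*)$"
)
OPTIONS_RE = re.compile(r"options \[(?P<opts>[^\]]*)\],? ?")

# Flag letters as tcpdump prints them, per the list in the article.
FLAG_NAMES = {"S": "SYN", ".": "ACK", "P": "PSH", "F": "FIN", "R": "RST",
              "U": "URG", "E": "ECE", "W": "CWR"}


def flag_names(flags):
    """'P.' -> ['PSH', 'ACK']; unknown letters are passed through unchanged."""
    return [FLAG_NAMES.get(c, c) for c in flags]


def split_endpoint(endpoint):
    """'100.9.8.40.22' -> ('100.9.8.40', '22'); 'Ubuntu.ssh' -> ('Ubuntu', 'ssh').
    tcpdump separates host and port with a dot, so split on the last one only."""
    host, port = endpoint.rsplit(".", 1)
    return host, port


def parse_line(line):
    """Return a dict of fields for a TCP line, or None for anything else (ARP, UDP, -v output)."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    fields = {"ts": m.group("ts"), "flags": m.group("flags")}
    fields["src"], fields["sport"] = split_endpoint(m.group("src"))
    fields["dst"], fields["dport"] = split_endpoint(m.group("dst"))
    rest = m.group("rest")
    # The options item has commas inside its brackets, so pull it out before splitting on ", ".
    opt = OPTIONS_RE.search(rest)
    fields["options"] = opt.group("opts").split(",") if opt else []
    for item in OPTIONS_RE.sub("", rest).split(", "):
        key, _, value = item.strip().partition(" ")
        if key:
            fields[key] = value          # seq, ack, win, length, ...
    fields["length"] = int(fields.get("length", 0))
    return fields


def connection_summary(lines):
    """Per host: SYNs it sent, SYN-ACKs it received, payload bytes it sent."""
    stats = defaultdict(lambda: {"syn": 0, "synack": 0, "bytes": 0})
    for line in lines:
        p = parse_line(line)
        if p is None:
            continue
        stats[p["src"]]["bytes"] += p["length"]
        if p["flags"] == "S":
            stats[p["src"]]["syn"] += 1
        elif p["flags"] == "S.":
            stats[p["dst"]]["synack"] += 1   # credited to the host whose SYN it answers
    return dict(stats)


def unanswered_syn_sources(lines, threshold=3):
    """Hosts whose SYNs exceed the SYN-ACKs they got back by at least `threshold`."""
    summary = connection_summary(lines)
    return sorted(h for h, s in summary.items() if s["syn"] - s["synack"] >= threshold)


# Constructed sample output: the article's own line, an ARP line the parser skips,
# a normal handshake from 14.249.62.219, and four unanswered SYNs from 203.0.113.5.
SAMPLE = """\
10:31:13.440803 IP Ubuntu.ssh > 117.6.129.86.50736: Flags [P.], seq 188:400, ack 1, win 501, options [nop,nop,TS val 468736347 ecr 335665367], length 212
22:37:57.546212 ARP, Request who-has 42.112.22.189 tell 42.112.22.254, length 46
22:55:10.100000 IP 14.249.62.219.50302 > 100.9.8.40.22: Flags [S], seq 2322684182, win 65535, options [mss 1460,sackOK,TS val 765506000 ecr 0,nop,wscale 6], length 0
22:55:10.100200 IP 100.9.8.40.22 > 14.249.62.219.50302: Flags [S.], seq 904502460, ack 2322684183, win 65160, options [mss 1460,sackOK,TS val 216685600 ecr 765506000,nop,wscale 7], length 0
22:55:10.110000 IP 14.249.62.219.50302 > 100.9.8.40.22: Flags [.], ack 1, win 2045, options [nop,nop,TS val 765506010 ecr 216685600], length 0
22:55:11.567754 IP 100.9.8.40.22 > 14.249.62.219.50302: Flags [P.], seq 1:189, ack 1, win 501, options [nop,nop,TS val 216685651 ecr 765506106], length 188
22:56:01.000001 IP 203.0.113.5.40001 > 100.9.8.40.22: Flags [S], seq 1, win 1024, length 0
22:56:01.000002 IP 203.0.113.5.40001 > 100.9.8.40.23: Flags [S], seq 1, win 1024, length 0
22:56:01.000003 IP 203.0.113.5.40001 > 100.9.8.40.80: Flags [S], seq 1, win 1024, length 0
22:56:01.000004 IP 203.0.113.5.40001 > 100.9.8.40.443: Flags [S], seq 1, win 1024, length 0
22:56:01.000150 IP 100.9.8.40.23 > 203.0.113.5.40001: Flags [R.], seq 0, ack 2, win 0, length 0
"""

if __name__ == "__main__":
    lines = SAMPLE.splitlines()
    for host, s in sorted(connection_summary(lines).items()):
        print(f"{host:16} syn={s['syn']} synack={s['synack']} bytes={s['bytes']}")
    print("unanswered SYN sources:", unanswered_syn_sources(lines))
```

In practice you would feed it `tcpdump -nn -l ...` through a pipe (the -l flag line-buffers the output) so the summary runs live; with name resolution on, a host shows up under its name rather than its address, as the article's own Ubuntu.ssh line does here.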

Conclusion

Although packet sniffers are useful diagnostic tools, they can also be abused. For instance, unscrupulous individuals can run packet sniffers to capture passwords that others send over the network. Depending on your network configuration, this can work even if the packet sniffer isn't running on either the sending or the receiving computer.

For this reason, many organizations have policies forbidding the use of packet sniffers except under limited circumstances.

I hope you enjoyed reading about tcpdump commands; please leave your suggestions in the comment section below.

Alain Francois 1:20 am
