How to Use Tcpdump Commands with Examples

Tcpdump is a network troubleshooting command, also known as a packet sniffer, that captures and displays packets from a network. It lets you capture and display TCP/IP and other packets (UDP, ARP or ICMP) being transmitted or received over the network to which the computer is attached.

You can apply filters to the packets to leave out the traffic you do not want to see. You can also capture all the data going across your local network and save it to a file for later analysis. Running the tcpdump command requires root or a user with sudo privileges.

In this tutorial, we will learn how to use the tcpdump command to analyze the traffic flowing on a Linux machine.

Install tcpdump

Tcpdump is not installed by default, so you need to install it before using it.

On Ubuntu and Debian

# apt install tcpdump

On CentOS and Fedora

# yum install tcpdump

1) Capture traffic on all the interfaces using the tcpdump command

When you run tcpdump without any options or filters, it analyzes the traffic on all the interfaces.

The following example shows the output of the tcpdump command running without any options.

# tcpdump
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
07:41:25.886307 IP li339-47.members.linode.com.ssh > 169.255.7.5.44284: Flags [P.], seq 1435074392:1435074508, ack 4135933864, win 381, options [nop,nop,TS val 3387567505 ecr 18335689], length 116
07:41:25.886932 IP li339-47.members.linode.com.49063 > resolver08.dallas.linode.com.domain: 61296+ PTR? 5.7.255.169.in-addr.arpa. (42)
07:41:26.133811 IP 169.255.7.5.44284 > li339-47.members.linode.com.ssh: Flags [.], ack 0, win 722, options [nop,nop,TS val 18335757 ecr 3387567484], length 0
07:41:26.133851 IP li339-47.members.linode.com.ssh > 169.255.7.5.44284: Flags [P.], seq 116:232, ack 1, win 381, options [nop,nop,TS val 3387567753 ecr 18335757], length 116
07:41:26.142929 IP resolver08.dallas.linode.com.domain > li339-47.members.linode.com.49063: 61296 NXDomain 0/0/0 (42)
.....
.....
07:41:26.680521 IP li339-47.members.linode.com.ssh > 169.255.7.5.44284: Flags [P.], seq 2724:3132, ack 1, win 381, options [nop,nop,TS val 3387568299 ecr 18335894], length 408
^C
17 packets captured
18 packets received by filter
0 packets dropped by kernel

Press Ctrl+C (shown as ^C above) to stop the capture.
If you need more information, tcpdump provides several options that enhance or modify its output:

  • -i interface : Listen on the specified interface.
  • -n : Don't resolve hostnames. Use -nn to resolve neither hostnames nor port names.
  • -t : Don't print a timestamp on each dump line.
  • -X : Show the packet's contents in both hex and ASCII.
  • -v, -vv, -vvv : Increase the amount of packet information you get back.
  • -c N : Only capture N packets and then stop.
  • -s : Define the snaplen (size) of the capture in bytes. Use -s0 to get everything, unless you are intentionally capturing less.
  • -S : Print absolute sequence numbers.
  • -q : Show less protocol information.
  • -w file : Write the raw packets to file rather

Understanding Tcpdump output format

Let's take one line from the tcpdump output above to understand its format.

07:41:25.886307 IP li339-47.members.linode.com.ssh > 169.255.7.5.44284: Flags [P.], seq 1435074392:1435074508, ack 4135933864, win 381, options [nop,nop,TS val 3387567505 ecr 18335689], length 116

07:41:25.886307 - Time when the packet was captured, in local time.

IP - Indicates that the packet protocol is IPv4.

li339-47.members.linode.com.ssh - The source IP address or hostname, followed by a dot and the port; .ssh is the service name for port 22.

169.255.7.5.44284 - The destination IP address, followed by a dot (.) and the port number.

Flags [P.] - The TCP flags field. Common values:

[.] - ACK (Acknowledgment)
[S] - SYN (Start Connection)
[P] - PSH (Push Data)
[F] - FIN (Finish Connection)
[R] - RST (Reset Connection)
[S.] - SYN-ACK (SYN and ACK set in the same packet)

seq 1435074392:1435074508 - The sequence numbers indicate that the packet carries bytes '1435074392' to '1435074508' of the data stream.

win 381 - The window size, which represents the number of bytes available in the receiving buffer.

options [nop,nop,TS val 3387567505 ecr 18335689] - TCP options, such as MSS (Maximum Segment Size), Window Scale or, as here, timestamps (TS). See the TCP protocol options documentation for the full list.

length 408 - The length of the payload data in bytes.

2) List available interfaces using the tcpdump command

You can list the available interfaces with the -D parameter.

# tcpdump -D
1.eth0
2.nflog (Linux netfilter log (NFLOG) interface)
3.nfqueue (Linux netfilter queue (NFQUEUE) interface)
4.any (Pseudo-device that captures on all interfaces)
5.lo [Loopback]

With that, you can choose which interface to use.

3) Filter traffic on a specific interface and limit packets

Now you can filter the traffic on a specified interface with the -i parameter and limit the number of packets to capture with -c.

The following tcpdump command captures on the eth0 interface and stops after 5 packets.

# tcpdump -i eth0 -c 5
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
08:57:09.186418 IP li339-47.members.linode.com.ssh > 169.255.7.5.44284: Flags [P.], seq 1435431156:1435431272, ack 4135945080, win 419, options [nop,nop,TS val 3392110805 ecr 19471515], length 116
08:57:09.186855 IP li339-47.members.linode.com.33326 > resolver08.dallas.linode.com.domain: 9787+ PTR? 5.7.255.169.in-addr.arpa. (42)
08:57:09.335228 IP 134.119.220.87.45873 > li339-47.members.linode.com.60342: Flags [S], seq 3684168813, win 1024, length 0
08:57:09.335264 IP li339-47.members.linode.com.60342 > 134.119.220.87.45873: Flags [R.], seq 0, ack 3684168814, win 0, length 0
08:57:09.378999 IP 134.119.220.87.45873 > li339-47.members.linode.com.25070: Flags [S], seq 3509221600, win 1024, length 0
5 packets captured
13 packets received by filter
0 packets dropped by kernel

4) Capture data using IP address and port

In the capture above, hostnames and service names are shown instead of the numeric IP address and port number. Use -nn to display the numbers instead.

# tcpdump -i eth0 -c 5 -nn
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
09:17:09.572425 IP 96.126.114.47.22 > 169.255.7.5.44284: Flags [P.], seq 1435457792:1435457908, ack 4135947356, win 419, options [nop,nop,TS val 3393311191 ecr 19771613], length 116
09:17:09.605048 IP 96.126.114.47.32887 > 204.11.201.10.123: NTPv4, Client, length 48
09:17:09.663754 IP 204.11.201.10.123 > 96.126.114.47.32887: NTPv4, Server, length 48
09:17:09.785600 IP 169.255.7.5.44284 > 96.126.114.47.22: Flags [.], ack 0, win 722, options [nop,nop,TS val 19771669 ecr 3393311183], length 0
09:17:09.785646 IP 96.126.114.47.22 > 169.255.7.5.44284: Flags [P.], seq 116:700, ack 1, win 419, options [nop,nop,TS val 3393311404 ecr 19771669], length 584
5 packets captured
5 packets received by filter
0 packets dropped by kernel

5) Intercept packets on a specific port

You can intercept packets on a specified port number (as source or destination) with the port parameter.

# tcpdump -i eth0 -c 5 -nn port 22
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
09:27:27.773270 IP 96.126.114.47.22 > 169.255.7.5.44284: Flags [P.], seq 1435459900:1435460016, ack 4135948192, win 419, options [nop,nop,TS val 3393929392 ecr 19926162], length 116
09:27:27.773357 IP 96.126.114.47.22 > 169.255.7.5.44284: Flags [P.], seq 116:232, ack 1, win 419, options [nop,nop,TS val 3393929392 ecr 19926162], length 116
09:27:28.032620 IP 169.255.7.5.44284 > 96.126.114.47.22: Flags [.], ack 0, win 722, options [nop,nop,TS val 19926230 ecr 3393929384], length 0
09:27:28.032655 IP 96.126.114.47.22 > 169.255.7.5.44284: Flags [P.], seq 232:648, ack 1, win 419, options [nop,nop,TS val 3393929652 ecr 19926230], length 416
09:27:28.032668 IP 169.255.7.5.44284 > 96.126.114.47.22: Flags [.], ack 116, win 722, options [nop,nop,TS val 19926230 ecr 3393929392], length 0
5 packets captured
6 packets received by filter
0 packets dropped by kernel

6) Intercept packets while ignoring a specific port

You can ignore a port when intercepting packets. This is possible with the not port parameter.

# tcpdump -i eth0 -c 5 -nn not port 22
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
11:15:53.784094 IP 134.119.220.87.45873 > 96.126.114.47.32724: Flags [S], seq 1210911834, win 1024, length 0
11:15:53.784139 IP 96.126.114.47.32724 > 134.119.220.87.45873: Flags [R.], seq 0, ack 1210911835, win 0, length 0
11:15:53.910633 IP 134.119.220.87.45873 > 96.126.114.47.32724: Flags [R], seq 1210911835, win 1200, length 0
11:15:53.911319 IP 134.119.220.87 > 96.126.114.47: ICMP host 134.119.220.87 unreachable - admin prohibited, length 48
11:15:56.327699 IP 134.119.220.87.45873 > 96.126.114.47.18566: Flags [S], seq 3213454109, win 1024, length 0
5 packets captured
6 packets received by filter
0 packets dropped by kernel
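The output format walked through in "Understanding Tcpdump output format" and the "not port 22" capture above (repeated [S] probes to different ports, each answered with [R.]) are what a defender usually wants to process automatically. The following is an added example, not code from the original article: a small parser for tcpdump's -nn TCP lines and a check that reports sources sending bare SYNs to several ports without ever receiving a SYN-ACK. The function names, the threshold and the sample lines (documentation addresses, modelled on the capture above) are my own.

```python
import re
from collections import defaultdict

# Matches the TCP lines tcpdump prints with -nn (numeric hosts and ports) in the
# format walked through above. DNS, NTP and ICMP lines have no "Flags" field, so
# parse_line() returns None for them.
TCP_LINE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) IP "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): "
    r"Flags \[(?P<flags>[^\]]*)\]"
    r"(?:, seq (?P<seq>\d+)(?::(?P<seq_end>\d+))?)?"
    r"(?:, ack (?P<ack>\d+))?"
    r"(?:, win (?P<win>\d+))?"
    r".*length (?P<length>\d+)$"
)


def parse_line(line):
    """Return the fields of one tcpdump TCP line as a dict, or None."""
    m = TCP_LINE.match(line.strip())
    if not m:
        return None
    pkt = m.groupdict()
    for key in ("sport", "dport", "seq", "seq_end", "ack", "win", "length"):
        pkt[key] = int(pkt[key]) if pkt[key] is not None else None
    return pkt


def syn_scan_candidates(lines, min_ports=3):
    """Sources that sent bare SYNs ([S]) to at least min_ports distinct ports
    without ever getting a SYN-ACK ([S.]) back from those ports."""
    syns = defaultdict(set)   # src -> {(dst, dport)}
    answered = set()          # (server, server_port, client) that sent [S.]
    for p in filter(None, map(parse_line, lines)):
        if p["flags"] == "S":
            syns[p["src"]].add((p["dst"], p["dport"]))
        elif p["flags"] == "S.":
            answered.add((p["src"], p["sport"], p["dst"]))
    flagged = {}
    for src, targets in syns.items():
        unanswered = sorted(t for t in targets if (t[0], t[1], src) not in answered)
        if len(unanswered) >= min_ports:
            flagged[src] = unanswered
    return flagged


# Constructed sample modelled on the "not port 22" capture above, using
# documentation addresses: 198.51.100.7 probes three ports on 192.0.2.10 and
# only gets RSTs, while 203.0.113.5 completes a normal SSH handshake.
SAMPLE = """\
11:15:53.784094 IP 198.51.100.7.45873 > 192.0.2.10.32724: Flags [S], seq 1210911834, win 1024, length 0
11:15:53.784139 IP 192.0.2.10.32724 > 198.51.100.7.45873: Flags [R.], seq 0, ack 1210911835, win 0, length 0
11:15:53.911319 IP 198.51.100.7 > 192.0.2.10: ICMP host 198.51.100.7 unreachable - admin prohibited, length 48
11:15:56.327699 IP 198.51.100.7.45873 > 192.0.2.10.18566: Flags [S], seq 3213454109, win 1024, length 0
11:15:57.100000 IP 198.51.100.7.45873 > 192.0.2.10.25070: Flags [S], seq 3509221600, win 1024, length 0
11:15:58.000000 IP 203.0.113.5.44284 > 192.0.2.10.22: Flags [S], seq 100, win 29200, options [mss 1460], length 0
11:15:58.000100 IP 192.0.2.10.22 > 203.0.113.5.44284: Flags [S.], seq 200, ack 101, win 28960, options [mss 1460], length 0
11:15:58.500000 IP 192.0.2.10.22 > 203.0.113.5.44284: Flags [P.], seq 1:117, ack 1, win 227, options [nop,nop,TS val 1 ecr 2], length 116
""".splitlines()
```

Feed it the lines of `tcpdump -nn -r file.pcap` (or a saved `tcpdump -nn` run) and `syn_scan_candidates` returns only the scanning source with the ports it probed; the legitimate SSH client is not reported because its SYN was answered.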

7) Capture packets from a specific protocol

You can capture only icmp or only tcp packets. The following command captures only tcp packets:

# tcpdump -i eth0 -c 5 -nn tcp
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
09:49:33.371487 IP 96.126.114.47.22 > 169.255.7.5.44284: Flags [P.], seq 1435550388:1435550504, ack 4135954104, win 438, options [nop,nop,TS val 3395254990 ecr 20257561], length 116
09:49:33.371612 IP 96.126.114.47.22 > 169.255.7.5.44284: Flags [P.], seq 116:232, ack 1, win 438, options [nop,nop,TS val 3395254990 ecr 20257561], length 116
09:49:33.371788 IP 96.126.114.47.22 > 169.255.7.5.44284: Flags [P.], seq 232:452, ack 1, win 438, options [nop,nop,TS val 3395254991 ecr 20257561], length 220
09:49:33.371956 IP 96.126.114.47.22 > 169.255.7.5.44284: Flags [P.], seq 452:648, ack 1, win 438, options [nop,nop,TS val 3395254991 ecr 20257561], length 196
09:49:33.631626 IP 169.255.7.5.44284 > 96.126.114.47.22: Flags [.], ack 116, win 722, options [nop,nop,TS val 20257629 ecr 3395254981], length 0
5 packets captured
7 packets received by filter
0 packets dropped by kernel

Replace 'tcp' with 'icmp' to capture only ICMP packets.

8) Record log to some specific file

It is possible to save the captured packets in a file. By default, when capturing packets into a file, it saves only 68 bytes of data from each packet; the rest of the packet is discarded.

Use -s to tell tcpdump how many bytes of each packet to save. A snapshot length of 0 tells tcpdump to save the whole packet.

# tcpdump -i eth0 -c 5 -nn tcp -w packets-record.pcap -s 0
tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
5 packets captured
5 packets received by filter
0 packets dropped by kernel

9) Read a tcpdump record file

You can't read the content of a tcpdump capture file with common commands such as cat or less; you need to use the -r parameter of the tcpdump command instead.

# tcpdump -r packets-record.pcap 
reading from file packets-record.cap, link-type EN10MB (Ethernet)
10:06:25.310077 IP li339-47.members.linode.com.ssh > 169.255.7.5.44284: Flags [P.], seq 1435573932:1435573976, ack 4135958592, win 457, options [nop,nop,TS val 3396266929 ecr 20510549], length 44
10:06:25.565590 IP 169.255.7.5.44284 > li339-47.members.linode.com.ssh: Flags [.], ack 0, win 722, options [nop,nop,TS val 20510616 ecr 3396266919], length 0
10:06:25.565633 IP li339-47.members.linode.com.ssh > 169.255.7.5.44284: Flags [P.], seq 44:160, ack 1, win 457, options [nop,nop,TS val 3396267184 ecr 20510616], length 116
10:06:25.570384 IP 169.255.7.5.44284 > li339-47.members.linode.com.ssh: Flags [.], ack 44, win 722, options [nop,nop,TS val 20510617 ecr 3396266929], length 0
10:06:25.827438 IP 169.255.7.5.44284 > li339-47.members.linode.com.ssh: Flags [.], ack 160, win 722, options [nop,nop,TS val 20510681 ecr 3396267184], length 0
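The reason cat and less cannot show a capture file, and what the -s snapshot length from section 8 actually does to it, both come down to the pcap file layout. As an added example that is not from the original article, the following writes two constructed Ethernet frames in pcap format the way `tcpdump -w` would for a given snaplen, then reads the file back, decoding the 24-byte file header (magic number, snaplen, link type) and each packet record to report which packets were cut short. The function names, frame contents and the 262144 stand-in for "-s 0" are my own choices; the header layout is the standard pcap format.

```python
import os
import struct
import tempfile

# The pcap file header (24 bytes) as tcpdump -w writes it, native byte order:
# magic, version major/minor, thiszone, sigfigs, snaplen, link type. The binary
# magic number is why cat/less show garbage: the file is not text.
PCAP_MAGIC = 0xA1B2C3D4
LINKTYPE_ETHERNET = 1            # printed as "link-type EN10MB (Ethernet)"
MAX_SNAPLEN = 262144             # what tcpdump uses when you pass -s 0
FILE_HDR = struct.Struct("=IHHiIII")
PKT_HDR = struct.Struct("=IIII")  # ts_sec, ts_usec, incl_len, orig_len


def write_pcap(path, frames, snaplen):
    """Write constructed frames the way 'tcpdump -w path -s snaplen' would:
    each frame is cut to snaplen bytes, but its original length is recorded."""
    limit = snaplen or MAX_SNAPLEN
    with open(path, "wb") as f:
        f.write(FILE_HDR.pack(PCAP_MAGIC, 2, 4, 0, 0, limit, LINKTYPE_ETHERNET))
        for ts_sec, ts_usec, frame in frames:
            captured = frame[:limit]
            f.write(PKT_HDR.pack(ts_sec, ts_usec, len(captured), len(frame)))
            f.write(captured)


def read_pcap(path):
    """Parse the file header and every packet record, flagging truncation."""
    with open(path, "rb") as f:
        magic, major, minor, _, _, snaplen, linktype = FILE_HDR.unpack(f.read(FILE_HDR.size))
        if magic != PCAP_MAGIC:
            raise ValueError("not a native-order pcap file (magic %#x)" % magic)
        packets = []
        while True:
            hdr = f.read(PKT_HDR.size)
            if len(hdr) < PKT_HDR.size:
                break
            ts_sec, ts_usec, incl_len, orig_len = PKT_HDR.unpack(hdr)
            packets.append({"ts": ts_sec + ts_usec / 1e6, "captured": incl_len,
                            "original": orig_len, "truncated": incl_len < orig_len,
                            "data": f.read(incl_len)})
    return {"version": (major, minor), "snaplen": snaplen,
            "linktype": linktype, "packets": packets}


# Constructed frames: a 54-byte frame (Ethernet + IP + TCP headers, no payload)
# and a 170-byte frame carrying 116 bytes of payload, like the SSH segments above.
FRAMES = [(1523354785, 310077, bytes(54)),
          (1523354785, 565633, bytes(54) + b"\x55" * 116)]


def demo(snaplen=68):
    """Write FRAMES with the given snaplen, read them back, return the result."""
    path = os.path.join(tempfile.gettempdir(), "snaplen-demo.pcap")
    write_pcap(path, FRAMES, snaplen)
    return read_pcap(path)
```

With the default 68-byte snaplen the second frame is stored truncated (68 of 170 bytes, so its payload is gone), while `demo(snaplen=0)` keeps both frames whole and records the full 262144 snaplen in the header.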

10) Capture packets with more information

You can look at the traffic in more depth by combining several options in one command to get exactly the detail you need.

# tcpdump -i eth0 -c 5 -ttttnnvvS
tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
2018-04-10 10:32:36.073756 IP (tos 0x10, ttl 64, id 14601, offset 0, flags [DF], proto TCP (6), length 96)
    96.126.114.47.22 > 169.255.7.5.44284: Flags [P.], cksum 0x8404 (incorrect -> 0x570b), seq 1435611412:1435611456, ack 4135969472, win 495, options [nop,nop,TS val 3397837693 ecr 20903238], length 44
2018-04-10 10:32:36.073896 IP (tos 0x10, ttl 64, id 14602, offset 0, flags [DF], proto TCP (6), length 168)
    96.126.114.47.22 > 169.255.7.5.44284: Flags [P.], cksum 0x844c (incorrect -> 0x14ec), seq 1435611456:1435611572, ack 4135969472, win 495, options [nop,nop,TS val 3397837693 ecr 20903238], length 116
2018-04-10 10:32:36.074118 IP (tos 0x10, ttl 64, id 14603, offset 0, flags [DF], proto TCP (6), length 200)
    96.126.114.47.22 > 169.255.7.5.44284: Flags [P.], cksum 0x846c (incorrect -> 0x52d8), seq 1435611572:1435611720, ack 4135969472, win 495, options [nop,nop,TS val 3397837693 ecr 20903238], length 148
2018-04-10 10:32:36.083469 IP (tos 0x8, ttl 53, id 26190, offset 0, flags [none], proto ICMP (1), length 68)
    134.119.220.87 > 96.126.114.47: ICMP host 134.119.220.87 unreachable - admin prohibited, length 48
        IP (tos 0x28, ttl 48, id 23212, offset 0, flags [DF], proto TCP (6), length 40)
    96.126.114.47.47317 > 134.119.220.87.45873: Flags [R.], cksum 0x5362 (correct), seq 0, ack 96384300, win 0, length 0
2018-04-10 10:32:36.084338 IP (tos 0x0, ttl 244, id 32726, offset 0, flags [none], proto TCP (6), length 40)
    134.119.220.87.45873 > 96.126.114.47.47317: Flags [R], cksum 0x4ec2 (correct), seq 96384300, win 1200, length 0
5 packets captured
5 packets received by filter
0 packets dropped by kernel

11) Capture packets coming from a remote host

To show only packets coming from a specific IP address, use the src parameter.

# tcpdump -i eth0 -c 5 -ttttnnvvS src host 96.126.114.1
tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
2018-04-10 11:27:28.498964 ARP, Ethernet (len 6), IPv4 (len 4), Reply 96.126.114.1 is-at 00:00:0c:9f:f0:06, length 46
2018-04-10 11:28:08.614258 ARP, Ethernet (len 6), IPv4 (len 4), Reply 96.126.114.1 is-at 00:00:0c:9f:f0:06, length 46
2018-04-10 11:28:53.621982 ARP, Ethernet (len 6), IPv4 (len 4), Reply 96.126.114.1 is-at 00:00:0c:9f:f0:06, length 46
2018-04-10 11:29:33.511165 ARP, Ethernet (len 6), IPv4 (len 4), Reply 96.126.114.1 is-at 00:00:0c:9f:f0:06, length 46
2018-04-10 11:30:13.837251 ARP, Ethernet (len 6), IPv4 (len 4), Reply 96.126.114.1 is-at 00:00:0c:9f:f0:06, length 46
5 packets captured
5 packets received by filter
0 packets dropped by kernel

Only the packets sent by that host are shown.

12) Capture packets destined to a remote host

It is possible to show only packets that have a specific destination using the dst option.

For example, you can show packets destined to the router.

# tcpdump -i eth0 -c 5 -ttttnnvvS dst host 96.126.114.1
tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
2018-04-10 11:34:15.107495 ARP, Ethernet (len 6), IPv4 (len 4), Request who-has 96.126.114.1 tell 96.126.114.47, length 28
2018-04-10 11:35:00.547492 ARP, Ethernet (len 6), IPv4 (len 4), Request who-has 96.126.114.1 tell 96.126.114.47, length 28
2018-04-10 11:35:47.907837 ARP, Ethernet (len 6), IPv4 (len 4), Request who-has 96.126.114.1 tell 96.126.114.47, length 28
2018-04-10 11:36:12.867576 ARP, Ethernet (len 6), IPv4 (len 4), Request who-has 96.126.114.1 tell 96.126.114.47, length 28
2018-04-10 11:36:39.534063 ARP, Ethernet (len 6), IPv4 (len 4), Request who-has 96.126.114.1 tell 96.126.114.47, length 28
5 packets captured
5 packets received by filter
0 packets dropped by kernel

Here only the packets sent to that host are shown.

13) Capture both incoming and outgoing packets of a specific host

In the two commands above, we used src and dst to capture the packets coming from and going to a specific host in two separate captures. It is possible to do both at once with the host parameter alone.

# tcpdump -i eth0 -c 5 -ttttnnvvS host 96.126.114.1
tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
2018-04-10 11:37:49.720992 ARP, Ethernet (len 6), IPv4 (len 4), Request who-has 96.126.114.1 tell 96.126.114.47, length 28
2018-04-10 11:37:49.725683 ARP, Ethernet (len 6), IPv4 (len 4), Reply 96.126.114.1 is-at 00:00:0c:9f:f0:06, length 46
2018-04-10 11:38:14.894130 ARP, Ethernet (len 6), IPv4 (len 4), Request who-has 96.126.114.1 tell 96.126.114.47, length 28
2018-04-10 11:38:14.900008 ARP, Ethernet (len 6), IPv4 (len 4), Reply 96.126.114.1 is-at 00:00:0c:9f:f0:06, length 46
2018-04-10 11:38:39.854051 ARP, Ethernet (len 6), IPv4 (len 4), Request who-has 96.126.114.1 tell 96.126.114.47, length 28
5 packets captured
5 packets received by filter
0 packets dropped by kernel

Now you can see both request and reply packets.

14) Capture packets using a port range

It is possible to specify a range of ports with portrange when capturing your network traffic.

# tcpdump -i eth0 -c 3 -nns 0 portrange 20-23
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
11:59:45.996312 IP 96.126.114.47.22 > 169.255.7.5.44284: Flags [P.], seq 1435738516:1435738632, ack 4136021820, win 875, options [nop,nop,TS val 3403067615 ecr 22210718], length 116
11:59:45.996512 IP 96.126.114.47.22 > 169.255.7.5.44284: Flags [P.], seq 116:232, ack 1, win 875, options [nop,nop,TS val 3403067615 ecr 22210718], length 116
11:59:45.996728 IP 96.126.114.47.22 > 169.255.7.5.44284: Flags [P.], seq 232:452, ack 1, win 875, options [nop,nop,TS val 3403067616 ecr 22210718], length 220
3 packets captured
5 packets received by filter
0 packets dropped by kernel

Some Practical Examples

Let's check some practical examples for tcpdump command.

Tcpdump to rotate capture files based on size

If you are capturing traffic with tcpdump for a long period, it is good to start a new file once a certain file size or time span is reached. For this, we use the -W, -G and -C options.

The following command creates a new 'network-02-30.pcap' file every 30 mins (-G 1800), limited to 100MB per file (-C 100), keeping a count of 24 files (-W 48).

$ sudo tcpdump -i en0 -w /tmp/network-%H-%M.pcap -W 48 -G 300 -C 100

Filter HTTP User-Agent

We can pipe tcpdump output through grep or egrep.

The following command filters the HTTP User-Agent and Host fields from HTTP request headers:

$ sudo tcpdump -nn -A -s1500 -l | egrep -i 'User-Agent:|Host:'

The following command captures cookies:

$ sudo tcpdump -nn -A -s0 -l | egrep -i 'Set-Cookie|Host:|Cookie:'

Capture IPv6 packets

We can capture IPv6 traffic using the ip6 qualifier, and proto to select the TCP or UDP protocol.

proto 6 - TCP

proto 17 - UDP

The following captures all IPv6 traffic using the TCP protocol:

$ sudo tcpdump -nn ip6 proto 6

Conclusion

Although packet sniffers are useful diagnostic tools, they can also be abused. For instance, unscrupulous individuals can run packet sniffers to capture passwords that others send over the network. Depending on your network configuration, this trick can work even if the packet sniffer isn’t running on either the sending or the receiving computer. For this reason, many organizations have policies forbidding the use of packet sniffers except under limited circumstances.

I hope you enjoyed reading this tcpdump tutorial; please leave your suggestions in the comment section below.

Alain Francois 1:20 am
