Network Traffic Capture In Linux - Tcpdump Examples

Posted on: March 20, 2011, last updated on: October 1, 2016

Linux tcpdump

tcpdump is a command-line packet capture tool (packet analyzer) that works on most Unix-like operating systems. You can also call it a packet sniffer, since it operates at the packet level. It allows users to capture and display TCP/IP and other packets being transmitted or received over the network to which the computer is attached. tcpdump lets us save captured packets to a file, and that file can later be read back with the same tcpdump command. You can save whole packets or only part of each packet (the headers). This tool is useful for debugging network-related programs.

Running tcpdump requires root access. If you run the tcpdump command without any arguments, it captures on only the first interface.

Example: 1

[root@localhost ~]# tcpdump
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
20:40:05.476058 IP > P 1332790522:1332790638(116) ack 1730983578 win 9648
20:40:05.540049 IP > . ack 116 win 65143
20:40:05.540063 IP > P 116:232(116) ack 1 win 9648
20:40:05.479050 IP > 48326+ PTR? (44)
20:40:05.510808 IP > 48326 NXDomain 0/1/0 (121)

By default, tcpdump produces one line of text for every packet it intercepts. Each line starts with a timestamp telling when the packet arrived.

a) Time of packet arrival: 20:40:05.476058

b) Protocol name: IP. tcpdump understands only a limited number of protocols. It won't tell you the difference between packets belonging to, for instance, an HTTP stream and an FTP stream; instead, it marks such packets simply as IP packets. It has some limited understanding of TCP: for instance, it identifies TCP flags such as SYN, ACK and FIN.

c) Source and destination address (the source > destination part of the line): for IP packets, these are IP addresses. For other protocols, tcpdump does not print any identifiers unless explicitly asked to do so.

d) Information about the packet (P 1332790522:1332790638(116) ack 1730983578 win 9648): for instance, it prints the TCP flags, the sequence numbers (here 116 bytes of payload), the acknowledgement number and the window size.
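The one-line-per-packet format described above is easy to parse into structured records, which is handy when you want to filter or count packets from a text capture after the fact (for example, dropping ssh traffic the way the "not port 22" filter below does on the wire). The following Python parser is an added example and not part of the original post; the sample lines are constructed, with made-up addresses and ports written in the numeric form tcpdump prints with -n.

```python
import re
from dataclasses import dataclass
from typing import Optional
# Constructed sample of tcpdump's default one-line-per-packet output, in the
# older "P/./S/F" flag style shown on this page; addresses and ports are made up.
SAMPLE_LINES = """\
20:40:05.476058 IP 192.0.2.10.22 > 198.51.100.5.51234: P 1332790522:1332790638(116) ack 1730983578 win 9648
20:40:05.540049 IP 198.51.100.5.51234 > 192.0.2.10.22: . ack 116 win 65143
20:40:05.479050 IP 192.0.2.10.45678 > 192.0.2.1.53: 48326+ PTR? 5.100.51.198.in-addr.arpa. (44)
20:40:05.510808 IP 192.0.2.1.53 > 192.0.2.10.45678: 48326 NXDomain 0/1/0 (121)
"""
# Common prefix: timestamp, protocol name, "src > dst:" and the protocol-specific rest
LINE_RE = re.compile(r"^(?P<ts>\d\d:\d\d:\d\d\.\d{6}) (?P<proto>\S+) "
                     r"(?P<src>\S+) > (?P<dst>\S+): (?P<rest>.*)$")
# TCP rest: flags, optional "seq_lo:seq_hi(len)", optional "ack N", then "win N"
TCP_RE = re.compile(r"^(?P<flags>[SFRP.]+) (?:\d+:\d+\((?P<len>\d+)\) )?"
                    r"(?:ack (?P<ack>\d+) )?win (?P<win>\d+)")

@dataclass
class Packet:
    ts: str
    proto: str
    src: str                      # host.port as tcpdump prints it with -n
    dst: str
    rest: str                     # untouched protocol-specific text
    flags: Optional[str] = None   # the fields below are filled only for TCP lines
    payload_len: int = 0
    ack: Optional[int] = None
    win: Optional[int] = None

def port_of(endpoint):  # with -n the port is the last dotted component of host.port
    return int(endpoint.rsplit(".", 1)[1])

def parse_line(line):
    m = LINE_RE.match(line)
    if not m:
        return None                # not a packet summary line (e.g. the banner)
    pkt = Packet(m["ts"], m["proto"], m["src"], m["dst"], m["rest"])
    t = TCP_RE.match(m["rest"])
    if t:
        pkt.flags = t["flags"]
        pkt.payload_len = int(t["len"] or 0)
        pkt.ack = int(t["ack"]) if t["ack"] else None
        pkt.win = int(t["win"])
    return pkt

def parse_capture(text):
    return [p for p in map(parse_line, text.splitlines()) if p]

def exclude_port(packets, port):
    """Post-hoc equivalent of the capture filter 'not port N'."""
    return [p for p in packets if port not in (port_of(p.src), port_of(p.dst))]
```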

Example: 2

Packet capturing on a selected interface.

[root@localhost ~]# tcpdump -i eth0
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
20:54:42.574296 IP > P 1333246686:1333246802(116) ack 1730991782 win 12456
20:54:42.631981 IP > P 116:232(116) ack 1 win 12456

With the above command, we dump the packets arriving on and sent through the eth0 interface.

Example: 3

Ignoring packets that belong to a particular service. Here we are ignoring the ssh service packets (port 22).

[root@localhost ~]# tcpdump -i eth0 not port 22

Example: 4

[root@localhost ~]# tcpdump -c 10 -i eth0

The -c option tells tcpdump to limit the number of packets it intercepts. You specify the number of packets you want to see; tcpdump will capture that many packets and then exit.

Example: 5

[root@localhost ~]# tcpdump -ni eth0 -c 10 not port 22

The above command limits the number of packets it intercepts to 10 and ignores packets belonging to port 22 (-n additionally disables host and port name resolution).

Example: 6

Saving captured packets to a file:

[root@localhost ~]# tcpdump -w aloft.cap -s 0

By default, when capturing packets to a file, it saves only the first 68 bytes of data from each packet. The rest of the packet is discarded.

In the above command, the -s switch tells tcpdump how many bytes of each packet to save; specifying 0 as the snapshot length tells tcpdump to save the whole packet.

Example: 7

Reading from captured file:

[root@localhost ~]# tcpdump -r aloft.cap
reading from file file.cap, link-type EN10MB (Ethernet)
21:06:27.179580 IP > P 174443707:174443759(52) ack 315242176 win 9648

The above command reads the captured packets back from the file.

Example: 8

To watch all incoming HTTP requests on interface eth0:

[root@localhost ~]# tcpdump -i eth0 dst port 80

Example: 9

To capture the first 25 packets on eth0 and then quit:

[root@localhost ~]# tcpdump -i eth0 -c 25 -n

Example: 10

To display all ICMP packets sent on eth0:

[root@localhost ~]# tcpdump icmp -i eth0
