Network Traffic Capture In Linux - Tcpdump Examples

Linux tcpdump

tcpdump is a packet capture and analysis tool (a packet sniffer that works at the packet level) available on most Unix-like operating systems. It lets users capture and display TCP/IP and other packets being transmitted or received over the network the computer is attached to. tcpdump can also save captured packets to a file, which can later be read back with the same tcpdump command; you can save whole packets or only part of each packet (the headers). This makes it useful for debugging network-related programs.

Running tcpdump requires root access. If you run tcpdump without any arguments, it captures on only one interface: the first configured, non-loopback interface it finds.

Example: 1

[[email protected] ~]# tcpdump
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
20:40:05.476058 IP 192.168.1.100.ssh > 192.168.1.115.timbuktu-srv2: P 1332790522:1332790638(116) ack 1730983578 win 9648
20:40:05.540049 IP 192.168.1.115.timbuktu-srv2 > 192.168.1.100.ssh: . ack 116 win 65143
20:40:05.540063 IP 192.168.1.100.ssh > 192.168.1.115.timbuktu-srv2: P 116:232(116) ack 1 win 9648
20:40:05.479050 IP 192.168.1.100.filenet-nch > 218.248.255.139.domain: 48326+ PTR? 115.1.168.192.in-addr.arpa. (44)
20:40:05.510808 IP 218.248.255.139.domain > 192.168.1.100.filenet-nch: 48326 NXDomain 0/1/0 (121)

By default, tcpdump prints one line of text for every packet it intercepts. Each line starts with a timestamp that tells when the packet arrived.

a) Time of packet arrival: 20:40:05.476058

b) Protocol name: IP. tcpdump understands only a limited number of protocols. It will not tell you whether a packet belongs to an HTTP stream or, for instance, an FTP stream; it simply marks such packets as IP packets. It has some limited understanding of TCP: for instance, it identifies TCP control packets such as SYN, ACK and FIN.

c) Source and destination addresses (192.168.1.100.ssh > 192.168.1.115.timbuktu-srv2): for IP packets these are the IP addresses, each followed by the port number or service name. For other protocols, tcpdump prints no identifiers unless explicitly asked to do so.

d) Information about the packet (P 1332790522:1332790638(116) ack 1730983578 win 9648): for instance, the TCP flags, the sequence number range, the acknowledgement number and the window size.
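The fields just described can be pulled apart programmatically. The following Python script is an added example, not part of the original article: it parses the one-line output format shown in Example 1 (the five lines above are reused as input), splits each endpoint into host and port, decodes the old-style TCP summary (flags, sequence range, payload length, ack, window) where present, and sums payload bytes per direction of each flow. Function and class names are my own.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# The five output lines from Example 1 above, reused as sample input.
SAMPLE_LINES = """\
20:40:05.476058 IP 192.168.1.100.ssh > 192.168.1.115.timbuktu-srv2: P 1332790522:1332790638(116) ack 1730983578 win 9648
20:40:05.540049 IP 192.168.1.115.timbuktu-srv2 > 192.168.1.100.ssh: . ack 116 win 65143
20:40:05.540063 IP 192.168.1.100.ssh > 192.168.1.115.timbuktu-srv2: P 116:232(116) ack 1 win 9648
20:40:05.479050 IP 192.168.1.100.filenet-nch > 218.248.255.139.domain: 48326+ PTR? 115.1.168.192.in-addr.arpa. (44)
20:40:05.510808 IP 218.248.255.139.domain > 192.168.1.100.filenet-nch: 48326 NXDomain 0/1/0 (121)
"""

# timestamp, protocol, "src > dst:" and the rest of the line
LINE_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) (?P<proto>\S+) "
    r"(?P<src>[^\s:]+) > (?P<dst>[^\s:]+): (?P<info>.*)$"
)
# old-style TCP summary: flag letters, optional "start:end(len)" sequence
# range, optional "ack N", then "win N"
TCP_RE = re.compile(
    r"^(?P<flags>[A-Z.]+) "
    r"(?:(?P<seq_start>\d+):(?P<seq_end>\d+)\((?P<length>\d+)\) )?"
    r"(?:ack (?P<ack>\d+) )?win (?P<win>\d+)"
)


@dataclass
class Packet:
    ts: str
    proto: str
    src_host: str
    src_port: str      # a service name like "ssh" unless tcpdump was run with -n
    dst_host: str
    dst_port: str
    info: str
    flags: Optional[str] = None
    seq_start: Optional[int] = None
    seq_end: Optional[int] = None
    length: int = 0    # TCP payload bytes; 0 for pure ACKs and non-TCP lines
    ack: Optional[int] = None
    win: Optional[int] = None


def split_endpoint(endpoint: str) -> Tuple[str, str]:
    """'192.168.1.100.ssh' -> ('192.168.1.100', 'ssh'): the last dot separates host and port."""
    host, _, port = endpoint.rpartition(".")
    return host, port


def parse_line(line: str) -> Optional[Packet]:
    m = LINE_RE.match(line.strip())
    if not m:
        return None   # banner lines such as "listening on eth0 ..." are skipped
    src_host, src_port = split_endpoint(m["src"])
    dst_host, dst_port = split_endpoint(m["dst"])
    pkt = Packet(m["ts"], m["proto"], src_host, src_port, dst_host, dst_port, m["info"])
    t = TCP_RE.match(m["info"])
    if t:   # DNS and other non-TCP summaries leave the TCP fields unset
        pkt.flags = t["flags"]
        pkt.seq_start = int(t["seq_start"]) if t["seq_start"] else None
        pkt.seq_end = int(t["seq_end"]) if t["seq_end"] else None
        pkt.length = int(t["length"]) if t["length"] else 0
        pkt.ack = int(t["ack"]) if t["ack"] else None
        pkt.win = int(t["win"])
    return pkt


def parse_capture(text: str) -> List[Packet]:
    return [p for p in (parse_line(line) for line in text.splitlines()) if p]


def payload_bytes_per_flow(packets: List[Packet]) -> Dict[Tuple[str, str], int]:
    """Sum TCP payload bytes per (src, dst) direction, keyed by 'host.port' strings."""
    totals: Dict[Tuple[str, str], int] = {}
    for p in packets:
        if p.flags is None:
            continue   # not a TCP summary line
        key = (f"{p.src_host}.{p.src_port}", f"{p.dst_host}.{p.dst_port}")
        totals[key] = totals.get(key, 0) + p.length
    return totals


if __name__ == "__main__":
    pkts = parse_capture(SAMPLE_LINES)
    for p in pkts:
        print(p.ts, p.proto, f"{p.src_host}:{p.src_port} -> {p.dst_host}:{p.dst_port}", p.flags, p.length)
    for (src, dst), n in payload_bytes_per_flow(pkts).items():
        print(f"{src} -> {dst}: {n} payload bytes")
```

The endpoints carry service names (ssh, domain) rather than numbers because the capture was taken without -n, so the parser keeps ports as strings. The regexes target the older output format reproduced on this page; newer tcpdump releases print TCP details differently (for example "Flags [P.], seq ..."), so the TCP pattern would need adjusting there.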

Example: 2

Packet capturing on a selected interface.

[[email protected] ~]# tcpdump -i eth0
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
20:54:42.574296 IP 192.168.1.100.ssh > 192.168.1.115.timbuktu-srv2: P 1333246686:1333246802(116) ack 1730991782 win 12456
20:54:42.631981 IP 192.168.1.100.ssh > 192.168.1.115.timbuktu-srv2: P 116:232(116) ack 1 win 12456

The above command captures the packets arriving on and sent through the eth0 interface.

Example: 3

Ignoring the packets belonging to a particular service. Here we are ignoring the SSH service packets:

[[email protected] ~]# tcpdump -i eth0 not port 22

Example: 4

[[email protected] ~]# tcpdump -c 10 -i eth0

The -c option tells tcpdump to limit the number of packets it intercepts. You specify how many packets you want to see; tcpdump captures that many packets and then exits.

Example: 5

[[email protected] ~]# tcpdump -ni eth0 -c 10 not port 22

The above command limits the number of packets it intercepts to 10 and ignores the packets belonging to port number 22. The -n switch stops tcpdump from resolving addresses and ports to names.

Example: 6

Saving captured packets to a file:

[[email protected] ~]# tcpdump -w aloft.cap -s 0

By default, when capturing packets into a file, tcpdump saves only the first 68 bytes of data from each packet. The rest of the packet is discarded.

In the above command, the -s switch tells tcpdump how many bytes of each packet to save; specifying 0 as the snapshot length tells tcpdump to save the whole packet.

Example: 7

Reading from captured file:

[[email protected] ~]# tcpdump -r aloft.cap
reading from file file.cap, link-type EN10MB (Ethernet)
21:06:27.179580 IP 192.168.1.100.ssh > 192.168.1.115.triquest-lm: P 174443707:174443759(52) ack 315242176 win 9648

The above command reads the captured packets back from the file.
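To make the snapshot-length behaviour of Examples 6 and 7 concrete, here is an added Python example (not code from the article or from the tcpdump project) that writes and reads the pcap file format tcpdump uses for -w and -r. It builds one constructed 200-byte Ethernet frame, saves it once with a 68-byte snapshot length and once with -s 0, and compares each record's incl_len (bytes stored in the file) with its orig_len (bytes seen on the wire). The 262144 value is what tcpdump substitutes for -s 0 in current releases; the frame contents and timestamps are constructed, and the function names are my own.

```python
import struct
from dataclasses import dataclass
from typing import List, Tuple

PCAP_MAGIC = 0xA1B2C3D4        # classic pcap, microsecond timestamps
LINKTYPE_ETHERNET = 1          # "link-type EN10MB (Ethernet)" in tcpdump's banner
LIBPCAP_MAX_SNAPLEN = 262144   # what tcpdump substitutes when given -s 0

# Constructed sample frame: a fake 14-byte Ethernet header (dst MAC, src MAC,
# EtherType 0x0800) followed by 186 bytes of filler. Not a real capture.
SAMPLE_FRAME = bytes.fromhex("001122334455 66778899aabb 0800") + bytes(range(186))


@dataclass
class Record:
    ts_sec: int
    ts_usec: int
    incl_len: int   # bytes saved in the file
    orig_len: int   # bytes on the wire
    data: bytes

    @property
    def truncated(self) -> bool:
        return self.incl_len < self.orig_len


def effective_snaplen(snaplen: int) -> int:
    """Map the -s value to the snapshot length actually applied."""
    if snaplen < 0:
        raise ValueError("snaplen must be >= 0")
    return LIBPCAP_MAX_SNAPLEN if snaplen == 0 else snaplen


def write_pcap(frames: List[Tuple[int, int, bytes]], snaplen: int) -> bytes:
    """Serialise (ts_sec, ts_usec, frame) triples as a pcap file, cutting each
    frame at the snapshot length the way 'tcpdump -w file -s N' does."""
    snap = effective_snaplen(snaplen)
    # global header: magic, major, minor, thiszone, sigfigs, snaplen, linktype
    out = bytearray(struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, snap, LINKTYPE_ETHERNET))
    for ts_sec, ts_usec, frame in frames:
        captured = frame[:snap]
        out += struct.pack("<IIII", ts_sec, ts_usec, len(captured), len(frame))
        out += captured
    return bytes(out)


def read_pcap(blob: bytes) -> Tuple[int, List[Record]]:
    """Parse a pcap blob the way 'tcpdump -r file' would; returns (file snaplen, records)."""
    magic, _major, _minor, _tz, _sigfigs, snaplen, _linktype = struct.unpack_from("<IHHiIII", blob, 0)
    if magic != PCAP_MAGIC:
        raise ValueError("not a little-endian microsecond pcap file")
    records: List[Record] = []
    off = 24
    while off < len(blob):
        ts_sec, ts_usec, incl_len, orig_len = struct.unpack_from("<IIII", blob, off)
        off += 16
        data = blob[off:off + incl_len]
        if len(data) != incl_len:
            raise ValueError("pcap record cut short")   # a damaged file, not a snaplen effect
        off += incl_len
        records.append(Record(ts_sec, ts_usec, incl_len, orig_len, data))
    return snaplen, records


def count_truncated(records: List[Record]) -> int:
    """How many saved packets lost bytes to the snapshot length."""
    return sum(1 for r in records if r.truncated)


def demo(snaplen: int) -> Tuple[int, int, int]:
    """Write one frame with the given -s value and read it back.
    Returns (file snaplen, bytes saved, bytes on the wire)."""
    blob = write_pcap([(1234567890, 476058, SAMPLE_FRAME)], snaplen)
    file_snap, recs = read_pcap(blob)
    return file_snap, recs[0].incl_len, recs[0].orig_len


if __name__ == "__main__":
    print("-s 68:", demo(68))   # everything past byte 68 of the frame is gone
    print("-s 0 :", demo(0))    # the whole frame is saved
```

With a 68-byte snapshot the file still records that the frame was 200 bytes long, but only the first 68 bytes can be decoded, which is why tcpdump reports truncated packets when read back; -s 0 keeps the full payload.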

Example: 8

To watch all incoming HTTP requests on interface eth0:

[[email protected] ~]# tcpdump -i eth0 dst port 80

Example: 9

To capture the first 25 packets on eth0 and then quit:

[[email protected] ~]# tcpdump -i eth0 -c 25 -n

Example: 10

To display all ICMP packets sent on eth0:

[[email protected] ~]# tcpdump icmp -i eth0

About Bobbin Zachariah

Founder of LinOxide, passionate lover of Linux and technology writer. He started his career in Linux / open source in 2000 and loves traveling, blogging and listening to music.