In this tutorial you will learn how to install tcpdump and work through some command examples. Tcpdump is a packet analyzer utility that monitors and logs the TCP/IP traffic passing between a network and the computer on which it is executed.
It is an open-source network utility, freely available under the BSD license. Tcpdump works on the command line and prints descriptions of packet contents in several formats, depending on the options used.
It is primarily a network monitoring and management utility that captures and records TCP/IP data at run time. Tcpdump also reports the number of packets received and captured at the node where it runs, which is useful for network performance analysis, debugging, diagnosing network bottlenecks and other network-oriented tasks.
Install tcpdump on CentOS/RHEL System
Follow the steps below to install tcpdump on a CentOS/RHEL system.
1. Run the command below to verify whether tcpdump is already installed.
# tcpdump -D
-bash: tcpdump: command not found
2. If it is not installed, run the command below to install it.
# yum install tcpdump -y
3. List the available interfaces that can be monitored.
# tcpdump -D
1.eth0
2.usbmon1 (USB bus number 1)
3.usbmon2 (USB bus number 2)
4.any (Pseudo-device that captures on all interfaces)
5.lo
4. Check the installed version of tcpdump on CentOS 6.x.
# tcpdump --version
tcpdump version 4.1-PRE-CVS_2015_07_23
libpcap version 1.4.0
Usage: tcpdump [-aAdDefhIJKlLnNOpqRStuUvxX] [ -B size ] [ -c count ]
		[ -C file_size ] [ -E algo:secret ] [ -F file ] [ -G seconds ]
		[ -i interface ] [ -j tstamptype ] [ -M secret ]
		[ -P in|out|inout ]
		[ -r file ] [ -s snaplen ] [ -T type ] [ -w file ]
		[ -W filecount ] [ -y datalinktype ] [ -z command ]
		[ -Z user ] [ expression ]
5. Check the installed version of tcpdump on CentOS 7.x.
# tcpdump --version
tcpdump: invalid option -- '-'
tcpdump version 4.5.1
libpcap version 1.5.3
Usage: tcpdump [-aAbdDefhHIJKlLnNOpqRStuUvxX] [ -B size ] [ -c count ]
		[ -C file_size ] [ -E algo:secret ] [ -F file ] [ -G seconds ]
		[ -i interface ] [ -j tstamptype ] [ -M secret ]
		[ -P in|out|inout ]
		[ -r file ] [ -s snaplen ] [ -T type ] [ -V file ] [ -w file ]
		[ -W filecount ] [ -y datalinktype ] [ -z command ]
		[ -Z user ] [ expression ]
Basic Tcpdump Command Examples
Show HTTPS Traffic
# tcpdump -nnSX port 443
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on pktap, link-type PKTAP (Apple DLT_PKTAP), capture size 262144 bytes
22:24:44.638181 IP 192.168.63.207.51909 > 216.58.196.106.443: UDP, length 33
	0x0000:  0eb2 d85d dc39 88e9 fe80 f2ee 0800 4500  ...].9........E.
	0x0010:  003d d52e 0000 4011 0865 c0a8 3fcf d83a  .=....@..e..?..:
	0x0020:  c46a cac5 01bb 0029 5473 481c 942c ee01  .j.....)TsH..,..
	0x0030:  466b 662d 5d8d 0b6d e459 87e2 c993 b2d5  Fkf-]..m.Y......
	0x0040:  179f d0e2 91b4 1cca 3606 ac              ........6..
22:24:44.735185 IP 216.58.196.106.443 > 192.168.63.207.51909: UDP, length 28
	0x0000:  88e9 fe80 f2ee 0eb2 d85d dc39 0800 4580  .........].9..E.
	0x0010:  0038 0000 4000 3511 a818 d83a c46a c0a8  .8..@.5....:.j..
	0x0020:  3fcf 01bb cac5 0024 bce1 4e83 76fc 3129  ?......$..N.v.1)
	0x0030:  3c69 8655 3736 57c9 0374 ba71 7f24 780e  <i.U76W..t.q.$x.
	0x0040:  b22f 3686 f2f0
The command above shows HTTPS traffic. The ASCII column on the right-hand side of the output is unreadable because the payload is encrypted. In the same way you can change the port number to capture any other service.
Monitor All Traffic on Ethernet/Interface
First find the interface you want to monitor. In my example I am running tcpdump on en0; in your case it will probably be eth0.
# netstat -I
Name       Mtu   Network       Address            Ipkts Ierrs    Opkts Oerrs  Coll
lo0        16384 <Link#1>                          5596     0     5596     0     0
lo0        16384 127           localhost           5596     -     5596     -     -
lo0        16384 localhost     ::1                 5596     -     5596     -     -
lo0        16384 fe80::1%lo0   fe80:1::1           5596     -     5596     -     -
gif0*      1280  <Link#2>                             0     0        0     0     0
stf0*      1280  <Link#3>                             0     0        0     0     0
XHC0*      0     <Link#4>                             0     0        0     0     0
XHC20      0     <Link#5>                             0     0        0     0     0
en0        1500  <Link#6>      88:e9:fe:80:f2:ee 3842012     0  2944930     0     0
en0        1500  bhi-l0230s-   fe80:6::140b:4c29 3842012     -  2944930     -     -
en0        1500  192.168.63    192.168.63.207    3842012     -  2944930     -     -
p2p0       2304  <Link#7>      0a:e9:fe:80:f2:ee       0     0        0     0     0
awdl0      1484  <Link#8>      02:84:28:91:17:72       0     0      214     0     0
awdl0      1484  fe80::84:28   fe80:8::84:28ff:f       0     -      214     -     -
en1        1500  <Link#9>      9e:00:01:61:d8:01       0     0        0     0     0
en2        1500  <Link#10>     9e:00:01:61:d8:00       0     0        0     0     0
bridg      1500  <Link#11>     9e:00:01:61:d8:01       0     0        0     0     0
utun0      2000  <Link#12>                             0     0       17     0     0
utun0      2000  bhi-l0230s-   fe80:c::bec2:7439       0     -       17     -     -
Now run the command below (lower-case -i selects the interface; upper-case -I would request monitor mode instead).
# tcpdump -i en0
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on en0, link-type EN10MB (Ethernet), capture size 262144 bytes
22:33:43.964384 IP 192.168.63.207.52021 > del12s01-in-f14.1e100.net.https: UDP, length 33
22:33:43.966916 IP 192.168.63.207.50525 > dns.google.domain: 49613+ PTR? 14.194.250.142.in-addr.arpa. (45)
22:33:44.061246 IP 192.168.63.207.52021 > del12s01-in-f14.1e100.net.https: UDP, length 304
22:33:44.073895 IP del12s01-in-f14.1e100.net.https > 192.168.63.207.52021: UDP, length 26
22:33:44.128842 IP del12s01-in-f14.1e100.net.https > 192.168.63.207.52021: UDP, length 32
22:33:44.137628 IP 192.168.63.207.52021 > del12s01-in-f14.1e100.net.https: UDP, length 33
22:33:44.330450 IP 192.168.63.207.52021 > del12s01-in-f14.1e100.net.https: UDP, length 33
22:33:44.334775 IP del11s05-in-f10.1e100.net.https > 192.168.63.207.51909: UDP, length 161
22:33:44.335162 IP dns.google.domain > 192.168.63.207.50525: 49613 1/0/0 PTR del12s01-in-f14.1e100.net. (84)
22:33:44.336305 IP 192.168.63.207.49721 > dns.google.domain: 11898+ PTR? 8.8.8.8.in-addr.arpa. (38)
22:33:44.341516 IP 192.168.63.207.51909 > del11s05-in-f10.1e100.net.https: UDP, length 33
22:33:44.374333 IP dns.google.domain > 192.168.63.207.49721: 11898 1/0/0 PTR dns.google. (62)
22:33:44.377167 IP 192.168.63.207.52051 > dns.google.domain: 16557+ PTR? 106.196.58.216.in-addr.arpa. (45)
22:33:44.386004 IP del12s01-in-f14.1e100.net.https > 192.168.63.207.52021: UDP, length 26
22:33:44.386007 IP del12s01-in-f14.1e100.net.https > 192.168.63.207.52021: UDP, length 464
22:33:44.386298 IP 192.168.63.207.52021 > del12s01-in-f14.1e100.net.https: UDP, length 39
22:33:44.392256 IP del12s01-in-f14.1e100.net.https > 192.168.63.207.52021: UDP, length 36
22:33:44.396716 IP del12s01-in-f14.1e100.net.https > 192.168.63.207.52021: UDP, length 137
22:33:44.399764 IP 192.168.63.207.52021 > del12s01-in-f14.1e100.net.https: UDP, length 33
22:33:44.424452 IP del12s01-in-f14.1e100.net.https > 192.168.63.207.52021: UDP, length 26
Monitor Traffic by IP Address
You can also monitor traffic by IP address; this is the most commonly used form of the command.
# tcpdump host 13.234.208.117
tcpdump: data link type PKTAP
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on pktap, link-type PKTAP (Apple DLT_PKTAP), capture size 262144 bytes
22:45:57.367013 IP 192.168.63.207.64592 > ec2-13-234-208-117.ap-south-1.compute.amazonaws.com.http: Flags [S], seq 3539239920, win 65535, options [mss 1460,nop,wscale 6,nop,nop,TS val 310135746 ecr 0,sackOK,eol], length 0
22:45:57.443581 IP ec2-13-234-208-117.ap-south-1.compute.amazonaws.com.http > 192.168.63.207.64592: Flags [S.], seq 2896228504, ack 3539239921, win 26847, options [mss 1370,sackOK,TS val 466856669 ecr 310135746,nop,wscale 7], length 0
22:45:57.443629 IP 192.168.63.207.64592 > ec2-13-234-208-117.ap-south-1.compute.amazonaws.com.http: Flags [.], ack 1, win 2058, options [nop,nop,TS val 310135822 ecr 466856669], length 0
22:45:57.444190 IP 192.168.63.207.64592 > ec2-13-234-208-117.ap-south-1.compute.amazonaws.com.http: Flags [.], seq 1:1359, ack 1, win 2058, options [nop,nop,TS val 310135822 ecr 466856669], length 1358: HTTP: POST /wp-admin/admin-ajax.php HTTP/1.1
22:45:57.444198 IP 192.168.63.207.64592 > ec2-13-234-208-117.ap-south-1.compute.amazonaws.com.http: Flags [P.], seq 1359:1367, ack 1, win 2058, options [nop,nop,TS val 310135822 ecr 466856669], length 8: HTTP
22:45:57.444566 IP 192.168.63.207.64592 > ec2-13-234-208-117.ap-south-1.compute.amazonaws.com.http: Flags [P.], seq 1367:1599, ack 1, win 2058, options [nop,nop,TS val 310135822 ecr 466856669], length 232: HTTP
22:45:57.526735 IP ec2-13-234-208-117.ap-south-1.compute.amazonaws.com.http > 192.168.63.207.64592: Flags [.], ack 1367, win 232, options [nop,nop,TS val 466856691 ecr 310135822], length 0
22:45:57.526737 IP ec2-13-234-208-117.ap-south-1.compute.amazonaws.com.http > 192.168.63.207.64592: Flags [.], ack 1599, win 253, options [nop,nop,TS val 466856691 ecr 310135822], length 0
22:45:57.759167 IP ec2-13-234-208-117.ap-south-1.compute.amazonaws.com.http > 192.168.63.207.64592: Flags [P.], seq 1:699, ack 1599, win 253, options [nop,nop,TS val 466856748 ecr 310135822], length 698: HTTP: HTTP/1.1 200 OK
Filter Traffic by Source & Destination
Run the command below to capture traffic coming from a source address.
# tcpdump src 13.234.208.117
tcpdump: data link type PKTAP
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on pktap, link-type PKTAP (Apple DLT_PKTAP), capture size 262144 bytes
22:49:12.316783 IP ec2-13-234-208-117.ap-south-1.compute.amazonaws.com.http > 192.168.63.207.64732: Flags [F.], seq 2354751256, ack 1264243161, win 231, options [nop,nop,TS val 466905387 ecr 310324778], length 0
22:49:12.394468 IP ec2-13-234-208-117.ap-south-1.compute.amazonaws.com.http > 192.168.63.207.64732: Flags [.], ack 2, win 231, options [nop,nop,TS val 466905406 ecr 310329720], length 0
22:49:12.394471 IP ec2-13-234-208-117.ap-south-1.compute.amazonaws.com.http > 192.168.63.207.64732: Flags [.], ack 2, win 231, options [nop,nop,TS val 466905406 ecr 310329720], length 0
22:49:20.285971 IP ec2-13-234-208-117.ap-south-1.compute.amazonaws.com.http > 192.168.63.207.64738: Flags [S.], seq 1494685197, ack 2749736154, win 26847, options [mss 1370,sackOK,TS val 466907380 ecr 310337605,nop,wscale 7], length 0
22:49:20.362461 IP ec2-13-234-208-117.ap-south-1.compute.amazonaws.com.http > 192.168.63.207.64738: Flags [.], ack 1369, win 232, options [nop,nop,TS val 466907399 ecr 310337663], length 0
22:49:20.362466 IP ec2-13-234-208-117.ap-south-1.compute.amazonaws.com.http > 192.168.63.207.64738: Flags [.], ack 4085, win 274, options [nop,nop,TS val 466907399 ecr 310337663], length 0
22:49:20.443259 IP ec2-13-234-208-117.ap-south-1.compute.amazonaws.com.http > 192.168.63.207.64738: Flags [.], ack 5443, win 295, options [nop,nop,TS val 466907419 ecr 310337738], length 0
22:49:20.443262 IP ec2-13-234-208-117.ap-south-1.compute.amazonaws.com.http > 192.168.63.207.64738: Flags [.], ack 6801, win 316, options [nop,nop,TS val 466907419 ecr 310337738], length 0
22:49:20.443263 IP ec2-13-234-208-117.ap-south-1.compute.amazonaws.com.http > 192.168.63.207.64738: Flags [.], ack 8159, win 338, options [nop,nop,TS val 466907419 ecr 310337738], length 0
22:49:20.447846 IP ec2-13-234-208-117.ap-south-1.
Run the command below to capture traffic going to a destination address (note the dst keyword; src would again select the source).
# tcpdump dst 192.168.63.207
Capture the Packets by Network
To capture packets by network or subnet, use the net keyword with a CIDR mask.
# tcpdump net 192.168.0.0/24
Find Packets for a Specific Port
You can also capture packets for a specific port, or only those with a specific source port.
# tcpdump port 3306
# tcpdump src port 2022
Capture Packets by Protocol
Traffic for a particular protocol (TCP, UDP, ICMP, etc.) can also be captured by naming the protocol, for example:
# tcpdump icmp
Get Only IPv6 Traffic
You can also show only the traffic for a particular IP version, in this case IPv6.
# tcpdump ip6
Find Traffic Using Port Range
Use portrange to capture traffic on a contiguous range of ports.
# tcpdump portrange 21-23
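The filter expressions above select what tcpdump prints; the next step is to turn its text output into something you can act on. The script below is an added example and not part of the original tutorial: it reads tcpdump's default one-line-per-packet output (as in the "Monitor Traffic by IP Address" section, but produced with -nn so addresses and ports stay numeric) from stdin, counts per source address the TCP packets, the bare SYNs and the distinct destination ports, and then lists sources that exceed a threshold on both counts, which is the usual quick check for a host probing many ports. The sample lines are constructed.

```shell
#!/bin/sh
# Constructed sample of 'tcpdump -nn' text output (not a real capture).
SAMPLE_LINES=$(cat <<'EOF'
10:00:01.000001 IP 10.0.0.5.40001 > 10.0.0.9.22: Flags [S], seq 1, win 64240, length 0
10:00:01.000002 IP 10.0.0.5.40002 > 10.0.0.9.80: Flags [S], seq 2, win 64240, length 0
10:00:01.000003 IP 10.0.0.5.40003 > 10.0.0.9.443: Flags [S], seq 3, win 64240, length 0
10:00:01.000004 IP 10.0.0.5.40004 > 10.0.0.9.3306: Flags [S], seq 4, win 64240, length 0
10:00:01.000005 IP 10.0.0.9.22 > 10.0.0.5.40001: Flags [S.], seq 100, ack 2, win 65160, length 0
10:00:01.000006 IP 10.0.0.5.40001 > 10.0.0.9.22: Flags [.], ack 101, win 502, length 0
10:00:01.000007 IP 10.0.0.7.53000 > 10.0.0.9.443: Flags [P.], seq 1:200, ack 1, win 502, length 199
10:00:01.000008 IP 10.0.0.5.40005 > 10.0.0.9.53: UDP, length 45
EOF
)

# summarize_tcp: stdin = tcpdump -nn text output; stdout = one line per
# source address: "<src> tcp=<n> syn=<n> dports=<n>", sorted by address.
# Only IPv4 TCP lines are counted (field 2 is "IP" and field 6 is "Flags").
summarize_tcp() {
    awk '$2 == "IP" && $6 == "Flags" {
        src = $3; dst = $5; sub(/:$/, "", dst)          # strip trailing colon
        n = split(src, a, "."); srcip = a[1] "." a[2] "." a[3] "." a[4]
        m = split(dst, b, "."); dport = b[m]              # last dotted field is the port
        tcp[srcip]++
        if ($7 == "[S],") syn[srcip]++                    # SYN without ACK: a new connection attempt
        if (!((srcip, dport) in seen)) { seen[srcip, dport] = 1; ports[srcip]++ }
    }
    END {
        for (s in tcp)
            printf "%s tcp=%d syn=%d dports=%d\n", s, tcp[s], syn[s], ports[s]
    }' | sort
}

# suspicious_sources THRESHOLD: stdin = summarize_tcp output; prints the
# addresses whose SYN count and distinct destination-port count both reach
# THRESHOLD, which is what a port sweep from one host looks like.
suspicious_sources() {
    awk -v t="$1" '{ split($3, s, "="); split($4, d, "=");
                     if (s[2] + 0 >= t + 0 && d[2] + 0 >= t + 0) print $1 }'
}

# Demo on the constructed sample; on a live host pipe in e.g.
#   tcpdump -nn -i eth0 'tcp[tcpflags] & tcp-syn != 0' | summarize_tcp
printf '%s\n' "$SAMPLE_LINES" | summarize_tcp
printf '%s\n' "$SAMPLE_LINES" | summarize_tcp | suspicious_sources 3
```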
PCAP File Creation using tcpdump
It's often useful to save packet captures into a file for analysis in the future. These files are known as PCAP ("pee-cap") files, and they can be processed by hundreds of different applications, including network analyzers, intrusion detection systems, and of course by tcpdump itself. Here we write all captured packets to a file called captured_file.pcap using the -w switch.
# tcpdump -w captured_file.pcap
To read the saved packets back later, use the -r switch instead.
# tcpdump -r captured_file.pcap
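Writing captures to disk is where most long-running tcpdump deployments go wrong: the file grows without bound, the process keeps running as root, and the pcap ends up world-readable. The script below is an added example, not part of the original tutorial, and uses only options from the usage text shown earlier (-s, -C, -W, -Z, -w). The interface, output directory and the unprivileged user name tcpdump are placeholders; adjust them to your system.

```shell
#!/bin/sh
# Added example (not the tutorial's own code): capture into a ring buffer of
# PCAP files with a bounded snapshot length, drop root privileges once the
# interface is open, and refuse to write into a directory other users can read.

# build_capture_cmd IFACE OUTDIR USER SNAPLEN SIZE_MB KEEP [FILTER...]
# Prints the tcpdump command line so it can be reviewed or logged before use.
build_capture_cmd() {
    iface=$1; outdir=$2; user=$3; snaplen=$4; size_mb=$5; keep=$6
    shift 6
    # -s limits the bytes stored per packet (headers only, no full payload),
    # -C starts a new file every SIZE_MB million bytes, -W keeps KEEP files
    # as a ring buffer, and -Z switches to USER after the interface is opened
    # but before the output file is created, so OUTDIR must be writable by USER.
    printf 'tcpdump -i %s -nn -s %s -C %s -W %s -Z %s -w %s/capture.pcap' \
        "$iface" "$snaplen" "$size_mb" "$keep" "$user" "$outdir"
    for word in "$@"; do printf ' %s' "$word"; done   # optional BPF filter
    printf '\n'
}

# capture_dir_is_private DIR: succeeds only if DIR exists and grants no
# permission bits to "other". Captures routinely contain cookies, session
# tokens and cleartext credentials, so they must not be world-readable.
capture_dir_is_private() {
    [ -d "$1" ] || return 1
    other=$(ls -ld "$1" | cut -c8-10)   # the "other" rwx field of the mode string
    [ "$other" = "---" ]
}

# Usage (as root): sh capture.sh --run eth0 /var/log/pcap tcpdump 'port 443'
# Paths must not contain spaces, since the command line is split on whitespace.
if [ "${1:-}" = "--run" ]; then
    capture_dir_is_private "$3" || { echo "refusing: $3 is readable by others" >&2; exit 1; }
    set -- $(build_capture_cmd "$2" "$3" "$4" 96 100 10 $5)
    exec "$@"
fi
```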
FAQs
What is tcpdump?
tcpdump is a command-line packet analyzer. Using the tcpdump command we can analyse network traffic by intercepting and displaying packets as they are transmitted.
How to stop tcpdump command?
On Linux-based operating systems you can stop the tcpdump command by pressing the Ctrl + C key combination.
Where is the tcpdump command output saved?
If you want to save the tcpdump output, use the "-w" option to write the captured TCP/IP packets to a file.
Which tool is better, tcpdump or Wireshark?
For packet capturing both tools perform well when the network has little traffic, that is, less than 1000 packets within 60 seconds. As the packet rate increases, Wireshark captures more, with a 0.5-1% gain. On this basis we can say that Wireshark beats tcpdump in packet-capture speed.
How can I use tcpdump in Windows 10?
If you want to use tcpdump on a Windows system, run the tcpdump -D command. This command lists all interfaces on the system. Then run tcpdump with "-i" followed by the interface name, for example: tcpdump -i eth0.
If you found this tutorial helpful, please share it with your friends. For more helpful topics, browse my website www.looklinux.com. To become an author at LookLinux, submit an article. Stay connected on Facebook.