Powerful Network Packet Analyzer: tcpdump Commands & Examples

A-digital-illustration-featuring-a-variety-of-networking-tools-all-labeled
02/12/2024 •

Definition – tcpdump Command

tcpdump Command is a powerful and widely used command-line packet analyzer for capturing, displaying, and analyzing network packets on a Unix or Unix-like system. It allows users to inspect the traffic flowing on a network interface in real-time or to save the captured packets to a file for later analysis. tcpdump Command is an essential tool for network administrators, security professionals, and system troubleshooters.

Here are some key aspects of tcpdump Command:

Basic Syntax:

    tcpdump [options] [expression]

Key Features

  1. Packet Capture:
    • tcpdump captures packets as they traverse a network interface. It can capture all packets or filter based on specific criteria.
  2. Packet Display:
    • Captured packets are displayed in real-time, providing details such as source and destination IP addresses, protocol, port numbers, and payload content.
  3. Filtering:
    • Users can apply filters to capture specific types of packets. Filters can be based on source or destination addresses, port numbers, protocols, and more.
  4. Promiscuous Mode:
    • tcpdump can be run in promiscuous mode, allowing it to capture all packets on the network, including those not addressed to the host where tcpdump is running.

Commonly Used tcpdump Command Options

  • -i, –interface [interface]:
    • Specifies the network interface to capture packets.
    tcpdump -i eth0

  • -n, –numeric:
    • Displays numerical IP addresses and port numbers instead of resolving them to hostnames and service names.
    tcpdump -n

  • -X:
    • Prints the data of each packet in both hex and ASCII format.
    tcpdump -X

  • -c, –count [number]:
    • Limits the number of packets to capture.
    tcpdump -c 10

  • -s, –snaplen [length]:
    • Sets the snapshot length for each packet. Useful for truncating packet data.
    tcpdump -s 1500

  • -w, –write [file]:
    • Writes the captured packets to a file for later analysis.
    tcpdump -w capture.pcap

  • -r, –read [file]:
    • Reads packets from a saved capture file.
    tcpdump -r capture.pcap

Filtering Expressions

tcpdump Command supports a rich set of filtering expressions to capture specific types of packets. Some examples include:

  • Host Filtering:
    • Capture packets to or from a specific host.
    tcpdump host 192.168.1.1

  • Port Filtering:
    • Capture packets with a specific source or destination port.
    tcpdump port 80

  • Protocol Filtering:
    • Capture packets of a specific protocol (e.g., TCP, UDP).
    tcpdump tcp

  • Combining Filters:
    • Combine multiple filters using logical operators.
    tcpdump host 192.168.1.1 and port 80

Examples

  1. Capture and Display Packets on a Specific Interface:
    tcpdump -i eth0

  1. Capture HTTP Traffic:
    tcpdump -i eth0 port 80

  1. Capture DNS Queries:
    tcpdump -i eth0 port 53

  1. Capture and Write Packets to a File for Later Analysis:
    tcpdump -i eth0 -w capture.pcap

  1. Read and Display Packets from a Saved File:
    tcpdump -r capture.pcap

tcpdump is a versatile tool that plays a crucial role in network analysis, troubleshooting, and security monitoring. Its flexibility and ability to capture and analyze network packets make it a valuable asset for network administrators and security professionals.

Examples of tcpdump commands with filtering expressions to capture specific types of network traffic:

1. Capture DNS Queries and Responses:

Capture DNS queries and responses on port 53:

    sudo tcpdump -i eth0 -n 'udp port 53'

2. Capture HTTP GET Requests:

Capture HTTP GET requests on port 80:

    sudo tcpdump -i eth0 -n 'tcp port 80 and (tcp[((tcp[12:1] & 0xf0) >> 2):4] = 0x47455420)'

3. Capture ICMP Echo Requests (Ping):

Capture ICMP echo requests (ping) packets:

    sudo tcpdump -i eth0 -n 'icmp[icmptype] == 8'

4. Capture FTP Traffic:

Capture FTP control channel traffic on ports 21 and 20:

    sudo tcpdump -i eth0 -n 'tcp port 21 or tcp port 20'

5. Capture Telnet Traffic:

Capture Telnet traffic on port 23:

    sudo tcpdump -i eth0 -n 'tcp port 23'

6. Capture SMTP Traffic:

Capture SMTP traffic on port 25:

    sudo tcpdump -i eth0 -n 'tcp port 25'

7. Capture ARP Requests:

Capture ARP requests:

    sudo tcpdump -i eth0 -n 'arp'

8. Capture SYN Packets (TCP Handshake):

Capture TCP SYN packets to identify connection attempts:

    sudo tcpdump -i eth0 -n 'tcp[13] == 2'

9. Capture UDP Packets Larger Than a Certain Size:

Capture UDP packets larger than 1500 bytes:

    sudo tcpdump -i eth0 -n 'udp and greater 1500'

10. Capture IPv6 Traffic:

Capture IPv6 traffic:

    sudo tcpdump -i eth0 -n 'ip6'

These examples showcase the versatility of tcpdump command by using various filtering expressions to capture specific types of network traffic. The command syntax may appear complex, but it allows for precise packet filtering based on specific criteria, making it a powerful tool for network analysis and troubleshooting.

https://www.tcpdump.org

https://sanchitgurukul.com/basic-networking

https://sanchitgurukul.com/network-security

Tutorial
How To
Disclaimer: This article may contain information that was accurate at the time of writing but could be outdated now. Please verify details with the latest vendor advisories or contact us at admin@sanchitgurukul.com.

Discover more from

Subscribe now to keep reading and get access to the full archive.

Continue reading