Tcpdump Command in Linux

Posted 

11 min read

tcpdump is a command-line utility that you can use to capture and inspect network traffic going to and from your system. It is the most commonly used tool among network administrators for troubleshooting network issues and security testing.

Despite its name, with tcpdump, you can also capture non-TCP traffic such as UDP, ARP, or ICMP. The captured packets can be written to a file or standard output. One of the most powerful features of the tcpdump command is its ability to use filters and capture only the data you wish to analyze.

In this article, we will cover the basics of how to use the tcpdump command in Linux.

Installing tcpdump

tcpdump is installed by default on most Linux distributions and macOS. To check if the tcpdump command is available on your system type:

tcpdump --version

The output should look something like this:

tcpdump version 4.9.2
libpcap version 1.8.1
OpenSSL 1.1.1b  26 Feb 2019

If tcpdump is not present on your system, the command above will print “tcpdump: command not found”. You can easily install tcpdump using the package manager of your distro.

Installing tcpdump on Ubuntu and Debian

sudo apt update && sudo apt install tcpdump

Installing tcpdump on CentOS and Fedora

sudo yum install tcpdump

Installing tcpdump on Arch Linux

sudo pacman -S tcpdump

Capturing Packets with tcpdump

The general syntax for the tcpdump command is as follows:

tcpdump [options] [expression]
  • The command options allow you to control the behavior of the command.
  • The filter expression defines which packets will be captured.

Only root or user with sudo privileges can run tcpdump. If you try to run the command as an unprivileged user, you’ll get an error saying: “You don’t have permission to capture on that device”.

The most simple use case is to invoke tcpdump without any options and filters:

sudo tcpdump
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ens3, link-type EN10MB (Ethernet), capture size 262144 bytes
15:47:24.248737 IP linuxize-host.ssh > desktop-machine.39196: Flags [P.], seq 201747193:201747301, ack 1226568763, win 402, options [nop,nop,TS val 1051794587 ecr 2679218230], length 108
15:47:24.248785 IP linuxize-host.ssh > desktop-machine.39196: Flags [P.], seq 108:144, ack 1, win 402, options [nop,nop,TS val 1051794587 ecr 2679218230], length 36
15:47:24.248828 IP linuxize-host.ssh > desktop-machine.39196: Flags [P.], seq 144:252, ack 1, win 402, options [nop,nop,TS val 1051794587 ecr 2679218230], length 108

... Long output suppressed

23116 packets captured
23300 packets received by filter
184 packets dropped by kernel

tcpdump will continue to capture packets and write to the standard output until it receives an interrupt signal. Use Ctrl+C key combination to send an interrupt signal and stop the command.

For more verbose output, pass the -v option, or -vv for even more verbose output:

sudo tcpdump -vv

You can specify the number of packets to be captured using the -c option. For example, to capture only ten packets you would type:

sudo tcpdump -c 10

After capturing the packets, tcpdump will stop.

When no interface is specified, tcpdump uses the first interface it finds and dumps all packets going through that interface.

Use the -D option to print a list of all available network interfaces that tcpdump can collect packets from:

sudo tcpdump -D

For each interface, the command prints the interface name, a short description, and an associated index (number):

1.ens3 [Up, Running]
2.any (Pseudo-device that captures on all interfaces) [Up, Running]
3.lo [Up, Running, Loopback]

The output above shows that ens3 is the first interface found by tcpdump and used when no interface is provided to the command. The second interface any is a special device that allows you to capture all active interfaces.

To specify the interface on which you want to capture traffic, invoke the command with the -i option followed by the interface name or the associated index. For example, to capture all packets from all interfaces, you would specify the any interface:

sudo tcpdump -i any

By default, tcpdump performs reverse DNS resolution on IP addresses and translates port numbers into names. Use the -n option to disable the translation:

sudo tcpdump -n

Skipping the DNS lookup avoids generating DNS traffic and makes the output more readable. It is recommended to use this option whenever you invoke tcpdump.

Instead of displaying the output on the screen, you can redirect it to a file using the redirection operators > and >>:

sudo tcpdump -n -i any > file.out

You can also watch the data while saving to a file using the tee command:

sudo tcpdump -n -l | tee file.out

The -l option in the command above tells tcpdump to make the output line buffered. When this option is not used, the output will not be written on the screen when a new line is generated.

Understanding the tcpdump Output

tcpdump outputs information for each captured packet on a new line. Each line includes a timestamp and information about that packet, depending on the protocol.

The typical format of a TCP protocol line is as follows:

[Timestamp] [Protocol] [Src IP].[Src Port] > [Dst IP].[Dst Port]: [Flags], [Seq], [Ack], [Win Size], [Options], [Data Length]

Let’s go field by field and explain the following line:

15:47:24.248737 IP 192.168.1.185.22 > 192.168.1.150.37445: Flags [P.], seq 201747193:201747301, ack 1226568763, win 402, options [nop,nop,TS val 1051794587 ecr 2679218230], length 108
  • 15:47:24.248737 - The timestamp of the captured packet is in local time and uses the following format: hours:minutes:seconds.frac, where frac is fractions of a second since midnight.

  • IP - The packet protocol. In this case, IP means the Internet protocol version 4 (IPv4).

  • 192.168.1.185.22 - The source IP address and port separated by a dot (.).

  • 192.168.1.150.37445 - The destination IP address and port separated by a dot (.).

  • Flags [P.] - TCP Flags field. In this example, [P.] means Push Acknowledgment packet, which is used to acknowledge the previous packet and send data. Other typical flag field values are as follows:

    • [.] - ACK (Acknowledgment)
    • [S] - SYN (Start Connection)
    • [P] - PSH (Push Data)
    • [F] - FIN (Finish Connection)
    • [R] - RST (Reset Connection)
    • [S.] - SYN-ACK (SynAcK Packet)
  • seq 201747193:201747301 - The sequence number is in the first:last notation. It shows the number of data contained in the packet. Except for the first packet in the data stream where these numbers are absolute, all subsequent packets use as relative byte positions. In this example, the number is 201747193:201747301, meaning that this packet contains bytes 201747193 to 201747301 of the data stream. Use the -S option to print absolute sequence numbers.

  • ack 1226568763 The acknowledgment number is the sequence number of the next data expected by the other end of this connection.

  • win 402 - The window number is the number of available bytes in the receiving buffer.

  • options [nop,nop,TS val 1051794587 ecr 2679218230] - TCP options. nop, or “no operation” is padding used to make the TCP header multiple of 4 bytes. TS val is a TCP timestamp, and ecr stands for an echo reply. Visit the IANA documentation for more information about TCP options.

  • length 108 - The length of payload data

tcpdump Filters

When tcpdump is invoked with no filters, it captures all traffic and produces a huge amount of output that makes it very difficult to find and analyze the packets of interest.

Filters are one of the most powerful features of the tcpdump command. They since they allow you to capture only those packets matching the expression. For example, when troubleshooting issues related to a webserver you can use filters to obtain only the HTTP traffic.

tcpdump uses the Berkeley Packet Filter (BPF) syntax to filter the captured packets using various machining parameters such as protocols, source and destination IP addresses and ports, etc.

In this article, we’ll take a look at some of the most common filters. For a list of all available filters, check the pcap-filter manpage.

Filtering by Protocol

To restricts the capture to a particular protocol, specify the protocol as a filter. For example, to capture only the UDP traffic you would use:

sudo tcpdump -n udp

Another way to define the protocol is to use the proto qualifier, followed by the protocol number. The following command will filter the protocol number 17 and produce the same result as the one above:

sudo tcpdump -n proto 17

For more information about the numbers, check the IP protocol numbers list.

Filtering by Host

To capture only packets related to a specific host use the host qualifier:

sudo tcpdump -n host 192.168.1.185

The host can be either an IP address or a name.

You can also filter the output to a given IP range using the net qualifier. For example, to dump only packets related to 10.10.0.0/16 you would use:

sudo tcpdump -n net 10.10

Filtering by Port

To limit capture only to packets from or to a specific port, use the port qualifier. The command below captures packets related to the SSH (port 22) service by using this command:

sudo tcpdump -n port 23

The portrange qualifier allows you to capture traffic in a range of ports:

sudo tcpdump -n portrange 110-150

Filtering by Source and Destination

You can also filter packets based on the source or destination port or host using the are src, dst, src and dst, and src or dst qualifiers.

The following command captures coming packets from host with IP 192.168.1.185:

sudo tcpdump -n src host 192.168.1.185

To find the traffic coming from any source to port 80 you would use:

sudo tcpdump -n dst port 80

Complex Filters

Filters can be combined using the and (&&), or (||), and not (!) operators.

For example, to capture all HTTP traffic coming from a source IP address 192.168.1.185 you would use this command:

sudo tcpdump -n src 192.168.1.185 and tcp port 80

You can also use parentheses to group and create more complex filters:

sudo tcpdump -n 'host 192.168.1.185 and (tcp port 80 or tcp port 443)'

To avoid parsing errors when using special characters, enclose the filters inside single quotes.

Here is another example command to capture all traffic except SSH from a source IP address 192.168.1.185:

sudo tcpdump -n src 192.168.1.185 and not dst port 22

Packet Inspection

By default tcpdump, captures only the packet headers. However, sometimes you may need to inspect the content of the packets.

tcpdump allows you to print the content of the packets in ASCII and HEX.

The -A option tells tcpdump to print each packet in ASCII and -x in HEX:

sudo tcpdump -n -A

To show the packet’s contents in both HEX and ASCII use the -X option:

sudo tcpdump -n -X

Reading and Writing Captures to a File

Another useful feature of tcpdump is to write the packets to a file. This is handy when you are capturing a large number of packets or when you want to capture packets for later analysis.

To start writing to a file, use the -w option followed by the output capture file:

sudo tcpdump -n -w data.pcap

This command above will save the capture to a file named data.pcap. You can name the file as you want, but it is a common convention to use the .pcap extension (packet capture).

When -w option is used, the output is not displayed on the screen. tcpdump writes raw packets and creates a binary file that cannot be read with a regular text editor.

To inspect the contents of the file, invoke tcpdump with the -r option:

sudo tcpdump -r data.pcap

If you want run tcpdump in the background , add the ampersand symbol (&) at the end of the command.

The capture file can also be inspected with other packet analyzer tools such as Wireshark.

When capturing packets over a long period of time, you can enable file rotation. tcpdump allows you to create new files of a or to rotate the dump file on a specified time interval or fixed size. The following command will create up to ten 200MB files, named file.pcap0, file.pcap1, and so on: before overwriting older files.

sudo tcpdump -n -W 10 -C 200 -w /tmp/file.pcap

Once ten files are generated, the older files will be overwritten.

Please note that you should only run tcpdump only during troubleshooting issues.

If you want to start tcpdump on a specific time, you can use a cronjob . tcpdump doesn’t have an option to exit after a given time. You can use the timeout command to stop tcpdump after some time. For example, to exit after 5 minutes you would use:

sudo timeout 300 tcpdump -n -w data.pcap

Conclusion

tcpdump is a command-line tool for analyzing and troubleshooting network related issues.

This article introduced you to the basics of tcpdump usage and syntax. For more in-depth documentation, visit the tcpdump website.

If you have any questions or feedback, feel free to leave a comment.