The tcpdump is the most essential and powerful command-line network packet sniffing tool. We use it to analyze network packets, capture or filter TCP/IP packets that transferred and received over the network on a specific network interface.
It is available in almost all Linux/Unix based operating systems. You can also save captured packets in a file to analyze later using tcpdump utility. It saves the file in pcap format, which is viewed by a tcpdump command or a GUI based Network Protocol Analyzer tool called Wireshark.
Install tcpdump in Linux
Most of the Linux has a preinstalled tcpdump tool, but if you don’t find it in your operating system, you can install it by using the below command.
# yum install tcpdump
or
# apt-get install tcpdump
Examples:
Once the tcpdump tool gets installed in your system, let’s check the capabilities of it by exploring tcpdump uses examples.
Capture packets from a specific interface
The tcpdump command output will scroll up until you stop by interrupt the screen. It will capture network packets from all interfaces.
If you want to capture packets of a specific interface, use the “-i” parameter with the network interface name, as shown below:
# tcpdump -i eth0
Output: tcpdump: verbose output suppressed, use -v or -vv for full protocol decode listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes 13:31:33.786441 IP test.linuxconcept.com.22222 > 161.35.9.18.58178: Flags [P.], seq 3094458190:3094459038, ack 2770200005, win 130, options [nop,nop,TS val 267985968 ecr 224214638], length 848 13:31:33.786702 IP 120.70.100.88.41049 > test.linuxconcept.com.22222: Flags [P.], seq 3969838919:3969839191, ack 2093883624, win 128, options [nop,nop,TS val 3128282415 ecr 267985737], length 272 13:31:33.786712 IP test.linuxconcept.com.22222 > 120.70.100.88.41049: Flags [.], ack 272, win 130, options [nop,nop,TS val 267985969 ecr 3128282415], length 0
Capture only N number of packets
By default, the tcpdump command captures all the packets but capturing the number of packages.
To define the number of packages to capture, use the “-c” parameter, as shown below:
# tcpdump -c 5 -i eth0
Output: tcpdump: verbose output suppressed, use -v or -vv for full protocol decode listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes 13:41:43.697413 IP 181.39.160.26.44127 > test.linuxconcept.com.22222: Flags [P.], seq 2716217592:2716217644, ack 450817790, win 141, options [nop,nop,TS val 3749669841 ecr 268595695], length 52 13:41:43.697429 IP test.linuxconcept.com.22222 > 181.39.160.26.44127: Flags [.], ack 52, win 130, options [nop,nop,TS val 268595880 ecr 3749669841], length 0 13:41:43.697499 IP test.linuxconcept.com.22222 > 181.39.160.26.44127: Flags [P.], seq 1:53, ack 52, win 130, options [nop,nop,TS val 268595880 ecr 3749669841], length 52 13:41:43.702902 IP test.linuxconcept.com.38082 > dns.google.domain: 39104+ PTR? 118.178.165.188.in-addr.arpa. (46) 13:41:43.703818 IP test.linuxconcept.com.22222 > 103.146.216.132.51578: Flags [P.], seq 554381587:554381795, ack 2331786414, win 407, length 208 5 packets captured 22 packets received by filter 0 packets dropped by kernel
Print captured packets in ASCII
We can use a tcpdump command to capture network packets in ASCII format.
To capture packets in ASCII format use the “-A” parameter with tcpdump command.
# tcpdump -A -i eth0
Output: tcpdump: verbose output suppressed, use -v or -vv for full protocol decode listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes 14:11:19.632002 IP netmon-1-bhs.ovh.ca > test.linuxconcept.com: ICMP echo request, id 18050, seq 1, length 12 E.. ..@...B..r%.. .q..L.F.... .q.............. 14:11:19.632025 IP test.linuxconcept.com > netmon-1-bhs.ovh.ca: ICMP echo reply, id 18050, seq 1, length 12 E.. ./..@.^.. .q.r%...T.F.... .q 14:11:19.634871 IP test.linuxconcept.com.58694 > dns.google.domain: 62038+ PTR? 113.178.32.178.in-addr.arpa. (45) E..I..@.@.o.[........F.5.5?d.V...........113.178.32.178.in-addr.arpa..... 14:11:19.635394 IP test.linuxconcept.com.22222 > 103.146.216.132.51578: Flags [P.], seq 554873027:554873235, ack 2331794206, win 501, length 208
Display Available Interfaces
We can find all available interfaces using the “tcpdump” command with the “-D” parameter.
# tcpdump -D
Output: 1.eth0 2.nflog (Linux netfilter log (NFLOG) interface) 3.nfqueue (Linux netfilter queue (NFQUEUE) interface) 4.usbmon1 (USB bus number 1) 5.usbmon2 (USB bus number 2) 6.any (Pseudo-device that captures on all interfaces) 7.lo
Display Captured Packets in HEX and ASCII
We can use the command “tcpdump” with the option “-XX” to capture network packets with a header of the packet in ASCII and HEX format:
# tcpdump -XX -i eth0
Output: tcpdump: verbose output suppressed, use -v or -vv for full protocol decode listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes 12:02:01.558546 IP test.linuxconcept.com.22222 > 191.243.244.17.newnet.net.br.38946: Flags [P.], seq 3613419648:3613419764, ack 641294408, win 130, options [nop,nop,TS val 349013741 ecr 136794308], length 116 0x0000: 0000 0c9f f001 0050 5601 eb7a 0800 4500 .......PV..z..E. 0x0010: 00a8 1aa5 4000 4006 6285 3624 d2fc bff3 ....@.@.b.6$.... 0x0020: f411 56ce 9822 d760 6880 2639 6048 8018 ..V..".`h.&9`H.. 0x0030: 0082 bdc0 0000 0101 080a 14cd 86ed 0827 ...............' 0x0040: 50c4 aa22 c226 6f59 e744 c031 76e9 830f P..".&oY.D.1v... 0x0050: 83c6 7cac d60a 8a78 0aa5 e8a4 75fa c445 ..|....x....u..E 0x0060: 375c 22cd ec30 8a0b 7c27 9277 9d13 557e 7\"..0..|'.w..U~ 0x0070: a87f fbea ede3 86e1 ee14 1268 9aa9 a5f4 ...........h.... 0x0080: 3abf 2386 417d a3ca 34cf 7364 80a0 227b :.#.A}..4.sd.."{ 0x0090: 2bbf 4731 5fab fd9d 1077 a722 e1ef 6421 +.G1_....w."..d! 0x00a0: 241d 0739 e1ab 65d7 8dda 77a9 c54d 3c11 $..9..e...w..M<. 0x00b0: 623c 9383 455a b<..EZ 12:02:01.563632 IP test.linuxconcept.com.37263 > dns.google.domain: 44886+ PTR? 252.210.36.54.in-addr.arpa. (44) 0x0000: 0000 0c9f f001 0050 5601 eb7a 0800 4500 .......PV..z..E. 0x0010: 0048 86f2 4000 4011 7495 5b86 d387 0808 .H..@.@.t.[..... 0x0020: 0808 918f 0035 0034 3f63 af56 0100 0001 .....5.4?c.V.... 0x0030: 0000 0000 0000 0332 3532 0332 3130 0233 .......252.210.3 0x0040: 3602 3534 0769 6e2d 6164 6472 0461 7270 6.54.in-addr.arp 0x0050: 6100 000c 0001 a..... 12:02:01.563738 IP test.linuxconcept.com.22222 > abts-kk-dynamic-133.229.171.122-airtelbroadband.in.62794: Flags [P.], seq 470367094:470367302, ack 94554131, win 297, length 208 0x0000: 0000 0c9f f001 0050 5601 eb7a 0800 4510 .......PV..z..E. 0x0010: 00f8 ff28 4000 4006 ab88 5b86 d387 7aab ...(@.@...[...z. 0x0020: e585 56ce f54a 1c09 3b76 05a2 c813 5018 ..V..J..;v....P. 0x0030: 0129 9029 0000 c8ae 8314 41ce ae68 05f0 .).)......A..h.. 0x0040: 4d4d 234b 81e0 9364 a54d 8215 824a 363b MM#K...d.M...J6; 0x0050: 1882 0ec6 9573 e471 1c45 1692 f985 2923 .....s.q.E....)# 0x0060: 016a 1ce7 095c bf8a 8249 f8d1 6ed1 252f .j...\...I..n.%/ 0x0070: 8030 4236 000a 12f3 980f 7cc5 c49c a159 .0B6......|....Y 0x0080: 5f94 a634 8f98 0ff4 a446 8c5a 723c b450 _..4.....F.Zr<.P 0x0090: ce8e 4fd9 a0ec 592e 3cc8 4894 8bc1 a4d1 ..O...Y.<.H..... 0x00a0: 667c ffb6 e31e d332 7df6 ac30 d45e 078d f|.....2}..0.^.. 0x00b0: be7e 2877 6ed2 3fbd d702 923a 9f79 692c .~(wn.?....:.yi, 0x00c0: 6f44 95cf bb19 86d9 d969 ebcb e705 55d6 oD.......i....U. 0x00d0: 339f 02f4 9df2 1fe6 abb2 ce76 5cf6 cf1d 3..........v\... 0x00e0: d8cd 7704 a3d1 e9f2 e693 ab8b 3e60 e7c1 ..w.........>`.. 0x00f0: d1c3 87b3 2499 26ea 1a98 c569 8d9a 0987 ....$.&....i.... 0x0100: bb4d 53ed 35db
Capture and save packets in a file
We have the option to save the captured packet in file with “.pcap” file extension.
To save the output of “tcpdump” command use “-w” option along with file name, as shown below:
# tcpdump -w test.pcap -i eth0
Output: tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes 958 packets captured 958 packets received by filter 0 packets dropped by kernel
Read captured packets file
To read the “.pcap” file (previously shaved file of tcpdump output), we can use the “-r” option along with file name.
For example, here we open the file previously shaved (test.pcap).
# tcpdump -r test.pcap
Output: reading from file test.pcap, link-type EN10MB (Ethernet) 12:04:35.297658 IP 213.55.77.131.60710 > test.linuxconcept.com.22222: Flags [.], ack 1797938244, win 229, options [nop,nop,TS val 107893069 ecr 349167284], length 0 12:04:35.298354 IP test.linuxconcept.com.22222 > abts-kk-dynamic-133.229.171.122-airtelbroadband.in.62794: Flags [P.], seq 470397670:470397814, ack 94560515, win 315, length 144 12:04:35.303841 IP test.linuxconcept.com.22222 > 213.55.77.131.60710: Flags [P.], seq 1:22, ack 0, win 114, options [nop,nop,TS val 349167486 ecr 107893069], length 21 12:04:35.308146 IP 40.118.226.96.59710 > test.linuxconcept.com.22222: Flags [.], ack 787966033, win 502, options [nop,nop,TS val 624491630 ecr 349167341], length 0 12:04:35.308284 IP test.linuxconcept.com.22222 > 40.118.226.96.59710: Flags [F.], seq 1, ack 0, win 114, options [nop,nop,TS val 349167490 ecr 624491630], length 0 12:04:35.312336 IP netmon-1-bhs.ovh.ca > test.linuxconcept.com: ICMP echo request, id 22989, seq 1, length 12 12:04:35.312353 IP test.linuxconcept.com > netmon-1-bhs.ovh.ca: ICMP echo reply, id 22989, seq 1, length 12 12:04:35.315190 IP 221.163.8.108.41442 > test.linuxconcept.com.22222: Flags [P.], seq 3489327707:3489327759, ack 3427759108, win 255, options [nop,nop,TS val 260931830 ecr 349167198], length 52 12:04:35.315227 IP test.linuxconcept.com.22222 > 221.163.8.108.41442: Flags [.], ack 52, win 130, options [nop,nop,TS val 349167497 ecr 260931830], length 0 12:04:35.315312 IP 221.163.8.108.41442 > test.linuxconcept.com.22222: Flags [F.], seq 52, ack 1, win 255, options [nop,nop,TS val 260931830 ecr 349167198], length 0
Capture IP address packets
To capture the IP address packet, we using tcpdump with “-n” option.
For example, here we are capturing the IP address packet on network interface “eth0”.
# tcpdump -n -i eth0
Output: tcpdump: verbose output suppressed, use -v or -vv for full protocol decode listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes 12:15:52.471209 IP 188.212.108.166.51896 > 178.32.178.123.22222: Flags [P.], seq 2082872080:2082872520, ack 581946862, win 242, options [nop,nop,TS val 1701193924 ecr 349844605], length 440 12:15:52.475908 IP 91.240.118.26.52543 > 151.80.161.134.connlcli: Flags [S], seq 3190900298, win 1024, length 0 12:15:52.475926 IP 151.80.161.134 > 91.240.118.26: ICMP host 151.80.161.134 unreachable - admin prohibited, length 48 12:15:52.476291 IP 101.124.70.81.33500 > 151.80.161.134.22222: Flags [P.], seq 1551073218:1551073490, ack 1194217497, win 234, options [nop,nop,TS val 1050240925 ecr 349844399], length 272 12:15:52.476306 IP 151.80.161.134.22222 > 101.124.70.81.33500: Flags [.], ack 272, win 130, options [nop,nop,TS val 349844658 ecr 1050240925], length 0 12:15:52.476321 IP 51.38.164.48.22222 > 120.195.65.124.43453: Flags [.], ack 3839450013, win 130, options [nop,nop,TS val 349844658 ecr 1125317819], length 0 12:15:52.484095 IP 151.80.161.134.22222 > 101.124.70.81.33500: Flags [P.], seq 1:849, ack 272, win 130, options [nop,nop,TS val 349844666 ecr 1050240925], length 848 12:15:52.484697 IP 92.222.186.1 > 51.38.255.49: ICMP echo request, id 18400, seq 1, length 12 12:15:52.484717 IP 51.38.255.49 > 92.222.186.1: ICMP echo reply, id 18400, seq 1, length 12 12:15:52.484785 IP 91.134.211.135.22222 > 122.171.229.133.62794: Flags [P.], seq 470433494:470434790, ack 94566819, win 315, length 1296 12:15:52.484816 IP 91.134.211.135.22222 > 122.171.229.133.62794: Flags [P.], seq 1296:1456, ack 1, win 315, length 160 12:15:52.484829 IP 91.134.211.135.22222 > 122.171.229.133.62794: Flags [P.], seq 1456:1600, ack 1, win 315, length 144 12:15:52.485755 IP 91.134.211.135.22222 > 122.171.229.133.62794: Flags [P.], seq 1600:2032, ack 1, win 315, length 432 12:15:52.486746 IP 91.134.211.135.22222 > 122.171.229.133.62794: Flags [P.], seq 2032:2208, ack 1, win 315, length 176 12:15:52.487750 IP 91.134.211.135.22222 > 122.171.229.133.62794: Flags [P.], seq 2208:2384, ack 1, win 315, length 176 12:15:52.488727 IP 91.134.211.135.22222 > 122.171.229.133.62794: Flags [P.], seq 2384:2560, ack 1, win 315, length 176 12:15:52.489785 IP 91.134.211.135.22222 > 122.171.229.133.62794: Flags [P.], seq 2560:2736, ack 1, win 315, length 176 12:15:52.490804 IP 91.134.211.135.22222 > 122.171.229.133.62794: Flags [P.], seq 2736:2912, ack 1, win 315, length 176
Capture only TCP Packets
We can use the “tcpdump” command to capture a specific type of network packet.
For example, to capture only tcp packet, we can use the command with tcp option, as shown below:
# tcpdump -i eth0 tcp
Output: tcpdump: verbose output suppressed, use -v or -vv for full protocol decode listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes 12:17:55.012335 IP host-37-205-51-40.bbcustomer.zsttk.net.56930 > test.linuxconcept.com.22222: Flags [P.], seq 1733692277:1733692549, ack 3777174224, win 242, options [nop,nop,TS val 63155187 ecr 349967113], length 272 12:17:55.012368 IP test.linuxconcept.com.22222 > host-37-205-51-40.bbcustomer.zsttk.net.56930: Flags [.], ack 272, win 130, options [nop,nop,TS val 349967194 ecr 63155187], length 0 12:17:55.017228 IP test.linuxconcept.com.22222 > host-37-205-51-40.bbcustomer.zsttk.net.56930: Flags [P.], seq 1:849, ack 272, win 130, options [nop,nop,TS val 349967199 ecr 63155187], length 848 12:17:55.021430 IP test.linuxconcept.com.22222 > abts-kk-dynamic-133.229.171.122-airtelbroadband.in.62794: Flags [P.], seq 470503094:470503302, ack 94570803, win 352, length 208 12:17:55.023457 IP test.linuxconcept.com.22222 > abts-kk-dynamic-133.229.171.122-airtelbroadband.in.62794: Flags [P.], seq 208:1088, ack 1, win 352, length 880 12:17:55.024398 IP test.linuxconcept.com.22222 > abts-kk-dynamic-133.229.171.122-airtelbroadband.in.62794: Flags [P.], seq 1088:1312, ack 1, win 352, length 224 12:17:55.026486 IP test.linuxconcept.com.22222 > abts-kk-dynamic-133.229.171.122-airtelbroadband.in.62794: Flags [P.], seq 1312:1536, ack 1, win 352, length 224 12:17:55.027392 IP test.linuxconcept.com.22222 > abts-kk-dynamic-133.229.171.122-airtelbroadband.in.62794: Flags [P.], seq 1536:1760, ack 1, win 352, length 224 12:17:55.028414 IP test.linuxconcept.com.22222 > abts-kk-dynamic-133.229.171.122-airtelbroadband.in.62794: Flags [P.], seq 1760:1984, ack 1, win 352, length 224 12:17:55.029423 IP test.linuxconcept.com.22222 > abts-kk-dynamic-133.229.171.122-airtelbroadband.in.62794: Flags [P.], seq 1984:2208, ack 1, win 352, length 224 12:17:55.030401 IP test.linuxconcept.com.22222 > abts-kk-dynamic-133.229.171.122-airtelbroadband.in.62794: Flags [P.], seq 2208:2432, ack 1, win 352, length 224 12:17:55.030457 IP 192.241.142.120.42326 > test.linuxconcept.com.22222: Flags [.], ack 1814983449, win 281, options [nop,nop,TS val 149497081 ecr 349967143], length 0
Capture packet from a specific port
We also have an option with “tcpdump” command to capture network packet on a specific port. To use this feature, we can use the “port” parameter along with the port number.
For example, here in below command, we are capturing all network packets on interface eth0 use by port 22222.
# tcpdump -i eth0 port 22222
Output: tcpdump: verbose output suppressed, use -v or -vv for full protocol decode listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes 12:19:58.849371 IP test.linuxconcept.com.22222 > abts-kk-dynamic-133.229.171.122-airtelbroadband.in.62794: Flags [P.], seq 470546806:470547014, ack 94576035, win 370, length 208 12:19:58.849703 IP test.linuxconcept.com.22222 > abts-kk-dynamic-133.229.171.122-airtelbroadband.in.62794: Flags [P.], seq 208:448, ack 1, win 370, length 240 12:19:58.850573 IP 185.110.95.13.53020 > test.linuxconcept.com.22222: Flags [P.], seq 1401077534:1401077555, ack 1803848781, win 229, length 21 12:19:58.850600 IP test.linuxconcept.com.22222 > 185.110.95.13.53020: Flags [.], ack 21, win 115, length 0 12:19:58.851343 IP test.linuxconcept.com.22222 > abts-kk-dynamic-133.229.171.122-airtelbroadband.in.62794: Flags [P.], seq 448:672, ack 1, win 370, length 224 12:19:58.851659 IP test.linuxconcept.com.22222 > 185.110.95.13.53020: Flags [P.], seq 1:841, ack 21, win 115, length 840 12:19:58.859329 IP test.linuxconcept.com.22222 > 125.137.191.215.44934: Flags [.], ack 2598588767, win 130, options [nop,nop,TS val 350091042 ecr 3275752464], length 0 12:19:58.863537 IP 57.135.74.177.digitalnetms.com.br.45630 > test.linuxconcept.com.22222: Flags [P.], seq 82013590:82014030, ack 4118870627, win 128, options [nop,nop,TS val 484899398 ecr 350090805], length 440 12:19:58.865603 IP 185.110.95.13.53020 > test.linuxconcept.com.22222: Flags [P.], seq 21:461, ack 841, win 242, length 440 12:19:58.872898 IP 162.14.18.148.47858 > test.linuxconcept.com.22222: Flags [.], ack 1628027115, win 141, options [nop,nop,TS val 3554601319 ecr 350090862], length 0
Capture packets from source IP
There is an option to capture those network packet generated by a specific source IP.
To capture those packets by using “tcpdump” command, we can use the option “src” along with source IP, as shown below:
# tcpdump -i eth0 src 192.168.7.5
Output: tcpdump: verbose output suppressed, use -v or -vv for full protocol decode listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes 12:25:08.147693 IP test.linuxconcept.com.22222 > abts-kk-dynamic-133.229.171.122-airtelbroadband.in.62794: Flags [P.], seq 470622838:470623046, ack 94595043, win 443, length 208 12:25:08.149510 IP test.linuxconcept.com.22222 > abts-kk-dynamic-133.229.171.122-airtelbroadband.in.62794: Flags [P.], seq 208:448, ack 1, win 443, length 240 12:25:08.150511 IP test.linuxconcept.com.22222 > abts-kk-dynamic-133.229.171.122-airtelbroadband.in.62794: Flags [P.], seq 448:672, ack 1, win 443, length 224 12:25:08.150697 IP test.linuxconcept.com.22222 > abts-kk-dynamic-133.229.171.122-airtelbroadband.in.62794: Flags [P.], seq 672:896, ack 1, win 443, length 224 12:25:08.152365 IP test.linuxconcept.com.22222 > abts-kk-dynamic-133.229.171.122-airtelbroadband.in.62794: Flags [P.], seq 896:1120, ack 1, win 443, length 224 12:25:08.153424 IP test.linuxconcept.com.22222 > abts-kk-dynamic-133.229.171.122-airtelbroadband.in.62794: Flags [P.], seq 1120:1344, ack 1, win 443, length 224 12:25:08.154335 IP test.linuxconcept.com.22222 > abts-kk-dynamic-133.229.171.122-airtelbroadband.in.62794: Flags [P.], seq 1344:1568, ack 1, win 443, length 224 12:25:08.155357 IP test.linuxconcept.com.22222 > abts-kk-dynamic-133.229.171.122-airtelbroadband.in.62794: Flags [P.], seq 1568:1792, ack 1, win 443, length 224 12:25:08.156354 IP test.linuxconcept.com.22222 > abts-kk-dynamic-133.229.171.122-airtelbroadband.in.62794: Flags [P.], seq 1792:2016, ack 1, win 443, length 224 12:25:08.185088 IP test.linuxconcept.com.56453 > dns.google.domain: 16982+ A? 177.43.78.58.static.gvt.net.br. (48) 12:25:08.194741 IP test.linuxconcept.com.38211 > dns.google.domain: 38601+ A? 177.43.78.58.static.gvt.net.br.sendyspark.com. (63)
Capture packets from destination IP
As the above example, we also have the option to capture network packet using the destination address.
To capture those packets by using “tcpdump” command, we can use the option “dst” along with destination IP, as shown below:
# tcpdump -i eth0 dst 177.43.78.58
Output: tcpdump: verbose output suppressed, use -v or -vv for full protocol decode listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes 10:55:01.798591 IP 192.168.7.5.59896 > 177.43.78.58.http: Flags [.], ack 2480401451, win 318, options [nop,nop,TS val 7955710 ecr 804759402], length 0 10:55:05.527476 IP 192.168.7.5.59894 > 177.43.78.58.http: Flags [F.], seq 2521556029, ack 2164168606, win 245, options [nop,nop,TS val 7959439 ecr 804759284], length 0 10:55:05.626027 IP 192.168.7.5.59894 > 177.43.78.58.http: Flags [.], ack 2, win 245, options [nop,nop,TS val 7959537 ecr 804759787], length 0
0 Comments