Tcpdump is an important tool used in Linux. We use this tool through the Linux tcpdump command. In this lesson, we will focus on this key Linux command and learn the options used with it. First of all, let’s start with what tcpdump is, and then continue with different Linux tcpdump examples.
What is tcpdump?
Tcpdump is a packet sniffing and analysis tool used in Linux. It is especially important in troubleshooting work for Linux system administrators. With tcpdump, we can sniff the packets going through our Linux system and analyze them, and from that analysis we can find out what is missing. This is one of the most used troubleshooting methods.
We use this tool through the tcpdump command in Linux. When we run this command without any options, it continuously sniffs all the packets coming into or going out of the system. But we can use the Linux tcpdump command with different options. Below, we will talk about tcpdump options and different Linux tcpdump examples.
Tcpdump comes preinstalled on some Linux systems and not on others. In Kali Linux, it is already installed. To check whether it is present, you can use the command “which tcpdump”. When you run it, it returns the path showing the location of the tcpdump binary, which means it is installed on your system. If it does not give any path, then you should install tcpdump before you can use it.
root@kali:/home/kali# which tcpdump
/usr/sbin/tcpdump
How to install tcpdump on Linux?
Installing tcpdump on Linux is a simple process; it takes a single command on the main Linux distributions. To install tcpdump on RedHat based Linux systems, you can use
yum install tcpdump
To install tcpdump on Ubuntu/Debian based Linux systems, you can use
apt install tcpdump
Linux tcpdump Examples
Tcpdump is a capturing tool that we will use on our Linux system a lot. So, here, we will give different Linux tcpdump examples to learn this important command better.
Listing Interfaces With tcpdump
First of all, let’s start with the -D option. We use the tcpdump -D command to list the available interfaces on which we can sniff packets on our system.
root@kali:/home/kali# tcpdump -D
1.eth0 [Up, Running]
2.lo [Up, Running, Loopback]
3.any (Pseudo-device that captures on all interfaces) [Up, Running]
4.nflog (Linux netfilter log (NFLOG) interface) [none]
5.nfqueue (Linux netfilter queue (NFQUEUE) interface) [none]
6.bluetooth0 (Bluetooth adapter number 0) [none]
Capturing Packets From Specific Interface
To capture packets from a specific interface, we use the tcpdump -i option. For example, if you want to capture only the packets going through interface eth0, you can use the command below.
root@kali:/home/kali# tcpdump -i eth0
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
Limiting Packet Count
If we do not limit tcpdump, it keeps capturing packets until it is stopped. But we can limit the number of captured packets with the tcpdump -c option. For example, let’s limit the capture to 5 packets.
root@kali:/home/kali# tcpdump -i eth0 -c 5
Removing Name Resolution of tcpdump
In troubleshooting, we use tcpdump on Linux a lot. During this process, we usually need to see IP addresses and port numbers instead of names. So, we can disable name resolution. To disable host name resolution, we use the -n option, and to disable port (service) name resolution as well, we use the -nn option of tcpdump.
root@kali:/home/kali# tcpdump -i any -n
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on any, link-type LINUX_SLL (Linux cooked v1), capture size 262144 bytes
08:34:29.274720 IP 192.168.239.130 > 142.250.184.132: ICMP echo request, id 1391, seq 44, length 64
08:34:29.302441 IP 142.250.184.132 > 192.168.239.130: ICMP echo reply, id 1391, seq 44, length 64
08:34:30.278205 IP 192.168.239.130 > 142.250.184.132: ICMP echo request, id 1391, seq 45, length 64
root@kali:/home/kali# tcpdump -i any -nn
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on any, link-type LINUX_SLL (Linux cooked v1), capture size 262144 bytes
08:35:10.515246 IP 192.168.239.130 > 142.250.184.132: ICMP echo request, id 1391, seq 85, length 64
08:35:10.544615 IP 142.250.184.132 > 192.168.239.130: ICMP echo reply, id 1391, seq 85, length 64
08:35:11.531919 IP 192.168.239.130 > 142.250.184.132: ICMP echo request, id 1391, seq 86, length 64
08:35:11.560266 IP 142.250.184.132 > 192.168.239.130: ICMP echo reply, id 1391, seq 86, length 64
Saving tcpdump Captures to a File
Often you do not only want to capture the packets, but also to save the capture into a file. To do this, you can use the tcpdump -w option followed by the file name.
Let’s open another terminal and ping www.google.com from there, and write these captures to the file mycaptures.pcap.
kali@kali:~$ ping www.google.com
PING www.google.com (142.250.184.132) 56(84) bytes of data.
64 bytes from sof02s43-in-f4.1e100.net (142.250.184.132): icmp_seq=1 ttl=128 time=28.9 ms
64 bytes from sof02s43-in-f4.1e100.net (142.250.184.132): icmp_seq=2 ttl=128 time=28.5 ms
64 bytes from sof02s43-in-f4.1e100.net (142.250.184.132): icmp_seq=3 ttl=128 time=28.1 ms
When we list the files with the Linux ls command, we can see the created file “mycaptures.pcap”. On Kali/Debian, tcpdump drops its root privileges to the tcpdump user before writing, which is why the file is owned by tcpdump rather than root.
root@kali:/home/kali# ls -l
total 48
-rw-r--r-- 1 kali kali 7 Jun 11 2021 abc
-rw-r--r-- 1 kali kali 0 Jun 11 2021 abc1
-rw-r--r-- 1 kali kali 0 Jun 11 2021 abc2
-rw-r--r-- 1 tcpdump tcpdump 24 Sep 27 08:18 mycaptures.pcap
drwxr-xr-x 2 kali kali 4096 Aug 11 04:40 Desktop
drwxr-xr-x 2 kali kali 4096 Jan 27 2020 Documents
Reading tcpdump Captures from a File
Like writing captures to a file, we can also read captures back from a file with the tcpdump -r option. Let’s read the capture that we saved in the previous Linux tcpdump example.
root@kali:/home/kali# tcpdump -r mycaptures.pcap
reading from file mycaptures.pcap, link-type EN10MB (Ethernet)
08:28:01.329663 IP 192.168.239.130 > sof02s43-in-f4.1e100.net: ICMP echo request, id 1381, seq 4, length 64
08:28:01.357794 IP sof02s43-in-f4.1e100.net > 192.168.239.130: ICMP echo reply, id 1381, seq 4, length 64
08:28:02.334342 IP 192.168.239.130 > sof02s43-in-f4.1e100.net: ICMP echo request, id 1381, seq 5, length 64
08:28:02.363844 IP sof02s43-in-f4.1e100.net > 192.168.239.130: ICMP echo reply, id 1381, seq 5, length 64
As you can see, the ping’s ICMP packets were captured.
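The -w/-r round trip above produces and consumes the classic pcap format. The following Python block is an added example, not code from the tutorial: it writes a minimal pcap file containing one constructed ICMP echo request (the addresses are the ones from the ping output on this page; the MAC addresses, IP id and timestamp are made up), reads it back with the same header checks tcpdump -r performs, and prints the same one-line summary tcpdump shows for the packet.

```python
"""Round trip a capture file the way `tcpdump -w` / `tcpdump -r` do.

Added example (not from the tutorial above): writes a minimal pcap file with
one constructed ICMP echo request, reads it back, and prints the summary line
that `tcpdump -r` shows.  Addresses come from the ping output on the page;
MAC addresses, IP id and timestamp are placeholders made up for the example."""
import os
import struct
import tempfile
from typing import Iterable, Iterator, List, Optional, Tuple

PCAP_MAGIC = 0xA1B2C3D4    # classic pcap, microsecond timestamps
LINKTYPE_ETHERNET = 1      # what tcpdump reports as "link-type EN10MB (Ethernet)"
SNAPLEN = 262144           # the default "capture size" in tcpdump's banner

Record = Tuple[int, int, bytes]  # (seconds, microseconds, frame)


def checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum used by both the IPv4 and ICMP headers."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_icmp_echo(src: str, dst: str, ident: int, seq: int, payload: bytes) -> bytes:
    """Ethernet + IPv4 + ICMP echo request frame; the MACs are placeholders."""
    icmp = struct.pack("!BBHHH", 8, 0, 0, ident, seq) + payload
    icmp = icmp[:2] + struct.pack("!H", checksum(icmp)) + icmp[4:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 0x1234, 0x4000, 64, 1, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    ip = ip[:10] + struct.pack("!H", checksum(ip)) + ip[12:]
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + b"\x08\x00"
    return eth + ip + icmp


def write_pcap(path: str, records: Iterable[Record]) -> None:
    """24-byte global header followed by a 16-byte record header per packet."""
    with open(path, "wb") as f:
        f.write(struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, SNAPLEN, LINKTYPE_ETHERNET))
        for sec, usec, frame in records:
            f.write(struct.pack("<IIII", sec, usec, len(frame), len(frame)))
            f.write(frame)


def read_pcap(path: str) -> Iterator[Record]:
    """Validate the file header like `tcpdump -r` does, then yield every record."""
    with open(path, "rb") as f:
        magic, _vmaj, _vmin, _tz, _sig, _snap, linktype = struct.unpack("<IHHiIII", f.read(24))
        if magic != PCAP_MAGIC or linktype != LINKTYPE_ETHERNET:
            raise ValueError("not a little-endian Ethernet pcap file")
        while True:
            hdr = f.read(16)
            if len(hdr) < 16:
                return
            sec, usec, caplen, _origlen = struct.unpack("<IIII", hdr)
            yield sec, usec, f.read(caplen)


def summarize(frame: bytes) -> str:
    """The one-line summary tcpdump prints for an IPv4 ICMP echo packet (with -n)."""
    if frame[12:14] != b"\x08\x00":
        return "non-IPv4 frame"
    ihl = (frame[14] & 0x0F) * 4
    total_len = struct.unpack("!H", frame[16:18])[0]
    src = ".".join(map(str, frame[26:30]))
    dst = ".".join(map(str, frame[30:34]))
    if frame[23] != 1:
        return f"IP {src} > {dst}: protocol {frame[23]}"
    icmp = frame[14 + ihl:14 + total_len]
    kind = {8: "echo request", 0: "echo reply"}.get(icmp[0], f"type {icmp[0]}")
    ident, seq = struct.unpack("!HH", icmp[4:8])
    # tcpdump's "length" for ICMP is the ICMP message size: 64 bytes for a standard ping
    return f"IP {src} > {dst}: ICMP {kind}, id {ident}, seq {seq}, length {len(icmp)}"


def demo(path: Optional[str] = None) -> List[str]:
    """Write one constructed echo request to `path` (a temp file by default), read it back."""
    if path is None:
        path = os.path.join(tempfile.mkdtemp(), "mycaptures.pcap")
    frame = build_icmp_echo("192.168.239.130", "142.250.184.132", 1391, 44, bytes(56))
    write_pcap(path, [(1632731669, 274720, frame)])
    return [f"{sec}.{usec:06d} {summarize(fr)}" for sec, usec, fr in read_pcap(path)]


if __name__ == "__main__":
    for line in demo():
        print(line)
```

The file demo() writes can be opened with tcpdump -r as well; the magic and link-type checks in read_pcap are the same ones that make tcpdump refuse a truncated or foreign file, which is worth remembering when a capture handed to you for analysis fails to load.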
Capturing Specific Packets with tcpdump
Normally, we capture all the packets coming into or going out of our Linux system. To make the capture more specific, we have learned how to capture only the packets going through one interface. What about specific packets? We can specify the packets that we are looking for and capture only those.
For example, if you are troubleshooting a BGP issue and would like to check the TCP connection, you can capture only TCP packets by writing tcp after the tcpdump command.
root@kali:/home/kali# tcpdump tcp
Or, for the ping example above, we can capture only ICMP packets with the command below.
root@kali:/home/kali# tcpdump icmp
Capturing Specific Port Traffic with tcpdump
We can also capture the packets for a specific port. To do this, we use the port keyword followed by the port number. For example, let’s capture telnet packets on port 23.
In another terminal, I start a telnet connection:
kali@kali:~$ telnet 100.0.0.1
Trying 100.0.0.1...
And in my terminal, I captured only telnet packets on port 23. As you know, telnet uses port 23 by default.
root@kali:/home/kali# tcpdump port 23
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
08:51:02.814320 IP 192.168.239.130.45804 > lo0-100.BSTNMA-VFTTP-361.verizon-gni.net.telnet: Flags [S], seq 2450963781, win 64240, options [mss 1460,sackOK,TS val 435067115 ecr 0,nop,wscale 7], length 0
08:51:03.846845 IP 192.168.239.130.45804 > lo0-100.BSTNMA-VFTTP-361.verizon-gni.net.telnet: Flags [S], seq 2450963781, win 64240, options [mss 1460,sackOK,TS val 435068148 ecr 0,nop,wscale 7], length 0
08:51:05.865229 IP 192.168.239.130.45804 > lo0-100.BSTNMA-VFTTP-361.verizon-gni.net.telnet: Flags [S], seq 2450963781, win 64240, options [mss 1460,sackOK,TS val 435070166 ecr 0,nop,wscale 7], length 0
Capturing Source & Destination Specific Traffic with tcpdump
We can capture the packets coming from a specific source or going to a specific destination. To do this, we use the src and dst keywords with the IP address of that source or destination, or with its host name.
root@kali:/home/kali# tcpdump src 100.0.0.1
root@kali:/home/kali# tcpdump src www.google.com
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
09:09:07.140390 IP ams15s33-in-f4.1e100.net > 192.168.239.130: ICMP echo reply, id 1685, seq 1, length 64
09:09:08.143053 IP ams15s33-in-f4.1e100.net > 192.168.239.130: ICMP echo reply, id 1685, seq 2, length 64
09:09:09.146453 IP ams15s33-in-f4.1e100.net > 192.168.239.130: ICMP echo reply, id 1685, seq 3, length 64
09:09:10.149135 IP ams15s33-in-f4.1e100.net > 192.168.239.130: ICMP echo reply, id 1685, seq 4, length 64
root@kali:/home/kali# tcpdump dst 205.0.0.5
root@kali:/home/kali# tcpdump dst www.google.com
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
09:10:56.394844 IP 192.168.239.130 > sof02s46-in-f4.1e100.net: ICMP echo request, id 1691, seq 1, length 64
09:10:57.399135 IP 192.168.239.130 > sof02s46-in-f4.1e100.net: ICMP echo request, id 1691, seq 2, length 64
09:10:58.403576 IP 192.168.239.130 > sof02s46-in-f4.1e100.net: ICMP echo request, id 1691, seq 3, length 64
HEX & ASCII Format Captures
If you would like to see the packets in HEX and ASCII format, you can use the tcpdump -X option.
The first field of each tcpdump line is the timestamp. It gives the local time of the capture.
The second field shows the network layer protocol. In our example it is IPv4, so IP is shown. If it were IPv6, this field would read IP6.
The third field is the packet’s source address and source port.
The fifth field is the packet’s destination address and destination port. Here, we captured a telnet packet, so the destination port is telnet’s default port 23.
After that comes the TCP flags part. The different values it can take are given below:
[.] – ACK (Acknowledgment)
[S] – SYN (Start Connection)
[P] – PSH (Push Data)
[F] – FIN (Finish Connection)
[R] – RST (Reset Connection)
[S.] – SYN-ACK (SYN-ACK packet)
Then there is the sequence number part, which makes it easier to follow the packets of a connection.
A window part is shown in the packet line. The window shows the available bytes in the receiving buffer.
The other part is the TCP options part. Here, TS val shows the TCP timestamp value and ecr shows the timestamp echo reply.
And the last field is the packet length. It is displayed as a byte value; for TCP lines it is the length of the TCP payload, which is why the SYN packets above show length 0.
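To put the field layout just described to work, here is an added Python example (not code from the tutorial) that parses tcpdump’s one-line TCP summaries field by field and then uses the result for a simple check: bare SYNs repeated with the same sequence number and never answered by a SYN-ACK. The sample input is the three telnet SYN lines from the port 23 capture earlier on this page; the parser also accepts the numeric ports that -nn prints and the [.] / [P.] lines that carry an ack field.

```python
"""Parse tcpdump's one-line TCP summaries, field by field as explained above,
and flag SYNs that were resent without ever getting a SYN-ACK.

Added example, not code from the tutorial.  SAMPLE holds the three telnet SYN
lines shown earlier on the page; the parser also handles -nn numeric ports and
[.] / [P.] lines that carry an ack field."""
import re
from collections import Counter
from typing import Dict, Optional, Tuple

# Taken verbatim from the "tcpdump port 23" capture shown earlier on this page.
SAMPLE = """\
08:51:02.814320 IP 192.168.239.130.45804 > lo0-100.BSTNMA-VFTTP-361.verizon-gni.net.telnet: Flags [S], seq 2450963781, win 64240, options [mss 1460,sackOK,TS val 435067115 ecr 0,nop,wscale 7], length 0
08:51:03.846845 IP 192.168.239.130.45804 > lo0-100.BSTNMA-VFTTP-361.verizon-gni.net.telnet: Flags [S], seq 2450963781, win 64240, options [mss 1460,sackOK,TS val 435068148 ecr 0,nop,wscale 7], length 0
08:51:05.865229 IP 192.168.239.130.45804 > lo0-100.BSTNMA-VFTTP-361.verizon-gni.net.telnet: Flags [S], seq 2450963781, win 64240, options [mss 1460,sackOK,TS val 435070166 ecr 0,nop,wscale 7], length 0
"""

# Field order: timestamp, IP/IP6, src.port > dst.port, Flags [..], seq, ack, win, options, length
TCP_LINE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) "
    r"(?P<proto>IP6?) "
    r"(?P<src>\S+) > (?P<dst>\S+): "
    r"Flags \[(?P<flags>[^\]]*)\]"
    r"(?:, seq (?P<seq>\d+)(?::(?P<seq_end>\d+))?)?"
    r"(?:, ack (?P<ack>\d+))?"
    r", win (?P<win>\d+)"
    r"(?:, options \[(?P<options>[^\]]*)\])?"
    r", length (?P<length>\d+)$"
)


def parse_line(line: str) -> Optional[Dict]:
    """Return the fields of one TCP line, or None for ICMP/UDP/other lines."""
    m = TCP_LINE.match(line.strip())
    if m is None:
        return None
    rec = m.groupdict()
    # "host.port": split on the last dot; works for names (...net.telnet) and -nn numbers alike
    rec["src_host"], rec["src_port"] = rec["src"].rsplit(".", 1)
    rec["dst_host"], rec["dst_port"] = rec["dst"].rsplit(".", 1)
    for key in ("seq", "seq_end", "ack", "win", "length"):
        rec[key] = int(rec[key]) if rec[key] is not None else None
    ts = re.search(r"TS val (\d+) ecr (\d+)", rec["options"] or "")
    rec["ts_val"], rec["ts_ecr"] = (int(ts.group(1)), int(ts.group(2))) if ts else (None, None)
    return rec


def syn_retransmits(text: str) -> Dict[Tuple[str, str, int], int]:
    """Count bare SYNs ([S]) repeated with the same src, dst and seq that were
    never answered by a SYN-ACK ([S.] whose ack equals seq + 1).  The telnet
    capture on this page shows exactly that: three SYNs, same seq, no reply."""
    counts: Counter = Counter()
    answered = set()
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["flags"] == "S":
            counts[(rec["src"], rec["dst"], rec["seq"])] += 1
        elif rec["flags"] == "S." and rec["ack"] is not None:
            answered.add((rec["dst"], rec["src"], rec["ack"] - 1))
    return {key: n for key, n in counts.items() if n > 1 and key not in answered}


if __name__ == "__main__":
    for key, n in syn_retransmits(SAMPLE).items():
        print(f"{key[0]} -> {key[1]}: SYN seq {key[2]} sent {n} times, no SYN-ACK seen")
```

Feeding it a longer capture (tcpdump -nn tcp piped into the script, or a file read back with -r) turns the retransmission pattern into a list of peers that are not answering, which is a quicker first triage step than reading the lines by eye.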