tcpdump For Linux

Tcpdump is an important packet capture tool on Linux, and we use it through the tcpdump command. In this lesson we focus on this key Linux command and the options used with it. First, let’s start with what tcpdump is, and then continue with different Linux tcpdump examples.

What is tcpdump?

Tcpdump is a packet sniffing and analysis tool for Linux. It is especially important for troubleshooting by Linux system administrators. With tcpdump we can capture the packets passing through our Linux system, analyze them, and from that analysis find what is missing or going wrong. This is one of the most used troubleshooting methods.

We use this tool through the tcpdump command. When the command is run without any options, it keeps capturing every packet entering or leaving the system until it is stopped. The Linux tcpdump command can also be used with different options; below, we go through the tcpdump options and different Linux tcpdump examples.




Is tcpdump installed on my Linux system?

Tcpdump is preinstalled on some Linux systems and not on others. On Kali Linux it is already installed. To check, you can use the “which tcpdump” command. If it returns a path, that path is the location of the tcpdump binary and tcpdump is installed on your system. If it prints no path, you need to install tcpdump before you can use it.

root@kali:/home/kali# which tcpdump

/usr/sbin/tcpdump


How to install tcpdump on Linux?

Installing tcpdump on Linux is a simple process and takes a single command, which differs by distribution. To install tcpdump on RedHat based Linux systems, you can use

yum install tcpdump

To install tcpdump on Ubuntu/Debian based Linux systems, you can use

apt install tcpdump


Linux tcpdump Examples

Tcpdump is a capture tool that we will use a lot on our Linux systems, so here we give different Linux tcpdump examples to learn this important command better.

Listing Interfaces With tcpdump

First of all, let’s start with the -D option. The tcpdump -D command lists the interfaces on our system that tcpdump can capture packets on.

root@kali:/home/kali# tcpdump -D

1.eth0 [Up, Running]

2.lo [Up, Running, Loopback]

3.any (Pseudo-device that captures on all interfaces) [Up, Running]

4.nflog (Linux netfilter log (NFLOG) interface) [none]

5.nfqueue (Linux netfilter queue (NFQUEUE) interface) [none]

6.bluetooth0 (Bluetooth adapter number 0) [none]


Capturing Packets From Specific Interface

To capture packets from a specific interface, we use the tcpdump -i option. For example, to capture only the packets passing through interface eth0, you can use the command below.

root@kali:/home/kali# tcpdump -i eth0

tcpdump: verbose output suppressed, use -v or -vv for full protocol decode

listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes


Limiting Packet Count

If we do not limit tcpdump, it keeps capturing packets until it is stopped. We can limit the number of captured packets with the tcpdump -c option. For example, let’s limit the capture to 5 packets.

root@kali:/home/kali# tcpdump -i eth0 -c 5


Removing Name Resolution of tcpdump

In troubleshooting we use tcpdump on Linux a great deal, and we usually need to see IP addresses and port numbers rather than names. So we disable name resolution: the -n option turns off host name resolution, and -nn also turns off port name resolution. This also stops tcpdump from sending the reverse DNS (PTR) lookups it would otherwise make for every address, which would themselves show up in the capture.

root@kali:/home/kali# tcpdump -i any -n

tcpdump: verbose output suppressed, use -v or -vv for full protocol decode

listening on any, link-type LINUX_SLL (Linux cooked v1), capture size 262144 bytes

08:34:29.274720 IP 192.168.239.130 > 142.250.184.132: ICMP echo request, id 1391, seq 44, length 64

08:34:29.302441 IP 142.250.184.132 > 192.168.239.130: ICMP echo reply, id 1391, seq 44, length 64

08:34:30.278205 IP 192.168.239.130 > 142.250.184.132: ICMP echo request, id 1391, seq 45, length 64


root@kali:/home/kali# tcpdump -i any -nn

tcpdump: verbose output suppressed, use -v or -vv for full protocol decode

listening on any, link-type LINUX_SLL (Linux cooked v1), capture size 262144 bytes

08:35:10.515246 IP 192.168.239.130 > 142.250.184.132: ICMP echo request, id 1391, seq 85, length 64

08:35:10.544615 IP 142.250.184.132 > 192.168.239.130: ICMP echo reply, id 1391, seq 85, length 64

08:35:11.531919 IP 192.168.239.130 > 142.250.184.132: ICMP echo request, id 1391, seq 86, length 64

08:35:11.560266 IP 142.250.184.132 > 192.168.239.130: ICMP echo reply, id 1391, seq 86, length 64


Saving tcpdump Captures to a File

Often you do not want only to watch the packets on screen but also to save the capture to a file. To do this, use the tcpdump -w option followed by the file name. Note that -w writes the raw packets in pcap format, not the text lines shown on screen.

Let’s open another terminal, ping www.google.com from there, and write the captured packets to the file mycaptures.pcap.

kali@kali:~$ ping www.google.com

PING www.google.com (142.250.184.132) 56(84) bytes of data.

64 bytes from sof02s43-in-f4.1e100.net (142.250.184.132): icmp_seq=1 ttl=128 time=28.9 ms

64 bytes from sof02s43-in-f4.1e100.net (142.250.184.132): icmp_seq=2 ttl=128 time=28.5 ms

64 bytes from sof02s43-in-f4.1e100.net (142.250.184.132): icmp_seq=3 ttl=128 time=28.1 ms


root@kali:/home/kali# tcpdump -w mycaptures.pcap

tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes


When we list the directory with the Linux ls command, we can see the created file “mycaptures.pcap”. It belongs to the tcpdump user because tcpdump drops its root privileges to that user after opening the capture, and its size of 24 bytes at this moment is only the pcap file header; packet records are appended as tcpdump flushes its output buffer (the -U option writes each packet immediately).

root@kali:/home/kali# ls -l

total 48

-rw-r--r-- 1 kali    kali       7 Jun 11  2021 abc

-rw-r--r-- 1 kali    kali       0 Jun 11  2021 abc1

-rw-r--r-- 1 kali    kali       0 Jun 11  2021 abc2

-rw-r--r-- 1 tcpdump tcpdump   24 Sep 27 08:18 mycaptures.pcap

drwxr-xr-x 2 kali    kali    4096 Aug 11 04:40 Desktop

drwxr-xr-x 2 kali    kali    4096 Jan 27  2020 Documents


Reading tcpdump Captures from a File

Like writing captures to a file, we can also read captures from a file. To do this, we use the tcpdump command with the -r option. Let’s read the captures that we saved in the previous Linux tcpdump example.

root@kali:/home/kali# tcpdump -r mycaptures.pcap

reading from file mycaptures.pcap, link-type EN10MB (Ethernet)

08:28:01.329663 IP 192.168.239.130 > sof02s43-in-f4.1e100.net: ICMP echo request, id 1381, seq 4, length 64

08:28:01.357794 IP sof02s43-in-f4.1e100.net > 192.168.239.130: ICMP echo reply, id 1381, seq 4, length 64

08:28:02.334342 IP 192.168.239.130 > sof02s43-in-f4.1e100.net: ICMP echo request, id 1381, seq 5, length 64

08:28:02.363844 IP sof02s43-in-f4.1e100.net > 192.168.239.130: ICMP echo reply, id 1381, seq 5, length 64

As you can see, the ping’s ICMP echo request and reply packets are in the file. Name resolution happens when the file is read, so adding -n to tcpdump -r shows the raw addresses instead of the host names.


Capturing Specific Packets with tcpdump

Normally we capture all the packets passing through our Linux system. We have already seen how to narrow the capture to one interface; we can also narrow it to specific packets by giving tcpdump a filter expression, so that only the packets matching it are captured.

For example, if you are troubleshooting a BGP issue and want to check the TCP connection, you can capture only TCP packets by writing tcp after the tcpdump command.

root@kali:/home/kali# tcpdump tcp

Or, for the ping example above, we can capture only ICMP packets with the command below.

root@kali:/home/kali# tcpdump icmp


Capturing Specific Port Traffic with tcpdump

We can also capture the packets of a specific port. To do this, we use the port keyword followed by the port number; the filter matches that port as either source or destination. For example, let’s capture telnet packets on port 23.

In another terminal, I start a telnet connection:

kali@kali:~$ telnet 100.0.0.1

Trying 100.0.0.1...

And in my own terminal, I captured only the telnet packets on port 23. As you know, telnet uses port 23 by default. Because name resolution is on, tcpdump prints the destination port as its service name, telnet. Note that the three lines are the same SYN (same sequence number 2450963781) retransmitted three times with no SYN-ACK coming back, which is what the “Trying 100.0.0.1...” hang in the other terminal looks like on the wire.

root@kali:/home/kali# tcpdump port 23

tcpdump: verbose output suppressed, use -v or -vv for full protocol decode

listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes

08:51:02.814320 IP 192.168.239.130.45804 > lo0-100.BSTNMA-VFTTP-361.verizon-gni.net.telnet: Flags [S], seq 2450963781, win 64240, options [mss 1460,sackOK,TS val 435067115 ecr 0,nop,wscale 7], length 0

08:51:03.846845 IP 192.168.239.130.45804 > lo0-100.BSTNMA-VFTTP-361.verizon-gni.net.telnet: Flags [S], seq 2450963781, win 64240, options [mss 1460,sackOK,TS val 435068148 ecr 0,nop,wscale 7], length 0

08:51:05.865229 IP 192.168.239.130.45804 > lo0-100.BSTNMA-VFTTP-361.verizon-gni.net.telnet: Flags [S], seq 2450963781, win 64240, options [mss 1460,sackOK,TS val 435070166 ecr 0,nop,wscale 7], length 0


Capturing Source & Destination Specific Traffic with tcpdump

We can capture the packets coming from a specific source or going to a specific destination. To do this we use the src and dst keywords followed by the IP address, or the host name, of that source or destination. A host name in a filter is resolved when tcpdump starts, and the filter then matches the address it resolved to.

root@kali:/home/kali# tcpdump src 100.0.0.1


root@kali:/home/kali# tcpdump src www.google.com

tcpdump: verbose output suppressed, use -v or -vv for full protocol decode

listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes

09:09:07.140390 IP ams15s33-in-f4.1e100.net > 192.168.239.130: ICMP echo reply, id 1685, seq 1, length 64

09:09:08.143053 IP ams15s33-in-f4.1e100.net > 192.168.239.130: ICMP echo reply, id 1685, seq 2, length 64

09:09:09.146453 IP ams15s33-in-f4.1e100.net > 192.168.239.130: ICMP echo reply, id 1685, seq 3, length 64

09:09:10.149135 IP ams15s33-in-f4.1e100.net > 192.168.239.130: ICMP echo reply, id 1685, seq 4, length 64


root@kali:/home/kali# tcpdump dst 205.0.0.5


root@kali:/home/kali# tcpdump dst www.google.com

tcpdump: verbose output suppressed, use -v or -vv for full protocol decode

listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes

09:10:56.394844 IP 192.168.239.130 > sof02s46-in-f4.1e100.net: ICMP echo request, id 1691, seq 1, length 64

09:10:57.399135 IP 192.168.239.130 > sof02s46-in-f4.1e100.net: ICMP echo request, id 1691, seq 2, length 64

09:10:58.403576 IP 192.168.239.130 > sof02s46-in-f4.1e100.net: ICMP echo request, id 1691, seq 3, length 64


HEX & ASCII Format Captures

If you would like to see the packet contents in hex, with an ASCII column alongside, use the tcpdump -X option. Each line shows 16 bytes: the offset, the bytes in hex, and their printable ASCII, with unprintable bytes shown as dots. By default the dump starts at the IP header; -XX also includes the link-layer header.

root@kali:/home/kali# tcpdump -X

tcpdump: verbose output suppressed, use -v or -vv for full protocol decode

listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes

08:56:50.703825 IP 192.168.239.130 > sof02s48-in-f4.1e100.net: ICMP echo request, id 1564, seq 102, length 64

        0x0000:  4500 0054 0676 4000 4001 c5aa c0a8 ef82  E..T.v@.@.......

        0x0010:  acd9 1184 0800 aa97 061c 0066 12f3 3263  ...........f..2c

        0x0020:  0000 0000 38bd 0a00 0000 0000 1011 1213  ....8...........

        0x0030:  1415 1617 1819 1a1b 1c1d 1e1f 2021 2223  .............!"#

        0x0040:  2425 2627 2829 2a2b 2c2d 2e2f 3031 3233  $%&'()*+,-./0123

        0x0050:  3435 3637                                4567

08:56:50.705095 IP 192.168.239.130.59696 > 192.168.239.2.domain: 34296+ PTR? 132.17.217.172.in-addr.arpa. (45)

        0x0000:  4500 0049 5d03 4000 4011 7dca c0a8 ef82  E..I].@.@.}.....

        0x0010:  c0a8 ef02 e930 0035 0035 601d 85f8 0100  .....0.5.5`.....

        0x0020:  0001 0000 0000 0000 0331 3332 0231 3703  .........132.17.

        0x0030:  3231 3703 3137 3207 696e 2d61 6464 7204  217.172.in-addr.

        0x0040:  6172 7061 0000 0c00 01                   arpa.....
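To see how the hex dump maps to the summary line tcpdump printed above it, here is an added example (not from the original lesson or from tcpdump itself) that rebuilds the raw bytes from the -X lines of the ICMP echo request, verifies the IPv4 header checksum, and decodes the fields tcpdump summarized: source, destination, ICMP id 1564 and seq 102.

```python
import re
import socket
import struct

# The -X hex dump of the ICMP echo request above, copied into a string (IP header onward;
# tcpdump -X omits the Ethernet header unless -XX is used).
HEXDUMP = """\
0x0000:  4500 0054 0676 4000 4001 c5aa c0a8 ef82  E..T.v@.@.......
0x0010:  acd9 1184 0800 aa97 061c 0066 12f3 3263  ...........f..2c
0x0020:  0000 0000 38bd 0a00 0000 0000 1011 1213  ....8...........
0x0030:  1415 1617 1819 1a1b 1c1d 1e1f 2021 2223  .............!"#
0x0040:  2425 2627 2829 2a2b 2c2d 2e2f 3031 3233  $%&'()*+,-./0123
0x0050:  3435 3637                                4567
"""

def hexdump_to_bytes(dump: str) -> bytes:
    """Rebuild the raw packet from -X lines; the ASCII column after the wide gap is dropped."""
    out = bytearray()
    for line in dump.splitlines():
        rest = line.partition(":")[2].strip()
        if not rest:
            continue
        hex_groups = re.split(r"\s{2,}", rest)[0]   # hex column only
        out += bytes.fromhex(hex_groups.replace(" ", ""))
    return bytes(out)

def ip_checksum(header: bytes) -> int:
    """RFC 1071 checksum; over a header that already contains its checksum it yields 0."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def decode_ipv4_icmp(pkt: bytes) -> dict:
    """Decode the IPv4 header and, for protocol 1, the ICMP echo header fields."""
    ver_ihl, _tos, total_len, _ident, _frag, ttl, proto, _csum, src, dst = struct.unpack(
        "!BBHHHBBH4s4s", pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    info = {"version": ver_ihl >> 4, "ttl": ttl, "protocol": proto,
            "src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst),
            "checksum_ok": ip_checksum(pkt[:ihl]) == 0,
            "payload_length": total_len - ihl}   # the "length 64" tcpdump prints for ICMP
    if proto == 1:
        icmp_type, _code, _icsum, icmp_id, seq = struct.unpack("!BBHHH", pkt[ihl:ihl + 8])
        info.update(icmp_type=icmp_type, icmp_id=icmp_id, icmp_seq=seq)
    return info

if __name__ == "__main__":
    print(decode_ipv4_icmp(hexdump_to_bytes(HEXDUMP)))
```

The decoded destination 172.217.17.132 is also the address behind the PTR query for 132.17.217.172.in-addr.arpa on the next capture line.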

Or, if you only want the ASCII form of the packet contents, use the tcpdump -A option. This is handy for protocols that carry readable text, as with the DNS names visible in the PTR queries below.

root@kali:/home/kali# tcpdump -A

tcpdump: verbose output suppressed, use -v or -vv for full protocol decode

listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes

08:57:20.035877 IP 192.168.239.1.netbios-ns > 192.168.239.255.netbios-ns: UDP, length 50

E..N......8..............:P".o.......... EMEBFAFEEPFACNDHDDECEEDGEGFFFDBM.. ..

08:57:20.037323 IP 192.168.239.130.50156 > 192.168.239.2.domain: 5843+ PTR? 255.239.168.192.in-addr.arpa. (46)

E..Jk.@.@.n............5.6`..............255.239.168.192.in-addr.arpa.....

08:57:20.057351 IP 192.168.239.2.domain > 192.168.239.130.50156: 5843 NXDomain 0/1/0 (81)

E..m.................5...Y...............255.239.168.192.in-addr.arpa..........................p.... . :...Q.

08:57:20.057831 IP 192.168.239.130.57409 > 192.168.239.2.domain: 4611+ PTR? 1.239.168.192.in-addr.arpa. (44)

E..Hk.@.@.n..........A.5.4`..............1.239.168.192.in-addr.arpa.....

08:57:20.077908 IP 192.168.239.2.domain > 192.168.239.130.57409: 4611 NXDomain 0/1/0 (79)

E..k.................5.A.W?T.............1.239.168.192.in-addr.arpa..........................p.... .   :...Q.


Output format of tcpdump

We have gone through various Linux tcpdump examples. Lastly, let’s look at the tcpdump output and learn the fields on a capture line.

Below is an example of a tcpdump capture line, a TCP SYN from our telnet test.

09:36:40.198968 IP 192.168.239.130.45808 > 100.0.0.1.23: Flags [S], seq 653551063, win 64240, options [mss 1460, sackOK, TS val 437804500 ecr 0, nop, wscale 7], length 0

The first field is the timestamp. It gives the local time of the capture.

The second field shows the network layer protocol. In our example it is IPv4, so IP is printed. If it were IPv6, this field would be IP6.

The third field is the packet source address and source port, separated from the destination by the > arrow.

The fifth field is the packet destination address and destination port. Here we have captured a telnet packet, so the destination port is telnet’s default port 23.

After that comes the TCP flags part. Its possible values are given below:

  • [.] – ACK (acknowledgment only, no other flag set)
  • [S] – SYN (start connection)
  • [P] – PSH (push data)
  • [F] – FIN (finish connection)
  • [R] – RST (reset connection)
  • [S.] – SYN-ACK (SYN and ACK set together; other combinations such as [P.] are printed the same way)

Then there is the sequence number part, which makes following a TCP stream easier. For the first packet of a connection tcpdump shows the absolute sequence number, as here; for later packets it prints relative numbers unless the -S option is given.

The window part shows the number of bytes available in the receiving buffer of the host that sent this packet.

The other part is the TCP options part. Here mss is the maximum segment size, sackOK means selective acknowledgment is permitted, TS val is the TCP timestamp value, ecr is the timestamp echo reply, and wscale is the window scale factor.

And the last field is the packet length, displayed in bytes. For TCP this is the payload length, which is 0 for a SYN.

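As an added example that is not part of the original lesson, the following Python parser splits a tcpdump summary line into the fields described above (timestamp, protocol, source and destination with ports, TCP flags, sequence number, window, options and length). Its inputs are the capture line above and the ICMP and telnet lines from earlier sections; the rule for splitting the port off an endpoint is a heuristic of this example.

```python
import re

# Field layout from the section above; the port-splitting rule is this example's heuristic.
LINE_RE = re.compile(r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) (?P<proto>IP6?) "
                     r"(?P<src>\S+) > (?P<dst>\S+): (?P<rest>.*)$")
TCP_RE = re.compile(r"Flags \[(?P<flags>[^\]]*)\](?:, seq (?P<seq>[\d:]+))?"
                    r"(?:, ack (?P<ack>\d+))?(?:, win (?P<win>\d+))?"
                    r"(?:, options \[(?P<opts>[^\]]*)\])?, length (?P<length>\d+)")
FLAG_NAMES = {".": "ACK", "S": "SYN", "P": "PSH", "F": "FIN", "R": "RST", "U": "URG"}

def split_endpoint(endpoint: str, has_port: bool) -> tuple:
    """'100.0.0.1.23' -> ('100.0.0.1', '23'); without -nn the port is a name like 'telnet'."""
    if not has_port:
        return endpoint, None
    host, _, port = endpoint.rpartition(".")
    return host, port

def parse_options(opts: str) -> dict:
    """'mss 1460, sackOK, TS val 437804500 ecr 0, nop, wscale 7' -> dict of option values."""
    parsed = {}
    for item in (o.strip() for o in opts.split(",") if o.strip()):
        if item.startswith("TS val"):
            _, _, val, _, ecr = item.split()
            parsed["ts_val"], parsed["ts_ecr"] = int(val), int(ecr)
        else:
            key, _, value = item.partition(" ")
            parsed[key] = int(value) if value.isdigit() else True
    return parsed

def parse_line(line: str) -> dict:
    """Parse one tcpdump summary line; TCP details are decoded when a Flags part is present."""
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError("not a tcpdump summary line: %r" % line)
    rest = m["rest"]
    has_port = not rest.startswith("ICMP")   # ICMP lines show bare addresses, no ports
    src_host, src_port = split_endpoint(m["src"], has_port)
    dst_host, dst_port = split_endpoint(m["dst"], has_port)
    record = {"timestamp": m["ts"], "protocol": m["proto"], "src": src_host,
              "src_port": src_port, "dst": dst_host, "dst_port": dst_port}
    t = TCP_RE.search(rest)
    if t:
        record["flags"] = [FLAG_NAMES.get(c, c) for c in t["flags"]]
        record["seq"] = t["seq"]
        record["win"] = int(t["win"]) if t["win"] else None
        record["options"] = parse_options(t["opts"] or "")
        record["length"] = int(t["length"])
    return record
```

Feeding the three telnet SYN lines from the port 23 example through parse_line gives identical seq values with no ACK flag, which is how a script can spot a half-open connection attempt in a larger capture.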
Lesson tags: tcpdump, linux troubleshooting, troubleshooting
Back to: Kali Linux Course
