Tcpdump is an important tool used in Linux. We use this tool with linux tcpdump command. In this lesson, we will focus on this key Linux command and learn options used with this command. First of all let’s start with what is tcpdump and continue with different Linux tcpdump examples.
What is tcpdump?
Tcpdump is a packet sniffing and analyzing tool used in Linux. This tool especially very important for troubleshooting activities for Linux system administrators. With tcpdump, we can sniff packets going through our Linux system, we can analyze them and with these analyze, we can decide the missing points. This is one of the most used troubleshooting methods.
We use this tool by using tcpdump command in Linux. When we use this command without any options, it sniffs all the packets going or coming through the system continuously. But we can use Linux tcpdump command with different options. Below, we will talk about tcpdump options and different Linux tcpdump examples.
You Can Also Check Linux Commands Cheat Sheet!
Is tcpdump installed on my Linux system?
Tcpdump can be installed on some Linux systems and not on others. In Kali Linux, it is already installed. But to learn about it, you can use also a command. This command is “which tcpdump”. When you use “which tcpdump command”, it will return a path which whows the location of tcpdump. This means that, it is insatalled on your system. If it does not give any path, then you should install tcpdump to use it.
root@kali:/home/kali# which tcpdump
/usr/sbin/tcpdump
How to install tcpdump no Linux?
Installing tcpdump on Linux is a simple process. We can do this with a single command on different Linux distributions. To install tcpdump on RedHat based Linux systems, you can use
yum install tcpdump
To install tcpdump on Ubuntu/Debian based Linux systems, you can use
apt install tcpdump
Linux tcpdump Examples
Tcpdump is a capturing tool that we will use on our Linux system a lot. So, here, we will give different Linux tcpdump examples to learn this important command better.
Listing Interfaces With tcpdump
First of all, let’s start with -D option. We use tcpdump -D command to list the available interfaces that we can do packet sniffing on our system.
root@kali:/home/kali# tcpdump -D
1.eth0 [Up, Running]
2.lo [Up, Running, Loopback]
3.any (Pseudo-device that captures on all interfaces) [Up, Running]
4.nflog (Linux netfilter log (NFLOG) interface) [none]
5.nfqueue (Linux netfilter queue (NFQUEUE) interface) [none]
6.bluetooth0 (Bluetooth adapter number 0) [none]
Capturing Packets From Specific Interface
To capture packets from a specific interface, we can use tcpdump -i option. For example, if you want to capture only the packets going through interface eth0, you can use below command.
root@kali:/home/kali# tcpdump -i eth0
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
Limiting Packet Count
If we do not limit tcpdump, it continues to capture packets. But we can limit the number of captured packets. To do this , we will use tcpdump -c option For example, let’s limit packet capture with 5 packets.
root@kali:/home/kali# tcpdump -i eth0 -c 5
Removing Name Resolution of tcpdump
In troubleshooting, we use tcpdump for Linux too much. During this process, we need to see ip addresses and ports instead of names. So, we can disable name resolution. To disable name resolution, we use -n option and to disable port resolution, we use -nn option of tcpdump.
root@kali:/home/kali# tcpdump -i any -n
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on any, link-type LINUX_SLL (Linux cooked v1), capture size 262144 bytes
08:34:29.274720 IP 192.168.239.130 > 142.250.184.132: ICMP echo request, id 1391, seq 44, length 64
08:34:29.302441 IP 142.250.184.132 > 192.168.239.130: ICMP echo reply, id 1391, seq 44, length 64
08:34:30.278205 IP 192.168.239.130 > 142.250.184.132: ICMP echo request, id 1391, seq 45, length 64
root@kali:/home/kali# tcpdump -i any -nn
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on any, link-type LINUX_SLL (Linux cooked v1), capture size 262144 bytes
08:35:10.515246 IP 192.168.239.130 > 142.250.184.132: ICMP echo request, id 1391, seq 85, length 64
08:35:10.544615 IP 142.250.184.132 > 192.168.239.130: ICMP echo reply, id 1391, seq 85, length 64
08:35:11.531919 IP 192.168.239.130 > 142.250.184.132: ICMP echo request, id 1391, seq 86, length 64
08:35:11.560266 IP 142.250.184.132 > 192.168.239.130: ICMP echo reply, id 1391, seq 86, length 64
Saving tcpdump Captures to a File
You do not want only capture the packets, but you want also save this capture into a file. To do this, you can use tcpdump -w option with the file name.
Let’s open another terminal and ping www.google.com from there and write these captures to file mycaptures.pcap.
kali@kali:~$ ping www.google.com
PING www.google.com (142.250.184.132) 56(84) bytes of data.
64 bytes from sof02s43-in-f4.1e100.net (142.250.184.132): icmp_seq=1 ttl=128 time=28.9 ms
64 bytes from sof02s43-in-f4.1e100.net (142.250.184.132): icmp_seq=2 ttl=128 time=28.5 ms
64 bytes from sof02s43-in-f4.1e100.net (142.250.184.132): icmp_seq=3 ttl=128 time=28.1 ms
root@kali:/home/kali# tcpdump -w my_mycaptures.pcap
tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
When we check files with Linux ls command, we can see the created file as “mycaptures.pcap”.
root@kali:/home/kali# ls -l
total 48
-rw-r--r-- 1 kali kali 7 Jun 11 2021 abc
-rw-r--r-- 1 kali kali 0 Jun 11 2021 abc1
-rw-r--r-- 1 kali kali 0 Jun 11 2021 abc2
-rw-r--r-- 1 tcpdump tcpdump 24 Sep 27 08:18 mycaptures.pcap
drwxr-xr-x 2 kali kali 4096 Aug 11 04:40 Desktop
drwxr-xr-x 2 kali kali 4096 Jan 27 2020 Documents
Reading tcpdump Captures from a File
Like writing captures to a file, we can also read captures from a file. To do this, we will use tcpdump command with -r option. Let’s read the captures that we have saved in the previous Linux tcpdump example.
root@kali:/home/kali# tcpdump -r mycaptures.pcap
reading from file mycaptures.pcap, link-type EN10MB (Ethernet)
08:28:01.329663 IP 192.168.239.130 > sof02s43-in-f4.1e100.net: ICMP echo request, id 1381, seq 4, length 64
08:28:01.357794 IP sof02s43-in-f4.1e100.net > 192.168.239.130: ICMP echo reply, id 1381, seq 4, length 64
08:28:02.334342 IP 192.168.239.130 > sof02s43-in-f4.1e100.net: ICMP echo request, id 1381, seq 5, length 64
08:28:02.363844 IP sof02s43-in-f4.1e100.net > 192.168.239.130: ICMP echo reply, id 1381, seq 5, length 64
As you can see, the pings’s ICMP packets are captured.
Capturing Specific Packets with tcpdump
Normally, we capture all the packets coming from our Linux system. To make this capture more specific, we have learned how to capture the packets which are coming or going through an interface. How about specific packets? We can specify the packets that we are looking for and we can capture only those packets.
For example, you are troubleshooting a BGP issue and you would like to check TCP connection. You can capture only tcp packets with writing tcp after tcpdump command.
root@kali:/home/kali# tcpdump tcp
Or, for the above example, we can capture only ICMP packets with the below command.
root@kali:/home/kali# tcpdump icmp
Capturing Specific Port Traffic with tcpdump
We can also capture the packets for a specific port. To do this, we will use port keyword and the number of that port after port keyword. For example, let’s capture telnet packets with port 23.
In another terminal, I start a telnet connection:
kali@kali:~$ telnet 100.0.0.1
Trying 100.0.0.1...
And in my terminal, I captured only telnet packets with port 23. As you know, telnet use port 23 by default.
root@kali:/home/kali# tcpdump port 23
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
08:51:02.814320 IP 192.168.239.130.45804 > lo0-100.BSTNMA-VFTTP-361.verizon-gni.net.telnet: Flags [S], seq 2450963781, win 64240, options [mss 1460,sackOK,TS val 435067115 ecr 0,nop,wscale 7], length 0
08:51:03.846845 IP 192.168.239.130.45804 > lo0-100.BSTNMA-VFTTP-361.verizon-gni.net.telnet: Flags [S], seq 2450963781, win 64240, options [mss 1460,sackOK,TS val 435068148 ecr 0,nop,wscale 7], length 0
08:51:05.865229 IP 192.168.239.130.45804 > lo0-100.BSTNMA-VFTTP-361.verizon-gni.net.telnet: Flags [S], seq 2450963781, win 64240, options [mss 1460,sackOK,TS val 435070166 ecr 0,nop,wscale 7], length 0
Capturing Source & Destination Specific Traffic with tcpdump
We can capture the packets coming from a specific source or destination. To do this, we use src and dst keywords with the ip address of that specific source or destination. Or we can use the host name of it.
root@kali:/home/kali# tcpdump src 100.0.0.1
root@kali:/home/kali# tcpdump src www.google.com
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
09:09:07.140390 IP ams15s33-in-f4.1e100.net > 192.168.239.130: ICMP echo reply, id 1685, seq 1, length 64
09:09:08.143053 IP ams15s33-in-f4.1e100.net > 192.168.239.130: ICMP echo reply, id 1685, seq 2, length 64
09:09:09.146453 IP ams15s33-in-f4.1e100.net > 192.168.239.130: ICMP echo reply, id 1685, seq 3, length 64
09:09:10.149135 IP ams15s33-in-f4.1e100.net > 192.168.239.130: ICMP echo reply, id 1685, seq 4, length 64
root@kali:/home/kali# tcpdump dst 205.0.0.5
root@kali:/home/kali# tcpdump dst www.google.com
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
09:10:56.394844 IP 192.168.239.130 > sof02s46-in-f4.1e100.net: ICMP echo request, id 1691, seq 1, length 64
09:10:57.399135 IP 192.168.239.130 > sof02s46-in-f4.1e100.net: ICMP echo request, id 1691, seq 2, length 64
09:10:58.403576 IP 192.168.239.130 > sof02s46-in-f4.1e100.net: ICMP echo request, id 1691, seq 3, length 64
HEX & ASCII Format Captures
If you would like to capture HEX format of the packets, you can use tcpdump -X option.
root@kali:/home/kali# tcpdump -X
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
08:56:50.703825 IP 192.168.239.130 > sof02s48-in-f4.1e100.net: ICMP echo request, id 1564, seq 102, length 64
0x0000: 4500 0054 0676 4000 4001 c5aa c0a8 ef82 E..T.v@.@.......
0x0010: acd9 1184 0800 aa97 061c 0066 12f3 3263 ...........f..2c
0x0020: 0000 0000 38bd 0a00 0000 0000 1011 1213 ....8...........
0x0030: 1415 1617 1819 1a1b 1c1d 1e1f 2021 2223 .............!"#
0x0040: 2425 2627 2829 2a2b 2c2d 2e2f 3031 3233 $%&'()*+,-./0123
0x0050: 3435 3637 4567
08:56:50.705095 IP 192.168.239.130.59696 > 192.168.239.2.domain: 34296+ PTR? 132.17.217.172.in-addr.arpa. (45)
0x0000: 4500 0049 5d03 4000 4011 7dca c0a8 ef82 E..I].@.@.}.....
0x0010: c0a8 ef02 e930 0035 0035 601d 85f8 0100 .....0.5.5`.....
0x0020: 0001 0000 0000 0000 0331 3332 0231 3703 .........132.17.
0x0030: 3231 3703 3137 3207 696e 2d61 6464 7204 217.172.in-addr.
0x0040: 6172 7061 0000 0c00 01 arpa.....
Or, if you would like to capture ASCII format of the packets, you can use tcpdump -A option.
root@kali:/home/kali# tcpdump -A
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
08:57:20.035877 IP 192.168.239.1.netbios-ns > 192.168.239.255.netbios-ns: UDP, length 50
E..N......8..............:P".o.......... EMEBFAFEEPFACNDHDDECEEDGEGFFFDBM.. ..
08:57:20.037323 IP 192.168.239.130.50156 > 192.168.239.2.domain: 5843+ PTR? 255.239.168.192.in-addr.arpa. (46)
E..Jk.@.@.n............5.6`..............255.239.168.192.in-addr.arpa.....
08:57:20.057351 IP 192.168.239.2.domain > 192.168.239.130.50156: 5843 NXDomain 0/1/0 (81)
E..m.................5...Y...............255.239.168.192.in-addr.arpa..........................p.... . :...Q.
08:57:20.057831 IP 192.168.239.130.57409 > 192.168.239.2.domain: 4611+ PTR? 1.239.168.192.in-addr.arpa. (44)
E..Hk.@.@.n..........A.5.4`..............1.239.168.192.in-addr.arpa.....
08:57:20.077908 IP 192.168.239.2.domain > 192.168.239.130.57409: 4611 NXDomain 0/1/0 (79)
E..k.................5.A.W?T.............1.239.168.192.in-addr.arpa..........................p.... . :...Q.
Output format of tcpdump
We have talked about various Linux tcpdump examples. Now, let’s lastly check the tcpdump output and learn the fields on this output.
Below, there is an example of a tcpdump capture line.
09:36:40.198968 IP 192.168.239.130.45808 > 100.0.0.1.23: Flags [S], seq 653551063, win 64240, options [mss 1460, sackOK, TS val 437804500 ecr 0, nop, wscale 7], length 0
The first field is the timestamp field. It gives the local time of the capture.
The second field shows the network layer protocol. For our example, it is IPv4. So, IP is used. If it was IPv6, then this field would be IP6.
The third field is the packet source address and the source port.
The fift field is the the packet destination address and the destination port. Here, we have captured a telnet packet. So, the destination port is telnet default port 23.
After that there is a TCP Flags part. There are different values for this part. These are given below:
- [.] – ACK (Acknowledgment)
- [S] – SYN (Start Connection)
- [P] – PSH (Push Data)
- [F] – FIN (Finish Connection)
- [R] – RST (Reset Connection)
- [S.] – SYN-ACK (SynAcK Packet)
Then, there is a sequence number part which makes packet follow easier.
A window part is showed in the packet line. Window part shows available bytes in the receiving buffer.
The other part is TCP options part. Here, TS val shows TCP timestamp and ecr shows echo reply.
And the last field is the packet length. It is displayed as a byte value.
Leave a Reply