Tcpdump is an important tool on Linux, used through the tcpdump command. In this lesson, we will focus on this key Linux command and learn the options used with it. First of all, let’s start with what tcpdump is and then continue with different Linux tcpdump examples.
Tcpdump is a packet sniffing and analysis tool used on Linux. It is especially important for troubleshooting by Linux system administrators. With tcpdump, we can sniff the packets going through our Linux system, analyze them and, from that analysis, find what is missing or misbehaving. This is one of the most used troubleshooting methods.
We use this tool through the tcpdump command in Linux. When we run this command without any options, it continuously sniffs all the packets coming into or going out of the system. But we can use the Linux tcpdump command with different options. Below, we will talk about tcpdump options and go through different Linux tcpdump examples.
Tcpdump is preinstalled on some Linux systems and not on others. In Kali Linux, it is already installed. To find out, you can use the command “which tcpdump”. If tcpdump is installed, this command returns the path of the tcpdump binary. If it does not print any path, you should install tcpdump before using it.
Installing tcpdump on Linux is a simple process: a single command on each Linux distribution family. To install tcpdump on Red Hat based Linux systems, you can use
yum install tcpdump
To install tcpdump on Ubuntu/Debian based Linux systems, you can use
apt install tcpdump
Tcpdump is a capture tool that we will use on our Linux systems a lot. So, here, we will go through different Linux tcpdump examples to learn this important command better.
First of all, let’s start with the -D option. We use the tcpdump -D command to list the interfaces on our system that we can sniff packets on.
To capture packets from a specific interface, we use the tcpdump -i option. For example, if you want to capture only the packets going through interface eth0, you can run tcpdump -i eth0.
If we do not limit tcpdump, it keeps capturing packets until it is stopped. But we can limit the number of captured packets with the tcpdump -c option. For example, let’s limit the capture to 5 packets with tcpdump -c 5.
In troubleshooting, we use tcpdump on Linux very often. During this process, we usually need to see IP addresses and port numbers instead of names. So, we can disable name resolution: the -n option disables host name resolution, and the -nn option also disables port and protocol name resolution.
You may not only want to capture the packets but also save the capture to a file. To do this, you can use the tcpdump -w option followed by the file name.
Let’s open another terminal, ping www.google.com from there, and write these captures to the file mycaptures.pcap.
When we list the files with the Linux ls command, we can see the created file “mycaptures.pcap”.
Just as we write captures to a file, we can also read captures from a file. To do this, we use the tcpdump command with the -r option. Let’s read the captures that we saved in the previous Linux tcpdump example with tcpdump -r mycaptures.pcap.
As you can see, the ping’s ICMP packets are captured.
Normally, we capture all the packets passing through our Linux system. To make the capture more specific, we have learned how to capture only the packets coming in or going out through one interface. How about specific packets? We can specify the packets that we are looking for and capture only those.
For example, you are troubleshooting a BGP issue and would like to check the TCP connection. You can capture only TCP packets by writing tcp after the tcpdump command: tcpdump tcp.
Or, for the ping example above, we can capture only ICMP packets by writing icmp after the tcpdump command.
We can also capture the packets of a specific port. To do this, we use the port keyword followed by the port number. For example, let’s capture telnet packets with port 23: tcpdump port 23.
In another terminal, I started a telnet connection:
And in my terminal, I captured only telnet packets on port 23. As you know, telnet uses port 23 by default.
We can capture the packets coming from a specific source or going to a specific destination. To do this, we use the src and dst keywords with the IP address of that source or destination, or with its host name.
If you would like to see the packet contents in hex, you can use the tcpdump -X option.
Or, if you would like to see the packet contents in ASCII, you can use the tcpdump -A option.
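The shell script below ties the steps above together: the “which tcpdump” check and the yum/apt install commands from the installation section, the -D, -i, -c, -nn, -w and -r options, and the tcp/icmp/port/src/dst filter keywords. It is an added example and not part of the original article. The function names (tcpdump_available, install_command, detect_distro, bpf_filter, capture_command) and the dry-run mode are this example’s own; the interface eth0 and the address 192.0.2.1 are constructed sample values. Because capturing needs raw-socket access, the script only prints the commands it would run unless TCPDUMP_RUN=1 is set and it is run as root.

```shell
#!/bin/sh
# Added example (not from the original article): compose the tcpdump commands
# described in the text. Function names and the dry-run mode are this
# example's own; the options and BPF keywords are tcpdump's.

# Same check as "which tcpdump" in the text, using the POSIX command -v.
tcpdump_available() {
    command -v tcpdump >/dev/null 2>&1
}

# Map the ID field of /etc/os-release to the install command for that family.
install_command() {
    case "$1" in
        rhel|centos|fedora|rocky|almalinux) echo "yum install tcpdump" ;;
        debian|ubuntu|kali)                 echo "apt install tcpdump" ;;
        *) echo "no install command known for: $1" >&2; return 1 ;;
    esac
}

# Read the distribution ID; prints "unknown" when /etc/os-release is absent.
detect_distro() {
    if [ -r /etc/os-release ]; then
        . /etc/os-release
        echo "${ID:-unknown}"
    else
        echo unknown
    fi
}

# Build a BPF filter from: protocol, port, source host, destination host.
# Pass "-" to skip a field; the pieces are joined with "and".
bpf_filter() {
    expr=""
    [ "$1" != "-" ] && expr="$1"
    [ "$2" != "-" ] && expr="${expr:+$expr and }port $2"
    [ "$3" != "-" ] && expr="${expr:+$expr and }src host $3"
    [ "$4" != "-" ] && expr="${expr:+$expr and }dst host $4"
    echo "$expr"
}

# Capture command: interface, packet count, output file, optional filter.
# -nn keeps addresses and ports numeric, so the capture is not slowed down
# by name lookups and the output shows exactly what was on the wire.
capture_command() {
    echo "tcpdump -nn -i $1 -c $2 -w $3${4:+ $4}"
}

main() {
    if ! tcpdump_available; then
        echo "tcpdump not found; install it with: $(install_command "$(detect_distro)")"
        return 0
    fi
    # Constructed example: five ICMP packets to the documentation address
    # 192.0.2.1, saved to mycaptures.pcap and read back afterwards.
    filter=$(bpf_filter icmp - - 192.0.2.1)
    cmd=$(capture_command eth0 5 mycaptures.pcap "$filter")
    if [ "${TCPDUMP_RUN:-0}" = "1" ] && [ "$(id -u)" -eq 0 ]; then
        tcpdump -D                      # list the interfaces we can capture on
        $cmd                            # word splitting hands the filter to tcpdump
        tcpdump -nn -r mycaptures.pcap  # read the saved capture back
    else
        echo "dry run (set TCPDUMP_RUN=1 and run as root to capture):"
        echo "  tcpdump -D"
        echo "  $cmd"
        echo "  tcpdump -nn -r mycaptures.pcap"
    fi
}

main "$@"
```

Run it as-is to see the three commands it composes; bpf_filter can be reused on its own, for example bpf_filter tcp 23 - - gives “tcp and port 23” for the telnet example above.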
We have talked about various Linux tcpdump examples. Now, lastly, let’s look at the tcpdump output and learn the fields in it.
Below, there is an example of a tcpdump capture line.
09:36:40.198968 IP 192.168.239.130.45808 > 220.127.116.11.23: Flags [S], seq 653551063, win 64240, options [mss 1460, sackOK, TS val 437804500 ecr 0, nop, wscale 7], length 0
The first field is the timestamp. It gives the local time of the capture.
The second field shows the network layer protocol. In our example it is IPv4, so IP is shown. If it were IPv6, this field would be IP6.
The third field is the packet’s source address and source port.
The fifth field, after the > arrow, is the packet’s destination address and destination port. Here, we have captured a telnet packet, so the destination port is telnet’s default port 23.
After that comes the TCP flags part. There are different values for this part; these are given below:
Then there is the sequence number part, which makes it easier to follow the packets of a connection.
The window part is also shown in the packet line. It shows the number of bytes available in the receiving buffer.
The next part is the TCP options part. Here, TS val shows the TCP timestamp and ecr shows the echo reply timestamp.
And the last field is the packet length, displayed in bytes.
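The fields described above can be pulled out of a capture line with a small parser, which is handy when reviewing a capture read back with tcpdump -r. The script below is an added example, not part of the original article: tcpdump_field, describe_flags and is_syn are this example’s own function names, TCP_LINE is the capture line quoted in the text, and ICMP_LINE is a constructed second sample without port numbers or TCP flags, to show the same parser handling a line that lacks them. The flag letters follow tcpdump’s own notation (S SYN, F FIN, P PUSH, R RST, U URG, W CWR, E ECE, “.” ACK).

```shell
#!/bin/sh
# Added example (not from the original article): split a tcpdump output
# line into the fields described in the text. Function names are this
# example's own. Handles IPv4 lines, with or without port numbers.

# The capture line quoted in the article.
TCP_LINE='09:36:40.198968 IP 192.168.239.130.45808 > 220.127.116.11.23: Flags [S], seq 653551063, win 64240, options [mss 1460, sackOK, TS val 437804500 ecr 0, nop, wscale 7], length 0'
# Constructed sample: an ICMP line, which has no ports and no TCP flags.
ICMP_LINE='09:36:41.120455 IP 192.168.239.130 > 192.0.2.1: ICMP echo request, id 4242, seq 1, length 64'

# Usage: tcpdump_field "<line>" <name>
# Names: ts proto src_ip src_port dst_ip dst_port flags seq win len
tcpdump_field() {
    printf '%s\n' "$1" | awk -v want="$2" '
    # Value that follows "key " up to the next comma or closing bracket.
    function after_key(key) {
        if (match($0, key " [^],]*"))
            return substr($0, RSTART + length(key) + 1, RLENGTH - length(key) - 1)
        return ""
    }
    # tcpdump writes IPv4 address and port as a.b.c.d.port (five dotted parts);
    # a bare address (ICMP, for example) has only four.
    function addr_ip(a,    n, p) {
        n = split(a, p, ".")
        return (n == 5) ? p[1] "." p[2] "." p[3] "." p[4] : a
    }
    function addr_port(a,    n, p) {
        n = split(a, p, ".")
        return (n == 5) ? p[5] : ""
    }
    {
        f["ts"] = $1                       # local capture time
        f["proto"] = $2                    # IP for IPv4, IP6 for IPv6
        dst = $5; sub(/:$/, "", dst)       # field 4 is the ">" arrow; drop the trailing colon
        f["src_ip"] = addr_ip($3);  f["src_port"] = addr_port($3)
        f["dst_ip"] = addr_ip(dst); f["dst_port"] = addr_port(dst)
        f["flags"] = ""
        if (match($0, /Flags \[[^]]*]/))   # text between "Flags [" and "]"
            f["flags"] = substr($0, RSTART + 7, RLENGTH - 8)
        f["seq"] = after_key("seq")        # sequence number (ICMP seq on ICMP lines)
        f["win"] = after_key("win")        # receive window in bytes
        f["len"] = after_key("length")     # length in bytes
        print f[want]
    }'
}

# Expand tcpdump flag letters: S SYN, F FIN, P PUSH, R RST, U URG,
# W CWR, E ECE, "." ACK (so "S." is a SYN-ACK).
describe_flags() {
    rest=$1; out=""
    while [ -n "$rest" ]; do
        c=${rest%"${rest#?}"}          # first character
        rest=${rest#?}                 # remainder
        case "$c" in
            S) n=SYN ;; F) n=FIN ;; P) n=PUSH ;; R) n=RST ;; U) n=URG ;;
            W) n=CWR ;; E) n=ECE ;; .) n=ACK ;; *) n="?" ;;
        esac
        out="${out:+$out }$n"
    done
    echo "$out"
}

# True for a bare SYN, i.e. a new connection attempt; useful when scanning
# a saved capture read back with "tcpdump -nn -r file" for new sessions.
is_syn() {
    [ "$(tcpdump_field "$1" flags)" = "S" ]
}

for line in "$TCP_LINE" "$ICMP_LINE"; do
    printf '%s %s:%s -> %s:%s flags=[%s] len=%s\n' \
        "$(tcpdump_field "$line" ts)" \
        "$(tcpdump_field "$line" src_ip)" "$(tcpdump_field "$line" src_port)" \
        "$(tcpdump_field "$line" dst_ip)" "$(tcpdump_field "$line" dst_port)" \
        "$(describe_flags "$(tcpdump_field "$line" flags)")" \
        "$(tcpdump_field "$line" len)"
done
```

The parser keys on the layout tcpdump uses for IPv4 lines: the address and port are joined by a dot, so the fifth dotted part, when present, is the port, and the keyword/value pairs after the flags are read by name rather than by position, which keeps the same code working for lines with and without the TCP-only fields.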