Tcpdump Command in Linux

tcpdump is a command-line utility that you can manage to capture and examine network traffic going to and from your system. It is the most regularly used tool amongst network administrators for troubleshooting network issues and security testing.

Notwithstanding its name, with tcpdump, you can also catch non-TCP traffic such as UDP, ARP, or ICMP. The captured packets can be written to a file or standard output. One of the most critical features of the tcpdump command is its capacity to use filters and charge only the data you wish to analyze.

In this article, you will learn the basics of how to use the tcpdump command in Linux.

• How to Rename Files and Directories in Linux
• Fdisk Command in Linux (Create Disk Partitions)
• How to Check Python Version

Installing tcpdump

tcpdump is installed by default on most Linux distributions and macOS. To check if the tcpdump command is available on your system type:

$ tcpdump --version

The output should look something like this:

Output:

tcpdump version 4.9.2

libpcap version 1.8.1

OpenSSL 1.1.1b 26 Feb 2019

If tcpdump is not present on your system, the command above will print “tcpdump: command not found.” You can easily install tcpdump using the package manager of your distro.

Installing tcpdump on Ubuntu and Debian

$ sudo apt update && sudo apt install tcpdump

Installing tcpdump on CentOS and Fedora

$ sudo yum install tcpdump

Installing tcpdump on Arch Linux

$ sudo pacman -S tcpdump

Capturing Packets with tcpdump

The general syntax for the tcpdump command is as follows:

tcpdump [options] [expression]

• The command options allow you to control the behavior of the command.
• The filter expression defines which packets will be captured.

Only root or user with sudo privileges can run tcpdump. If you try to run the command as an unprivileged user, you’ll get an error saying: “You don’t have permission to capture on that device.”

The most simple use case is to invoke tcpdump without any options and filters:

$ sudo tcpdump

Output:

tcpdump: verbose output suppressed, use -v or -vv for full protocol decode

listening on ens3, link-type EN10MB (Ethernet), capture size 262144 bytes

15:47:24.248737 IP linuxize-host.ssh > desktop-machine.39196: Flags [P.], seq 201747193:201747301, ack 1226568763, win 402, options [nop,nop,TS val 1051794587 ecr 2679218230], length 108

15:47:24.248785 IP linuxize-host.ssh > desktop-machine.39196: Flags [P.], seq 108:144, ack 1, win 402, options [nop,nop,TS val 1051794587 ecr 2679218230], length 36

15:47:24.248828 IP linuxize-host.ssh > desktop-machine.39196: Flags [P.], seq 144:252, ack 1, win 402, options [nop,nop,TS val 1051794587 ecr 2679218230], length 108

... Long output suppressed

23116 packets captured

23300 packets received by filter

184 packets dropped by kernel

tcpdump will continue to capture packets and write to the standard output until it receives an interrupt signal. Use the Ctrl+C key combination to send an interrupt signal and stop the command.

For more verbose output, pass the -v option, or -vv for even more verbose output:

$ sudo tcpdump -vv

You can specify the number of packets to be captured using the -c option. For example, to capture only ten packets, you would type:

$ sudo tcpdump -c 10

After capturing the packets, tcpdump will stop.

When no interface is specified, tcpdump uses the first interface it finds and dumps all packets going through that interface.

Use the -D option to print a list of all available network interfaces that tcpdump can collect packets from:

$ sudo tcpdump -D

For each interface, the command prints the interface name, a short description, and an associated index (number):

 Output:

1.ens3 [Up, Running]

2.any (Pseudo-device that captures on all interfaces) [Up, Running]

3.lo [Up, Running, Loopback]

The output above shows that ens3 is the first interface found by tcpdump and used when no interface is provided to the command. The second interface any is a special device that allows you to capture all active interfaces.

To specify the interface you want to capture traffic, invoke the command with the -i option followed by the interface name or the associated index. For example, to capture all packets from all interfaces, you would specify any interface:

$ sudo tcpdump -i any

By default, tcpdump performs reverse DNS resolution on IP addresses and translates port numbers into names. Use the -n option to disable the translation:

$ sudo tcpdump -n

Skipping the DNS lookup avoids generating DNS traffic and makes the output more readable. It is recommended to use this option whenever you invoke tcpdump.

Instead of displaying the output on the screen, you can redirect it to a file using the redirection operators > and >>:

 $ sudo tcpdump -n -i any > file.out

You can also watch the data while saving it to a file using the tee command:

$ sudo tcpdump -n -l | tee file.out

The -l option in the command above tells tcpdump to make the output line buffered. When this option is not used, the output will not be written on the screen when a new line is generated.

Understanding the tcpdump Output

tcpdump outputs information for each captured packet on a new line. Each line includes a timestamp and information about that packet, depending on the protocol.

The typical format of a TCP protocol line is as follows:

[Timestamp] [Protocol] [Src IP].[Src Port] > [Dst IP].[Dst Port]: [Flags], [Seq], [Ack], [Win Size], [Options], [Data Length]

Let’s go field by field and explain the following line:

15:47:24.248737 IP 192.168.1.185.22 > 192.168.1.150.37445: Flags [P.], seq 201747193:201747301, ack 1226568763, win 402, options [nop,nop,TS val 1051794587 ecr 2679218230], length 108

• 15:47:24.248737 – The timestamp of the captured packet is local and uses the following format: hours:minutes: seconds. Frac, where frac is fractions of a second since midnight.
• IP – The packet protocol. In this case, IP means the Internet protocol version 4 (IPv4).
• 192.168.1.185.22 – The source IP address and port, separated by a dot (.).
• 192.168.1.150.37445 – The destination IP address and port, separated by a dot (.).
• Flags [P.] – TCP Flags field. In this example, [P.] means Push Acknowledgment packet, which acknowledges the previous packet and sends data. Other typical flag field values are as follows:

• • [.] – ACK (Acknowledgment)
  • [S] – SYN (Start Connection)
  • [P] – PSH (Push Data)
  • [F] – FIN (Finish Connection)
  • [R] – RST (Reset Connection)
  • [S.] – SYN-ACK (SynAcK Packet)
• seq 201747193:201747301 – The sequence number is in the first: last notation. It shows the number of data contained in the packet. Except for the first packet in the data stream where these numbers are absolute, all subsequent packets use as relative byte positions. In this example, the number is 201747193:201747301, meaning that this packet contains bytes 201747193 to 201747301 of the data stream. Use the -S option to print absolute sequence numbers.
• Ack 1226568763 The acknowledgment number is the sequence number of the next data expected by the other end of this connection.
• Win 402 – The window number is the number of available bytes in the receiving buffer.
• options [nop,nop,TS val 1051794587 ecr 2679218230] – TCP options. or “no operation,” is padding used to make the TCP header multiple of 4 bytes. TS val is a TCP timestamp, and ecr stands for an echo reply. Visit the IANA documentation for more information about TCP options.
• length 108 – The length of payload data

tcpdump Filters

When tcpdump is invoked with no filters, it captures all traffic and produces a tremendous output, making it very difficult to find and analyze the packets of interest.

Filters are one of the most powerful features of the tcpdump command. They since they allow you to capture only those packets matching the expression. For example, when troubleshooting issues related to a web server, you can use filters to obtain only the HTTP traffic.

tcpdump uses the Berkeley Packet Filter (BPF) syntax to filter the captured packets using various machining parameters such as protocols, source and destination IP addresses and ports, etc.

In this article, we’ll take a look at some of the most common filters. For a list of all available filters, check the pcap-filter manpage.

Filtering by Protocol

To restrict the capture to a particular protocol, specify the protocol as a filter. For example, to capture only the UDP traffic, you would run:

sudo tcpdump -n udp

Another way to define the protocol is to use the proto qualifier, followed by the protocol number. The following command will filter the protocol number 17 and produce the same result as the one above:

sudo tcpdump -n proto 17

For more information about the numbers, check the IP protocol numbers list.

Filtering by Host

To capture only packets related to a specific host, use the host qualifier:

$ sudo tcpdump -n host 192.168.1.185

The host can be either an IP address or a name.

You can also filter the output to a given IP range using the net qualifier. For example, to dump only packets related to 10.10.0.0/16, you would use:

$ sudo tcpdump -n net 10.10

Filtering by Port

To limit capture only to packets from or to a specific port, use the port qualifier. The command below captures packets related to the SSH (port 22) service by using this command:

$ sudo tcpdump -n port 23

The port range qualifier allows you to capture traffic in a range of ports:

sudo tcpdump -n port range 110-150

Filtering by Source and Destination

You can also filter packets based on the origin or target port or host using src, dst, src and dst, and src or dst qualifiers.

The following command captures coming packets from a host with IP 192.168.1.185:

sudo tcpdump -n src host 192.168.1.185

To find the traffic coming from any source to port 80, you would use:

sudo tcpdump -n dst port 80

Complex Filters

Filters can be mixed using the and (&&), or (||), and not (!) operators.

For example, to catch all HTTP traffic coming from a source IP address 192.168.1.185, you would use this command:

sudo tcpdump -n src 192.168.1.185 and tcp port 80

You can also use parentheses to group and create more complex filters:

$ sudo tcpdump -n 'host 192.168.1.185 and (tcp port 80 or tcp port 443)'

To avoid parsing errors when using special characters, enclose the filters inside single quotes.

Here is another example command to capture all traffic except SSH from a source IP address 192.168.1.185:

$ sudo tcpdump -n src 192.168.1.185 and not dst port 22

Packet Inspection

By default tcpdump, catches only the packet headers. However, sometimes you may need to examine the content of the packets.

tcpdump enables you to print the content of the packets in ASCII and HEX.

The -A option tells tcpdump to print each packet in ASCII and -x in HEX:

$ sudo tcpdump -n -A

To show the packet’s contents in both HEX and ASCII, use the -X option:

$ sudo tcpdump -n -X

Reading and Writing Captures to a File

Another useful feature of tcpdump is to write the packets to a file.

This is handy when you are taking a large number of packages or carrying packets for later analysis.

To start writing to a file, use the -w option followed by the output capture file:

$ sudo tcpdump -n -w data.pcap

This command up will save the capture to a file named data. pcap. You can name the file as you want, but it is a standard protocol to use the .pcap extension (packet capture).

When the -w option is used, the output is not represented on the screen. tcpdump writes raw packets and generates a binary file that cannot be read with a regular text editor.

To inspect the contents of the file, request tcpdump with the -r option:

$ sudo tcpdump -r data.pcap

If you need to run tcpdump in the background, add the ampersand symbol (&) at the command end.

The capture file can also be examined with other packet analyzer tools such as Wireshark.

When obtaining packets over a long period, you can allow file rotation. tcpdump enables you to generate new files and rotate the dump file on a defined time interval or fixed size. The following command will create up to ten 200MB files, named file.pcap0, file.pcap1, and so on: before overwriting older files.

$ sudo tcpdump -n -W 10 -C 200 -w /tmp/file.pcap

Once ten files are created, the older files will be overwritten.

Please take care that you should only run tcpdump only during troubleshooting issues.

If you need to start tcpdump at a particular time, you can use a cronjob. tcpdump does not have an alternative to exit after a given time. You can use the timeout command to stop tcpdump after any time. For example, to exit after 5 minutes, you would use:

$ sudo timeout 300 tcpdump -n -w data.pcap

Conclusion: 

To analyze and troubleshoot network related issues, the tcpdump command-line tool is used.

This article presented you with the basics of tcpdump usage and syntax. If you have any queries related to tcpdump, feel free to contact us.