Tcpdump command examples.

Introduction

This post is about tcpdump, the command-line packet analyzer that every modern Linux distribution packages (it is preinstalled on many and one package install away on the rest). tcpdump captures packets on an interface and either prints them in real time or saves them to a file for later analysis. We will walk through several examples to learn which options it has and how to use them. Capturing needs raw socket access, which is why the capture commands below run under sudo.

Example 1. List available network interfaces.

To list all available interfaces for packet capturing use the following command:

orkhans@matrix:~$ tcpdump -D
1.wlp16s0 [Up, Running]
2.any (Pseudo-device that captures on all interfaces) [Up, Running]
3.lo [Up, Running, Loopback]
4.enp0s25 [Up]
5.bluetooth0 (Bluetooth adapter number 0)
6.nflog (Linux netfilter log (NFLOG) interface)
7.nfqueue (Linux netfilter queue (NFQUEUE) interface)
8.usbmon1 (USB bus number 1)
9.usbmon2 (USB bus number 2)
10.usbmon3 (USB bus number 3)
11.usbmon4 (USB bus number 4)
12.usbmon5 (USB bus number 5)
13.usbmon6 (USB bus number 6)
14.usbmon7 (USB bus number 7)

I will use the first network interface in the following examples.

Example 2. Capture packets on a specific interface.

To capture traffic on a specific interface, use the -i option followed by either the interface name (in my case wlp16s0) or its index from the tcpdump -D output (in my case 1). The index depends on the order in which interfaces are enumerated and can differ between hosts and between runs, so prefer the name in scripts. The command prints every captured packet to the console until you press Ctrl-C.

orkhans@matrix:~$ sudo tcpdump -i 1
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on wlp16s0, link-type EN10MB (Ethernet), capture size 262144 bytes
14:45:23.788896 IP matrix > 224.0.0.251: igmp v2 report 224.0.0.251
14:45:23.790875 IP matrix.39144 > _gateway.domain: 37011+ [1au] PTR? 251.0.0.224.in-addr.arpa. (53)
14:45:23.848448 IP _gateway.domain > matrix.39144: 37011 NXDomain 0/1/1 (110)
14:45:23.950399 IP fra15s12-in-f37.1e100.net.https > matrix.37964: Flags [P.], seq 2347372509:2347372560, ack 940637851, win 1050, options [nop,nop,TS val 1612872019 ecr 2903496779], length 51
14:45:23.996914 IP matrix.37964 > fra15s12-in-f37.1e100.net.https: Flags [.], ack 51, win 2011, options [nop,nop,TS val 2903510544 ecr 1612872019], length 0
14:45:25.026256 IP matrix.48372 > fra16s20-in-f14.1e100.net.443: UDP, length 23
14:45:25.027098 IP matrix.37388 > _gateway.domain: 7935+ [1au] PTR? 14.206.58.216.in-addr.arpa. (55)
14:45:25.078763 IP _gateway.domain > matrix.37388: 7935 2/0/1 PTR fra16s20-in-f14.1e100.net., PTR fra16s20-in-f14.1e100.net. (108)
14:45:25.179188 IP fra16s20-in-f14.1e100.net.443 > matrix.48372: UDP, length 20
^C
9 packets captured
9 packets received by filter
0 packets dropped by kernel

Each line is one packet, prefixed with a timestamp and followed by the protocol and the source and destination endpoints. Two things in this output deserve attention. First, the PTR? queries from matrix to _gateway.domain are not application traffic: they are tcpdump's own reverse-DNS lookups for the addresses it is about to print. They add noise to the capture, slow the output down and tell the DNS server (and anyone watching it) which addresses you are inspecting. Pass -n to disable address resolution, or -nn to keep port numbers numeric as well. Second, the summary printed on Ctrl-C matters: "packets dropped by kernel" counts packets the kernel buffer discarded before tcpdump could read them. A non-zero number means the capture is incomplete, which is usually cured by writing to a file with -w instead of decoding live, or by using a tighter filter.

Example 3. Capture on all interfaces

To capture traffic on all interfaces at once, use -i any as in the following example. On Linux this pseudo-device uses the "cooked" link type (LINUX_SLL or LINUX_SLL2) rather than Ethernet, so -e shows a synthetic header instead of the real MAC addresses, and it cannot be put into promiscuous mode; capture on the specific interface when you need either.

$ sudo tcpdump -i any

Example 4. Filter by IP address

To capture the packets based on a destination IP address (for example, 8.8.8.8), use the following command:

$ sudo tcpdump -i 1 dst 8.8.8.8

tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ens160, link-type EN10MB (Ethernet), capture size 262144 bytes
12:48:10.204785 IP ubu3 > google-public-dns-a.google.com: ICMP echo request, id 25347, seq 10, length 64
12:48:11.206743 IP ubu3 > google-public-dns-a.google.com: ICMP echo request, id 25347, seq 11, length 64
12:48:12.207748 IP ubu3 > google-public-dns-a.google.com: ICMP echo request, id 25347, seq 12, length 64

To capture the packets based on a source IP address (for example, 87.250.250.242), use the following command:

$ sudo tcpdump -i 1 src 87.250.250.242

tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ens160, link-type EN10MB (Ethernet), capture size 262144 bytes
12:53:49.820232 IP ya.ru > ubu3: ICMP echo reply, id 25360, seq 39, length 64
12:53:50.821403 IP ya.ru > ubu3: ICMP echo reply, id 25360, seq 40, length 64
12:53:51.823114 IP ya.ru > ubu3: ICMP echo reply, id 25360, seq 41, length 64

You can also capture packets for a specific host in either direction with host (net 192.168.1.0/24 does the same for a whole prefix):

$ sudo tcpdump -i 1 host 8.8.8.8

tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ens160, link-type EN10MB (Ethernet), capture size 262144 bytes
14:38:00.312801 IP ubu3 > google-public-dns-a.google.com: ICMP echo request, id 26015, seq 1, length 64
14:38:00.383652 IP google-public-dns-a.google.com > ubu3: ICMP echo reply, id 26015, seq 1, length 64
14:38:01.314731 IP ubu3 > google-public-dns-a.google.com: ICMP echo request, id 26015, seq 2, length 64

Example 5. Filter by port number

It is also possible to capture packets based on a port number with the port primitive. port 80 matches packets whose source or destination port is 80; use src port 80 or dst port 80 to pick one direction, and portrange 8000-8100 for a range. Note that tcpdump labels a stream as http purely because of the port number, so this filter finds HTTP only where HTTP actually runs on port 80:

$ sudo tcpdump -i 1 port 80

tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ens160, link-type EN10MB (Ethernet), capture size 262144 bytes
12:59:11.558693 IP ubu3.50428 > sof02s21-in-f174.1e100.net.http: Flags [S], seq 674463064, win 29200, options [mss 1460,sackOK,TS val 4089767843 ecr 0,nop,wscale 7], length 0
12:59:11.625778 IP sof02s21-in-f174.1e100.net.http > ubu3.50428: Flags [S.], seq 3744209885, ack 674463065, win 60192, options [mss 1380,sackOK,TS val 2543774215 ecr 4089767843,nop,wscale 8], length 0
12:59:11.625809 IP ubu3.50428 > sof02s21-in-f174.1e100.net.http: Flags [.], ack 1, win 229, options [nop,nop,TS val 4089767910 ecr 2543774215], length 0
12:59:11.625944 IP ubu3.50428 > sof02s21-in-f174.1e100.net.http: Flags [P.], seq 1:542, ack 1, win 229, options [nop,nop,TS val 4089767910 ecr 2543774215], length 541: HTTP: GET / HTTP/1.1

Example 6. Filter by protocol

Another option is to capture traffic based on a protocol, like tcp, udp, icmp or arp (use icmp6 for ICMPv6). When -i is omitted, as below, tcpdump picks the first configured-up non-loopback interface it finds; pass -i explicitly in scripts to avoid surprises:

$ sudo tcpdump icmp

tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ens160, link-type EN10MB (Ethernet), capture size 262144 bytes
15:00:26.200789 IP ubu3 > ya.ru: ICMP echo request, id 26194, seq 4, length 64
15:00:26.280660 IP ya.ru > ubu3: ICMP echo reply, id 26194, seq 4, length 64

Example 7. Create complex filters

The good thing about tcpdump is that filter primitives can be combined with and, or and not and grouped with parentheses. Two caveats: parentheses are interpreted by the shell, so quote the whole expression; and, unlike in most programming languages, and and or have equal precedence and associate left to right, so always parenthesize a mixed expression. The following example captures traffic to or from 8.8.8.8 that is also either HTTP (port 80) or ICMP, which is why the ping below matches (ICMP carries no ports, so a udp or port-only alternative would not match it):

$ sudo tcpdump "host 8.8.8.8 and (port 80 or icmp)"

tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ens160, link-type EN10MB (Ethernet), capture size 262144 bytes
15:08:14.942452 IP ubu3 > google-public-dns-a.google.com: ICMP echo request, id 26227, seq 1, length 64
15:08:15.012560 IP google-public-dns-a.google.com > ubu3: ICMP echo reply, id 26227, seq 1, length 64


Example 8. Log more detailed output.

Three options raise the verbosity: -v prints extra per-packet detail such as TTL, IP id, total length and the result of checksum verification, -vv adds more (for example fuller NFS and SMB decoding) and -vvv the most.

The following example shows the difference: IP header fields appear on the first line of each packet and, because the connection is HTTP on port 80, the request itself is decoded. Everything shown here, including the Host header and User-Agent, crossed the network in cleartext; anyone able to capture on the path reads it just as easily, which is the practical argument for TLS:

orkhans@matrix:~$ sudo tcpdump -i 1 -vvv 
tcpdump: listening on wlp16s0, link-type EN10MB (Ethernet), capture size 262144 bytes
15:03:40.390260 IP (tos 0x0, ttl 50, id 57573, offset 0, flags [none], proto TCP (6), length 60)
    ya.ru.http > matrix.41674: Flags [S.], cksum 0x195b (correct), seq 1509061496, ack 1217936334, win 27960, options [mss 1400,sackOK,TS val 2358462887 ecr 328322524,nop,wscale 8], length 0
15:03:40.390290 IP (tos 0x0, ttl 64, id 15938, offset 0, flags [DF], proto TCP (6), length 52)
    matrix.41674 > ya.ru.http: Flags [.], cksum 0xb3d9 (correct), seq 1, ack 1, win 229, options [nop,nop,TS val 328322626 ecr 2358462887], length 0
15:03:40.390797 IP (tos 0x0, ttl 64, id 15939, offset 0, flags [DF], proto TCP (6), length 442)
    matrix.41674 > ya.ru.http: Flags [P.], cksum 0x9220 (correct), seq 1:391, ack 1, win 229, options [nop,nop,TS val 328322626 ecr 2358462887], length 390: HTTP, length: 390
  GET / HTTP/1.1
  Host: ya.ru
  Connection: keep-alive
  Upgrade-Insecure-Requests: 1
  User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3396.87 Safari/537.36
  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
  Accept-Encoding: gzip, deflate
  Accept-Language: en-US,en;q=0.9,ru;q=0.8,az;q=0.7,tr;q=0.6
  
15:03:40.492509 IP (tos 0x0, ttl 50, id 57595, offset 0, flags [none], proto TCP (6), length 52)
    ya.ru.http > matrix.41674: Flags [.], cksum 0xb2ac (correct), seq 1, ack 391, win 114, options [nop,nop,TS val 2358462913 ecr 328322626], length 0

Example 9. Print the contents of the captured packets.

Use -XX to print each captured packet as hex and ASCII, including the link-layer header; -X starts at the network (IP) header instead, and -A prints ASCII only, which is enough for skimming cleartext protocols. In the first packet below the Ethernet header is the first 14 bytes: f81a 67a1 361d is the destination MAC, 0021 5c33 8bf9 the source MAC and 0800 the EtherType for IPv4, after which the IP header begins with 4500. Only the bytes within the snapshot length (-s; 262144 by default in current versions, as the banner shows) are available to print:

orkhans@matrix:~$ sudo tcpdump -i 1 -XX
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on wlp16s0, link-type EN10MB (Ethernet), capture size 262144 bytes
17:02:38.284940 IP matrix.35526 > 206.189.0.243.http: Flags [.], ack 455029320, win 238, options [nop,nop,TS val 3662206880 ecr 2181208436], length 0
  0x0000:  f81a 67a1 361d 0021 5c33 8bf9 0800 4500  ..g.6..!\3....E.
  0x0010:  0034 45d7 4000 4006 6326 c0a8 016e cebd  .4E.@.@.c&...n..
  0x0020:  00f3 8ac6 0050 9a25 4f98 1b1f 3248 8010  .....P.%O...2H..
  0x0030:  00ee 546c 0000 0101 080a da48 d7a0 8202  ..Tl.......H....
  0x0040:  9974                                     .t
17:02:38.286930 IP matrix.37191 > _gateway.domain: 962+ [1au] PTR? 243.0.189.206.in-addr.arpa. (55)
  0x0000:  f81a 67a1 361d 0021 5c33 8bf9 0800 4500  ..g.6..!\3....E.
  0x0010:  0053 54e1 4000 4011 61f9 c0a8 016e c0a8  .ST.@.@.a....n..
  0x0020:  0101 9147 0035 003f 01ba 03c2 0100 0001  ...G.5.?........
  0x0030:  0000 0000 0001 0332 3433 0130 0331 3839  .......243.0.189
  0x0040:  0332 3036 0769 6e2d 6164 6472 0461 7270  .206.in-addr.arp
  0x0050:  6100 000c 0001 0000 2902 0000 0000 0000  a.......).......
  0x0060:  00                                       .
^C
2 packets captured
2 packets received by filter
0 packets dropped by kernel

Example 10. Capture traffic and write it to a file.

This example shows how to write captured packets to a file for later analysis with the -w option. Nothing is decoded while writing, which is cheaper than live printing and therefore less likely to end the session with packets dropped by the kernel; the full packets are kept, so you can filter and decode them as often as you like afterwards. Add -c N to stop after N packets, or -C and -W to rotate between a fixed number of files on a long-running capture.

The output is a binary pcap capture file, not a text file. On Debian and Ubuntu builds tcpdump drops root to the tcpdump user right after opening the interface (the -Z option controls this), so the file ends up owned by that user and the target directory must be writable by it. Run file to identify the result:

orkhans@matrix:~$ sudo tcpdump -i 1 -w traffic.pcap
orkhans@matrix:~$ file traffic.pcap 
traffic.pcap: tcpdump capture file (little-endian) - version 2.4 (Ethernet, capture length 262144)

Example 11. Read the previously captured file.

Use -r to display the contents of a previously saved capture. The -i option is ignored when reading from a file, and nothing beyond read access to the file is needed, so leave sudo out: tcpdump's protocol decoders have had a long run of parsing bugs, and a capture from an untrusted source should never be decoded as root. Filters and the -n, -v and -X options apply to saved captures exactly as they do live, so the usual workflow is to capture broadly with -w and narrow down later with -r:

orkhans@matrix:~$ tcpdump -r traffic.pcap
reading from file traffic.pcap, link-type EN10MB (Ethernet)
17:09:37.868924 IP matrix.36190 > lhr35s06-in-f7.1e100.net.https: Flags [.], ack 1334990028, win 254, options [nop,nop,TS val 383672046 ecr 4068976127], length 0
17:09:38.024942 IP lhr35s06-in-f7.1e100.net.https > matrix.36190: Flags [.], ack 1, win 252, options [nop,nop,TS val 4069023131 ecr 383487986], length 0
17:09:38.164331 IP matrix.39331 > 239.255.255.250.1900: UDP, length 171
17:09:39.164888 IP matrix.39331 > 239.255.255.250.1900: UDP, length 171

The same file can be opened in Wireshark, or read on the command line with tshark, for deeper analysis.
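As a closing worked example that is not part of the original post, here is a small POSIX shell script that turns the text tcpdump prints (live as in Example 2, or from a saved file read with -r as in Example 11) into the three checks worth running after every capture: whether the kernel dropped anything, which endpoint pairs dominate, and how many reverse-DNS lookups polluted the capture. The sample lines, addresses and names are constructed for the demo; the tcpdump user passed to -Z in record_capture is the one Debian/Ubuntu packages create and is an assumption elsewhere.

```sh
#!/bin/sh
# Added example (not from the original post): offline helpers for tcpdump's
# *text* output. They expect lines produced without -v and with -n, i.e.
# "<time> IP <src> > <dst>: ...", plus the statistics trailer tcpdump prints
# when it stops. Every address below is constructed.

# Constructed sample: what "tcpdump -n" might print for a short session,
# followed by the trailer it prints on Ctrl-C.
SAMPLE_OUTPUT='17:09:37.868924 IP 192.168.1.110.36190 > 172.217.16.46.443: Flags [.], ack 1, win 254, length 0
17:09:38.024942 IP 172.217.16.46.443 > 192.168.1.110.36190: Flags [.], ack 1, win 252, length 0
17:09:38.164331 IP 192.168.1.110.39331 > 239.255.255.250.1900: UDP, length 171
17:09:38.290875 IP 192.168.1.110.39144 > 192.168.1.1.53: 37011+ PTR? 46.16.217.172.in-addr.arpa. (44)
17:09:39.164888 IP 192.168.1.110.39331 > 239.255.255.250.1900: UDP, length 171
5 packets captured
5 packets received by filter
0 packets dropped by kernel'

# capture_status: read tcpdump output on stdin and print "complete" if the
# kernel dropped nothing, "incomplete" if "packets dropped by kernel" is
# non-zero, or "unknown" if the trailer is missing (still running or
# truncated). A non-zero drop count means the capture is not a full record.
capture_status() {
    awk '
        / packets dropped by kernel/ { dropped = $1 }
        END {
            if (dropped == "")        print "unknown"
            else if (dropped + 0 > 0) print "incomplete"
            else                      print "complete"
        }'
}

# top_talkers: count packets per "src > dst" endpoint pair (IPv4 and IPv6
# lines), most frequent first. The colon after the destination is stripped
# so a pair can be pasted straight back into a tcpdump filter.
top_talkers() {
    awk '$2 ~ /^IP6?$/ && $4 == ">" {
             dst = $5
             sub(/:$/, "", dst)
             count[$3 " > " dst]++
         }
         END { for (k in count) printf "%d %s\n", count[k], k }' | sort -rn
}

# resolver_noise: number of reverse-DNS (PTR) queries in the capture. A burst
# of these from the capturing host usually means some tool (tcpdump itself,
# when run without -n) is resolving every address it prints.
resolver_noise() {
    awk 'index($0, " PTR? ") > 0 { n++ } END { print n + 0 }'
}

# summarize_pcap FILE: decode a saved capture with -n (no lookups, no root
# needed to read a file) and feed it to top_talkers. Not exercised by demo.
summarize_pcap() {
    tcpdump -n -r "$1" 2>/dev/null | top_talkers
}

# record_capture IFACE OUTFILE [FILTER]: the capture the helpers above are
# meant to digest. -n avoids lookups, -w keeps raw packets so nothing is lost
# to slow decoding, -C/-W rotate through ten 100 MB files, and -Z drops root
# once the interface is open (user name assumed; Debian/Ubuntu create it).
record_capture() {
    sudo tcpdump -n -i "$1" -w "$2" -C 100 -W 10 -Z tcpdump ${3:+"$3"}
}

demo() {
    printf '%s\n' "$SAMPLE_OUTPUT" | capture_status
    printf '%s\n' "$SAMPLE_OUTPUT" | top_talkers
    printf 'PTR queries: %s\n' "$(printf '%s\n' "$SAMPLE_OUTPUT" | resolver_noise)"
}

case "${1:-demo}" in
    demo) demo ;;
    *)    summarize_pcap "$1" ;;
esac
```

Run it without arguments to see the constructed sample summarised, or with the path of a file written by -w to summarise a real capture; the helpers read stdin, so `sudo tcpdump -n -i wlp16s0 2>&1 | tee live.txt` followed by `capture_status < live.txt` works as well. The three functions only understand the default one-line-per-packet format, which is a reason to do detailed decoding (-v, -X) in a second pass over the saved file rather than in the live stream.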
