What is tcpdump?
tcpdump is a network capture and protocol analysis tool (www.tcpdump.org). It is built on libpcap, a library for user-level network packet capture. Despite the name, tcpdump is not limited to TCP: it captures UDP, ICMP and other traffic as well. tcpdump is native to Linux and ships with many BSD and Linux distributions and with Mac OS X; there is also a Windows version.
Where is tcpdump installed?
You can check whether tcpdump is installed on your system with the following command:
rhian@LAPTOP-KNJ4ALF8:~$ which tcpdump
/usr/sbin/tcpdump
How long does tcpdump run for?
tcpdump will keep capturing packets until it receives an interrupt signal. You can interrupt capturing by pressing Ctrl+C. To limit the number of packets captured and have tcpdump stop on its own, use the -c (for count) option.
When tcpdump finishes capturing packets, it reports three counts:
- Packets “captured” (the number of packets that tcpdump has received and processed)
- Packets “received by filter” (what this counts depends on the OS tcpdump is running on, and possibly on how that OS is configured. If a filter was specified on the command line, some OSes count every packet regardless of whether it matched the filter expression and regardless of whether tcpdump has read and processed it yet; other OSes count only packets that matched the filter expression, whether or not tcpdump has read and processed them yet; and other OSes count only packets that matched the filter expression and were processed by tcpdump)
- Packets “dropped by kernel” (the number of packets that the packet capture mechanism of the OS dropped for lack of buffer space. This is only reported if the OS makes that information available to applications; if it does not, the count is shown as 0)
Writing tcpdump output to a file
When running tcpdump, the output file generated by the -w switch is not a text file; it can only be read by tcpdump or by other software, such as Wireshark, that can parse the binary capture file format.
tcpdump manual
https://www.tcpdump.org/manpages/tcpdump.1.html
Common Parameters
There are many more parameters, but these are likely to be the most common ones.
| Parameter | Explanation |
|---|---|
| -# | Print a packet number on every line. |
| -c | Exit after the specified number of packets. |
| -D | Print all interfaces available for capture. You can also use ifconfig to check what interfaces you have. |
| -e | Also print the link-layer header of each packet (e.g., to see the VLAN tag). This can be used, for example, to print MAC-layer addresses for protocols such as Ethernet and IEEE 802.11. |
| -i, --interface | Interface to capture from. |
| -n | Do not resolve addresses to names (e.g., no IP reverse lookups). |
| -nn | Disable name resolution of both host names and port names. |
| -v, -vv, -vvv | Verbose output, in increasing detail. |
| -w | Write the raw packets to a file, which can be opened in Wireshark, for example. |
| -x, -X | -x prints packet contents in hex; -X prints hex and ASCII side by side, which makes screen output easier to read. |
| -r | Read packets from a file containing a previous tcpdump capture. |
Examples
Check the interfaces available
# sudo tcpdump -D
1.eth0
2.eth1
3.wifi0
4.any (Pseudo-device that captures on all interfaces)
5.lo [Loopback]
Capture all packets in any interface
# sudo tcpdump --interface any
Capture packets for a specific host and output to a file
# sudo tcpdump -i any host <host_ip> -w /tmp/tcpdump.pcap
Filter packets by source and destination IP address, port, protocol, and so on. An ICMP example is below.
# sudo tcpdump -i any -c5 icmp
Filtering packets by port numbers
sudo tcpdump -i any -c5 -nn port 80
Filter based on source or destination ip or hostname
sudo tcpdump -i any -c5 -nn src 192.168.10.125
sudo tcpdump -i any -c5 -nn dst 192.168.20.125
sudo tcpdump -i any -c5 -nn src techlabadc001.techlab.com
sudo tcpdump -i any -c5 -nn dst techlabdns002.techlab.com
Complex expressions
You can also combine filters using the logical operators and and or to create more complex expressions. For example, to filter packets from source IP address 192.168.10.125 and protocol HTTP only, use this command.
sudo tcpdump -i any -c5 -nn src 192.168.10.125 and port 80
You can create even more complex expressions by grouping filters with parentheses. Enclose the filter expression in quotation marks so that the shell does not interpret the parentheses as shell syntax.
sudo tcpdump -i any -c5 -nn "port 80 and (src 192.168.10.125 or src 10.168.10.20)"
Occasionally we need even more visibility, and inspecting the contents of the packets is required to ensure that the message we are sending contains what we need, or that we received the expected response. To see the packet content, tcpdump provides two additional flags: -X to print the content in hex and ASCII, or -A to print the content in ASCII only.
sudo tcpdump -i any -c20 -nn -A port 80
Reading and writing to a file
tcpdump can save the capture to a file so you can read and analyze the results later. This lets you capture packets in batch mode overnight, for example, and check the results at your leisure. It also helps when there are too many packets to analyze in real time, since a live capture can scroll past too fast. If you have Wireshark installed, you can open the .pcap files in it for further analysis as well.
# Writing the file
sudo tcpdump -i any -c10 -nn -w dnsserver.pcap port 53
# And to read the file
tcpdump -nn -r dnsserver.pcap
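To make concrete what -w writes to disk and what -r does with a filter expression (the binary format mentioned above and the src/dst/port/protocol primitives from the Complex expressions section), here is an added Python example; it is not code from this page or from the tcpdump project. The capture, MAC addresses and ports are constructed for the example, only IPv4 over Ethernet is decoded, and match() implements just the and-combination of primitives.

```python
import socket
import struct
PROTO = {"icmp": 1, "tcp": 6, "udp": 17}      # IP protocol numbers behind tcpdump's keywords

def frame(src, dst, proto, l4):
    """Constructed Ethernet/IPv4 frame (dummy MACs, zero checksum) around an L4 payload."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64, proto, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    return bytes(range(12)) + b"\x08\x00" + ip + l4

def build_pcap(frames):
    """Lay out a pcap blob as 'tcpdump -w' does: 24-byte global header, then one record per frame."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)   # linktype 1 = Ethernet
    for ts, f in enumerate(frames, start=1):                          # ts_sec, ts_usec, caplen, len
        out += struct.pack("<IIII", ts, 0, len(f), len(f)) + f
    return out

def read_pcap(data):
    """Yield (ts_sec, frame) records; the magic number reveals the writer's byte order."""
    end = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}.get(data[:4])
    if end is None or struct.unpack(end + "I", data[20:24])[0] != 1:
        raise ValueError("not a pcap file, or not an Ethernet (linktype 1) capture")
    off = 24
    while off + 16 <= len(data):
        ts, _, caplen, _ = struct.unpack(end + "IIII", data[off:off + 16])
        yield ts, data[off + 16:off + 16 + caplen]
        off += 16 + caplen

def decode(f):
    """The fields 'tcpdump -nn' prints for IPv4: src, dst, protocol number, TCP/UDP ports."""
    if f[12:14] != b"\x08\x00":
        return None                                   # ARP, IPv6, ...: never matches here
    l4 = 14 + (f[14] & 0x0F) * 4                      # Ethernet header + IHL words
    ports = struct.unpack("!HH", f[l4:l4 + 4]) if f[23] in (6, 17) else ()
    return {"src": socket.inet_ntoa(f[26:30]), "dst": socket.inet_ntoa(f[30:34]), "proto": f[23], "ports": ports}

def match(info, **terms):
    """'and' of the page's primitives: src=, dst=, port= (either end), proto='icmp'|'tcp'|'udp'."""
    checks = {"src": info["src"] == terms.get("src"), "dst": info["dst"] == terms.get("dst"),
              "port": terms.get("port") in info["ports"], "proto": PROTO.get(terms.get("proto")) == info["proto"]}
    return all(checks[k] for k in terms)

def count_matching(pcap, **terms):            # 'tcpdump -nn -r file <filter>' reduced to a count
    return sum(1 for _, f in read_pcap(pcap) if (i := decode(f)) and match(i, **terms))

# Constructed capture: a DNS query, an ICMP echo request and an HTTP SYN.
SAMPLE = build_pcap([
    frame("192.168.10.125", "192.168.20.125", 17, struct.pack("!HHHH", 53001, 53, 8, 0)),
    frame("192.168.10.125", "192.168.20.125", 1, b"\x08\x00\xf7\xff\x00\x00\x00\x00"),
    frame("10.168.10.20", "192.168.10.125", 6, struct.pack("!HHIIHHHH", 40000, 80, 1, 0, 0x5002, 8192, 0, 0))])
```

count_matching(SAMPLE, src="192.168.10.125", port=80) is the in-memory equivalent of reading a file written with -w and applying the "src 192.168.10.125 and port 80" filter from the section above.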
Summary
tcpdump and Wireshark are extremely useful tools to have to hand for troubleshooting network issues in more detail. For example, we have used tcpdump to check whether outbound traffic from a host can ping a key management server, or to check connectivity between a host and a syslog server over TCP port 514. Sometimes you may have to run these tools as an elevated account, which may not be possible, and there are certain situations where you may get an error when you run tcpdump, such as:
tcpdump: socket for SIOCETHTOOL(ETHTOOL_GET_TS_INFO): Socket type not supported
This can sometimes happen when you are using Windows Subsystem for Linux (WSL), which lets you install a complete Ubuntu terminal environment on your Windows machine. Some functionality is not enabled there yet, which restricts certain things you may want to do.