How to install TCPdump and use it
What is TCPdump
TCPdump is a command-line utility for capturing and analyzing the network traffic that passes through a system. It is used both for network troubleshooting and as a security tool, for example to confirm what a host is really sending, to spot unexpected connections, or to preserve evidence during an incident. It has a large set of options and a filter language (BPF filter expressions) that let you capture exactly the traffic you care about. Because it is a command-line tool it is well suited to remote servers and devices without a graphical interface: you can capture to a file there, run it in the background or from cron, and analyze the result later on your workstation, for instance in Wireshark. This article covers the most commonly used TCPdump features.
Read our latest article about Network Protocols and learn more about TCP/UDP protocols.
Capturing packets with TCPdump
TCPdump needs root privileges (or the CAP_NET_RAW and CAP_NET_ADMIN capabilities) to open an interface for capture, so run the commands below as root or prefix them with sudo. Reading an existing capture file with -r does not need elevated privileges.
Start by listing the interfaces that TCPdump can capture on:
tcpdump --list-interfaces
or
sudo tcpdump -D
To capture on every interface at once, use the Linux pseudo-interface any. Note that any captures in "cooked" mode (Linux SLL), so each packet carries a synthetic link-layer header instead of the original Ethernet header, and link-layer filters such as ether host do not behave as they do on a real interface:
sudo tcpdump --interface any
Capture Packets from Specific Interface
If you run TCPdump without -i, it captures on the lowest-numbered configured, non-loopback interface it finds (often eth0) until you stop it with Ctrl-C. Use -i to choose the interface explicitly:
tcpdump -i eth0
Capture Only N Number of Packets
By default TCPdump keeps capturing until you press Ctrl-C. The -c option stops it after a set number of packets; the example below captures five packets on eth0 and then exits.
tcpdump -c 5 -i eth0
Print Captured Packets in ASCII
The -A option prints each packet's payload in ASCII (non-printable bytes are shown as dots), which is handy for reading cleartext protocols such as HTTP or SMTP on the wire. Keep in mind that it shows exactly what crossed the network: if credentials are readable here, they are readable to anyone else on the path.
tcpdump -A -i eth0
Display Available Interfaces
The -D option lists the interfaces on which TCPdump can capture, each with an index number that you can pass to -i instead of the interface name:
tcpdump -D
Display Captured Packets in HEX and ASCII using TCPdump
Sometimes you need the exact bytes rather than a decoded summary, for example when a payload is binary or when you want to compare it against an IDS signature. -X prints each packet's headers and payload in hex alongside ASCII; -XX does the same but also includes the link-layer (Ethernet) header.
tcpdump -XX -i eth0
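The hex+ASCII layout above is easy to read but awkward to reuse, for instance when the only record you have of a suspicious packet is a tcpdump -XX dump pasted into a ticket. The following Python is an added example, not code from the original article or from tcpdump: it parses dump lines of the form "0xNNNN:  <hex groups>  <ascii>" back into raw bytes, checks that the offsets are contiguous so a dropped line is noticed, and skips tcpdump's summary lines. The sample dump is constructed by hand in tcpdump's layout (a single SYN from 192.168.1.4:51000 to 5.67.214.47:22 with made-up MAC addresses); it is not real captured traffic.

```python
import re

# Constructed sample in the layout tcpdump -XX prints: a summary line followed by
# "0xNNNN:  <hex groups>  <ascii>" lines. Made up for this example, not a real capture.
SAMPLE_XX = """\
12:00:00.000000 IP 192.168.1.4.51000 > 5.67.214.47.22: Flags [S], seq 0, win 65535, length 0
\t0x0000:  0011 2233 4455 6677 8899 aabb 0800 4500  .."3DUfw......E.
\t0x0010:  0028 0001 0000 4006 0000 c0a8 0104 0543  .(....@........C
\t0x0020:  d62f c738 0016 0000 0000 0000 0000 5002  ./.8..........P.
\t0x0030:  ffff 0000 0000                           ......
"""

# One dump line: optional leading whitespace, a 4-digit hex offset, a colon, the rest.
LINE_RE = re.compile(r"^\s*0x([0-9a-fA-F]{4}):\s+(.*)$")


def hexdump_to_bytes(text):
    """Rebuild the raw bytes from tcpdump -X/-XX output.

    Lines that are not hex lines (timestamps, protocol summaries) are ignored.
    Offsets must be contiguous; a gap raises ValueError instead of silently
    producing a shorter, misaligned packet.
    """
    out = bytearray()
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        offset = int(m.group(1), 16)
        if offset != len(out):
            raise ValueError(f"gap in dump: expected offset {len(out):#06x}, got {offset:#06x}")
        # Hex groups are separated by single spaces; the ASCII column starts after
        # two or more spaces (tcpdump pads a short last line to keep it aligned).
        hexpart = re.split(r"\s{2,}", m.group(2).strip(), maxsplit=1)[0]
        out += bytes.fromhex(hexpart.replace(" ", ""))
    return bytes(out)


def ethertype(frame):
    """EtherType of a frame recovered from -XX output (bytes 12-13 of the Ethernet header)."""
    return int.from_bytes(frame[12:14], "big")


if __name__ == "__main__":
    frame = hexdump_to_bytes(SAMPLE_XX)
    print(len(frame), "bytes, EtherType", hex(ethertype(frame)))
```

With -XX the first 14 bytes are the Ethernet header, so the IPv4 header begins at offset 14 and, for a 20-byte IP header, the TCP ports sit at offsets 34 and 36. A dump produced with -X instead of -XX omits the link-layer header and every offset shifts down by 14.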
Capture and Save Packets in a File
The -w option writes the raw packets to a file in pcap format instead of printing them, so nothing is lost to decoding and the file can later be opened in Wireshark or any other pcap-aware tool. While writing, TCPdump prints nothing on the terminal; add -v to get a running packet count every few seconds. Recent versions capture whole packets by default (snaplen 262144 bytes); if yours truncates packets, add -s 0.
tcpdump -w 0001.pcap -i eth0
Read Captured Packets File
To read and analyze a saved capture such as 0001.pcap, use -r with the file name. -r accepts the same filter expressions as a live capture, so you can extract only the packets of interest, and combining it with -n avoids DNS lookups while you read.
tcpdump -r 0001.pcap
Capture IP Address Packets
The -n option disables name resolution, so addresses are printed as IP addresses rather than hostnames (use -nn to also leave port numbers unresolved). This makes the output faster and, importantly for security work, stops the capturing host from sending DNS queries that reveal which addresses you are looking at.
tcpdump -n -i eth0
Capture only TCP Packets
To capture only TCP packets, give the protocol name tcp as the filter expression, for example tcpdump -i eth0 tcp. The udp, icmp and arp keywords work the same way.
Capture Packet from Specific Port
To capture traffic on a specific port, for example 80, add port 80 to the filter. This matches packets whose source or destination port is 80, whether TCP or UDP; use tcp dst port 80 to narrow it to one protocol and direction.
tcpdump -i eth0 port 80
Capture Packets from source IP
To capture packets sent by a particular source IP address, for example 192.168.1.4, use src (short for src host):
tcpdump -i eth0 src 192.168.1.4
Capture Packets from destination IP
To capture packets sent to a particular destination IP address, for example 5.67.214.47, use dst:
tcpdump -i eth0 dst 5.67.214.47
Capture packets for the particular destination IP and Port
Filter primitives can be combined. The following command writes to xpackets.pcap the eth0 traffic destined for 5.67.214.47 that has port 22 as either its source or its destination port. If you only want traffic going to the SSH server, use dst port 22 instead of port 22.
tcpdump -w xpackets.pcap -i eth0 dst 5.67.214.47 and port 22
Capture TCP communication packets between two hosts
To capture the TCP traffic between two particular hosts, for example 192.168.1.4 and 5.67.214.47, combine host for both addresses with the tcp qualifier. host matches an address as either source or destination, so both directions of the connection are recorded:
tcpdump -w comm.pcap -i eth0 tcp and host 192.168.1.4 and host 5.67.214.47
TCPdump Filter Packets
Filter expressions are built from primitives such as host, src, dst, port, tcp and udp, joined with the operators and, or and not (also written &&, || and !). Parentheses group sub-expressions, but they must be quoted so the shell does not interpret them, for example 'tcp and (port 80 or port 443)'. The example below captures everything except ARP and RARP:
tcpdump -i eth0 not arp and not rarp
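To make the pcap file format and the filter semantics from the sections above concrete, here is an added Python example; it is not code from the original article or from tcpdump. It writes a capture file in the same layout that tcpdump -w produces, reads it back the way tcpdump -r does, and evaluates predicates equivalent to the article's expressions: dst host 5.67.214.47 and port 22 versus dst host 5.67.214.47 and dst port 22, tcp and host A and host B, and not arp. All packets are constructed inline (zero checksums, made-up MAC addresses, the article's two IP addresses plus an assumed third host 10.0.0.9), and the packet with source port 22 going to 5.67.214.47 is included precisely to show why port 22 and dst port 22 differ.

```python
import ipaddress
import os
import struct
import tempfile

PCAP_MAGIC = 0xA1B2C3D4          # microsecond-resolution pcap, written little-endian here
LINKTYPE_ETHERNET = 1
ETH_P_IP, ETH_P_ARP = 0x0800, 0x0806
IPPROTO_TCP, IPPROTO_UDP = 6, 17
MAC_A, MAC_B = bytes.fromhex("001122334455"), bytes.fromhex("66778899aabb")  # made-up MACs


def ipv4_tcp_frame(src, dst, sport, dport, payload=b"", flags=0x18):
    """Ethernet/IPv4/TCP frame for the demo; checksums are left zero."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64, IPPROTO_TCP, 0,
                     ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return MAC_B + MAC_A + struct.pack("!H", ETH_P_IP) + ip + tcp


def arp_frame():
    """Broadcast ARP frame; the body is irrelevant for the filter demo."""
    return b"\xff" * 6 + MAC_A + struct.pack("!H", ETH_P_ARP) + b"\x00" * 28


def write_pcap(path, records, snaplen=262144):
    """records: iterable of (timestamp_seconds, frame_bytes). Same layout as tcpdump -w."""
    with open(path, "wb") as f:
        # global header: magic, version 2.4, thiszone, sigfigs, snaplen, link type
        f.write(struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, snaplen, LINKTYPE_ETHERNET))
        for ts, frame in records:
            sec = int(ts)
            usec = round((ts - sec) * 1_000_000)
            # per-packet header: ts_sec, ts_usec, captured length, original length
            f.write(struct.pack("<IIII", sec, usec, len(frame), len(frame)) + frame)


def read_pcap(path):
    """Yield (timestamp, frame) as tcpdump -r would; stops cleanly at a truncated tail."""
    with open(path, "rb") as f:
        magic, _, _, _, _, _, linktype = struct.unpack("<IHHiIII", f.read(24))
        if magic != PCAP_MAGIC or linktype != LINKTYPE_ETHERNET:
            raise ValueError("not a little-endian Ethernet pcap")
        while len(hdr := f.read(16)) == 16:
            sec, usec, caplen, _ = struct.unpack("<IIII", hdr)
            yield sec + usec / 1_000_000, f.read(caplen)


def decode(frame):
    """Extract the fields the filter predicates need from an Ethernet frame."""
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype == ETH_P_ARP:
        return {"proto": "arp"}
    if ethertype != ETH_P_IP:
        return {"proto": "other"}
    ihl = (frame[14] & 0x0F) * 4          # IPv4 header length in bytes
    pkt = {"proto": {IPPROTO_TCP: "tcp", IPPROTO_UDP: "udp"}.get(frame[23], "ip"),
           "src": str(ipaddress.IPv4Address(frame[26:30])),
           "dst": str(ipaddress.IPv4Address(frame[30:34]))}
    if pkt["proto"] in ("tcp", "udp"):    # ports sit at the same offset in both
        pkt["sport"], pkt["dport"] = struct.unpack("!HH", frame[14 + ihl:14 + ihl + 4])
    return pkt


# Predicates mirroring tcpdump filter primitives (plain "port" matches either direction).
def dst_host_and_port(p, host, port):      # dst host X and port N
    return p.get("dst") == host and port in (p.get("sport"), p.get("dport"))

def dst_host_and_dst_port(p, host, port):  # dst host X and dst port N
    return p.get("dst") == host and p.get("dport") == port

def tcp_between(p, a, b):                  # tcp and host A and host B
    return p["proto"] == "tcp" and {p.get("src"), p.get("dst")} == {a, b}

def not_arp(p):                            # not arp
    return p["proto"] != "arp"


def demo(path=None):
    """Write a small constructed capture, read it back and count filter matches."""
    path = path or os.path.join(tempfile.mkdtemp(), "0001.pcap")
    a, b = "192.168.1.4", "5.67.214.47"
    records = [
        (1700000000.000, ipv4_tcp_frame(a, b, 51000, 22, b"SSH-2.0-client\r\n")),
        (1700000000.010, ipv4_tcp_frame(b, a, 22, 51000, b"SSH-2.0-server\r\n")),
        (1700000000.020, ipv4_tcp_frame(a, b, 22, 40000)),        # source port 22, not dst
        (1700000000.030, ipv4_tcp_frame("10.0.0.9", b, 4444, 80, b"GET / HTTP/1.0\r\n")),
        (1700000000.040, arp_frame()),
    ]
    write_pcap(path, records)
    pkts = [decode(frame) for _, frame in read_pcap(path)]
    return {
        "total": len(pkts),
        "dst host b and port 22": sum(dst_host_and_port(p, b, 22) for p in pkts),
        "dst host b and dst port 22": sum(dst_host_and_dst_port(p, b, 22) for p in pkts),
        "tcp and host a and host b": sum(tcp_between(p, a, b) for p in pkts),
        "not arp": sum(not_arp(p) for p in pkts),
    }


if __name__ == "__main__":
    print(demo())
```

The file that demo() writes is a valid pcap, so you can cross-check the predicates against the real thing: tcpdump -nn -r on it with each of the filter expressions above should report the same counts (2, 1, 3 and 4 of the 5 packets). The difference between port 22 and dst port 22 is the one that most often surprises people: a host that initiates a connection from source port 22 matches the former but not the latter.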
Conclusion
This article has introduced the most common TCPdump options for capturing and analyzing packets. There are many more; pick the ones that fit your needs, and let us know in the comments whether you found this post useful.
Monitor your Linux Server for free today using Xitoring!