How to install and use TCPdump on CentOS 7 / 8
TCPdump is a network analyzer utility that can monitor and log TCP/IP traffic passing through the network and the device on which it is executed. TCPdump is open source and freely available under the BSD license. It is a command-line application and can print information about packets in several formats depending on the arguments used.
Read our latest article about Network Protocols and learn more about TCP/UDP protocols.
How to Install TCPdump on CentOS 7 and 8
If you are using an RHEL-based operating system, there is a good chance that TCPdump is already installed on your system. First, run the following command (or any TCPdump command) to check whether it is installed:
tcpdump -D
If you get the following output, TCPdump is not installed:
-bash: tcpdump: command not found
You can install TCPdump with the command below:
yum install tcpdump
Verify the installation by checking the version:
tcpdump --version
Show Interfaces
Before you can monitor or capture anything, you need to know how many interfaces you have and what their names are, so that you can use them to filter and get the desired results. You can list your system's interfaces with the following command:
tcpdump -D
You should see something like the listing below, which shows your interfaces, their status, and a brief description of what each interface does:
1.eth0 [Up, Running]
2.lo [Up, Running, Loopback]
3.any (Pseudo-device that captures on all interfaces) [Up, Running]
4.bluetooth-monitor (Bluetooth Linux Monitor) [none]
5.nflog (Linux netfilter log (NFLOG) interface) [none]
6.nfqueue (Linux netfilter queue (NFQUEUE) interface) [none]
7.usbmon0 (Raw USB traffic, all USB buses) [none]
8.usbmon1 (Raw USB traffic, bus number 1)
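The listing above mixes real interfaces with pseudo-devices and interfaces that are down. The following added example (not part of the original article) reads "tcpdump -D" output and keeps only the interfaces reported as "Up, Running", dropping "any" and the nflog/nfqueue/usbmon/bluetooth pseudo-devices; the sample output embedded below is constructed to match the listing.

```shell
#!/bin/sh
# Added example: pick the capture-ready interfaces out of "tcpdump -D" output.
# Pseudo-devices (any, nflog, nfqueue, usbmon*, bluetooth-monitor) and
# interfaces not reported as "Up, Running" are dropped.

# Constructed sample of "tcpdump -D" output, matching the listing above.
SAMPLE_D='1.eth0 [Up, Running]
2.lo [Up, Running, Loopback]
3.any (Pseudo-device that captures on all interfaces) [Up, Running]
4.bluetooth-monitor (Bluetooth Linux Monitor) [none]
5.nflog (Linux netfilter log (NFLOG) interface) [none]
6.nfqueue (Linux netfilter queue (NFQUEUE) interface) [none]
7.usbmon0 (Raw USB traffic, all USB buses) [none]
8.usbmon1 (Raw USB traffic, bus number 1)'

# usable_interfaces: reads "tcpdump -D" lines on stdin, prints one name per line.
# Real use: tcpdump -D | usable_interfaces
usable_interfaces() {
  awk '
    /\[.*Up, Running.*\]/ {
      name = $1
      sub(/^[0-9]+\./, "", name)   # strip the "1." index prefix
      if (name == "any" || name ~ /^(nflog|nfqueue|usbmon|bluetooth)/) next
      print name
    }'
}

# default_interface: first real, non-loopback interface from the sample (e.g. eth0),
# handy when a capture script is not given an interface name explicitly.
default_interface() {
  printf '%s\n' "$SAMPLE_D" | usable_interfaces | grep -v '^lo$' | head -n 1
}

if [ "${1:-}" = "--demo" ]; then
  printf '%s\n' "$SAMPLE_D" | usable_interfaces
  echo "default: $(default_interface)"
fi
```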
Capture a specific interface
Using the “-i” argument you can select a specific interface to monitor and capture. For example, start capturing on one of your active interfaces with the command below (we use “eth0”, the main interface on this machine; replace it with your own interface name):
tcpdump -i eth0
It will capture every packet that hits the interface and print it on your screen; you can stop the process with “Ctrl + C”.
You can capture on the interface and write the output directly to a file with:
tcpdump -i eth0 > test.txt
Add a timeout to capture 20 seconds of your interface's traffic and write it to a file:
timeout 20s tcpdump -i eth0 > test.txt
Capture a specific number of packets
The “-c” argument sets the number of packets you want to capture. For example, you can record 200 packets on your “eth0” interface with the following command:
tcpdump -i eth0 -c 200
Capture traffic by IP
One of the most common filters you can use with TCPdump is “host”; with it you see only the packets going to or from a specific IP.
For example, this command shows and captures all traffic of your loopback interface (127.0.0.1):
tcpdump host 127.0.0.1
Of course, you can combine filters and arguments to get more precise results:
tcpdump -i eth0 -c 200 host 8.8.8.8
Capture packets by source and destination
With the “src” and “dst” filters you can see traffic in one direction only; check the examples below:
tcpdump src 8.8.8.8
tcpdump -i eth0 -c 200 dst 8.8.8.8 > test.txt
Filter by Network
To capture packets going to or from a particular network or subnet, use the “net” filter:
tcpdump net 10.0.10.0/24
tcpdump -i eth0 net 10.0.10.0/24
Capture traffic of a specific port
Use the “port” filter to capture traffic on a specific port of your device; this way you can analyze the packets of a service that uses a specific port on your system:
tcpdump port 80
Combine it with the “src” and “dst” filters:
tcpdump src port 80
Show Traffic of a specific protocol
You may want to look at one particular kind of traffic; you can use the “tcp”, “udp” and “icmp” keywords, among others:
tcpdump icmp
tcpdump -i eth0 tcp
Print captured packets in ASCII
If you want to see the packet contents in ASCII, use the “-A” argument as in the following example:
tcpdump -i eth0 -A
Capture and save packets in a readable file
TCPdump can save the results of a capture to a file and read them back later. Start capturing and write the packets to a file with:
tcpdump -i eth0 -w test.txt
Open and read the file with TCPdump using:
tcpdump -r test.txt
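The following added example (not part of the original article) ties the capture steps above together: a timed capture written with “-w” to a pcap file, then read back with “-r” and a narrower filter. Note that “-w” writes the binary pcap format, so the file is meant for “-r” or Wireshark rather than a text editor; “-nn” disables DNS and port-name lookups during capture, which keeps the capture fast and avoids emitting DNS queries while you are observing the network. The interface name eth0, the 20-second duration and the filters are assumptions; the script only runs the commands when invoked with --run, as root with tcpdump installed.

```shell
#!/bin/sh
# Added example: timed capture to a pcap file, then a filtered read-back.
# -nn: no name resolution while capturing; -s 0: whole packets (use a small
# snaplen such as -s 96 for headers only); -w: write pcap; -r: read pcap.

capture_cmd() {
  # $1 interface, $2 seconds, $3 output pcap file, remaining args = BPF filter
  iface=$1; secs=$2; out=$3; shift 3
  filter=$*
  printf 'timeout %ss tcpdump -nn -s 0 -i %s -w %s%s' \
    "$secs" "$iface" "$out" "${filter:+ $filter}"
}

read_cmd() {
  # $1 pcap file, remaining args = BPF filter applied while reading the file
  file=$1; shift
  filter=$*
  printf 'tcpdump -nn -r %s%s' "$file" "${filter:+ $filter}"
}

if [ "${1:-}" = "--run" ]; then
  # Assumed values: eth0, 20 seconds, traffic to/from 8.8.8.8, then only TCP 443.
  cmd=$(capture_cmd eth0 20 test.pcap host 8.8.8.8)
  echo "+ $cmd"
  sh -c "$cmd" || true   # timeout exits 124 when the 20 s elapse; that is expected
  cmd=$(read_cmd test.pcap 'tcp port 443')
  echo "+ $cmd"
  sh -c "$cmd"
fi
```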
FAQ
How can one analyze the data captured by TCPdump to identify potential security threats or network issues?
To analyze data captured by TCPdump, users can employ tools like Wireshark, which provides a graphical interface for examining packet data in depth. Analyzing involves looking for unusual patterns, such as repeated attempts to connect to certain ports (potential scanning or brute force attacks), or large amounts of traffic to or from an unknown IP (possible data exfiltration or DDoS attacks).
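The "repeated attempts to connect to certain ports" pattern mentioned above can be checked directly in TCPdump's text output. The following added example (not part of the original article) reads "tcpdump -nn" lines, counts how many distinct destination ports each source address has sent a TCP SYN to, and reports sources at or above a threshold; the sample lines are constructed, not a real capture, and the threshold of 5 is an assumption you would tune for your network.

```shell
#!/bin/sh
# Added example: flag sources that send TCP SYNs to many distinct ports,
# based on "tcpdump -nn" text output. Only Flags [S] lines count, so
# established flows and SYN-ACK replies do not inflate the numbers.

# Constructed sample lines in tcpdump -nn format (not a real capture).
SAMPLE_LOG='10:00:01.000100 IP 203.0.113.5.40001 > 10.0.10.7.22: Flags [S], seq 1, win 64240, length 0
10:00:01.000200 IP 203.0.113.5.40002 > 10.0.10.7.23: Flags [S], seq 1, win 64240, length 0
10:00:01.000300 IP 203.0.113.5.40003 > 10.0.10.7.80: Flags [S], seq 1, win 64240, length 0
10:00:01.000400 IP 203.0.113.5.40004 > 10.0.10.7.443: Flags [S], seq 1, win 64240, length 0
10:00:01.000500 IP 203.0.113.5.40005 > 10.0.10.7.3306: Flags [S], seq 1, win 64240, length 0
10:00:02.000100 IP 10.0.10.9.51000 > 10.0.10.7.80: Flags [S], seq 1, win 64240, length 0
10:00:02.000200 IP 10.0.10.7.80 > 10.0.10.9.51000: Flags [S.], seq 1, ack 2, win 65160, length 0
10:00:02.000300 IP 10.0.10.9.51000 > 10.0.10.7.80: Flags [.], ack 1, win 502, length 0'

# syn_port_fanout: stdin = tcpdump -nn lines; prints "<source-ip> <distinct ports>"
# for each source whose distinct destination-port count reaches THRESHOLD (default 5).
# Real use: tcpdump -nn -r test.pcap 'tcp[tcpflags] & tcp-syn != 0' | syn_port_fanout
syn_port_fanout() {
  awk -v threshold="${THRESHOLD:-5}" '
    $2 == "IP" && $7 == "[S]," {
      src = $3; sub(/\.[0-9]+$/, "", src)   # drop the source port
      dst = $5; sub(/:$/, "", dst)
      port = dst; sub(/.*\./, "", port)     # keep only the destination port
      if (!((src, port) in seen)) { seen[src, port] = 1; ports[src]++ }
    }
    END { for (s in ports) if (ports[s] >= threshold) print s, ports[s] }'
}

if [ "${1:-}" = "--demo" ]; then
  printf '%s\n' "$SAMPLE_LOG" | syn_port_fanout
fi
```

On the sample this reports only 203.0.113.5 (5 distinct ports); the internal client 10.0.10.9 opened one connection and stays below the threshold.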
Are there any best practices or tips for optimizing TCPdump's performance, especially on high-traffic networks?
For high-traffic networks, using filters to limit the captured traffic, which reduces the amount of data TCPdump must process, is crucial. Capturing only headers instead of full packets and writing output directly to a file also reduce overhead. Running TCPdump under the nice command lets other critical system processes keep priority.
How does TCPdump compare to other network monitoring tools available for CentOS in terms of features, performance, and ease of use?
TCPdump is a powerful command-line network analysis tool that excels at capturing and filtering network packets. Compared to graphical tools like Wireshark, it requires fewer system resources, making it ideal for running on servers. However, for users seeking more intuitive analysis and visualization capabilities, Wireshark might be preferable. Other specialized tools, such as ntopng or Nagios, offer more extensive network monitoring and visualization features but might require additional configuration and resources.