Are you trying to capture packets to analyze the traffic on your network? You may be a server administrator who has run into a problem and wants to see the data actually being transmitted over the wire. In either case, you will need the tcpdump Linux utility.
In this article, we explain the tcpdump command in detail, along with guidance on how to install and use tcpdump on your Linux system.
What is the tcpdump command?
Tcpdump is a powerful network monitoring tool that lets a user capture and filter the packets travelling over a network. It gives you detailed information about the TCP/IP traffic on your system. Tcpdump is a command-line utility, which means you can run it on Linux servers that have no display.
System administrators can also combine tcpdump with cron to automate tasks such as periodic capture logging. Because it is so versatile, tcpdump serves both as a troubleshooting tool and as a security tool.
How to install tcpdump on Linux
Although tcpdump is pre-installed on most systems, some Linux distributions don't ship the package. In that case you have to install the utility yourself.
You can check whether tcpdump is installed by running `which tcpdump`.
If the output shows a path such as /usr/bin/tcpdump, the package is already installed. If not, you can easily install it with your system's standard package manager.
To install tcpdump on Debian-based distributions like Ubuntu:
sudo apt-get install tcpdump
Installing tcpdump on CentOS is just as easy:
sudo yum install tcpdump
On Arch-based distributions:
sudo pacman -S tcpdump
To install on Fedora:
sudo dnf install tcpdump
Note that tcpdump depends on libpcap, the packet-capture library. The package managers above pull it in automatically, but if you build tcpdump from source, make sure libpcap is installed as well.
Tcpdump examples for capturing network packets on Linux
Now that you have tcpdump installed on your Linux machine, it's time to start capturing some packets. Opening a network interface for capture requires superuser privileges (root, or the CAP_NET_RAW capability), so you will need to prefix the commands below with sudo.
1. List all network interfaces
To check which network interfaces are available for capture, use the -D flag with the tcpdump command: sudo tcpdump -D.
Passing the --list-interfaces flag instead returns the same output.
The output is a list of all network interfaces present on your system.
Now that you have the list of network interfaces, it's time to monitor your network by capturing packets. You can specify a single interface, but passing the pseudo-interface any tells tcpdump to capture on every active interface at once. Note that any uses Linux "cooked" capture, so the saved frames carry a generic header instead of an Ethernet header, which is why the output below shows the interface name and direction on each line.
sudo tcpdump --interface any
The system displays the following output.
2. The tcpdump output format
The first two lines are status messages; starting from the third line, each line of output describes one packet captured by tcpdump. This is what the output for a single packet looks like:
17:00:25.369138 wlp0s20f3 Out IP localsystem.40310 > kul01s10-in-f46.1e100.net.https: Flags [P.], seq 196:568, ack 1, win 309, options [nop,nop,TS val 117964079 ecr 816509256], length 33
Note that not all packets are captured this way. However, this is the general format that most of them follow.
The output contains the following information.
Timestamp of the received packet
Name of the network protocol
IP address and port details
The sequence number of the data in the packet
The first field (17:00:25.369138) is the timestamp at which your system sent or received the packet, taken from the system's local clock.
The second and third fields identify the interface used and the direction of the packet. In the excerpt above, wlp0s20f3 is the name of the wireless interface and Out means the packet left the system (In marks incoming packets).
The fourth field contains the network protocol name. You will usually see one of two values, IP and IP6, where IP means IPv4 and IP6 means IPv6.
The next field contains the IP addresses or host names of the source and destination systems, followed by the port number (or service name, such as https) after the final dot.
The sixth field holds the TCP flags. tcpdump represents them with single characters inside square brackets:
| Flag | tcpdump value | Meaning |
| SYN | S | A connection is being started |
| PSH | P | Data is being pushed to the application |
| RST | R | The connection is being reset |
| FIN | F | The sender has finished sending data |
| ACK | . | The packet acknowledges received data |
The output often shows a combination of flags. For example, Flags [F.] stands for a FIN-ACK packet, and the [P.] in the sample above is a PSH-ACK.
Moving on through the output, the next field is the sequence number range (seq 196:568) of the data in the packet, i.e. the bytes from 196 up to (but not including) 568 of this stream. For the first packet of a connection, tcpdump prints the absolute sequence number; for subsequent packets it prints numbers relative to that starting point so the stream is easier to follow (pass -S if you want absolute numbers everywhere).
The next field is the acknowledgment number (ack 1), which is the next sequence number this side expects to receive from its peer. It is relative as well, so a value of 1 right after the handshake means no data has been received yet.
The ninth field contains the window size (win 309), the number of bytes the receiver can currently accept into its receive buffer (subject to window scaling). Several other fields may follow the window size, including TCP options such as the Maximum Segment Size (MSS) and timestamps.
The last field (length 33) is the number of TCP payload bytes in the packet, not the size of the whole frame.
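To show how the fields just described fit together, here is an added example (not code from the original article) that parses tcpdump's default one-line-per-packet output into structured records and tallies payload bytes per destination. The regular expression follows the format printed on Linux with --interface any, where each line carries an interface name and an In/Out direction, and also accepts lines from a single interface, which omit those two fields. SAMPLE_LINES is constructed for this example (the first entry is the article's own packet line); the hostnames, addresses and values in the other entries are illustrative, not a real capture.

```python
"""Parse the one-line-per-packet text that tcpdump prints and tally it.

Added example for this article, not tcpdump's own code. It reads the
default (non-verbose) output format: captured on Linux with
`--interface any`, each line carries an interface name and an In/Out
direction before the protocol; the same regex also accepts lines from a
single interface, which omit those two fields. SAMPLE_LINES is constructed
for this example (the first packet line is the article's own).
"""
import re
from collections import Counter

# Fixed part of every packet line: timestamp, optional "<iface> <direction>",
# protocol, "src > dst:" and whatever the protocol printer appends after that.
_LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+)\s+"
    r"(?:(?P<iface>\S+)\s+(?P<dir>In|Out|B|M|P)\s+)?"
    r"(?P<proto>IP6?)\s+"
    r"(?P<src>\S+)\s+>\s+(?P<dst>\S+):\s+(?P<rest>.*)$"
)
# TCP-specific fields; each may be absent (a pure ACK has no "seq", a SYN
# has no "ack", UDP and ICMP lines have none of them).
_FLAGS_RE = re.compile(r"Flags \[(?P<flags>[^\]]*)\]")
_SEQ_RE = re.compile(r"\bseq (?P<start>\d+)(?::(?P<end>\d+))?")
_ACK_RE = re.compile(r"\back (?P<ack>\d+)")
_WIN_RE = re.compile(r"\bwin (?P<win>\d+)")
_LEN_RE = re.compile(r"\blength (?P<len>\d+)")


def _split_endpoint(endpoint, has_port):
    """'host.port' -> (host, port). tcpdump prints the port or service name
    after the last dot; IPv6 addresses contain no dots, so rpartition is safe.
    ICMP endpoints carry no port and are returned whole."""
    if not has_port:
        return endpoint, None
    host, _, port = endpoint.rpartition(".")
    return host, port


def parse_line(line):
    """Return a dict of fields for one packet line, or None for tcpdump's
    status lines ("listening on any, ...", "10 packets captured")."""
    m = _LINE_RE.match(line.strip())
    if m is None:
        return None
    rest = m.group("rest")
    has_port = not rest.startswith("ICMP")
    src_host, src_port = _split_endpoint(m.group("src"), has_port)
    dst_host, dst_port = _split_endpoint(m.group("dst"), has_port)
    rec = {
        "timestamp": m.group("ts"), "interface": m.group("iface"),
        "direction": m.group("dir"), "proto": m.group("proto"),
        "src_host": src_host, "src_port": src_port,
        "dst_host": dst_host, "dst_port": dst_port,
        "flags": None, "seq": None, "ack": None, "win": None, "length": None,
    }
    if (f := _FLAGS_RE.search(rest)):
        rec["flags"] = f.group("flags")
    if (s := _SEQ_RE.search(rest)):
        start = int(s.group("start"))
        # "seq 196:568" is the byte range carried; a bare "seq N" (e.g. on a
        # SYN) carries no data, so the range is empty.
        rec["seq"] = (start, int(s.group("end")) if s.group("end") else start)
    if (a := _ACK_RE.search(rest)):
        rec["ack"] = int(a.group("ack"))
    if (w := _WIN_RE.search(rest)):
        rec["win"] = int(w.group("win"))
    if (n := _LEN_RE.search(rest)):
        rec["length"] = int(n.group("len"))  # TCP payload bytes, not frame size
    return rec


def tcp_payload_by_destination(lines):
    """Sum the TCP payload bytes ("length N") sent to each host:port, the
    quickest way to see who is receiving the most data in a capture."""
    totals = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["flags"] is None or rec["length"] is None:
            continue
        totals[f'{rec["dst_host"]}:{rec["dst_port"]}'] += rec["length"]
    return totals


# Constructed sample output (first line is the article's own packet line).
SAMPLE_LINES = [
    "17:00:25.369138 wlp0s20f3 Out IP localsystem.40310 > kul01s10-in-f46.1e100.net.https: Flags [P.], seq 196:568, ack 1, win 309, options [nop,nop,TS val 117964079 ecr 816509256], length 33",
    "17:00:25.369140 wlp0s20f3 In IP kul01s10-in-f46.1e100.net.https > localsystem.40310: Flags [.], ack 568, win 265, options [nop,nop,TS val 816509300 ecr 117964079], length 0",
    "17:00:26.001200 wlp0s20f3 Out IP localsystem.51024 > 192.0.2.10.http: Flags [S], seq 3456789012, win 64240, options [mss 1460,sackOK,TS val 117964700 ecr 0,nop,wscale 7], length 0",
    "17:00:26.120000 wlp0s20f3 Out IP localsystem.53412 > 192.0.2.53.domain: 43210+ A? example.com. (29)",
    "17:00:27.000000 wlp0s20f3 Out IP6 2001:db8::10.40312 > 2001:db8::1.https: Flags [S], seq 1, win 64800, options [mss 1440,sackOK], length 0",
    "listening on any, link-type LINUX_SLL2 (Linux cooked v2), snapshot length 262144 bytes",
]

if __name__ == "__main__":
    for sample in SAMPLE_LINES:
        print(parse_line(sample))
    print(tcp_payload_by_destination(SAMPLE_LINES))
```

Pipe live output through it with `sudo tcpdump --interface any -l | python3 parse_tcpdump.py` style plumbing (the -l flag line-buffers tcpdump's output; the script name is assumed). The parser deliberately treats every TCP field as optional, because the fields present vary by packet type, and it skips ICMP endpoints when splitting off the port.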
3. Limit the number of packets captured
The first time you run tcpdump, you will notice that it keeps capturing packets until you send an interrupt signal (Ctrl+C). You can change this default behavior by specifying the number of packets you want to capture with the -c flag:
sudo tcpdump --interface any -c 10
The above command stops after ten packets in total have been captured across all active network interfaces.
4. Filter packets based on fields
When you are troubleshooting a problem, a wall of text scrolling past on your terminal doesn't make things easier. This is where tcpdump's filter expressions come into play. You can filter packets by host, protocol, port number and more.
Enter the following to capture only TCP packets:
sudo tcpdump --interface any -c 5 tcp
If you want to filter the output based on the port number, do the following:
sudo tcpdump --interface any -c 5 port 50
The above command only shows packets whose source or destination port is the specified one.
To get the package details for a specific host:
sudo tcpdump --interface any -c 5 host 18.104.22.168
If you only want packets sent by, or only packets sent to, a specific host, use the src or dst qualifier instead of host:
sudo tcpdump --interface any -c 5 src 22.214.171.124
sudo tcpdump --interface any -c 5 dst 126.96.36.199
You can also use the logical operators and and or to combine two or more expressions. For example, to get packets that come from the source IP 184.108.40.206 and use port 80:
sudo tcpdump --interface any -c 10 src 184.108.40.206 and port 80
Complex expressions can be grouped with parentheses. Quote the whole expression so that the shell does not try to interpret the parentheses itself:
sudo tcpdump --interface any -c 10 "(src 220.127.116.11 or src 18.104.22.168) and (port 45 or port 80)"
5. View the contents of the package
You can use the -A and -x flags with the tcpdump command to look at the contents of each packet. The -A flag prints the packet in ASCII, and -x prints it in hexadecimal (use -X to get hex and ASCII side by side).
To view the contents of the next network packet captured by the system:
sudo tcpdump --interface any -c 1 -A
sudo tcpdump --interface any -c 1 -x
6. Save the acquisition data to a file
If you want to keep the captured data for later analysis, tcpdump can write it to a file. Pass the -w flag with the file name and the raw packets are saved to that file instead of being printed on the screen:
sudo tcpdump --interface any -c 10 -w data.pcap
The .pcap extension stands for packet capture. Because the file contains the full packets, including any unencrypted payloads and credentials, treat it as sensitive data and restrict its permissions. Since nothing is printed while writing to a file, you can add the -v flag to have tcpdump report the running count of captured packets:
sudo tcpdump --interface any -c 10 -w data.pcap -v
To read a .pcap file with tcpdump, use the -r (read) flag followed by the file path. Reading a file does not require root privileges:
tcpdump -r data.pcap
The same filter expressions work on a saved file, so you can narrow down the stored packets just as you would a live capture:
tcpdump -r data.pcap port 80
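The .pcap format that -w writes and -r reads is simple enough to inspect without libpcap, which is useful when you need to check what a capture file contains (its link type, snapshot length, or whether packets were truncated) before handing it to another tool. The following is an added example, not part of the original article or of tcpdump: it decodes the 24-byte global header and each 16-byte record header, and builds a small in-memory capture from constructed filler packets so the reader can be exercised offline. The link-type names and magic values are the documented pcap constants; everything else (function names, sample timestamps, packet contents) is made up for the example.

```python
"""Read the .pcap file that `tcpdump -w` produces, without libpcap.

Added example for this article, not tcpdump's own code. It decodes the
24-byte global header (magic, version, snaplen, link type) and then each
16-byte record header, and it builds a small sample file in memory so the
reader can be exercised offline; the packet bytes in that sample are
constructed filler, not a real capture.
"""
import io
import struct

# pcap magic numbers: microsecond and nanosecond timestamp variants, each
# written in the capturing machine's byte order.
_MAGICS = {
    b"\xd4\xc3\xb2\xa1": ("<", 1_000_000),      # little-endian, microseconds
    b"\xa1\xb2\xc3\xd4": (">", 1_000_000),      # big-endian, microseconds
    b"\x4d\x3c\xb2\xa1": ("<", 1_000_000_000),  # little-endian, nanoseconds
    b"\xa1\xb2\x3c\x4d": (">", 1_000_000_000),  # big-endian, nanoseconds
}

# Link types you will meet most often: a single Ethernet interface, and the
# Linux "cooked" headers used when capturing with `--interface any`.
LINKTYPES = {
    1: "EN10MB (Ethernet)",
    113: "LINUX_SLL (Linux cooked v1)",
    276: "LINUX_SLL2 (Linux cooked v2)",
}


def read_pcap(stream):
    """Return (header, records) from a binary file object in pcap format.

    Each record carries caplen (bytes stored) and origlen (bytes on the
    wire); they differ when the packet was cut at the snapshot length."""
    magic = stream.read(4)
    if magic not in _MAGICS:
        raise ValueError(f"not a pcap file (magic {magic.hex()})")
    endian, ts_div = _MAGICS[magic]
    major, minor, _tz, _sigfigs, snaplen, linktype = struct.unpack(
        endian + "HHiIII", stream.read(20))
    header = {
        "version": (major, minor), "snaplen": snaplen, "linktype": linktype,
        "linktype_name": LINKTYPES.get(linktype, f"unknown ({linktype})"),
    }
    records = []
    while True:
        rec_hdr = stream.read(16)
        if not rec_hdr:
            break
        if len(rec_hdr) < 16:
            raise ValueError("truncated record header")
        ts_sec, ts_frac, caplen, origlen = struct.unpack(endian + "IIII", rec_hdr)
        data = stream.read(caplen)
        if len(data) < caplen:
            raise ValueError("truncated packet data")
        records.append({
            "timestamp": ts_sec + ts_frac / ts_div,
            "caplen": caplen, "origlen": origlen,
            "truncated": caplen < origlen, "data": data,
        })
    return header, records


def read_pcap_bytes(data):
    """Convenience wrapper for an in-memory capture."""
    return read_pcap(io.BytesIO(data))


def write_pcap(stream, packets, linktype=1, snaplen=65535):
    """Write (timestamp, bytes) pairs as a little-endian microsecond pcap,
    cutting each packet at snaplen the way `tcpdump -s` does."""
    stream.write(b"\xd4\xc3\xb2\xa1")
    stream.write(struct.pack("<HHiIII", 2, 4, 0, 0, snaplen, linktype))
    for ts, data in packets:
        sec = int(ts)
        usec = int(round((ts - sec) * 1_000_000))
        captured = data[:snaplen]
        stream.write(struct.pack("<IIII", sec, usec, len(captured), len(data)))
        stream.write(captured)


def sample_capture(snaplen=64):
    """Constructed in-memory capture: one short frame and one 1500-byte frame
    that exceeds the snapshot length, so truncation is visible."""
    packets = [
        (1_700_000_000.000123, b"\x00" * 60),
        (1_700_000_000.250000, b"\xff" * 1500),
    ]
    buf = io.BytesIO()
    write_pcap(buf, packets, linktype=1, snaplen=snaplen)
    return buf.getvalue()


if __name__ == "__main__":
    hdr, recs = read_pcap_bytes(sample_capture())
    print(hdr)
    for r in recs:
        print(r["timestamp"], r["caplen"], r["origlen"], "truncated" if r["truncated"] else "")
```

Point read_pcap at a real file (`with open("data.pcap", "rb") as f: read_pcap(f)`) to check a capture before sharing it or loading it elsewhere: a LINUX_SLL2 link type tells you it came from --interface any, and any record with caplen smaller than origlen was cut short by the snapshot length, which matters if you intended to inspect full payloads.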
Monitoring network traffic on Linux
If you've been tasked with managing a Linux server, the tcpdump command is an excellent tool to add to your arsenal. By capturing the packets transmitted on your network in real time, you can track down network problems and spot suspicious traffic.
About the author
Deepesh is the junior editor for Linux at MUO. He has been writing informational content on the Internet for over 3 years. In his spare time he enjoys writing, listening to music and playing the guitar.
From Deepesh Sharma