The Right Way to Use tcpdump and 6 Examples

Are you trying to capture data packets to analyze traffic on your network? You may be a server administrator who has encountered a problem and wants to monitor the data transmitted over the network. Either way, you will need the tcpdump Linux utility.

In this article, we are going to explain the tcpdump command in detail, along with some guides on how to install and use tcpdump on your Linux system.

What is the tcpdump command?

Tcpdump is a powerful network monitoring tool that enables a user to efficiently filter packets and traffic on a network. You can get detailed information about TCP/IP and the packets transmitted on your network. Tcpdump is a command-line utility, which means you can run it on Linux servers with no display.

System administrators can also integrate the tcpdump utility with cron to automate various tasks like logging. Since tcpdump is very versatile due to its numerous functions, it serves both as a troubleshooting and as a security tool.

How to install tcpdump on Linux

While tcpdump is pre-installed on your system most of the time, some Linux distributions don't come with the package. Therefore, you may have to manually install the utility on your system.

You can check if tcpdump is installed on your system by running the which command.

which tcpdump

If the output shows a directory path (/usr/bin/tcpdump), then the package is installed on your system. If not, you can easily install it using the standard package manager on your system.

To install tcpdump on Debian-based distributions like Ubuntu:

sudo apt-get install tcpdump

Installing tcpdump on CentOS is also easy.

sudo yum install tcpdump

On Arch-based distributions:

sudo pacman -S tcpdump

To install on Fedora:

sudo dnf install tcpdump

Note that the tcpdump package requires libpcap as a dependency, so make sure you install it on your system as well.

Tcpdump examples for capturing network packets on Linux

Now that you've successfully installed tcpdump on your Linux machine, it's time to start monitoring some packets. Since tcpdump requires superuser privileges to perform most of its operations, you will need to prefix your commands with sudo.

1. List all network interfaces

To check which network interfaces are available for capture, use the -D flag with the tcpdump command.

tcpdump -D

Passing the --list-interfaces flag as an argument returns the same output.

tcpdump --list-interfaces

The output is a list of all network interfaces present on your system.

Now that you've got the list of network interfaces, it's time to monitor your network by capturing packets on your system. Although you can specify which interface you want to use, you can pass the any argument to the tcpdump command to capture network packets on any active interface.

tcpdump --interface any

The system displays the following output.

2. The tcpdump output format

Starting from the third line, each line of the output identifies a specific packet that is captured by tcpdump. This is what the output of a single packet looks like.

17:00:25.369138 wlp0s20f3 Out IP localsystem.40310 > kul01s10-in-f46.1e100.net.https: Flags [P.], seq 196:568, ack 1, win 309, options [nop,nop,TS val 117964079 ecr 816509256], length 33

Note that not all packets are captured this way. However, this is the general format that most of them follow.

The output contains the following information.

  1. Timestamp of the received packet
  2. Interface name
  3. Packet flow
  4. Name of the network protocol
  5. IP address and port details
  6. TCP flags
  7. The sequence number of the data in the packet
  8. Acknowledgment number
  9. Window size
  10. Packet length

The first field (17:00:25.369138) shows the timestamp when your system sent or received the packet. The recorded time is extracted from the local time of your system.

The second and third fields designate the interface used and the packet flow. In the above excerpt, wlp0s20f3 is the name of the wireless interface and Out is the packet flow.

The fourth field contains information about the network protocol name. In general, you will find two protocols: IP and IP6, where IP means IPv4 and IP6 means IPv6.

The next field contains the IP addresses or the names of the source and destination systems. The port number follows the IP addresses.

The sixth field in the output consists of TCP flags. There are several flags that are used in the output from tcpdump.

Flag name   Value   Description
SYN         S       The connection has started
FIN         F       Connection terminated
PUSH        P       Data is being pushed
RST         R       The connection is reset
ACK         .       Acknowledgment

The output can also contain a combination of several TCP flags. For example, Flags [F.] stands for a FIN-ACK packet.

Moving along the output, the next field contains the sequence number (seq 196:568) of the data in the packet. The first packet always has a positive integer value, and subsequent packets use the relative sequence number to improve the flow of data.

The next field contains the acknowledgment number (ack 1), or simply the ack number. The packet captured on the sender's machine has 1 as the acknowledgment number. On the receiver's end, the ack number is the value of the next packet.

The ninth field in the output contains the window size (win 309), i.e. the number of bytes available in the receive buffer. There are several other fields that follow the window size, including Maximum Segment Size (MSS).

The last field (length 33) contains the length of the total packet recorded by tcpdump.
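
The field breakdown above can be applied mechanically. The following shell function is an added example, not part of the original article (parse_tcpdump_line is a hypothetical name): it splits one IP/IP6 TCP summary line into the fields described in this section and spells out the flag letters from the table. It also handles lines from a single-interface capture, where the interface and direction columns are absent.

```sh
#!/bin/sh
# Added example: split one tcpdump summary line into key=value fields.
# parse_tcpdump_line is a hypothetical helper name, not part of tcpdump.
parse_tcpdump_line() {
    printf '%s\n' "$1" | awk '
    function between(s, lhs, rhs,   i, rest, j) {   # text between two literals
        i = index(s, lhs); if (!i) return ""
        rest = substr(s, i + length(lhs)); j = index(rest, rhs)
        return j ? substr(rest, 1, j - 1) : ""
    }
    function num(s, key,   skip) {                  # digits after ", key "
        skip = length(key) + 3
        if (!match(s, ", " key " [0-9:]+")) return ""
        return substr(s, RSTART + skip, RLENGTH - skip)
    }
    function lastdot(s,   i) {                      # host.port splits at the last dot
        for (i = length(s); i > 0; i--) if (substr(s, i, 1) == ".") return i
        return 0
    }
    function flagnames(f,   i, ch, out) {           # letters from the flag table
        out = ""
        for (i = 1; i <= length(f); i++) {
            ch = substr(f, i, 1)
            out = out (i > 1 ? "-" : "") ((ch in NAME) ? NAME[ch] : "?" ch)
        }
        return out
    }
    BEGIN { NAME["S"]="SYN"; NAME["F"]="FIN"; NAME["P"]="PUSH"; NAME["R"]="RST"; NAME["."]="ACK" }
    {
        # With "--interface any" the interface and direction precede the protocol;
        # on a single-interface capture the protocol is the second field.
        p = ($2 == "IP" || $2 == "IP6") ? 2 : 4
        print "time=" $1
        if (p == 4) { print "iface=" $2; print "dir=" $3 }
        src = $(p + 1); dst = $(p + 3); sub(/:$/, "", dst)
        print "proto=" $p
        print "src_host=" substr(src, 1, lastdot(src) - 1)
        print "src_port=" substr(src, lastdot(src) + 1)
        print "dst_host=" substr(dst, 1, lastdot(dst) - 1)
        print "dst_port=" substr(dst, lastdot(dst) + 1)
        print "flags=" flagnames(between($0, "Flags [", "]"))
        print "seq=" num($0, "seq"); print "ack=" num($0, "ack")
        print "win=" num($0, "win"); print "length=" num($0, "length")
    }'
}

# The sample line printed earlier in this section.
SAMPLE='17:00:25.369138 wlp0s20f3 Out IP localsystem.40310 > kul01s10-in-f46.1e100.net.https: Flags [P.], seq 196:568, ack 1, win 309, options [nop,nop,TS val 117964079 ecr 816509256], length 33'
parse_tcpdump_line "$SAMPLE"
```

Fields that a line does not carry, such as ack on an initial SYN, come back empty rather than being guessed.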

3. Limit the number of packets captured

The first time you run the tcpdump command, you may find that the system continues to capture network packets until you pass an interrupt signal. You can override this default behavior by specifying beforehand the number of packets that you want to capture with the -c flag.

tcpdump --interface any -c 10

The above command captures ten packets from any active network interface.

4. Filter packets based on fields

When you troubleshoot a problem, getting a large block of text on your terminal doesn't make things any easier. This is where the filter function in tcpdump comes into play. You can filter the packets based on various fields, including host, protocol, port number and more.

Enter the following to capture only TCP packets:

tcpdump --interface any -c 5 tcp

If you want to filter the output based on the port number, do the following:

tcpdump --interface any -c 5 port 50

The above command only retrieves packets that have been transmitted over the specified port.

To get the packet details for a specific host:

tcpdump --interface any -c 5 host 112.123.13.145

If you want to filter packets sent or received by a specific host, use the src or dst argument with the command.

tcpdump --interface any -c 5 src 112.123.13.145
tcpdump --interface any -c 5 dst 112.123.13.145

You can also use the logical operators and and or to combine two or more expressions. For example, to get packets that belong to the source IP 112.123.13.145 and use port 80:

tcpdump --interface any -c 10 src 112.123.13.145 and port 80

Complex expressions can be grouped with parentheses as follows:

tcpdump --interface any -c 10 "(src 112.123.13.145 or src 234.231.23.234) and (port 45 or port 80)"
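
When a filter is assembled inside a script, for example a scheduled capture job, the addresses and ports should be validated before they are placed in the expression. The following is an added example, not part of the original article (valid_ipv4, valid_port and build_filter are hypothetical names): it generalizes the grouped expression above to any number of source addresses and ports and prints the resulting command instead of running it.

```sh
#!/bin/sh
# Added example: build the grouped filter from validated inputs.
# valid_ipv4, valid_port and build_filter are hypothetical helper names.

valid_ipv4() {
    # Exactly four octets, 0-255, no leading zeros (some parsers read those as octal).
    printf '%s\n' "$1" | awk -F. '
        NF != 4 { exit 1 }
        { for (i = 1; i <= 4; i++)
              if ($i !~ /^(0|[1-9][0-9]?[0-9]?)$/ || $i + 0 > 255) exit 1 }'
}

valid_port() {
    case "$1" in
        ''|0*|*[!0-9]*) return 1 ;;      # empty, leading zero, or non-digit
    esac
    [ "${#1}" -le 5 ] && [ "$1" -le 65535 ]
}

# $1: space-separated source addresses, $2: space-separated ports.
# The body runs in a subshell so "set -f" (no globbing) and the variables stay local.
build_filter() (
    set -f
    srcs='' ports=''
    for ip in $1; do
        valid_ipv4 "$ip" || { echo "rejected address: $ip" >&2; exit 1; }
        srcs="${srcs:+$srcs or }src $ip"
    done
    for port in $2; do
        valid_port "$port" || { echo "rejected port: $port" >&2; exit 1; }
        ports="${ports:+$ports or }port $port"
    done
    [ -n "$srcs" ] && [ -n "$ports" ] || { echo "need an address and a port" >&2; exit 1; }
    printf '(%s) and (%s)\n' "$srcs" "$ports"
)

# Addresses and ports from the command above. The filter is passed as ONE quoted
# argument so the shell does not interpret the parentheses; the command is
# printed here rather than run, since capturing needs root.
FILTER=$(build_filter "112.123.13.145 234.231.23.234" "45 80") &&
    printf 'tcpdump --interface any -c 10 "%s"\n' "$FILTER"
```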

5. View the contents of the packet

You can use the -A and -x flags with the tcpdump command to analyze the contents of the network packet. The -A flag stands for ASCII format and -x denotes hexadecimal format.

To view the contents of the next network packet captured by the system:

tcpdump --interface any -c 1 -A
tcpdump --interface any -c 1 -x

6. Save the capture data to a file

If you want to save the capture data for reference purposes, tcpdump will help you. Just pass the -w flag with the standard command to write the output to a file instead of displaying it on the screen.

tcpdump --interface any -c 10 -w data.pcap

The .pcap file extension stands for packet capture data. You can also run the above command in verbose mode with the -v flag.

tcpdump --interface any -c 10 -w data.pcap -v

To read a .pcap file with tcpdump, use the -r flag followed by the file path. The -r stands for read.

tcpdump -r data.pcap

You can also filter network packets from the packet data stored in the file.

tcpdump -r data.pcap port 80

Monitoring network traffic on Linux

If you've been tasked with managing a Linux server, the tcpdump command is an excellent tool to add to your arsenal. You can easily troubleshoot network problems by capturing real-time packets transmitted on your network.

Before doing this, however, your device must be connected to the Internet. For Linux beginners, it can even be a challenge to connect to WiFi from the command line. But if you use the right tools, it's a breeze.

About the author

Deepesh Sharma