In this tutorial, we will learn 10 useful Linux tcpdump examples and tcpdump options to analyze the traffic flow on a Linux machine.
This tutorial covers the basic tcpdump filters like source ip, host, interface, specific port, udp port, write to file, all interfaces etc.
- Capture traffic on specific interface ( -i)
- Capture ip or host-specific packets
- Capture packets on a specific port (port)
- Write packets to a file ( -w )
- Capture packets from a specific protocol
- Filter tcpdump packets from specific source & dest host
- Rotate tcpdump packets
- Capture Multiple hosts with tcpdump
- Filter Multiple ports with tcpdump
- Filter Multiple interfaces
Capture traffic on specific interface
-i any means all the interfaces.
$ tcpdump -i ens160
$ tcpdump -i any
Capture ip host-specific packets
$ tcpdump -i ens160 -c 5 host 140.240.61.21
Capture packets on a specific port
$ tcpdump -i any port 8000
Write packets to a file ( -w )
$ tcpdump -c 5 -w network_file_linux.pcap -i any
Capture packets from a specific protocol
$ tcpdump -i ens160 -c 5 -nn tcp
Filter tcpdump packets from specific source & dest host
$ tcpdump src 100.10.8.121
$ tcpdump dst 14.211.62.121
Rotate tcpdump packets
$ tcpdump -i ens160 -w /tmp/network-%H-%M.pcap -W 48 -G 300 -C 100
-C file_size (M) -G rotate_seconds -W filecount
tcpdump -G 100 -W 3 -w network-%H-%M.pcap port 19096
1 root wheel 384881 Feb 13 17:09 network-17-08.pcap
1 root wheel 2096619 Feb 13 17:11 network-17-09.pcap
1 root wheel 320744 Feb 13 17:13 network-17-11.pcap
Capture Multiple hosts with tcpdump
$ tcpdump src 192.168.0.10 or src 192.168.0.10
Filter Multiple ports with tcpdump
$ tcpdump -i eth0 port 22 or port 9402
Filter All interfaces
$ tcpdump -i any
$ tcpdump -i eth0 arp or icmp and host 192.168.0.10
Tcpdump command options summary
Tcpdump provides several options that enhance or modify its output. The following are the commonly used options for tcpdump command.
- -i : Listen on the specified interface.
- -n: Don’t resolve hostnames. We can use -nn to don’t resolve hostnames or port names.
- -t: Print human-readable timestamp on each dump line, -tttt: Give maximally human-readable timestamp output.
- -X: Show the packet’s contents in both hex and ascii.
- -v, -vv, -vvv: Increase the amount of packet information you get back.
- -c N: Only get N number of packets and then stop.
- -s: Define the snaplength (size) of the capture in bytes. Use -s0 to get everything, unless you are intentionally capturing less.
- -S: Print absolute TCP sequence numbers.
- -q: Show less protocol information.
- -w : Write the raw packets to file rather
- -C file_size(M)
- -G rotate_seconds
Related Post: