Skip to Content

10 Useful tcpdump examples on Linux

Tcpdump is a powerful command-line packet analyzer tool used in Unix and Linux operating systems. It allows users to capture and display network packets flowing through a network interface in real-time or saved to a file for later analysis.

This tutorial covers the basic tcpdump filters like source ip, host, interface, specific port, udp port, write to file, all interfaces etc.

  • Capture traffic on specific interface ( -i)
  • Capture ip or host-specific packets
  • Capture packets on a specific port (port)
  • Write packets to a file ( -w )
  • Capture packets from a specific protocol
  • Filter tcpdump packets from specific source & dest host
  • Rotate tcpdump packets
  • Capture Multiple hosts with tcpdump
  • Filter Multiple ports with tcpdump
  • Filter Multiple interfaces

 

 

understanding tcpdump filters

Tcpdump filters can be used to filter the packets that are captured by tcpdump. There are a few different types of filters that can be used, including keyword filters, expression filters, and protocol filters.

A keyword filter can be used to filter the packets that are captured by tcpdump based on a specific keyword. The keyword can be used to filter the packets that are captured by tcpdump based on the source, destination, port or host.

An expression filter is a type of filter that allows you to specify a mathematical expression. Tcpdump will then capture all packets that match the specified expression like and or.

A protocol filter is a type of filter that allows you to specify the protocol that you want to capture. Tcpdump will then capture all packets that belong to the specified protocol.

Some of the most popular protocols that can be captured with tcpdump include TCP, UDP, and ICMP.

tcpdump options

Some of the most popular options that can be used with tcpdump include -n, -r, -s, and -w.

  • -n: This option tells tcpdump to not resolve hostnames.
  • -r: This option tells tcpdump to read from a file instead of from the network.
  • -s: This option tells tcpdump to capture the specified number of bytes from each packet.
  • -w: This option tells tcpdump to write the captured packets to a file.

 

Capture traffic on specific interface

-i any means all the interfaces.

$ tcpdump -i ens160
$ tcpdump -i any

Capture ip host-specific packets

$ tcpdump -i ens160 -c 5 host 140.240.61.21

Capture packets on a specific port

$ tcpdump -i any port 8000

Write packets to a file

$ tcpdump -c 5 -w network_file_linux.pcap -i any

Capture packets from a specific protocol

$ tcpdump -i ens160 -c 5 -nn tcp

Filter tcpdump packets from specific source & dest host

$ tcpdump src 100.10.8.121

$ tcpdump dst 14.211.62.121

Rotate tcpdump packets

$ tcpdump -i ens160 -w /tmp/network-%H-%M.pcap -W 48 -G 300 -C 100

  • -C file_size (M)
  • -G rotate_seconds
  • -W filecount

 

tcpdump -G 100 -W 3 -w network-%H-%M.pcap port 19096

1 root wheel 384881 Feb 13 17:09 network-17-08.pcap
1 root wheel 2096619 Feb 13 17:11 network-17-09.pcap
1 root wheel 320744 Feb 13 17:13 network-17-11.pcap

Capture Multiple hosts with tcpdump

$ tcpdump src 192.168.0.10 or src 192.168.0.10

Filter Multiple ports with tcpdump

$ tcpdump -i eth0 port 22 or port 9402

Filter All interfaces

$ tcpdump -i any

$ tcpdump -i eth0 arp or icmp and host 192.168.0.10

Tcpdump command options summary

Tcpdump provides several options that enhance or modify its output. The following are the commonly used options for tcpdump command.

  • -i: Listen on the specified interface.
  • -n: Don’t resolve hostnames. You can use -nn to don’t resolve hostnames or port names.
  • -t: Print human-readable timestamp on each dump line, -tttt: Give maximally human-readable timestamp output.
  • -X: Show the packet’s contents in both hex and ascii.
  • -v, -vv, -vvv: Enables verbose logging/details (which among other things will give us a running total on how many packets are captured.
  • -c N: Only get N number of packets and then stop.
  • -s: Define the snaplength (size) of the capture in bytes. Use -s0 to get everything, unless you are intentionally capturing less.
  • -S: Print absolute sequence numbers.
  • -q: Show less protocol information.
  • -w: Write the raw packets to file.
  • -C file_size(M): Tells tcpdump to store up to x MB of packet data per file.
  • -G rotate_seconds: (Missing description)

Related Post: