Tcpdump is a CLI tool to capture raw network packets. This tcpdump cheat sheet covers all the basic and advanced options for tcpdump command. It is very useful for various forms of network troubleshooting.
Table of Contents
Purpose of Tcpdump
This tool is mainly used for troubleshooting network problems. For example, if we can have a DNS query issue, we can use this command to capture all the DNS packets to check out what happened. We will have more examples in the following tcpdump cheat sheet.
We can use this tool for the following purpose.
- Troubleshoot network problems
- Examine security problems
- Debug protocol implementations
- Learn network protocols
Imagine you’re experiencing slow network performance on a specific host in your network. You want to investigate the cause of the slowdown. You can use tcpdump to capture and save packets.
Using tcpdump in conjunction with packet analysis tools like Wireshark provides a comprehensive approach to network troubleshooting, allowing you to delve deep into network traffic and gain valuable insights into network behavior and performance.
How to Run tcpdump?
We can run tcpdump in local server or remote server with an SSH session. It accepts many filters and allows us to display data about packets going in and out of an interface.
To run tcpdump in Linux, follow these steps:
- Open a terminal on your Linux system.
- Run the tcpdump command with appropriate options and filters. Here’s the basic syntax: sudo tcpdump [options] [filters]
The sudo command is used to run tcpdump with administrative privileges, as capturing network packets typically requires root access.
- Specify any desired options or filters based on your requirements. Some commonly used options include:
-i <interface>: Specifies the network interface to capture packets from. For example, -i eth0 captures packets from the eth0 interface.
-c <count>: Limits the number of packets to capture before exiting.
- Once you have specified the desired options and filters, press Enter to run the tcpdump command. tcpdump will start capturing packets based on your specified options and filters. It will display information about captured packets in the terminal window.
- Press Ctrl+C to stop the tcpdump process and exit.
Here’s a simple example of how to use tcpdump:
sudo tcpdump -i eth0
-i eth0: Specifies the network interface to capture packets from. In this example, we’re capturing packets from the eth0 interface.
When you run the above command, tcpdump will start capturing packets from the eth0 interface and display information about each packet in the terminal window.
It will show details such as source and destination IP addresses, protocol information, and packet contents.
You can press Ctrl+C to stop the tcpdump process and exit.
Remember to replace eth0 with the appropriate network interface on your system. You can use the ifconfig or ip addr command to list available network interfaces on your Linux system.
We can also save the packets for later analysis. Let’s see one more example.
Start capturing packets on the affected host’s network interface:
sudo tcpdump -i eth0 -w capture.pcap
This command captures packets on the eth0 interface and writes them to a file named capture.pcap for later analysis.
Let the tcpdump command run for a while, allowing it to capture a sufficient number of packets.
Stop tcpdump by pressing Ctrl+C when you have captured enough packets.
Analyze the captured packets using a packet analysis tool like Wireshark. Open the capture.pcap file in Wireshark, and it will provide a detailed breakdown of the captured packets.
You can use Wireshark’s powerful features to examine individual packets, identify network anomalies, analyze protocols, and detect any potential issues causing the slow network performance. Look for unusual patterns, excessive retransmissions, high response times, or any other indicators of network problems.
Basic Options In Tcpdump
Tcpdump command can be used to filter all different packets.
For more tcpdump command examples, please check here.
- tcpdump -i any Capture from all interfaces
- tcpdump -i eth0 Capture from specific interface ( Ex Eth0)
- tcpdump -i eth0 -c 10 Capture first 10 packets and exit
- tcpdump -D Show available interfaces
- tcpdump -i eth0 -A Print in ASCII
- tcpdump -i eth0 -w tcpdump.txt To save capture to a file
- tcpdump -r tcpdump.txt Read and analyze saved capture file
- tcpdump -n -i eth0 Do not resolve host names
- tcpdump -nn -i eth0 Stop Domain name translation and lookups
- tcpdump -i eth0 -c 10 -w tcpdump.pcap tcp Capture TCP packets only
- tcpdump -i eth0 port 80 Capture traffic from a defined port only
- tcpdump host 192.168.1.100 Capture packets from specific host
- tcpdump net 10.1.1.0/16 Capture files from network subnet
- tcpdump src 10.1.1.100 Capture from a specific source address
- tcpdump dst 10.1.1.100 Capture from a specific destination address
- tcpdump port 80 Filter traffic based on a port
- tcpdump portrange 21-125 Filter based on port range
- tcpdump IPV6 Show only IPV6 packets
Advanced Logical Operators in Tcpdump
We can get more advanced tcpdump command examples from here.
- tcpdump -n src 192.168.1.1 and dst port 21 Combine filtering options
- tcpdump dst 10.1.1.1 or !icmp Either of the condition can match
- tcpdump dst 10.1.1.1 and not icmp Negation of the condition
- tcpdump <32 Shows packets size less than 32
- tcpdump >=32 Shows packets size greater than 32
Tcpdump provides several options that enhance or modify its output. The following are the cheat sheet for tcpdump command.
|-i||Listen on the specified interface.|
|-n||Don’t resolve hostnames. You can use -nn to don’t resolve hostnames or port names.|
|-t||Print human-readable timestamp on each dump line, -tttt: Give maximally human-readable timestamp output.|
|-X||Show the packet’s contents in both hex and ascii.|
|-v, -vv, -vvv||enables verbose logging/details (which among other things will give us a running total on how many packets are captured|
|-c N||Only get N number of packets and then stop.|
|-s||Define the snaplength (size) of the capture in bytes. Use -s0 to get everything, unless you are intentionally capturing less.|
|-S||Print absolute sequence numbers.|
|-q||Show less protocol information.|
|-w||Write the raw packets to file|
|-C file_size(M)||tells tcpdump to store up to x MB of packet data per file.|
|-G rotate_seconds||Create a new file every time the specified number of seconds has elapsed.|