tcpdump Command in Linux with 10 Examples

The tcpdump is a command line packet analyzer that allows you to capture and display the contents (header) of packets on the network interface. It is commonly used to troubleshoot network-related issues, monitor network traffic, and conduct network forensics.

Here we focus on:

• Understanding tcpdump output format
• Examples of using tcpdump filter for various scenarios.

Installation

tcpdump generally comes preinstalled in all popular Linux Distributions. It relies on the libpcap library to capture live network data.

Install tcpdump along with libpcap (comes as dependency package):

sudo apt install tcpdump ##Debian/Ubuntu
sudo yum install tcpdump ##Redhat
sudo dnf install tcpdump  ##Fedora
sudo pacman -S tcpdump  ##Arch Linux

Basic Usage

Default tcpdump starts capturing packets from the first available interface.

If you're unsure which interface tcpdump would use by default on your system, you can run:

tcpdump -D

Output:

1.eth0 [Up, Running, Connected]
2.any (Pseudo-device that captures on all interfaces) [Up, Running]
3.lo [Up, Running, Loopback]
4.bluetooth-monitor (Bluetooth Linux Monitor) [Wireless]
5.nflog (Linux netfilter log (NFLOG) interface) [none]
6.nfqueue (Linux netfilter queue (NFQUEUE) interface) [none]
7.dbus-system (D-Bus system bus) [none]
8.dbus-session (D-Bus session bus) [none]

This command lists all available interfaces. The first one in the list is typically the default interface.

The most common use case would specific interface using -i option:

sudo tcpdump -i eth0

To capture packets from all interfaces use -i with any keyword.

Output:

tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), snapshot length 262144 bytes
22:13:25.684876 IP 173-230-141-50.ip.linodeusercontent.com.ssh > n58-108-68-190.meb1.vic.optusnet.com.au.63751: Flags [P.], seq 3482678743:3482678871, ack 725448014, win 501, length 128
22:13:25.684928 IP 173-230-141-50.ip.linodeusercontent.com.ssh > n58-108-68-190.meb1.vic.optusnet.com.au.63751: Flags [P.], seq 128:192, ack 1, win 501, length 64
22:13:25.684965 IP 173-230-141-50.ip.linodeusercontent.com.ssh > n58-108-68-190.meb1.vic.optusnet.com.au.63751: Flags [P.], seq 192:272, ack 1, win 501, length 80
22:13:25.684995 IP 173-230-141-50.ip.linodeusercontent.com.ssh > n58-108-68-190.meb1.vic.optusnet.com.au.63751: Flags [P.], seq 272:352, ack 1, win 501, length 80
22:13:25.685020 IP 173-230-141-50.ip.linodeusercontent.com.ssh > n58-108-68-190.meb1.vic.optusnet.com.au.63751: Flags [P.], seq 352:432, ack 1, win 501, length 80

To stop capturing, simply press CTRL +C.

You can use -c option to limit the number of packets:

sudo tcpdump -i enp0s3 -c 10

This captures 10 packets and then stops.

Interpret Output Format

Following is a sample single-line output from tcpdump looks like. Based the filter there might be some difference, but the general format is this.

22:13:25.684928 IP 173-230-141-50.ip.linodeusercontent.com.ssh > n58-108-68-190.meb1.vic.optusnet.com.au.63751: Flags [P.], seq 128:192, ack 1, win 501, length 64

let's break down the provided tcpdump output:

22:13:25.684928: This is the timestamp of when the packet was captured. The format is HH:MM:SS.microseconds.

IP: This is the protocol of the packet, in this case, IPv4.

173-230-141-59.ip.linodeusercontent.com.ssh: This is the source address, which has been resolved to a DNS name. The .ssh indicates that the source port is 22, which is the standard port for SSH (Secure Shell).

>: This indicates the direction of the packet, going from source to destination.

n58-108-68-190.meb1.vic.optusnet.com.au.63751: This is the destination address (again resolved to a DNS name). The .63751 indicates the destination port number, which is an ephemeral (random high number) port

Flags [P.]:

• The flags field provides information about the TCP flags set in the packet.
• P: Indicates that this is a packet with the "Push" flag set, meaning the receiver should pass this data to the application as soon as possible.
• .: The dot indicates that the ACK (Acknowledgment) flag is also set, meaning this packet is also acknowledging received data.

seq 128:192: This refers to the sequence numbers for the TCP segment. This particular segment is sending bytes 128 through 191 (so 192 is the next expected byte).

ack 1: This indicates the acknowledgment number. It means that the sender of this packet is expecting the next byte from the other side to be byte number 1.

win 501: This is the window size, which informs the recipient of the packet how many bytes the sender can accept in the next return segments before requiring an acknowledgment. In this case, it can accept up to 501 bytes.

length 64: This indicates the data length of the TCP segment, which in this case, is 64 bytes.

The general TCP flag and its respective letters are:

• S (SYN): Initiate a new connection.
• A (ACK): Acknowledge receipt of a packet.
• F (FIN): Finish; signal the end of a session.
• R (RST): Reset the connection.
• P (PSH): Push the buffered data to the receiving application immediately.
• U (URG): Data in the packet is urgent.

tcpdump Examples

Here are some more detailed examples of using tcpdump for various scenarios.

1. Capture without DNS Resolution

Use -nn to avoid converting host addresses and port to to their respective names.

sudo tcpdump -nn

This makes the output quicker and easier for scripts as it avoids DNS resolution.

2. Display captured packet in ASCII

Use -A option to print packet content in ASCII. It is useful especially to examine the human-readable text content of the packet.

sudo tcpdump -A

3. Capture packets of a specific protocol

For example lets capture packets only for ICMP

sudo tcpdump icmp

4. Capture packets based on source, destination and port

sudo tcpdump -i eth0 src 192.168.1.10 and dst 192.168.1.2 and dst port 80

This starts capturing packets originating from 192.168.1.10, destined for 192.168.1.2, and targeting port 80 on 192.168.1.2.

Note: You can use not operator to exclude traffic for specified criteria.

5. Capture specific network traffic

sudo tcpdump net 10.0.2.0/25

This capture packets involving the IP network range 10.0.2.0/25.

6. More detailed the output

Use 3 v to get maximum verbosity for detailed output:

sudo tcpdump -vvv

7. Capture packets based on packet size

Use less or greater qualifiers to filter packets based on their size.

sudo tcpdump less 64 ##captures packets that are smaller than 64 bytes
sudo tcpdump greater 1000 ###captures packets larger than 1000 bytes. 

8. Filter packets based on specific TCP flags

This filters out only TCP SYN packets:

sudo tcpdump 'tcp[13] & 2 != 0'

To filter out only TCP ACK packets:

sudo tcpdump 'tcp[13] & 16 != 0'

The values (e.g., 2, 16) are the respective positions of these flags in the TCP header.

9. Filter packets based on specific TTL

sudo tcpdump -v 'ip[8] = 64'

Where,

• ip[8]: This denotes the 9th byte in the IP header (considering that the index starts at 0). The 9th byte of the IP header corresponds to the Time To Live (TTL) value for the packet.
• = 64: This checks if the TTL value is set to 64.

10. Save packets to a file for later inspect

Use -w option to save raw packets to a file instead of displaying on the screen.

Example:

sudo tcpdump -i any -w /path/to/outputfile.pcap

You can use tcpdump to read the from the file using -r option. Other packet analysis tools like Wireshark can also read pcap

sudo tcpdump -r /path/to/outputfile.pcap

Instead of reading from from interface tcpdump read from the specified file.

For an exhaustive list and details, refer to the tcpdump man page by typing man tcpdump in the terminal.