Network is a signification component of the modern information technology infrastructure. A secure network ensures the absolute safety of your critical business data. Network connectivity issues may make your data inaccessible and such issues might be difficult to troubleshoot. Linux provides the tcpdump utility to capture and analyze the network traffic on your computer and to help you troubleshoot network issues.
In this tutorial, we will learn how to use the tcpdump command in Linux with some practical examples.
Tcpdump Command
The tcpdump is a powerful command-line tool that is used to analyze packages or sniffer captured packets. It filters or captures TCP/IP packets transferred or received on a particular interface over a network. Tcpdump is pre-installed on most Linux distributions. This tool can be run either as a scheduled job using cron or launched in the background.
You can also use the tcpdump utility to save the network traffic data to analyze later. The file is saved in the pcap file format, which you can view using either the tcpdump command or any other tool that can open and read the pcap capture file.
The tcpdump command prints packet descriptions on a particular network interface, which match the specified Boolean expression. The description includes a time stamp as hours, minutes, and seconds.
Syntax
The basic syntax of the tcpdump command in Linux is as follows:
sudo tcpdump [options] [network_name] [port_number]
Installation
Most modern Linux distributions have the tcpdump utility preinstalled. To make sure it is installed on your computer, run this command:
which tcpdump
If the command comes back with a path, then the tool is already installed. However, if it does not return the path, then you must install the command manually. For example, on an Ubuntu Linux computer, type:
sudo apt install tcpdump
On any other Linux distribution, you must use the installation command that works on your distribution. For example, on RHEL, use the following command:
sudo yum install tcpdump
Capture Traffic
The tcpdump command can capture the traffic on different interfaces, hosts, and protocols. The following examples show you how to use the tcpdump command in Linux to capture traffic.
Capture Packets all Interfaces Traffic
Use the tcpdump command without any options to capture and analyze traffic on all the network interfaces:
sudo tcpdump
Press the Ctrl + C keys to stop the tcpdump command output.
Use the -i option to capture packets on a particular network interface and the -c option to display only the specified number of captured packets. In this tcpdump example, we limit the output to 10 packets on the enp0s3 network interface, use the following command:
sudo tcpdump -i enp0s3 -c 10
The output will look like this:
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on enp0s3, link-type EN10MB (Ethernet), snapshot length 262144 bytes
10:27:47.585187 IP linux.38287 > dsldevice.lan.domain: 56200+ AAAA? connectivity-check.ubuntu.com. (47)
10:27:47.601123 IP dsldevice.lan.domain > linux.38287: 56200 0/1/0 (108)
10:27:47.602585 IP linux.54133 > dsldevice.lan.domain: 6111+ AAAA? connectivity-check.ubuntu.com. (47)
10:27:47.620748 IP dsldevice.lan.domain > linux.54133: 6111 0/1/0 (108)
10:27:47.667228 IP linux.41629 > dsldevice.lan.domain: 51276+ PTR? 1.1.168.192.in-addr.arpa. (42)
10:27:47.670710 IP dsldevice.lan.domain > linux.41629: 51276 1/0/0 PTR dsldevice.lan. (69)
10:27:47.671017 IP linux.58303 > dsldevice.lan.domain: 18431+ PTR? 15.2.0.10.in-addr.arpa. (40)
10:27:48.010744 IP dsldevice.lan.domain > linux.58303: 18431 NXDomain 0/1/0 (117)
10:27:52.703205 ARP, Request who-has _gateway tell linux, length 28
10:27:52.703307 ARP, Reply _gateway is-at 52:54:00:12:35:02 (oui Unknown), length 46
10 packets captured
12 packets received by filter
0 packets dropped by kernel
Capture Specific Host Traffic
Use the tcpdump command with the host option to capture packets on a particular host:
sudo tcpdump -c 10 host 10.0.2.15
The output will show both the request and response packets:
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on enp0s3, link-type EN10MB (Ethernet), snapshot length 262144 bytes
16:22:13.706803 IP linux.59594 > master2.openshift4.gnome.org.https: Flags [P.], seq 2387552577:2387552601, ack 129736654, win 62780, length 24
16:22:13.706856 IP linux.59594 > master2.openshift4.gnome.org.https: Flags [F.], seq 24, ack 1, win 62780, length 0
16:22:13.707367 IP master2.openshift4.gnome.org.https > linux.59594: Flags [.], ack 24, win 65535, length 0
16:22:13.707384 IP master2.openshift4.gnome.org.https > linux.59594: Flags [.], ack 25, win 65535, length 0
16:22:13.772144 IP linux.40665 > dsldevice.lan.domain: 13645+ PTR? 15.2.0.10.in-addr.arpa. (40)
16:22:13.906131 IP linux.34501 > dsldevice.lan.domain: 16828+ A? api.snapcraft.io. (34)
16:22:13.906188 IP linux.45385 > dsldevice.lan.domain: 25718+ AAAA? api.snapcraft.io. (34)
16:22:13.927026 IP dsldevice.lan.domain > linux.45385: 25718 0/1/0 (98)
16:22:13.927043 IP dsldevice.lan.domain > linux.34501: 16828 4/3/0 A 185.125.188.60, A 185.125.188.58, A 185.125.188.54, A 185.125.188.57 (165)
16:22:13.927449 IP linux.33552 > api.snapcraft.io.https: Flags [S], seq 920962591, win 64240, options [mss 1460,sackOK,TS val 4211228070 ecr 0,nop,wscale 7], length 0
10 packets captured
29 packets received by filter
0 packets dropped by kernel
Capture Specific Protocol Traffic
You can choose to display traffic on a particular port either Transmission Control Protocol (TCP) or Internet Control Message Protocol (ICMP). The following example displays the TCP packets:
sudo tcpdump -i enp0s3 -c 10 -nn tcp
The following command-line output shows output of the 10 captured packets for TCP port:
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on enp0s3, link-type EN10MB (Ethernet), snapshot length 262144 bytes
16:12:08.132541 IP 10.0.2.15.50310 > 185.125.188.57.443: Flags [S], seq 1020423428, win 64240, options [mss 1460,sackOK,TS val 100342164 ecr 0,nop,wscale 7], length 0
16:12:08.290876 IP 185.125.188.57.443 > 10.0.2.15.50310: Flags [S.], seq 104320001, ack 1020423429, win 65535, options [mss 1460], length 0
16:12:08.290904 IP 10.0.2.15.50310 > 185.125.188.57.443: Flags [.], ack 1, win 64240, length 0
16:12:08.291084 IP 10.0.2.15.50310 > 185.125.188.57.443: Flags [P.], seq 1:265, ack 1, win 64240, length 264
16:12:08.291347 IP 185.125.188.57.443 > 10.0.2.15.50310: Flags [.], ack 265, win 65535, length 0
16:12:08.452592 IP 185.125.188.57.443 > 10.0.2.15.50310: Flags [P.], seq 1:1413, ack 265, win 65535, length 1412
16:12:08.452607 IP 10.0.2.15.50310 > 185.125.188.57.443: Flags [.], ack 1413, win 63540, length 0
16:12:08.453616 IP 185.125.188.57.443 > 10.0.2.15.50310: Flags [P.], seq 1413:2825, ack 265, win 65535, length 1412
16:12:08.453620 IP 10.0.2.15.50310 > 185.125.188.57.443: Flags [.], ack 2825, win 63540, length 0
16:12:08.453629 IP 185.125.188.57.443 > 10.0.2.15.50310: Flags [P.], seq 2825:3554, ack 265, win 65535, length 729
10 packets captured
17 packets received by filter
0 packets dropped by kernel
Use ICMP to see all ICMP packets. The IPv6 network is configured to receive ICMP packets.
Capture Specific Network Traffic
The tcpdump utility supports the -net option that can be used to capture incoming and outgoing traffic from a particular network. For example, the following command displays traffic from the 10.0.2.0 IP address:
sudo tcpdump -c 10 net 10.0.2.0/25
This output shows traffic for the 10 packets:
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on enp0s3, link-type EN10MB (Ethernet), snapshot length 262144 bytes
16:24:53.679364 IP linux.33338 > dsldevice.lan.domain: 33675+ A? api.snapcraft.io. (34)
16:24:53.679441 IP linux.49629 > dsldevice.lan.domain: 9478+ AAAA? api.snapcraft.io. (34)
16:24:53.698728 IP dsldevice.lan.domain > linux.33338: 33675 4/0/0 A 185.125.188.60, A 185.125.188.58, A 185.125.188.54, A 185.125.188.57 (98)
16:24:53.767618 IP linux.41738 > dsldevice.lan.domain: 43689+ PTR? 1.1.168.192.in-addr.arpa. (42)
16:24:53.770832 IP dsldevice.lan.domain > linux.41738: 43689 1/0/0 PTR dsldevice.lan. (69)
16:24:53.771876 IP linux.52528 > dsldevice.lan.domain: 30589+ PTR? 15.2.0.10.in-addr.arpa. (40)
16:24:53.833341 IP dsldevice.lan.domain > linux.49629: 9478 0/1/0 (98)
16:24:53.834311 IP linux.33554 > api.snapcraft.io.https: Flags [S], seq 1445631099, win 64240, options [mss 1460,sackOK,TS val 4211387976 ecr 0,nop,wscale 7], length 0
16:24:53.985776 IP api.snapcraft.io.https > linux.33554: Flags [S.], seq 146752001, ack 1445631100, win 65535, options [mss 1460], length 0
16:24:53.985827 IP linux.33554 > api.snapcraft.io.https: Flags [.], ack 1, win 64240, length 0
10 packets captured
13 packets received by filter
0 packets dropped by kernel
Capture packets in ASCII
Use the -A option to display the information about the captured packages in the American Standard Code for Information Interchange (ASCII) code format:
sudo tcpdump -A -i enp0s3 -c 5
This output shows information about the 5 packets:
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on enp0s3, link-type EN10MB (Ethernet), snapshot length 262144 bytes
06:39:55.610038 IP linux.57866 > alphyn.canonical.com.ntp: NTPv4, Client, length 48
[email protected]@.y.
...[.[..
.{.8..#........................................c..$\..
06:39:55.660009 IP linux.33820 > dsldevice.lan.domain: 23713+ PTR? 157.91.189.91.in-addr.arpa. (44)
[email protected]
..........5.4..\............157.91.189.91.in-addr.arpa.....
06:39:55.886328 IP dsldevice.lan.domain > linux.33820: 23713 1/3/0 PTR alphyn.canonical.com. (132)
[email protected]
....5......\............157.91.189.91.in-addr.arpa..................alphyn canonical.com..............ns1.?.............ns3.?.............ns2.?
06:39:55.886685 IP linux.59961 > dsldevice.lan.domain: 20058+ PTR? 15.2.0.10.in-addr.arpa. (40)
[email protected]
........9.5.0..NZ...........15.2.0.10.in-addr.arpa.....
06:39:55.898156 IP alphyn.canonical.com.ntp > linux.57866: NTPv4, Server, length 48
[email protected][.[.
....{.
.8..$......... J.....c|.X....c..$\...c.......c....v.
5 packets captured
8 packets received by filter
0 packets dropped by kernel
Capture IPv6 packets
Use the ip6 option to display traffic coming from an IPv6 network:
sudo tcpdump -nn ip6
Every output string shows you that the output string is for an IPv6 network connection:
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on enp0s3, link-type EN10MB (Ethernet), snapshot length 262144 bytes
06:45:42.755384 IP6 fe80::e7f5:a2f2:2058:e62b > ff02::16: HBH ICMP6, multicast listener report v2, 2 group record(s), length 48
06:45:43.323371 IP6 fe80::e7f5:a2f2:2058:e62b > ff02::16: HBH ICMP6, multicast listener report v2, 2 group record(s), length 48
06:45:43.903355 IP6 fe80::e7f5:a2f2:2058:e62b > ff02::16: HBH ICMP6, multicast listener report v2, 2 group record(s), length 48
06:47:21.882541 IP6 fe80::e7f5:a2f2:2058:e62b.5353 > ff02::fb.5353: 0 [2q] PTR (QM)? _ipp._tcp.local. PTR (QM)? _ipps._tcp.local. (45)
06:47:51.067731 IP6 fe80::e7f5:a2f2:2058:e62b > ff02::2: ICMP6, router solicitation, length 8
In the above example, we see ICMP echo request. If IPv6 is configured on a different port, then ICMP echo requests are not shown.
Tcpdump Output Format
Tcpdump can capture and decode several network protocols, including ICMP, TCP, and UDP ports. In this tutorial, we can discuss only one protocol and we are covering the TCP port packages. To know more about the other network protocol packets, refer to the tcpdump manual pages.
The following example shows a generic TCP port package that is captured by the tcpdump utility:
12:23:06.078217 IP linux.41652 > api.snapcraft.io.https: Flags [P.], seq 1634:1658, ack 8563, win 62780, length 24
You may see different fields depending on the packet type that is being sent, but the general format of these fields will be like this:
- Timestamp- The very first field denotes the local system time when the packet was sent, for example, 12:23:06.078217.
- IP Protocol- The next field denotes the network layer protocol that is being used for this transaction. If the value is IP, then the protocol is IPv4 and if the value is IP6, then the protocol is IPv6.
- Source IP/host and Port- The next field denotes the IP address and the port from which the packet originated. For example, linux.41652.
After the initial fields, as described in the previous list, you will see the TCP header flags. The most common flag values are described in the following table:
Displayed Value | Flag Type | Description |
---|---|---|
P | PUSH | Identifies the transaction type. |
. | ACK | Denotes transaction acknowledgment. |
S | SYN | Represents the connection start operation. |
F | FIN | Represents the connection finish operation. |
R | RST | Represents the connection reset operation. |
After the TCP flags, you will see the sequence number of the packet data. This is an absolute number for the first captured packet. A relative number is assigned to the subsequent packets so that it is easy to follow. In the above example, we have a sequence number of seq 1634:1658, which represents this particular packet contains bytes from 1634 to 1658.
The sequence number is followed by the acknowledgment number, which is 8563 in this case. This is an example of the side that is receiving the data, but it could be different for the side that is sending the data. For the side receiving data, the ack field denotes the next expected bytes.
The acknowledgment number field is followed by the window size, which is win 62780 in this case. This field denotes the total bytes available in the receiving buffer. After this value, you might also see other TCP options, such as Window Scale or Maximum Segment Size (MSS).
The last field we have is the packet length, which is length 24 in this case. This field denotes the total length of the payload in bytes. The payload length is the difference between the first and last bytes in the series.
Now let's learn how to filter packets to narrow down results and make it easier to troubleshoot specific issues.
Tcpdump Filter
The tcpdump command-line utility captures several packets and not all these packets may not be related to the current issue that you are troubleshooting. In this section, we will learn how to narrow down the search results using the packet filters with this command. This is helpful while troubleshooting specific issues. For example, to troubleshoot connectivity issues on your network on a particular port, then you can filter the results using tcpdump command-line options.
Tcpdump provides a number of parameters to filter the results and it is one of the most significant features of this command. Some of the most common filters are ports, protocols, IP addresses, and hostname. Let's understand these filters with examples and use cases.
Filter Results by Protocol
Specify the protocol in the command line to filter the network packets based on the specified protocol. Use the following command to capture packets only for the UDP ports:
sudo tcpdump -i any -c 5 udp
The following output shows 5 packets out of 34 packets sent or received on the UDP protocol:
tcpdump: data link type LINUX_SLL2
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on any, link-type LINUX_SLL2 (Linux cooked v2), snapshot length 262144 bytes
17:43:47.158984 lo In IP localhost.59753 > localhost.domain: 7177+ [1au] A? api.snapcraft.io. (45)
17:43:47.159001 lo In IP localhost.59753 > localhost.domain: 65029+ [1au] AAAA? api.snapcraft.io. (45)
17:43:47.159357 enp0s3 Out IP linux.38691 > dsldevice.lan.domain: 6395+ [1au] A? api.snapcraft.io. (45)
17:43:47.159480 enp0s3 Out IP linux.59285 > dsldevice.lan.domain: 37871+ [1au] AAAA? api.snapcraft.io. (45)
17:43:47.167949 lo In IP localhost.49477 > localhost.domain: 18340+ [1au] PTR? 53.0.0.127.in-addr.arpa. (52)
5 packets captured
34 packets received by filter
0 packets dropped by kernel
Filter Results by Host
For capturing packets related only to a specified host IP address, use the following command:
sudo tcpdump -i any -c 5 host 127.0.0.1
In the following example, the tcpdump command captures packets either sent or received by the 127.0.0.1 host IP address:
tcpdump: data link type LINUX_SLL2
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on any, link-type LINUX_SLL2 (Linux cooked v2), snapshot length 262144 bytes
17:48:56.087726 lo In IP localhost.57052 > localhost.domain: 64012+ [1au] PTR? 2.11.26.104.in-addr.arpa. (53)
17:48:56.108411 lo In IP localhost.domain > localhost.57052: 64012 NXDomain 0/1/1 (115)
17:48:56.128202 lo In IP localhost.39920 > localhost.domain: 63687+ [1au] PTR? 53.0.0.127.in-addr.arpa. (52)
17:48:56.128331 lo In IP localhost.domain > localhost.39920: 63687*$ 1/0/1 PTR localhost. (75)
17:48:57.093728 lo In IP localhost.39709 > localhost.domain: 43383+ [1au] PTR? 2.11.26.104.in-addr.arpa. (53)
5 packets captured
12 packets received by filter
0 packets dropped by kernel
Filter Results by Port
Use the port filter to narrow down the tcpdump results based on a specific port numbers or services:
sudo tcpdump -i any -c5 -nn port 53
The following output shows you how to capture all the packets on the port number 53 for a DNS service:
tcpdump: data link type LINUX_SLL2
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on any, link-type LINUX_SLL2 (Linux cooked v2), snapshot length 262144 bytes
17:57:40.505198 lo In IP 127.0.0.1.41021 > 127.0.0.53.53: 6983+ [1au] A? api.snapcraft.io. (45)
17:57:40.505224 lo In IP 127.0.0.1.41021 > 127.0.0.53.53: 10562+ [1au] AAAA? api.snapcraft.io. (45)
17:57:40.505479 enp0s3 Out IP 10.0.2.15.34481 > 192.168.1.1.53: 46005+ A? api.snapcraft.io. (34)
17:57:40.505718 enp0s3 Out IP 10.0.2.15.41268 > 192.168.1.1.53: 55226+ AAAA? api.snapcraft.io. (34)
17:57:40.523896 enp0s3 In IP 192.168.1.1.53 > 10.0.2.15.41268: 55226 0/1/0 (98)
5 packets captured
12 packets received by filter
0 packets dropped by kernel
Filter Results by Source IP/hostname
You can also use a hostname, destination port, source IP address, or a destination IP addresses as a filter to narrow down your search results.
The following command example shows you how to capture packets originated from 127.0.0.1 IP address:
sudo tcpdump -i any -c5 -nn src 127.0.0.1
This source IP address example shows that there can be multiple services that can send the packets. In this example, you do not see the response packets because their source IP is different.
tcpdump: data link type LINUX_SLL2
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on any, link-type LINUX_SLL2 (Linux cooked v2), snapshot length 262144 bytes
10:41:49.833952 lo In IP 127.0.0.1.35752 > 127.0.0.53.53: 59749+ [1au] A? api.snapcraft.io. (45)
10:41:49.833965 lo In IP 127.0.0.1.35752 > 127.0.0.53.53: 2912+ [1au] AAAA? api.snapcraft.io. (45)
10:41:52.065730 lo In IP 127.0.0.1.39444 > 127.0.0.53.53: 840+ [1au] A? connectivity-check.ubuntu.com. (58)
10:41:52.065744 lo In IP 127.0.0.1.39444 > 127.0.0.53.53: 29260+ [1au] AAAA? connectivity-check.ubuntu.com. (58)
10:41:53.427156 lo In IP 127.0.0.1.5353 > 224.0.0.251.5353: 0 [2q] PTR (QM)? _ipp._tcp.local. PTR (QM)? _ipps._tcp.local. (45)
5 packets captured
10 packets received by filter
0 packets dropped by kernel
Similarly, you can also filter the packets by the destination IP address or hostname using the dst filter:
sudo tcpdump -i any -c5 -nn dst 127.0.0.1
In the following output, all packets received by the specified destination IP address, 127.0.0.1, are listed:
tcpdump: data link type LINUX_SLL2
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on any, link-type LINUX_SLL2 (Linux cooked v2), snapshot length 262144 bytes
10:45:56.104368 lo In IP 127.0.0.53.53 > 127.0.0.1.59074: 53172 0/1/1 (119)
10:45:57.305740 lo In IP 127.0.0.53.53 > 127.0.0.1.46290: 35587 4/0/1 AAAA 2620:2d:4000:1::19, AAAA 2001:67c:1562::18, AAAA 2620:2d:4000:1::16, AAAA 2001:67c:1562::15 (159)
10:45:57.316059 lo In IP 127.0.0.53.53 > 127.0.0.1.46290: 55303 4/0/1 A 91.189.91.38, A 91.189.91.39, A 185.125.190.36, A 185.125.190.39 (111)
10:46:35.110882 lo In IP 127.0.0.53.53 > 127.0.0.1.33579: 57906 5/0/1 A 91.189.91.157, A 185.125.190.56, A 185.125.190.58, A 185.125.190.57, A 91.189.94.4 (123)
10:46:36.142653 lo In IP 127.0.0.53.53 > 127.0.0.1.33579: 49975 3/0/1 AAAA 2620:2d:4000:1::41, AAAA 2620:2d:4000:1::3f, AAAA 2620:2d:4000:1::40 (127)
5 packets captured
10 packets received by filter
0 packets dropped by kernel
Combine Filters to Create Complex Expressions
You can even use logical operators (and and or) to create complex expression of filters, if the above filters do not meet your requirements. This option helps you create expressions that can filter results based on multiple criteria.
In the following example, we are searching for the packages that are originated from the 127.0.0.1 IP address and are for the service DNS on port 53:
sudo tcpdump -i any -c10 -nn src 127.0.0.1 and port 53
tcpdump: data link type LINUX_SLL2
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on any, link-type LINUX_SLL2 (Linux cooked v2), snapshot length 262144 bytes
11:06:21.384082 lo In IP 127.0.0.1.50465 > 127.0.0.53.53: 267+ [1au] A? api.snapcraft.io. (45)
11:06:21.384093 lo In IP 127.0.0.1.50465 > 127.0.0.53.53: 42249+ [1au] AAAA? api.snapcraft.io. (45)
11:06:21.438230 lo In IP 127.0.0.1.60507 > 127.0.0.53.53: 4654+ [1au] A? wpad. (33)
11:06:21.438338 lo In IP 127.0.0.1.60507 > 127.0.0.53.53: 12832+ [1au] AAAA? wpad. (33)
11:06:21.438379 lo In IP 127.0.0.1.60507 > 127.0.0.53.53: 4654+ [1au] A? wpad. (33)
11:06:21.438405 lo In IP 127.0.0.1.60507 > 127.0.0.53.53: 12832+ [1au] AAAA? wpad. (33)
11:06:21.438815 lo In IP 127.0.0.1.43755 > 127.0.0.53.53: 27128+ [1au] A? wpad. (33)
11:06:21.439048 lo In IP 127.0.0.1.43755 > 127.0.0.53.53: 32763+ [1au] AAAA? wpad. (33)
11:06:21.439097 lo In IP 127.0.0.1.43755 > 127.0.0.53.53: 27128+ [1au] A? wpad. (33)
11:06:21.439121 lo In IP 127.0.0.1.43755 > 127.0.0.53.53: 32763+ [1au] AAAA? wpad. (33)
10 packets captured
32 packets received by filter
0 packets dropped by kernel
How to Save a Tcpdump Capture File
Tcpdump enables you to save the captured data to a file for analyzing the results later or for sending the files to support teams. This also helps you capture packets at a specified time like overnight and to verify the captured results later. Also, if the number of packets is higher, then it could be difficult to read the packets in real time as this happens fast.
The results are saved to a PCAP file. The PCAP extension means packet capture. Use the -w option with tcpdump to save the results to a PCAP file:
sudo tcpdump -i any -c7 -nn -w dns.pcap port 53
In this example, a snapshot of the data is captured and stored in the specified PCAP file, but you do not see the packets on your screen:
tcpdump: data link type LINUX_SLL2
tcpdump: listening on any, link-type LINUX_SLL2 (Linux cooked v2), snapshot length 262144 bytes
7 packets captured
12 packets received by filter
0 packets dropped by kernel
The above command captures only 7 packets and saves them to a binary file. This file cannot be opened with a text editor. Use tcpdump with the -r option to read the file:
tcpdump -nn -r dns.pcap
You do not require the sudo privileges to read a PCAP file because the command is not capturing the content in real-time from the network interface.
reading from file dns.pcap, link-type LINUX_SLL2 (Linux cooked v2), snapshot length 262144
Warning: interface names might be incorrect
11:41:27.602500 lo In IP 127.0.0.1.45960 > 127.0.0.53.53: 55577+ [1au] A? api.snapcraft.io. (45)
11:41:27.602515 lo In IP 127.0.0.1.45960 > 127.0.0.53.53: 51484+ [1au] AAAA? api.snapcraft.io. (45)
11:41:27.602719 enp0s3 Out IP 10.0.2.15.59283 > 192.168.1.1.53: 31340+ [1au] A? api.snapcraft.io. (45)
11:41:27.602923 enp0s3 Out IP 10.0.2.15.38412 > 192.168.1.1.53: 48677+ [1au] AAAA? api.snapcraft.io. (45)
11:41:27.621483 enp0s3 In IP 192.168.1.1.53 > 10.0.2.15.59283: 31340 4/0/1 A 185.125.188.58, A 185.125.188.54, A 185.125.188.57, A 185.125.188.60 (109)
11:41:27.621704 lo In IP 127.0.0.53.53 > 127.0.0.1.45960: 55577 4/0/1 A 185.125.188.58, A 185.125.188.54, A 185.125.188.57, A 185.125.188.60 (109)
11:41:27.623085 enp0s3 In IP 192.168.1.1.53 > 10.0.2.15.38412: 48677 0/1/1 (109)
Tcpdump filters also work when you read content from a PCAP file. For example, to display packets that are originated from the 127.0.0.1 IP address in the PCAP file, use the following command:
tcpdump -nn -r dns.pcap src 127.0.0.1
The following output shows results that meet the specified criteria:
reading from file dns.pcap, link-type LINUX_SLL2 (Linux cooked v2), snapshot length 262144
Warning: interface names might be incorrect
11:41:27.602500 lo In IP 127.0.0.1.45960 > 127.0.0.53.53: 55577+ [1au] A? api.snapcraft.io. (45)
11:41:27.602515 lo In IP 127.0.0.1.45960 > 127.0.0.53.53: 51484+ [1au] AAAA? api.snapcraft.io. (45)
How to Read PCAP File
Use the -r option to read contents for a PCAP file where you stored the results of tcpdump. For example, to open a file named interconnect.pcap from the current directory, type:
tcpdump -r interconnect.pcap
You cannot open and read a PCAP file using any other Linux command, such as cat or less. Trying to open this file using other commands give you an error. For example:
cat dns.pcap
You can share a PCAP file with normal users to read the file and analyze it without providing them the sudo privileges.
Tcpdump Options
The following table describes some of the most commonly used options supported by tcpdump to display required packets:
Options | Description |
---|---|
-i <interface> | Specifies the network interface name on which you want to capture the tcpdump packets. |
-n | Instructs the system to not perform reverse DNS resolution on IP addresses. |
-w <file_name> | Specifies the name of the PCAP file to which you want to write the network packets. |
-r <file_name> | Specifies the name of the PCAP file from which you want to read the contents. |
-s <bytes> | Specifies the snap length, which means the amount of data that you want the command to capture for each frame. |
-c <packets> | Limits the results to the specified number of packages. |
-p | Avoids the promiscuous mode for the interface. |
-v | Prints the verbose output. |
-e | Prints link-lavel header on every packet output line. |
Conclusion
In this tutorial, we learned how to use the tcpdump command to troubleshoot network connections, interfaces, and other packets. This command provides several options to extract specific data and filters to narrow down the search results. The examples covered in this tutorial will help you understand the command better. For more information about the tcpdump command syntax, options, and filters, refer to the tcpdump man page.
Comments