The tcpdump is a command line packet analyzer that allows you to capture and display the contents (header) of packets on the network interface. It is commonly used to troubleshoot network-related issues, monitor network traffic, and conduct network forensics.
Here we focus on:
- Understanding tcpdump output format
- Examples of using tcpdump filter for various scenarios.
tcpdump generally comes preinstalled in all popular Linux Distributions. It relies on the libpcap library to capture live network data.
Install tcpdump along with libpcap (comes as dependency package):
sudo apt install tcpdump ##Debian/Ubuntu sudo yum install tcpdump ##Redhat sudo dnf install tcpdump ##Fedora sudo pacman -S tcpdump ##Arch Linux
Default tcpdump starts capturing packets from the first available interface.
If you're unsure which interface tcpdump would use by default on your system, you can run:
1.eth0 [Up, Running, Connected] 2.any (Pseudo-device that captures on all interfaces) [Up, Running] 3.lo [Up, Running, Loopback] 4.bluetooth-monitor (Bluetooth Linux Monitor) [Wireless] 5.nflog (Linux netfilter log (NFLOG) interface) [none] 6.nfqueue (Linux netfilter queue (NFQUEUE) interface) [none] 7.dbus-system (D-Bus system bus) [none] 8.dbus-session (D-Bus session bus) [none]
This command lists all available interfaces. The first one in the list is typically the default interface.
The most common use case would specific interface using -i option:
sudo tcpdump -i eth0
To capture packets from all interfaces use
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode listening on eth0, link-type EN10MB (Ethernet), snapshot length 262144 bytes 22:13:25.684876 IP 173-230-141-50.ip.linodeusercontent.com.ssh > n58-108-68-190.meb1.vic.optusnet.com.au.63751: Flags [P.], seq 3482678743:3482678871, ack 725448014, win 501, length 128 22:13:25.684928 IP 173-230-141-50.ip.linodeusercontent.com.ssh > n58-108-68-190.meb1.vic.optusnet.com.au.63751: Flags [P.], seq 128:192, ack 1, win 501, length 64 22:13:25.684965 IP 173-230-141-50.ip.linodeusercontent.com.ssh > n58-108-68-190.meb1.vic.optusnet.com.au.63751: Flags [P.], seq 192:272, ack 1, win 501, length 80 22:13:25.684995 IP 173-230-141-50.ip.linodeusercontent.com.ssh > n58-108-68-190.meb1.vic.optusnet.com.au.63751: Flags [P.], seq 272:352, ack 1, win 501, length 80 22:13:25.685020 IP 173-230-141-50.ip.linodeusercontent.com.ssh > n58-108-68-190.meb1.vic.optusnet.com.au.63751: Flags [P.], seq 352:432, ack 1, win 501, length 80
To stop capturing, simply press CTRL +C.
You can use -c option to limit the number of packets:
sudo tcpdump -i enp0s3 -c 10
This captures 10 packets and then stops.
Interpret Output Format
Following is a sample single-line output from tcpdump looks like. Based the filter there might be some difference, but the general format is this.
22:13:25.684928 IP 173-230-141-50.ip.linodeusercontent.com.ssh > n58-108-68-190.meb1.vic.optusnet.com.au.63751: Flags [P.], seq 128:192, ack 1, win 501, length 64
let's break down the provided tcpdump output:
22:13:25.684928: This is the timestamp of when the packet was captured. The format is
IP: This is the protocol of the packet, in this case, IPv4.
173-230-141-59.ip.linodeusercontent.com.ssh: This is the source address, which has been resolved to a DNS name. The
.ssh indicates that the source port is 22, which is the standard port for SSH (Secure Shell).
>: This indicates the direction of the packet, going from source to destination.
n58-108-68-190.meb1.vic.optusnet.com.au.63751: This is the destination address (again resolved to a DNS name). The
.63751 indicates the destination port number, which is an ephemeral (random high number) port
- The flags field provides information about the TCP flags set in the packet.
- P: Indicates that this is a packet with the "Push" flag set, meaning the receiver should pass this data to the application as soon as possible.
- .: The dot indicates that the ACK (Acknowledgment) flag is also set, meaning this packet is also acknowledging received data.
seq 128:192: This refers to the sequence numbers for the TCP segment. This particular segment is sending bytes 128 through 191 (so 192 is the next expected byte).
ack 1: This indicates the acknowledgment number. It means that the sender of this packet is expecting the next byte from the other side to be byte number 1.
win 501: This is the window size, which informs the recipient of the packet how many bytes the sender can accept in the next return segments before requiring an acknowledgment. In this case, it can accept up to 501 bytes.
length 64: This indicates the data length of the TCP segment, which in this case, is 64 bytes.
The general TCP flag and its respective letters are:
- S (SYN): Initiate a new connection.
- A (ACK): Acknowledge receipt of a packet.
- F (FIN): Finish; signal the end of a session.
- R (RST): Reset the connection.
- P (PSH): Push the buffered data to the receiving application immediately.
- U (URG): Data in the packet is urgent.
Here are some more detailed examples of using tcpdump for various scenarios.
1. Capture without DNS Resolution
Use -nn to avoid converting host addresses and port to to their respective names.
sudo tcpdump -nn
This makes the output quicker and easier for scripts as it avoids DNS resolution.
2. Display captured packet in ASCII
Use -A option to print packet content in ASCII. It is useful especially to examine the human-readable text content of the packet.
sudo tcpdump -A
3. Capture packets of a specific protocol
For example lets capture packets only for ICMP
sudo tcpdump icmp
4. Capture packets based on source, destination and port
sudo tcpdump -i eth0 src 192.168.1.10 and dst 192.168.1.2 and dst port 80
This starts capturing packets originating from
192.168.1.10, destined for
192.168.1.2, and targeting port
Note: You can use
not operator to exclude traffic for specified criteria.
5. Capture specific network traffic
sudo tcpdump net 10.0.2.0/25
This capture packets involving the IP network range
6. More detailed the output
Use 3 v to get maximum verbosity for detailed output:
sudo tcpdump -vvv
7. Capture packets based on packet size
greater qualifiers to filter packets based on their size.
sudo tcpdump less 64 ##captures packets that are smaller than 64 bytes sudo tcpdump greater 1000 ###captures packets larger than 1000 bytes.
8. Filter packets based on specific TCP flags
This filters out only TCP SYN packets:
sudo tcpdump 'tcp & 2 != 0'
To filter out only TCP ACK packets:
sudo tcpdump 'tcp & 16 != 0'
The values (e.g., 2, 16) are the respective positions of these flags in the TCP header.
9. Filter packets based on specific TTL
sudo tcpdump -v 'ip = 64'
ip: This denotes the 9th byte in the IP header (considering that the index starts at 0). The 9th byte of the IP header corresponds to the Time To Live (TTL) value for the packet.
= 64: This checks if the TTL value is set to 64.
10. Save packets to a file for later inspect
Use -w option to save raw packets to a file instead of displaying on the screen.
sudo tcpdump -i any -w /path/to/outputfile.pcap
You can use tcpdump to read the from the file using -r option. Other packet analysis tools like Wireshark can also read pcap
sudo tcpdump -r /path/to/outputfile.pcap
Instead of reading from from interface tcpdump read from the specified file.
For an exhaustive list and details, refer to the tcpdump man page by typing
man tcpdump in the terminal.