tcpdump is a network packet sniffer that can capture and filter various types of traffic, including TCP, UDP, and ICMP. It is a widely used command-line tool for network monitoring and debugging, and is installed by default on many Unix/Linux distributions.
With tcpdump, you can capture live traffic and save it to a file for future analysis. The captured data is saved in pcap format, which can be read by tcpdump itself or GUI tools like Wireshark.
Tcpdump is commonly used for system security checking, penetration testing, network troubleshooting, and more. In short, it is a Swiss army knife for system administrators, network engineers, and security professionals.
This guide will provide you with the basics and practical examples of the tcpdump command.
tcpdump command:
It is recommended to run the tcpdump command with root user privileges. The tcpdump command will continue to run until you press Ctrl+C to terminate it.
The following is the tcpdump command syntax in short:
tcpdump [options] [expression]
When you run tcpdump with no filters, it will show you all the packets flowing through the default interface.
tcpdump
You can list all the interfaces of your server by running the following command:
or
Output:
1.eth0 [Up, Running]
2.eth1 [Up, Running]
3.lo [Up, Running, Loopback]
4.any (Pseudo-device that captures on all interfaces) [Up, Running]
5.bluetooth-monitor (Bluetooth Linux Monitor) [none]
6.nflog (Linux netfilter log (NFLOG) interface) [none]
7.nfqueue (Linux netfilter queue (NFQUEUE) interface) [none]
You can capture all packets from all interfaces by using any interface:
For better understanding, You should use the interface name using the -i option:
For more detailed output, you can use the -v or -vv options:
You can limit the tcpdump command output using the below command:
By default, tcpdump does the DNS resolution. You can disable name resolution by using the option -n and port resolution with -nn:
This option is very useful while troubleshooting network issues.
Output:
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on any, link-type LINUX_SLL (Linux cooked v1), capture size 262144 bytes
14:56:10.085238 IP 172.18.1.48.22 > 172.18.1.250.59860: Flags [P.], seq 475071168:475071392, ack 2781200040, win 501, length 224
14:56:10.085526 IP 172.18.1.48.22 > 172.18.1.250.59860: Flags [P.], seq 224:416, ack 1, win 501, length 192
14:56:10.085631 IP 172.18.1.48.22 > 172.18.1.250.59860: Flags [P.], seq 416:576, ack 1, win 501, length 160
14:56:10.085760 IP 172.18.1.48.22 > 172.18.1.250.59860: Flags [P.], seq 576:736, ack 1, win 501, length 160
14:56:10.085860 IP 172.18.1.48.22 > 172.18.1.250.59860: Flags [P.], seq 736:896, ack 1, win 501, length 160
5 packets captured
5 packets received by filter
0 packets dropped by kernel
You can capture packets with properly readable timestamps using the tcpdump -tttt option:
Output:
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on any, link-type LINUX_SLL (Linux cooked v1), capture size 262144 bytes
2022-03-27 15:20:25.081838 IP 172.18.1.48.22 > 172.18.1.250.50472: Flags [P.], seq 3309433839:3309434063, ack 2385369981, win 501, length 224
2022-03-27 15:20:25.082165 IP 172.18.1.48.22 > 172.18.1.250.50472: Flags [P.], seq 224:432, ack 1, win 501, length 208
2022-03-27 15:20:25.082350 IP 172.18.1.48.22 > 172.18.1.250.50472: Flags [P.], seq 432:608, ack 1, win 501, length 176
3 packets captured
3 packets received by filter
0 packets dropped by kernel
2: Understanding the output format
tcpdump prints output in one line for each packet. Its syntax looks like this:
[Timestamp] [Protocol] [Src IP].[Src Port] > [Dst IP].[Dst Port]: [Flags], [Seq], [Ack], [Win Size], [Options], [Data Length]
When you type the tcpdump command, you will get output as shown in the below example:
18:13:17.425434 IP app.4436 > 157.32.66.94.45896: Flags [P.], seq 696:749, ack 632, win 3372, options [nop,nop,TS val 2489039195 ecr 16819361], length 53
where:
- 18:13:17.425434 - It is the timestamp of the captured packet as per the system timezone.
- IP - protocol
- app.4436 - hostname or IP with port number, separated by a dot (.).
- 157.35.66.94.45896 - destination hostname or IP and port number, separated by a dot (.).
- Flags [P.] - It is TCP Flags. It shows the state of the connection. In this example, [P.] means Push Acknowledgment packet.
- Flag has other field values like:
[.] - ACK (Acknowledgment)
[S] - SYN (Start Connection)
[P] - PSH (Push Data)
[F] - FIN (Finish Connection)
[R] - RST (Reset Connection)
[S.] - SYN-ACK (SynAcK Packet)
- seq: 696:749 - Sequence numbers
- ack 632 - It shows Acknowledgment number
- win 3372 - It means the number of available bytes in the receiving buffer.
- options [nop,nop,TS val 2489039195 ecr 16819361] - TCP options.
- length 53 - The length of the data payload.
3. tcpdump Filters
Using tcpdump Filters, you can find exactly what you are looking for. For example, when troubleshooting issues related to an FTP server, you can use filters to get only FTP traffic. Filters give you a clear idea of what exactly is going on on your server. The most used tcpdump filters are: port, protocol, host, src, dst, tcp, udp, icmp.
3.1 Port filter
You can filter packets using a service name or port with the port filter. For example, you want to capture packets related to the SSH service:
Output:
12:12:59.283525 IP 139.59.3.60.22 > 182.77.112.118.62155: Flags [P.], seq 857071566:857071754, ack 3442378916, win 501, options [nop,nop,TS val 2380853868 ecr 2857908344], length 188
12:12:59.283669 IP 139.59.3.60.22 > 182.77.112.118.62155: Flags [P.], seq 188:408, ack 1, win 501, options [nop,nop,TS val 2380853868 ecr 2857908344], length 220
12:12:59.283698 IP 139.59.3.60.22 > 182.77.112.118.62155: Flags [P.], seq 408:612, ack 1, win 501, options [nop,nop,TS val 2380853868 ecr 2857908344], length 204
12:12:59.283724 IP 139.59.3.60.22 > 182.77.112.118.62155: Flags [P.], seq 612:816, ack 1, win 501, options [nop,nop,TS val 2380853868 ecr 2857908344], length 204
12:12:59.283748 IP 139.59.3.60.22 > 182.77.112.118.62155: Flags [P.], seq 816:1020, ack 1, win 501, options [nop,nop,TS val 2380853868 ecr 2857908344], length 204
5 packets captured
6 packets received by filter
0 packets dropped by kernel
You can also capture packets between port ranges as shown below:
Occasionally, you may want to capture all the packages, EXCEPT some specific port. For example, you would like to monitor all the traffic on the server but do not want to capture the port 22:
Alternatively, you can find DNS traffic using the port number, as shown in the below example:
To find FTP traffic by name, execute the below command on your FTP server:
3.2 Protocol filter
Using protocol with the tcpdump command, you can only get packets related to a specific protocol. For example, if you want to capture only ICMP packets, then run the following command on your server:
Next, ping your server from another system:
ping example.com
You will see the below output on your server:
Output:
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on any, link-type LINUX_SLL (Linux cooked v1), capture size 262144 bytes
12:22:39.353266 IP 192.168.1.52 > 192.168.1.52: ICMP echo request, id 4, seq 18, length 64
12:22:39.353292 IP 192.168.1.52 > 192.168.1.52: ICMP echo reply, id 4, seq 18, length 64
12:22:40.377322 IP 192.168.1.52 > 192.168.1.52: ICMP echo request, id 4, seq 19, length 64
12:22:40.377347 IP 192.168.1.52 > 192.168.1.52: ICMP echo reply, id 4, seq 19, length 64
3.3 Host filter
To filter traffic for a specific host, you can use host filter along with the tcpdump command:
3.4 Combine filters
You can combine filters using the and (&&), or (||), and not (!) operators.
The below example shows your destination with a port filter. It captures traffic from 192.168.1.66 on port 80 or on port 443:
4. Tcpdump Examples:
So far, you have seen how to use the tcpdump command at a basic level. Now let's see some practical and useful tcpdump commands:
4.1. Capture All incoming HTTP GET traffic requests
The above command will give GET traffic requests. Here 0x47455420 is the ASCII value for GET request.
Output:
11:22:29.789727 IP 172.77.112.118.62461 > 139.65.3.60.19999: Flags [P.], seq 1724:2155, ack 2149, win 501, options [nop,nop,TS val 1165783811 ecr 2464213374], length 431
E.....@.8..-.Mpv.;.<..N.._.=...............
E|s....~GET /api/v1/alarms?active&_=1648528027188 HTTP/1.1
Host: 139.65.3.60:19999
Connection: keep-alive
Accept: */*
Pragma: no-cache
Cache-Control: no-cache, no-store
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.99 Safari/537.36
Referer: http://139.65.3.60:19999/
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9,gu;q=0.8
4.2. Capture All incoming HTTP POST requests:
Same as above command. You can find post requests by executing the following command:
Output
:
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on any, link-type LINUX_SLL (Linux cooked v1), capture size 262144 bytes
11:30:55.534062 IP app.53364 > 169.252.159.254.http: Flags [P.], seq 1904543180:1904544302, ack 3887682708, win 502, options [nop,nop,TS val 2447752694 ecr 3070714564], length 1122: HTTP: POST /v1/metrics/droplet_id/238459262 HTTP/1.1
E.....@.@.o%.;.<.....t.Pq.....T............
......b.POST /v1/metrics/droplet_id/238459262 HTTP/1.1
Host: 169.252.159.254
User-Agent: do-agent-3.13.0
Content-Length: 848
Content-Type: application/timeseries-binary-0
X-Auth-Key: 21705a51d80d4b87883dbce1f90b742ffd53847d0bfbe38b
Accept-Encoding: gzip
Connection: close
....sNaPpY.B...~....,..sonar_disk...cards_completed_total.device.vda.:.....@.memory./...1D.B.6$.(swap_cached.).....@.6*. available.........B.6(..R ........B'.)Pnetwork_receive_bytes...eth1.8.$C../B..98cpu.mode.system.' ..(\O!.@0.'.d=?0_time_seconds..fA..?.B.file d._size.2./dev/vda1.fstype.ext4.mountpoint./.......i_SB..Q.load.. .z..G..?%....8sectors_written.s6...V...A.T..5.p )\...(.?..TM.F......B.6%..free.H....*.AQK5s.irq.....Q!.$.soft.(.{...T.@..o.(.teal.J.&...@2..!..e... ...Qhp.@,.f%N.@.;...<.YA..>%.5V.
..p=
.?..-VE..f:6.....B-.F...die..ed5.i.f...".?.Q..readV4.....^A+.4..,..... ..A(.=q..transmitB...01....J...>B.:.U. .. ..D.B$.tpdiagnostic.error.flush failur2....@`@..6UD.n.....q=
...}@2..!..B...j.t..K@J..%.-......O-CB..xbuild_info.revision.72c8c9b.ver...3.13.=g....u....id......i.~rAB...user.@...l.yB.A.}....5...:F}..iowait.\,.........J.@
4.3. Capture HTTP traffic including request and response headers and message body on port 443:
Next, you can get the User Agent and the Host by combining the egrep command with tcpdump command as shown in the below command:
4.4. Capture HTTP request URL:
You can capture all the HTTP request URLs by running the following command:
4.5. Capture Cookies:
To capture cookies from the server and client, you can execute the below command:
4.6. Capture the packets to the file:
Using the tcpdump command, you can save packets to a file, and later you can read the same file for further analysis. The file extension should be .pcap.
4.7. Read the packet file:
You can read the .pcap file using the tcpdump command itself or a GUI tool like Wireshark. Execute the below command to read the file:
4.8. Capture packets using cronjob:
You can use tcpdump with a cron job to capture packets automatically. Let's assume that your web server is experiencing high usage and there is some unknown activity occurring every day at midnight. In such cases, you can set up the tcpdump command in the crontab for further analysis, as shown below
This guide has covered the basics of the tcpdump command. Every system administrator should be familiar with its usage when dealing with network-related issues or monitoring packages traveling over the internet.