
Module 9: Networking

Lesson 91: tcpdump Command

In this lesson, you'll learn how to use the tcpdump command to capture and analyze network packets in Linux.

tcpdump is a powerful and widely used command-line packet sniffer (packet analyzer) that captures and filters TCP/IP packets received or transmitted over a network on a specific interface.

tcpdump is readily available across a wide range of Linux/Unix-based operating systems. Furthermore, it offers the invaluable option to save captured packets in a file for future analysis.

It saves captures in pcap format, which can be read back with tcpdump itself or with Wireshark, an open-source GUI network protocol analyzer that understands tcpdump's pcap files.

Install tcpdump in Linux

Many Linux distributions already ship with tcpdump. If it is not on your system, install it with the command for your distribution:

$ sudo apt install tcpdump         # Debian, Ubuntu and Mint
$ sudo yum install tcpdump         # RHEL/CentOS/Fedora and Rocky/AlmaLinux
$ sudo emerge -a sys-apps/tcpdump  # Gentoo Linux
$ sudo apk add tcpdump             # Alpine Linux
$ sudo pacman -S tcpdump           # Arch Linux
$ sudo zypper install tcpdump      # OpenSUSE

tcpdump Command Syntax

# tcpdump [OPTIONS] [FILTER EXPRESSION]

tcpdump Command Options

Option             Description
-i IFACE           Capture packets from a specific interface
-c N               Stop after capturing N packets
-A                 Print each captured packet in ASCII
-D                 List all available network interfaces
-XX                Print each captured packet in hex and ASCII
-w FILE            Save captured packets to FILE in pcap format
-r FILE            Read and analyze a previously saved pcap file
-n                 Do not resolve hostnames (show numeric addresses)
-v or -vv          Enable verbose or more verbose output

Filter expression  Description
tcp                Capture only TCP packets
port N             Capture packets on a specific port
src IP             Capture packets from a specific source IP
dst IP             Capture packets to a specific destination IP

Once tcpdump is installed on your system, you can work through the following commands and their examples.

1. Capture Packets from a Specific Interface

Run without options, tcpdump captures from all interfaces and the output keeps scrolling until you interrupt it.

With the -i switch, however, it captures only from the interface you specify.

# tcpdump -i eth0
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
11:33:31.976358 IP 172.16.25.126.ssh > 172.16.25.125.apwi-rxspooler: Flags [P.], seq 3500440357:3500440553, ack 3652628334, win 18760, length 196
11:33:31.976603 IP 172.16.25.125.apwi-rxspooler > 172.16.25.126.ssh: Flags [.], ack 196, win 64487, length 0
11:33:31.977243 ARP, Request who-has tecmint.com tell 172.16.25.126, length 28
11:33:31.977359 ARP, Reply tecmint.com is-at 00:14:5e:67:26:1d (oui Unknown), length 46
11:33:31.977367 IP 172.16.25.126.54807 > tecmint.com: 4240+ PTR? 125.25.16.172.in-addr.arpa. (44)
11:33:31.977599 IP tecmint.com > 172.16.25.126.54807: 4240 NXDomain 0/1/0 (121)
11:33:31.977742 IP 172.16.25.126.44519 > tecmint.com: 40988+ PTR? 126.25.16.172.in-addr.arpa. (44)
11:33:32.028747 IP 172.16.20.33.netbios-ns > 172.16.31.255.netbios-ns: NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST
11:33:32.112045 IP 172.16.21.153.netbios-ns > 172.16.31.255.netbios-ns: NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST
11:33:32.115606 IP 172.16.21.144.netbios-ns > 172.16.31.255.netbios-ns: NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST
11:33:32.156576 ARP, Request who-has 172.16.16.37 tell old-oraclehp1.midcorp.mid-day.com, length 46
11:33:32.348738 IP tecmint.com > 172.16.25.126.44519: 40988 NXDomain 0/1/0 (121)
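The lines above are tcpdump's one-line summary format; the following Python parser is an added example, not part of this lesson, that turns such lines into fields and separates the PTR queries from the rest, using sample lines copied from the capture above. Those PTR lookups are the capturing host resolving addresses to names for display, traffic that the -n option suppresses, so use -n when a capture is meant for parsing or for quiet monitoring.

```python
import re
from collections import Counter

# Constructed sample: lines copied from the capture shown earlier in this lesson.
SAMPLE_CAPTURE = """\
11:33:31.976358 IP 172.16.25.126.ssh > 172.16.25.125.apwi-rxspooler: Flags [P.], seq 3500440357:3500440553, ack 3652628334, win 18760, length 196
11:33:31.976603 IP 172.16.25.125.apwi-rxspooler > 172.16.25.126.ssh: Flags [.], ack 196, win 64487, length 0
11:33:31.977243 ARP, Request who-has tecmint.com tell 172.16.25.126, length 28
11:33:31.977367 IP 172.16.25.126.54807 > tecmint.com: 4240+ PTR? 125.25.16.172.in-addr.arpa. (44)
11:33:31.977599 IP tecmint.com > 172.16.25.126.54807: 4240 NXDomain 0/1/0 (121)
11:33:32.028747 IP 172.16.20.33.netbios-ns > 172.16.31.255.netbios-ns: NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST
"""

LINE_RE = re.compile(r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) (?P<proto>\w+),? (?P<rest>.*)$")  # ARP lines add a comma
IP_RE = re.compile(r"^(?P<src>\S+) > (?P<dst>[^:]+): (?P<info>.*)$")
ADDR_PORT_RE = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3})\.(\S+)$")  # IPv4 followed by .port
LENGTH_RE = re.compile(r"length (\d+)$")

def split_endpoint(endpoint):
    # tcpdump appends ".port" to the address. Only numeric IPv4 endpoints are split:
    # with hostnames (capture taken without -n) the last label is ambiguous, so they stay whole.
    m = ADDR_PORT_RE.match(endpoint)
    return (m.group(1), m.group(2)) if m else (endpoint, None)

def parse_line(line):
    # Turn one tcpdump summary line into a dict; None if the shape is unknown.
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = {"ts": m.group("ts"), "proto": m.group("proto"), "info": m.group("rest")}
    if rec["proto"] == "IP":
        ip = IP_RE.match(rec["info"])
        if not ip:
            return None
        rec["src"], rec["sport"] = split_endpoint(ip.group("src"))
        rec["dst"], rec["dport"] = split_endpoint(ip.group("dst"))
        rec["info"] = ip.group("info")
    length = LENGTH_RE.search(rec["info"])
    rec["length"] = int(length.group(1)) if length else None
    return rec

def parse_capture(text):
    return [r for r in map(parse_line, text.splitlines()) if r]

def reverse_lookups(records):
    # PTR queries are the capturing host resolving names for display; -n stops them.
    return [r for r in records if r["proto"] == "IP" and " PTR? " in r["info"]]

def protocol_counts(records):
    return Counter(r["proto"] for r in records)
```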

2. Capture Only N Packets
