The tcpdump command or tool is used to analyze network packets on Linux systems. It provides the ability to parse, filter and display network packets and protocols in different ways. The tcpdump is created in 1988 for BSD systems and ported most of the Unix, Linux operating systems and became very popular. The tcpdump is an alternative tool for Wireshark where tcpdump can be used without a GUI or desktop environment via the command-line interface.
The tcpdump command may not be installed by default in some Linux distributions. But it is provided by most of the Linux distributions via package managers
yum . We can install the tcpdump on Ubuntu, Debian, Mint, Kali, CentOS, RHEL, Fedora, etc. like below.
Install tcpdump On Ubuntu, Debian, Mint, Kali:
$ sudo apt install tcpdump
Install tcpdump On CentOS, RHEL, Fedora:
$ sudo dnf install tcpdump
Run tcpdump and Display All Traffic
The tcpdump command access the operating system level functions which require administrative root privileges. So the tcpdump command can not be run and executed as a regular user unless root privileges are provided. If we try to run tcpdump with regular user privileges we will get an error like “tcpdump: ens33: You don’t have permission to capture on that device (socket: Operation not permitted)“
We should run the tcpdump with root privileges where the sudo command can be used. the current user should be access to the sudo command.
$ sudo tcpdump
Alternatively, we can the first login as root user and then run the tcpdump command without any extra sudo command.
$ su -
Now we assume we are login as root user and try to run tcpdump command now and during this tutorial.
Filter Specific Network Interface Traffic
A system may have single or more network interfaces. Generally extra psedeu interfaces are created for virtual and auxiliary systems. By default, tcpdump command finds a network interface that has the default gateway and listens to this network interface. But we can also specify the network interface we want to listen to. First we can list the existing network interfaces with the option
-D like below.
$ tcpdump -D
1.ens33 [Up, Running] 2.lo [Up, Running, Loopback] 3.any (Pseudo-device that captures on all interfaces) [Up, Running] 4.docker0 [Up] 5.bluetooth-monitor (Bluetooth Linux Monitor) [none] 6.nflog (Linux netfilter log (NFLOG) interface) [none] 7.nfqueue (Linux netfilter queue (NFQUEUE) interface) [none] 8.dbus-system (D-Bus system bus) [none] 9.dbus-session (D-Bus session bus) [none] 10.bluetooth0 (Bluetooth adapter number 0) [none]
We can see that all interfaces are listed with an ID number and some basic information about their status. We can use these ID numbers or interface names in order to listen to the specific network interfaces. In the following example, we use the network interface name to listen to it with the tcpdump command.
$ tcpdump -i ens33
Alternatively, we can specify the network interface ID number which is displayed while listing network interfaces.
$ tcpdump -i 1
Filter Packets By Specific Host Traffic
Typical network traffic occurs between two hosts generally called client and server. The tcpdump can be used to filter network traffic filtering by the host which can be the client or server part. The
host option is used to filter network traffic according to the host. the host generally identified with its IP address.
$ tcpdump host 192.168.1.10
Filter Packets By Specific Source Host
The network traffic can be filtered according to the source host IP address. The network packets which are created by the source host is filtered with the
src option and IP address of the source host.
$ tcpdump src 192.168.1.10
Filter Packets By Specific DestinationTraffic
The network traffic can be filtered according to the destination host IP address. The network packets which are destinated to the destination host is filtered with the
dst option and IP address of the destination host.
$ tcpdump dst 192.168.1.1
Filter Packets By Specific Source Port
The tcpdump command can be used to filter packets according to their source and destination port numbers. The
port option is used to filter packets for their destination and source ports in TCP protocol.
$ tcpdump port 443
Filter Packets By Specific Destination Port
The network traffic command can be filtered according to the TCP protocol destination port. The
dst port option is used to specify the destination port we want to filter.
$ tcpdump dst port 443
Filter Packets By Specific Source Port
Even it is not so popular as a destination port we can filter network TCP traffic according to the source port number. The
src port option is used to filter network traffic according to the source port number.
$ tcpdump src port 21
Filter Packets By Port Range
Network traffic can be also filtered according to the port range where a range of ports can be specified to filter. The
portrange option is used to filter packets according to the specified port range where the start and end port numbers are provided by separating them with dash
$ tcpdump portrange 20-30
Filter Packets By Specific Network
Another useful option is filtering the network traffic according to the network IP address. All traffic sourced or destined with the specified network range is displayed and other networks related traffic is filtered. The
net option is used to specify the network IP address range.
$ tcpdump net 192.168.1.0/24
Display Packet Contents As Hex (Hexadecimal) Output
The tcpdump only displays basic information about the IP packets like source-destination IP address, port number, etc. But we can also display the packet contents in hexadecimal or hex format. The -X is used to display the content output as hexadecimal.
$ tcpdump -X
Filter Packets By Protocol
The tcpdump supports a wide range of network protocols like TCP, UDP, HTTP, FTP, IP, ICMP, ETHERNET, etc. We can use the tcpdump in order to filter network traffic according to the protocol. Only specified protocol packets are displayed. Just provide the protocol name to the tcpdump protocol as a parameter.
$ tcpdump icmp
Show Only IPv4 Traffic
IP protocol has two versions named IPv4 and IPv6. The IPv4 is the most popular protocol and defacto protocol for the internet. We can filter the network traffic for the IPv4 protocol like below.
$ tcpdump ip
show Only IPv6 Traffic
Even it is not so popular IPv6 protocol is getting more popular. The IPv6 traffic can be filtered and displayed with the tcpdump like below.
$ tcpdump ip6
Show Only TCP Traffic
The TCP protocol is the most popular transmission protocol used by a lot of different applications layer protocols. We can filter the TCP protocol like below.
$ tcpdump tcp
Show Only UDP Traffic
Another protocol-based filtering is UDP protocol filtering which can be accomplished like below.
$ tcpdump udp
Filter Packets By Packet Size
Every network packet takes some bandwidth which is also called packet size. We can use the tcpdump command to filter packets according to their sizes.
lessoption is used to filter packets with less sizes then the specified size value. Alternatively the
<sign can be also used.
greateroption is used to filter packets with greater sizes then the specified size value. Alternatively the
>sign can be also used.
$ tcpdump less 512
Read PCAP File
The tcpdump is generally used to sniff and analyze live network traffic from the network interfaces. But it can also read a PCAP file that contains network traffic as a capture or dump file. The
-r option is used to read a capture or pcap file with its file name.
$ tcpdump -r mycapture.pcap
Write/Dump To PCAP File
The tcpdump command can be dump or store or save the captured network traffic into a file. This file is generally called a PCAP file. The
-w option is used with the dump file name.
$ tcpdump -w mycapture.pcap