The tcpdump command dumps traffic on a network: it prints out a description of the contents of packets on a network interface that match the boolean filter expression given on the command line.

tcpdump works on most flavors of Unix. It can save the captured packets to a file, and that file can be read back later with tcpdump itself for analysis, or with open-source tools such as Wireshark that understand tcpdump's pcap format.

Here are some practical examples of how to use the tcpdump command.

1. Capture packets on the default interface.

With no -i option tcpdump listens on the first configured non-loopback interface (eth0 in the banner below), not on every interface; on Linux, -i any listens on all of them. Capturing requires root privileges, hence the # prompt.

#tcpdump 
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
...

2. Capture packets from a particular interface, using tcpdump -i

The -i option selects the interface tcpdump listens on; it is not a packet filter, and packets on other interfaces are not seen at all.

#tcpdump -i vmnet8
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on vmnet8, link-type EN10MB (Ethernet), capture size 65535 bytes

3. Capture packets with numeric IP addresses using tcpdump -n

-n tells tcpdump not to resolve addresses to names, so the machines involved are shown by IP address. This is usually what you want on a live capture: reverse-DNS lookups are slow, generate traffic of their own, and tell the DNS server which hosts you are looking at. Port numbers are still shown as service names (the .ssh below); use -nn to print them numerically as well.

$ tcpdump -n -i eth0
15:01:35.170763 IP 10.0.19.121.52497 > 192.168.1.1: P 105:157(52) ack 18060 win 16549
15:01:35.170776 IP 11.154.12.121.ssh > 10.0.9.121.52497: P 23988:24136(148) ack 157 win 113
15:01:35.170894 IP 11.154.12.121.ssh > 10.0.9.121.52497: P 24136:24380(244) ack 157 win 113

4. Capture packets on a particular port using tcpdump port

port 22 matches packets whose source or destination port is 22, so this shows both directions of an SSH session; the lines below are the server's replies, from its ssh port to the client's port 49201.

#tcpdump -i eth0 port 22 
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
23:19:45.717834 IP fibrevillage.com.ssh > d64-180-172-246.bchsia.telus.net.49201: Flags [.], ack 3580300144, win 379, length 0
23:19:45.719475 IP fibrevillage.com.ssh > d64-180-172-246.bchsia.telus.net.49201: ...

5. Capture packets for a particular destination IP and port

Every packet carries a source and a destination IP address and port number, and tcpdump filters can qualify either end with src or dst. The following command captures packets on eth0 whose destination is fibrevillage.com (dst is short for dst host) and whose source or destination port is 22; use dst port 22 instead of port 22 to require 22 as the destination port.

$ tcpdump -i eth0 dst fibrevillage.com and port 22

6. Capture TCP communication packets between two hosts

The command below repeats the previous filter with a numeric address: it captures packets on eth0 destined for 192.168.0.1 with port 22 at either end, which is only one direction of the session. To capture everything two machines exchange over TCP, both directions included, combine two host qualifiers, as in tcp and host A and host B (and, or and not are covered in example 8).

$tcpdump -i eth0 dst 192.168.0.1 and port 22

7. Capture only packets of a specific protocol type

You can filter on the protocol type with one of these keywords: fddi, tr, wlan, ip, ip6, arp, rarp, decnet, tcp and udp. The following example captures only ARP packets seen on the eth0 interface.

#tcpdump -i eth0 arp 
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
23:29:30.380073 ARP, Request who-has 192.168.0.1 tell rout01.fibrevillage.com, length 46

8. tcpdump Filter Packets – Capture all the packets other than arp and rarp

Filter expressions can be combined with and, or and not (&&, || and ! also work), so not arp and not rarp drops both ARP variants and keeps everything else.

#tcpdump -i eth0 not arp and not rarp 
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
23:24:28.305837 IP fibrevillage.com.ssh > d64-180-172-246.bchsia.telus.net.49201: Flags [.], ack 3580666160, win 379, length 0
...

9. Display Captured Packets in ASCII using tcpdump -A

-A prints each packet, minus its link-level header, as ASCII, which is the quickest way to watch cleartext protocol content (HTTP requests, SMTP commands, plain-text credentials) go by. Only the bytes that fit within the snaplen are shown.

$ tcpdump -A -i eth0

10. Display Captured Packets in HEX and ASCII using tcpdump -XX

Some users want to see the raw bytes. -X prints each packet, minus its link-level header, in hex and ASCII side by side; -XX does the same but also includes the link-level (Ethernet) header.

$tcpdump -XX -i eth0

11. Capture the packets and write into a file using tcpdump -w

tcpdump can save the captured packets to a file so you can analyse them later, with tcpdump -r, Wireshark or any other pcap-aware tool.

$ tcpdump -w `date +%F`.pcap -i eth0
tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
32 packets captured
32 packets received by filter
0 packets dropped by kernel

-w writes the raw packets, not the decoded text, into the given file in pcap format. The .pcap extension is a convention rather than a requirement, but it lets Wireshark and other protocol analyzers recognise the file. Note the "capture size 96 bytes" above: older tcpdump versions defaulted to a 96-byte snaplen, which truncates most payloads; set -s 0 (or an explicit length) if you need complete packets for later analysis.

12. Reading the packets from a saved file using tcpdump -r

You can read a saved pcap file back and apply the same filter expressions and output options to it, as shown below; reading a file needs no capture privileges.

$tcpdump -tttt -r 2016-04-30.pcap

13. Capture packets with a readable timestamp using tcpdump -tttt

-tttt prints each packet with a full date and time (YYYY-MM-DD HH:MM:SS.ffffff) instead of the default time-of-day only, which keeps lines from long captures unambiguous.

$ tcpdump -n -tttt -i eth0

14. Capture packets of at least N bytes

The greater filter keeps packets whose length is greater than or equal to N (the filter syntax documents it as len >= N), so the following writes every packet of 1024 bytes or more to g_1024.pcap:

$ tcpdump -w g_1024.pcap greater 1024

15. Capture only N packets using tcpdump -c

By default tcpdump keeps printing packets until you interrupt it with Ctrl-C. With -c you specify the number of packets to capture, and tcpdump exits once that many have been seen.

$ tcpdump -c 2 -i eth0
...

The above tcpdump command captured only 2 packets from interface eth0.

16. Capture packets of at most N bytes

The less filter keeps packets whose length is less than or equal to N (len <= N):

$ tcpdump -w 2016-04-30.pcap  less 1024