How to use the command 'tcpdump' (with examples)
Tcpdump is a powerful command-line packet analyzer tool used to capture network traffic on a network interface. It allows users to inspect the contents of network packets in real-time or read from existing packet capture files. This article will provide examples of various use cases of the tcpdump command.
Use case 1: List available network interfaces
Code:
tcpdump -D
Motivation: This use case is helpful when you need to list all the available network interfaces on your system. It provides you with a list of interface names that you can use to capture network traffic.
Explanation:
tcpdump
: The command itself.-D
: This option is used to list all the available network interfaces.
Example output:
1.eth0
2.lo
3.wlan0
Use case 2: Capture the traffic of a specific interface
Code:
tcpdump -i eth0
Motivation: When you need to capture network traffic from a specific network interface, this use case comes in handy. By specifying the interface name, you can narrow down the captured traffic to a specific interface.
Explanation:
tcpdump
: The command itself.-i eth0
: This option is used to capture the traffic of the ’eth0’ interface.
Example output:
...
Use case 3: Capture all TCP traffic showing contents (ASCII) in console
Code:
tcpdump -A tcp
Motivation: This use case is helpful when you want to analyze TCP traffic and inspect the content of each packet in ASCII format directly in the console.
Explanation:
tcpdump
: The command itself.-A
: This option is used to print out packet contents, including packet data, in ASCII format.tcp
: This filter is used to capture all TCP traffic.
Example output:
...
Use case 4: Capture the traffic from or to a host
Code:
tcpdump host www.example.com
Motivation: If you want to capture traffic specific to a certain host, this use case will allow you to filter out all the packets that originate from or are destined to that host.
Explanation:
tcpdump
: The command itself.host www.example.com
: This filter is used to capture traffic that either originates from or is destined to the specified host (‘www.example.com ’ in this case).
Example output:
...
Use case 5: Capture the traffic from a specific interface, source, destination, and destination port
Code:
tcpdump -i eth0 src 192.168.1.1 and dst 192.168.1.2 and dst port 80
Motivation: When you want to capture traffic that satisfies multiple conditions like source IP, destination IP, and destination port, this use case will allow you to filter the packets based on those conditions.
Explanation:
tcpdump
: The command itself.-i eth0
: This option is used to capture the traffic of the ’eth0’ interface.src 192.168.1.1
: This filter captures traffic with a source IP address of ‘192.168.1.1’.dst 192.168.1.2
: This filter captures traffic with a destination IP address of ‘192.168.1.2’.dst port 80
: This filter captures traffic with a destination port of ‘80’.
Example output:
...
Use case 6: Capture the traffic of a network
Code:
tcpdump net 192.168.1.0/24
Motivation: When you want to capture traffic from a specific network or subnet, this use case will enable you to capture packets that belong to that network.
Explanation:
tcpdump
: The command itself.net 192.168.1.0/24
: This filter captures traffic from the network ‘192.168.1.0/24’.
Example output:
...
Use case 7: Capture all traffic except traffic over port 22 and save to a dump file
Code:
tcpdump -w dumpfile.pcap port not 22
Motivation: This use case allows you to capture all network traffic except for traffic over a specific port (port 22 in this case). Additionally, it saves the captured traffic to a dump file for later analysis.
Explanation:
tcpdump
: The command itself.-w dumpfile.pcap
: This option is used to write the captured traffic to a file named ‘dumpfile.pcap’.port not 22
: This filter captures all traffic except the one over port 22.
Example output:
...
Use case 8: Read from a given dump file
Code:
tcpdump -r dumpfile.pcap
Motivation: When you want to analyze previously captured network traffic stored in a dump file, this use case allows you to read the packets and inspect their contents.
Explanation:
tcpdump
: The command itself.-r dumpfile.pcap
: This option allows tcpdump to read the captured packets from the specified file (‘dumpfile.pcap’).
Example output:
...
Conclusion
The tcpdump command is a versatile tool that allows you to capture and analyze network traffic on different levels of granularity. By utilizing various options and filters, you can extract valuable information from the captured packets, capture traffic from specific interfaces or hosts, and save the captured traffic for later analysis. Whether you’re troubleshooting network issues or conducting network security analysis, tcpdump proves to be a useful utility in your arsenal.