tcpdump is a UNIX command-line utility (a port for Windows exists) that captures network traffic and lets us analyze it. It requires root privileges to run. Output can be shown in the terminal or written to a file. tcpdump is a well-known tool: it lets us filter captured traffic by port, IP address and packet type.
First, we need to install the tcpdump package. On Debian-based systems this is done with:
sudo apt install tcpdump
The simplest use of this utility, with default parameters:
sudo tcpdump
If we have several network adapters or interfaces, we can list them:
sudo tcpdump -D
...
1.enp4s0 [Up, Running]
2.any (Pseudo-device that captures on all interfaces) [Up, Running]
3.lo [Up, Running, Loopback]
4.nflog (Linux netfilter log (NFLOG) interface)
5.nfqueue (Linux netfilter queue (NFQUEUE) interface)
6.usbmon1 (USB bus number 1)
7.usbmon2 (USB bus number 2)
We can pass the name of an interface with -i to display only its traffic. If "-i any" is used, traffic from all interfaces in the system (those listed by -D) is displayed:
sudo tcpdump -i enp4s0
sudo tcpdump -i any
If we want less information per packet, we can use the -q (quiet) option, which simplifies the output:
sudo tcpdump -q
If we need to collect a certain number of packets, we can pass it with the -c parameter. The program exits once that many packets have been captured:
sudo tcpdump -c 100
By default, only the first 68 bytes of each packet (the snapshot length) are captured and analyzed. The -s option changes this; with -s 0 the whole packet is captured.
The -X option prints the contents of each packet in hex and ASCII.
Use -XX instead to also print the link-layer header:
sudo tcpdump -X -s 500
sudo tcpdump -XX -s 0
Only large packets (at least 1024 bytes long) will be shown:
sudo tcpdump greater 1024
The -n option disables host name resolution, so hosts are shown as IP addresses instead of domain names (google.com -> xxx.xxx.xxx.xxx).
The -nn option works like -n but additionally disables protocol and service name resolution, so ports are shown as numbers (https -> 443, http -> 80):
sudo tcpdump -n
sudo tcpdump -nn
The verbosity level controls how detailed the information about each packet is; each extra v adds more detail:
sudo tcpdump -v
sudo tcpdump -vv
sudo tcpdump -vvv
Show packets of a specific protocol or traffic type:
sudo tcpdump tcp
sudo tcpdump udp
sudo tcpdump icmp
sudo tcpdump arp
sudo tcpdump "tcp or udp"
sudo tcpdump "broadcast or multicast"
Specify a port to show only its packets. HTTPS connections use port 443 and HTTP connections use port 80:
sudo tcpdump port 443
sudo tcpdump port 80
The src qualifier matches packets whose source is the given host or port (e.g. packets coming from google.com); the dst qualifier matches packets whose destination is the given host or port (packets sent to it):
sudo tcpdump src port 443
sudo tcpdump dst port 443
It is possible to specify a range of ports:
sudo tcpdump -n dst portrange 80-1080
We can specify a host name to display only packets associated with it:
sudo tcpdump host ultra-technology.org
sudo tcpdump host ultra-technology.org and cloudflare.com
Or exclude some hosts from the output:
sudo tcpdump not host wikimedia.org
sudo tcpdump host ultra-technology.org and not host google.com
Now the same with the src and dst qualifiers:
sudo tcpdump src host ultra-technology.org
sudo tcpdump dst host ultra-technology.org
Examples combining hosts and ports in one filter (parentheses group the alternatives, so the whole expression is quoted for the shell):
sudo tcpdump -n "dst host 192.168.1.1 and dst port 23"
sudo tcpdump -n "dst host 192.168.1.1 and (dst port 80 or dst port 443)"
Capture traffic to or from a specific subnet:
sudo tcpdump -n net 192.168.1.0/24
The -w option writes the raw captured packets to a file (in pcap format, so other tools can read it as well); the -r option reads packets back from such a file instead of a live interface:
sudo tcpdump -w dumpfile
sudo tcpdump -r dumpfile
This can be combined with detailed output:
sudo tcpdump -vvv -w dumpfile
sudo tcpdump -vvv -r dumpfile
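As an added example (not part of the original page), the following POSIX shell helper combines the host-and-port filters and the -nn, -s 0, -c and -w options described above into one capture command that saves full packets to a pcap file for later offline analysis with -r. The interface name, host address, ports and file name used at the bottom are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the original page: compose a tcpdump capture
# command from the options covered above. The interface, host, ports and
# file name used below are constructed placeholders, not real systems.

# build_filter HOST PORT... -> prints a BPF filter expression such as
#   dst host 192.168.1.1 and (dst port 80 or dst port 443)
build_filter() {
    host="$1"; shift
    [ $# -gt 0 ] || { echo "usage: build_filter HOST PORT..." >&2; return 1; }
    ports=""
    for p in "$@"; do
        # every port must be numeric so the expression stays valid
        case "$p" in
            ''|*[!0-9]*) echo "bad port: $p" >&2; return 1 ;;
        esac
        ports="${ports:+$ports or }dst port $p"
    done
    printf 'dst host %s and (%s)\n' "$host" "$ports"
}

# capture_cmd IFACE FILE COUNT HOST PORT... -> prints the full command line
#   -nn  : no host or port name resolution (numeric output)
#   -s 0 : capture whole packets, not just the first bytes
#   -c   : stop after COUNT packets
#   -w   : write raw packets to FILE; read them back later with tcpdump -r FILE
capture_cmd() {
    iface="$1"; file="$2"; count="$3"; shift 3
    filter="$(build_filter "$@")" || return 1
    printf 'sudo tcpdump -nn -i %s -s 0 -c %s -w %s "%s"\n' \
        "$iface" "$count" "$file" "$filter"
}

# Example: capture 100 full packets sent to the (constructed) gateway
# 192.168.1.1 on ports 80 and 443 into gateway.pcap
capture_cmd enp4s0 gateway.pcap 100 192.168.1.1 80 443
```

The helper only prints the command line; run the printed command as root to start the capture, then inspect the file with sudo tcpdump -nn -r gateway.pcap.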