Using tcpdump to capture and analyze packets from Internet traffic

tcpdump is a UNIX utility (there is a clone for Windows) that allows us to capture network traffic and analyze it. This utility requires root privileges to run. Output data can be shown in the terminal or written to a file. tcpdump is a well known utility. This program allows us to set specific ports, IP addresses, packet type and filter them.

First, we need install tcpdump package. In Debian-based systems it can be done by the following command:

sudo apt install tcpdump

The simplest use of this utility with default parameters:

sudo tcpdump

If we have several internet adapters or internet interfaces we can list them:

sudo tcpdump -D
...
1.enp4s0 [Up, Running]
2.any (Pseudo-device that captures on all interfaces) [Up, Running]
3.lo [Up, Running, Loopback]
4.nflog (Linux netfilter log (NFLOG) interface)
5.nfqueue (Linux netfilter queue (NFQUEUE) interface)
6.usbmon1 (USB bus number 1)
7.usbmon2 (USB bus number 2)

We can choose the name of the interface and display traffic on it. If “-i any” parameter is used, then traffic from all interfaces (which are listed with -D option) in the system will be displayed:

sudo tcpdump -i enp4s0
sudo tcpdump -i any

If we want to reduce information about packets, we can use -q (quiet) option. This will simplify output:

sudo tcpdump -q

If we need to collect a certain number of packets, we can pass it by -c parameter. The program finishes when packets are collected:

sudo tcpdump -c 100

By default, the size of analyzed packets is 68 bytes. We can use -s option to change this. If -s value is zero whole packet can be analyzed.

-X option allows us to see the contents of the package.

Use -XX option instead to see additional headers:

sudo tcpdump -X -s 500
sudo tcpdump -XX -s 0

Only large packets will be shown:

sudo tcpdump greater 1024

-n option converts the domain name of the host to an IP address (google.com -> xxx.xxx.xxx.xxx).

-nn option works like -n option but in addition converts the protocol name of the packets to a port number (https -> 443, http -> 80):

sudo tcpdump -n
sudo tcpdump -nn

The information detalization level. How detailed will the packets information be:

sudo tcpdump -v
sudo tcpdump -vv
sudo tcpdump -vvv

Show packets of a specific protocol or communications network:

sudo tcpdump tcp
sudo tcpdump udp
sudo tcpdump icmp
sudo tcpdump arp
sudo tcpdump "tcp or udp"
sudo tcpdump "broadcast or multicast"

Specify the port to show its packets. HTTPS connections use 443 port and HTTP connections use 80 port:

sudo tcpdump port 443
sudo tcpdump port 80

src option is used to capture packets which were received from host (e.g. google.com), dst option is used to capture packets which were sent to host:

sudo tcpdump src port 443
sudo tcpdump dst port 443

It is possible to specify a range of ports:

sudo tcpdump -n dst portrange 80-1080

We can specify a domain name to display only packets that are associated with it:

sudo tcpdump host ultra-technology.org
sudo tcpdump host ultra-technology.org and cloudflare.com

Or exclude some domains names from output:

sudo tcpdump not host wikimedia.org
sudo tcpdump host ultra-technology.org and not host google.com

Now use it with src and dst options:

sudo tcpdump src host ultra-technology.org
sudo tcpdump dst host ultra-technology.org

Examples of definition hosts and ports together:


sudo tcpdump -n "dst host 192.168.1.1 and dst port 23"
sudo tcpdump -n "dst host 192.168.1.1 and (dst port 80 or dst port 443)"

Read traffic from a specific subnet:

sudo tcpdump -n net 192.168.1.0/24

-w option allows to write output to a file, -r option allows to read this output:

sudo tcpdump -w dumpfile
sudo tcpdump -r dumpfile

This can be used for detailed output:

sudo tcpdump -vvv -w dumpfile
sudo tcpdump -vvv -r dumpfile

Leave a Reply

Your email address will not be published.