Situation
The tcpdump command can be used to capture network traffic on a Linux system. It’s a versatile command line utility that network administrators often rely on for troubleshooting.
What you’ll come to find is that the amount of network traffic captured on an interface can easily be overwhelming. tcpdump makes our job a little easier by allowing us to isolate only the traffic we’re interested in. Of course, in order to do this, you need to be familiar with the various flags and settings that go along with the command.
Solution
Install tcpdump on major Linux distros
There’s a good chance that your Linux distro already has tcpdump installed by default, especially if you’re running a distro geared towards servers. Just in case it’s not already installed, you can use the appropriate command below to install it through your system’s package manager.
To install tcpdump on Ubuntu, Debian, and Linux Mint:
$ sudo apt install tcpdump
To install tcpdump on CentOS, Fedora, AlmaLinux, and Red Hat:
$ sudo dnf install tcpdump
To install tcpdump on Arch Linux and Manjaro:
$ sudo pacman -S tcpdump
tcpdump command examples
All of your tcpdump commands must be executed with the root user account or with sudo. The utility requires administrator privileges in order to run. The simplest form of the command is to use the utility with no extra options, like this:
# tcpdump
If you don’t specify which network interface you’d like to capture traffic from, like in the above command, then tcpdump will choose an interface for you.
It will continue “dumping” the captured traffic to your terminal until you interrupt the command. The easiest way to do this is with Ctrl + c.
If you have more than one network interface, then it’ll be best to specify which interface you’re trying to capture traffic on, since tcpdump may not choose the one you want by default. Use the -D option to print a list of network interfaces that tcpdump can use.
# tcpdump -D
1.enp0s3 [Up, Running]
2.lo [Up, Running, Loopback]
3.any (Pseudo-device that captures on all interfaces) [Up, Running]
4.bluetooth-monitor (Bluetooth Linux Monitor) [none]
5.nflog (Linux netfilter log (NFLOG) interface) [none]
6.nfqueue (Linux netfilter queue (NFQUEUE) interface) [none]
We have a few different interfaces that we can use. Alternatively, we have the any option available that will let us capture traffic on all network interfaces simultaneously. If we want to capture network traffic on the enp0s3 interface, we would use the following command syntax.
# tcpdump -i enp0s3
You can use the -v option to increase the verbosity of the output, or -vv and -vvv to increase it even further.
# tcpdump -i enp0s3 -vv
If you don’t want tcpdump to endlessly output data to your terminal, you can use the -c option to specify how many packets you’d like the utility to capture. tcpdump will quit executing the command after the threshold has been reached, rather than waiting for you to interrupt. The following command will allow us to capture only the first 15 packets.
# tcpdump -c 15
If you don’t want tcpdump to perform DNS resolution on the network addresses in the output, you can use the -n option in your command. This will display all network addresses as IP addresses, rather than resolving them to domain names.
# tcpdump -n
If you would rather save the network traffic output to a file, instead of having it listed on your screen, you can always redirect the tcpdump output with the usual > and >> operators.
# tcpdump > traffic.txt
Another option is to write the network capture to a file. These files usually have the .pcap file extension, and can’t be read by an ordinary text editor.
# tcpdump -n -w traffic.pcap
To open the file for later analysis, use the -r option and the name of your file.
# tcpdump -r traffic.pcap
Interpret tcpdump command output
Each packet that tcpdump captures is written as an individual line. One of those lines will look something like this:
14:21:46.134249 IP 10.0.2.15.54000 > 104.16.168.35.443: Flags [.], ack 2915, win 63000, length 0
Here’s how to interpret that line of data:
14:21:46.134249 – Timestamp of when the packet was captured.
IP 10.0.2.15.54000 – IP address and port number of the source host.
104.16.168.35.443 – IP address and port number of the destination host.
Flags [.] – TCP flags (SYN, ACK, PSH, etc.). [.] means ACK.
ack 2915 – The acknowledgment number.
win 63000 – The window size (bytes in the receiving buffer).
length 0 – The length of the payload data.
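The line format described above is regular enough to parse with a small script. The following Python is an added example, not code from the original article: it extracts the fields of a numeric (tcpdump -n) TCP line and, as a first triage pass over a capture, counts bare SYNs per source and destination port. The sample lines are constructed for the example.

```python
import re
from collections import Counter

# One-line TCP format as printed by "tcpdump -n" (numeric addresses).
TCP_LINE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) IP "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): "
    r"Flags \[(?P<flags>[^\]]*)\](?P<rest>.*)$"
)

def parse_line(line):
    """Return the fields of one TCP packet line, or None for lines in
    another format (UDP, ICMP, name-resolved addresses, ...)."""
    m = TCP_LINE.match(line.strip())
    if not m:
        return None
    pkt = m.groupdict()
    pkt["sport"] = int(pkt["sport"])
    pkt["dport"] = int(pkt["dport"])
    rest = pkt.pop("rest")
    # seq/ack/win/length follow the flags; each is optional.
    for key in ("seq", "ack", "win", "length"):
        mm = re.search(r"\b%s (\d+)" % key, rest)
        pkt[key] = int(mm.group(1)) if mm else None
    return pkt

def syn_counts(lines):
    """Count connection attempts (Flags [S]) per (source, destination port).
    One source hitting many ports with bare SYNs is the shape of a port
    scan, so this is a cheap first summary of a capture."""
    counts = Counter()
    for line in lines:
        pkt = parse_line(line)
        if pkt and pkt["flags"] == "S":
            counts[(pkt["src"], pkt["dport"])] += 1
    return counts

# Constructed sample output (the first line is the article's example).
SAMPLE = """\
14:21:46.134249 IP 10.0.2.15.54000 > 104.16.168.35.443: Flags [.], ack 2915, win 63000, length 0
14:21:46.201113 IP 10.0.2.15.54001 > 104.16.168.35.443: Flags [S], seq 1, win 64240, length 0
14:21:46.202540 IP 10.0.2.15.54002 > 104.16.168.35.22: Flags [S], seq 1, win 64240, length 0
14:21:46.300771 IP 10.0.2.15.54003 > 104.16.168.35.22: Flags [S], seq 1, win 64240, length 0
14:21:46.412008 IP 10.0.2.15.47285 > 10.0.2.3.53: UDP, length 33
""".splitlines()

if __name__ == "__main__":
    for (src, port), n in syn_counts(SAMPLE).items():
        print("%s -> port %d: %d SYN(s)" % (src, port, n))
```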
Filter tcpdump traffic
One of the best features of tcpdump is that we can filter out exactly the traffic we want to see. Without filtering traffic by adapter (as seen above), port number, and packet protocol, the amount of captured traffic can quickly become overwhelming and nearly impossible to sift through.
Despite the name tcpdump, we can use the tool to filter all kinds of traffic, not just TCP. For example, use the following syntax to filter for traffic that uses UDP.
# tcpdump -n udp
Or the following example that filters out ICMP:
# tcpdump -n icmp
You can also use the corresponding protocol number to filter out a specific protocol. For example, ICMP is protocol number 1, so the following syntax will do the same as the previous example.
# tcpdump -n proto 1
To see a full list of networking protocols and their corresponding numbers, check out the list of IP protocol numbers on Wikipedia.
To filter traffic with a specific destination or source IP address, we can use the host qualifier with the -n option. For example, to filter traffic related to the host at IP address 10.10.150.20:
# tcpdump -n host 10.10.150.20
Alternatively, use the net qualifier if you want to filter traffic to or from an entire network. For example, the following command will filter traffic related to the 192.168.1.0/24 network.
# tcpdump -n net 192.168.1
Use the port and portrange qualifiers to filter packets related to a specific port or port range, respectively. For example, the following command will filter traffic related to port 80 (HTTP).
# tcpdump -n port 80
Or, to filter traffic from ports 20-30, the following command would be used.
# tcpdump -n portrange 20-30
Add the dst, src, src and dst, and src or dst qualifiers if you want to filter based on the source and/or destination address or port of the packets. For example, the following command will filter packets that have a source IP address of 10.10.150.20.
# tcpdump -n src host 10.10.150.20
Or in this example, we filter out packets that are destined for the SSH port (port 22).
# tcpdump -n dst port 22
Combining filters
We can combine the various filters covered above by using the and (&&), or (||), and not (!) operators in our tcpdump command.
For example, the following command will capture traffic that’s destined for 10.10.150.20
on port 80 (HTTP).
# tcpdump -n dst host 10.10.150.20 and tcp port 80
Or create even more granular filters by further combining rules inside parentheses. For example, this command will do the same as the previous, but also capture port 443 (HTTPS).
# tcpdump -n 'dst host 10.10.150.20 and (tcp port 80 or tcp port 443)'
The command can get rather complex and accept very granular input, which allows us to filter out the exact traffic we want to see.
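For the host/net/port filters and their combination with and, or and not, the following Python is an added example (not part of the original article): it validates the addresses, composes the expression with the parenthesisation shown above, and hands it to tcpdump as a single argv element so no shell quoting is involved. The interface name and packet count are assumed defaults.

```python
import ipaddress
import subprocess

def host_or_net(value):
    """Validate an address or CIDR and pick the matching BPF primitive:
    a single address becomes 'host X', a prefix becomes 'net X/len'."""
    net = ipaddress.ip_network(value, strict=False)
    if net.num_addresses == 1:
        return "host %s" % net.network_address
    return "net %s" % net.with_prefixlen

def build_filter(dst=None, src=None, tcp_ports=(), exclude_ports=()):
    """Compose a filter the way the article does: address terms joined with
    'and', alternative ports grouped with 'or' inside parentheses, and
    ports to ignore (e.g. your own SSH session) negated with 'not'."""
    terms = []
    if dst:
        terms.append("dst " + host_or_net(dst))
    if src:
        terms.append("src " + host_or_net(src))
    if tcp_ports:
        ports = ["tcp port %d" % int(p) for p in tcp_ports]
        terms.append(ports[0] if len(ports) == 1 else "(" + " or ".join(ports) + ")")
    for p in exclude_ports:
        terms.append("not port %d" % int(p))
    return " and ".join(terms)

def tcpdump_argv(expr, interface="enp0s3", count=15, outfile=None):
    """argv for subprocess.run: -n (no DNS), -c (bounded capture) and
    optionally -w to write a pcap; the filter is the last argument."""
    argv = ["tcpdump", "-n", "-i", interface, "-c", str(count)]
    if outfile:
        argv += ["-w", outfile]
    return argv + [expr]

if __name__ == "__main__":
    expr = build_filter(dst="10.10.150.20", tcp_ports=[80, 443], exclude_ports=[22])
    argv = tcpdump_argv(expr, outfile="traffic.pcap")
    print(" ".join(argv))
    # Needs root/sudo, as every tcpdump invocation does:
    # subprocess.run(argv, check=True)
```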