Linux tcpdump command

Filed Under: UNIX/Linux

tcpdump is a command-line utility that captures and analyzes the network traffic passing through a system. With the right filtering options, it is an effective tool for troubleshooting almost any kind of network issue, which is why it is so commonly used by sysadmins.

In this tutorial, we shall look at some of the ways of using tcpdump, but not all: the command has far too many filtering options to cover here. We shall only look at some of the commonly used options; the rest are documented on the man page.


Installing tcpdump command

You can check if your system has the tcpdump command, by typing

tcpdump --version

If the output shows that it is not installed, you can directly get it using your system’s package manager.

NOTE: Since we will be capturing packets, we need elevated permissions (sudo is required), so we will be prefixing all tcpdump commands with sudo.


List interfaces for packet capture

Before actively capturing packets, we shall look at the interfaces available to tcpdump.

We can list interfaces using the -D (Display) option.

sudo tcpdump -D

You will get a list of all available interfaces on your machine. This will vary from system to system; mine has some extra interfaces, such as Docker's, because the Docker service is running, in addition to the usual network interfaces.

The special interface any captures on all active interfaces at once.

Now that we know the available interfaces on our machine, let’s start capturing packets!


Capture Packets using tcpdump

Capture all packets in any interface by running this command:

sudo tcpdump -i any

This will specify the interface to be any, the special interface mentioned earlier.

tcpdump continues to capture packets until it receives an interrupt signal. You can interrupt capturing by pressing Ctrl+C.

The output lists all captured packets up to the point where the interrupt signal terminated tcpdump.

tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on any, link-type LINUX_SLL (Linux cooked), capture size 262144 bytes
10:49:32.841984 IP 111.11.111.11.vultr.com.ssh > 123.45.678.90.48006: Flags [P.], seq 4132693749:4132693857, ack 3344962610, win 1002, options [nop,nop,TS val 135269404 ecr 1623818400], length 108
10:49:32.842057 IP 111.11.111.11.vultr.com.ssh > 123.45.678.90.48006: Flags [P.], seq 108:144, ack 1, win 1002, options [nop,nop,TS val 135269404 ecr 1623818400], length 36
10:49:32.842101 IP 111.11.111.11.vultr.com.ssh > 123.45.678.90.48006: Flags [P.], seq 144:260, ack 1, win 1002, options [nop,nop,TS val 135269404 ecr 1623818400], length 116
10:49:32.842135 IP 111.11.111.11.vultr.com.ssh > 123.45.678.90.48006: Flags [P.], seq 260:296, ack 1, win 1002, options [nop,nop,TS val 135269404 ecr 1623818400], length 36
...
...
^C
264 packets captured
361 packets received by filter
91 packets dropped by kernel

As you can observe, tcpdump captured 264 packets. Since I am connected to this server using ssh, many of these are the packets of the ssh session itself. Note also the last line of the summary: 91 packets were dropped by the kernel because its capture buffer filled faster than tcpdump could read it, so this capture is not a complete record of the traffic.

Limit number of Packet captures

To limit the number of packets captured and stop tcpdump, use the -c (capture limit) option:

sudo tcpdump -i any -c 2

This will cause the tcpdump command to stop capturing automatically after 2 packets, so we do not need to send an interrupt signal to terminate it manually.

tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on any, link-type LINUX_SLL (Linux cooked), capture size 262144 bytes
10:57:31.284198 IP 111.11.111.11.vultr.com.ssh > 123.45.678.90.48006: Flags [P.], seq 4132754245:4132754353, ack 3344963698, win 1002, options [nop,nop,TS val 135747845 ecr 1624296856], length 108
10:57:31.284275 IP 111.11.111.11.vultr.com.ssh > 123.45.678.90.48006: Flags [P.], seq 108:144, ack 1, win 1002, options [nop,nop,TS val 135747845 ecr 1624296856], length 36
2 packets captured
16 packets received by filter
8 packets dropped by kernel

This option is useful when monitoring network connections to troubleshoot an issue, when only a small sample of packets is needed.


Disable name and port resolution

By default, tcpdump resolves IP addresses to host names and port numbers to service names (as in vultr.com.ssh above, where the address was resolved to a host name and port 22 to ssh).

When troubleshooting network issues, it is often easier to work with the raw IP addresses and port numbers. The -n option disables host name resolution, and -nn additionally disables port (service) name resolution.

sudo tcpdump -i any -c 2 -nn

The above command captures 2 packets on any interface, with both host name and port name resolution disabled.

The output no longer shows any resolved names, and simply gives IP addresses and port numbers.

tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on any, link-type LINUX_SLL (Linux cooked), capture size 262144 bytes
11:00:36.459922 IP 111.11.111.11.22 > 123.45.678.90.48006: Flags [P.], seq 4132755513:4132755621, ack 3344963838, win 1002, options [nop,nop,TS val 135933020 ecr 1624482048], length 108
11:00:36.459982 IP 111.11.111.11.22 > 123.45.678.90.48006: Flags [P.], seq 108:144, ack 1, win 1002, options [nop,nop,TS val 135933020 ecr 1624482048], length 36
2 packets captured
8 packets received by filter
0 packets dropped by kernel

Here, let us examine a line of the output.

11:00:36.459922 IP 111.11.111.11.22 > 123.45.678.90.48006: Flags [P.], seq 4132755513:4132755621, ack 3344963838, win 1002, options [nop,nop,TS val 135933020 ecr 1624482048], length 108

This is a typical TCP packet capture. Other protocol packets and formats can be referred to in the tcpdump command manual page.

The first field, 11:00:36.459922, represents the timestamp of the received packet as per the local clock.

Next, IP represents the network layer protocol—in this case, IPv4. For IPv6 packets, the value is IP6.

The next field, 111.11.111.11.22, is the source IP address and port. This is followed by the destination IP address and port, represented by 123.45.678.90.48006.
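To make the output format concrete, here is an added example (not part of the original tutorial) that parses tcpdump summary lines in the two shapes shown on this page, the TCP line and the ICMP line, into structured records, and also reads the three-line summary tcpdump prints on exit. The sample output is constructed in the same format as the captures above, using documentation addresses rather than the tutorial's; the function and field names are my own. The completeness check on the "dropped by kernel" counter is the detail a practitioner most often wants: a nonzero value means the kernel's capture buffer overflowed and some matching packets never reached tcpdump.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Optional

# A tcpdump summary line, in the two shapes shown in this tutorial:
#   <time> IP <src>.<port> > <dst>.<port>: Flags [...], ..., length N   (TCP)
#   <time> IP <src> > <dst>: ICMP echo request, id I, seq S, length N   (ICMP)
# Endpoints may be numeric (-nn) or resolved names such as host.vultr.com.ssh.
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) (?P<net>IP6?) (?P<src>\S+) > (?P<dst>[^:]+): (?P<rest>.*)$"
)
# The three-line trailer tcpdump prints when it exits.
TRAILER_RE = re.compile(
    r"^(?P<n>\d+) packets (?P<what>captured|received by filter|dropped by kernel)$"
)


@dataclass
class Packet:
    ts: str
    net: str               # "IP" (IPv4) or "IP6"
    src: str
    sport: Optional[str]   # None for ICMP, which has no ports
    dst: str
    dport: Optional[str]
    proto: str             # "TCP", "ICMP" or "other"
    length: int


def split_endpoint(endpoint, has_port):
    """'192.0.2.10.22' -> ('192.0.2.10', '22'). The port is always the last
    dotted component, whether it is numeric or a service name like 'ssh'."""
    if not has_port:
        return endpoint, None
    host, _, port = endpoint.rpartition(".")
    return host, port


def parse_line(line):
    """Parse one summary line; returns a Packet, or None for banner/other lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rest = m["rest"]
    if rest.startswith("Flags ["):
        proto = "TCP"
    elif rest.startswith("ICMP"):
        proto = "ICMP"
    else:
        proto = "other"
    src, sport = split_endpoint(m["src"], proto == "TCP")
    dst, dport = split_endpoint(m["dst"], proto == "TCP")
    length = re.search(r"length (\d+)", rest)
    return Packet(m["ts"], m["net"], src, sport, dst, dport, proto,
                  int(length.group(1)) if length else 0)


def parse_capture(text):
    """Split a full tcpdump run into (packets, exit counters)."""
    packets, counters = [], {}
    for line in text.splitlines():
        t = TRAILER_RE.match(line.strip())
        if t:
            counters[t["what"]] = int(t["n"])
            continue
        p = parse_line(line)
        if p:
            packets.append(p)
    return packets, counters


def protocol_counts(packets):
    return dict(Counter(p.proto for p in packets))


def capture_is_complete(counters):
    """'dropped by kernel' > 0 means the kernel ran out of buffer space and some
    matching packets never reached tcpdump, so the capture is not a full record."""
    return counters.get("dropped by kernel", 0) == 0


# Constructed sample output in the format shown above (documentation addresses).
SAMPLE = """\
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on any, link-type LINUX_SLL (Linux cooked), capture size 262144 bytes
10:49:32.841984 IP 192.0.2.10.22 > 198.51.100.7.48006: Flags [P.], seq 1:109, ack 1, win 1002, options [nop,nop,TS val 1 ecr 2], length 108
10:49:32.842057 IP 198.51.100.7.48006 > 192.0.2.10.22: Flags [.], ack 109, win 501, options [nop,nop,TS val 2 ecr 1], length 0
11:18:47.947475 IP 198.51.100.7 > 192.0.2.10: ICMP echo request, id 6068, seq 1, length 64
11:18:47.947554 IP 192.0.2.10 > 198.51.100.7: ICMP echo reply, id 6068, seq 1, length 64
^C
4 packets captured
6 packets received by filter
2 packets dropped by kernel
"""

if __name__ == "__main__":
    pkts, ctrs = parse_capture(SAMPLE)
    for p in pkts:
        print(f"{p.proto:4} {p.src}:{p.sport} -> {p.dst}:{p.dport} len={p.length}")
    print(protocol_counts(pkts), "complete:", capture_is_complete(ctrs))
```

Feeding it a real run is a matter of `parse_capture(open("capture.txt").read())` after redirecting tcpdump's output to a file; the parser deliberately ignores the banner lines and the `^C` echo rather than failing on them.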

Now that we know the basic output format, let us look at some of the filtering options for tcpdump.


Filtering Packets

One of tcpdump command’s most powerful features is its ability to filter the captured packets using a variety of parameters, such as source and destination IP addresses, ports, protocols, etc. Let’s look at some of the most common ones.

Filter based on Protocol

To filter packets based on protocol, we need to specify the protocol in the command.

To capture ICMP packets only, we can filter based on ICMP protocol.

sudo tcpdump -i any -c 5 icmp

Since the ping command uses ICMP packets, we can use this filter to analyze the packets that arrive when another machine pings us.

Let’s ping our current machine and capture the incoming ping packets.

Open a terminal session on another machine, and type

ping IP_ADDRESS_MACHINE_1

Back in our tcpdump terminal session, we can see that it captures the ICMP echo request and echo reply packets.

tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on any, link-type LINUX_SLL (Linux cooked), capture size 262144 bytes
11:18:47.947475 IP 123.45.678.90 > 111.11.111.11.vultr.com: ICMP echo request, id 6068, seq 1, length 64
11:18:47.947554 IP 111.11.111.11.vultr.com > 123.45.678.90: ICMP echo reply, id 6068, seq 1, length 64
11:18:48.947669 IP 123.45.678.90 > 111.11.111.11.vultr.com: ICMP echo request, id 6068, seq 2, length 64
11:18:48.947752 IP 111.11.111.11.vultr.com > 123.45.678.90: ICMP echo reply, id 6068, seq 2, length 64
11:18:49.947853 IP 123.45.678.90 > 111.11.111.11.vultr.com: ICMP echo request, id 6068, seq 3, length 64
5 packets captured
6 packets received by filter
0 packets dropped by kernel

Here, 123.45.678.90 is the IP Address of the machine (Machine 2) which sends ping to our tcpdump system, and 111.11.111.11 is the IP Address of the packet filtering machine (Machine 1).

Since I was using ssh to send the ping requests, there is a domain resolution (but no name resolution) to vultr.com.

Filter based on Host

To limit the capture to only the packets related to a specific host, we can use the host filter.

sudo tcpdump -i any -c5 -nn host 192.168.1.2

In this example, tcpdump captures and displays only packets to and from host 192.168.1.2.

Filter based on Port

To filter packets based on the desired service or port, use the port filter. For example, capture packets related to an ssh session by using this command (port 22 filtering):

sudo tcpdump -i any -c5 -nn port 22

Filter based on Source IP/hostname

You can also filter packets based on the source or destination IP address or hostname. For example, to capture packets from host 192.168.1.2:

sudo tcpdump -i any -c 5 -nn src 192.168.1.2

We can use dst to filter by destination IP/hostname also.

sudo tcpdump -i any -c 5 -nn dst 172.168.1.2
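The filters above (protocol, host, port, src, dst) are primitives of tcpdump's filter language, and they can be combined with and, or, not and parentheses. As an added example, not part of the original tutorial, the following code implements a small recursive-descent parser for that subset of the grammar and evaluates the resulting expression over constructed flow records, so you can see exactly what each primitive matches: host matches a packet in either direction, src and dst pick one side, and port matches either the source or destination port. The Flow records, their addresses and all function names are my own; tcpdump itself compiles such expressions to BPF in the kernel, which this example does not attempt to reproduce.

```python
import re
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Flow:
    proto: str            # "tcp", "udp" or "icmp"
    src: str
    sport: Optional[int]  # None for ICMP
    dst: str
    dport: Optional[int]


# Constructed sample records (documentation addresses): an ssh session in both
# directions, a DNS query, and one ICMP echo request.
SAMPLE = [
    Flow("tcp", "192.0.2.10", 22, "198.51.100.7", 48006),
    Flow("tcp", "198.51.100.7", 48006, "192.0.2.10", 22),
    Flow("udp", "192.0.2.10", 51234, "192.0.2.53", 53),
    Flow("icmp", "198.51.100.7", None, "192.0.2.10", None),
]

TOKEN_RE = re.compile(r"\(|\)|[^\s()]+")
IPV4_RE = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")


class FilterParser:
    """Recursive-descent parser for a subset of tcpdump's filter grammar,
    compiled to a predicate over Flow records:
        expr      := term ('or' term)*
        term      := factor ('and' factor)*
        factor    := 'not' factor | '(' expr ')' | primitive
        primitive := [src|dst] host ADDR | [src|dst] port NUM | tcp | udp | icmp
    As in tcpdump, 'host' may be omitted ("src 192.0.2.10"), and a bare
    address means "host ADDR"."""

    def __init__(self, expression):
        self.toks = TOKEN_RE.findall(expression)
        self.i = 0

    def peek(self):
        return self.toks[self.i] if self.i < len(self.toks) else None

    def take(self):
        tok = self.peek()
        if tok is None:
            raise ValueError("unexpected end of filter expression")
        self.i += 1
        return tok

    def parse(self):
        pred = self.expr()
        if self.peek() is not None:
            raise ValueError(f"unexpected token {self.peek()!r}")
        return pred

    def expr(self):
        pred = self.term()
        while self.peek() == "or":
            self.take()
            pred = (lambda a, b: lambda f: a(f) or b(f))(pred, self.term())
        return pred

    def term(self):
        pred = self.factor()
        while self.peek() == "and":
            self.take()
            pred = (lambda a, b: lambda f: a(f) and b(f))(pred, self.factor())
        return pred

    def factor(self):
        if self.peek() == "not":
            self.take()
            inner = self.factor()
            return lambda f: not inner(f)
        if self.peek() == "(":
            self.take()
            pred = self.expr()
            if self.take() != ")":
                raise ValueError("missing ')'")
            return pred
        return self.primitive()

    def primitive(self):
        tok = self.take()
        if tok in ("tcp", "udp", "icmp"):
            return lambda f, p=tok: f.proto == p
        direction = None
        if tok in ("src", "dst"):
            direction, tok = tok, self.take()
        if tok == "port":
            return self.port(direction, int(self.take()))
        if tok == "host":
            tok = self.take()
        if direction or IPV4_RE.match(tok):
            return self.host(direction, tok)
        raise ValueError(f"unknown primitive {tok!r}")

    @staticmethod
    def host(direction, addr):
        # Plain "host" matches either direction; src/dst pick one side.
        if direction == "src":
            return lambda f: f.src == addr
        if direction == "dst":
            return lambda f: f.dst == addr
        return lambda f: addr in (f.src, f.dst)

    @staticmethod
    def port(direction, number):
        if direction == "src":
            return lambda f: f.sport == number
        if direction == "dst":
            return lambda f: f.dport == number
        return lambda f: number in (f.sport, f.dport)


def apply_filter(expression, flows):
    """Return the flows a given tcpdump-style expression would keep."""
    pred = FilterParser(expression).parse()
    return [f for f in flows if pred(f)]


if __name__ == "__main__":
    for expr in ("host 192.0.2.10", "src 192.0.2.10", "dst port 22", "tcp and not port 22"):
        print(f"{expr:25} -> {len(apply_filter(expr, SAMPLE))} packet(s)")
```

The same precedence rules apply in tcpdump: and binds tighter than or, so "src host 198.51.100.7 and (icmp or dst port 22)" needs the parentheses, and a malformed expression such as a trailing "port" with no number is rejected before any packet is examined, just as tcpdump refuses to start on a bad filter.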

Save Packet captures

We can save the results of the packet captures into a file for analysis later.

To save packets to a file instead of displaying them on screen, use the option -w:

sudo tcpdump -i any -c 5 -nn -w sample.pcap port 22

This command saves the output in a file named sample.pcap. The .pcap extension stands for "packet capture" and is the convention for this file format.
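Because a .pcap file is what you will hand to other tools or keep as evidence, it helps to know what -w actually writes. The following is an added example, not code from the tutorial or from tcpdump: it writes and reads the classic libpcap file format (a 24-byte global header followed by one 16-byte header plus data per packet) with Python's struct module, handling both byte orders and the nanosecond-timestamp variant of the magic number, and rejecting files whose record lengths are inconsistent or that end mid-record, which is what you see when a capture was cut off or the file was tampered with. The sample packets are constructed byte strings, not real frames; the link type 113 (LINUX_SLL, "Linux cooked") is the one the banner above shows for -i any, and the snaplen mirrors the "capture size" it reports.

```python
import struct

PCAP_MAGIC_US = 0xA1B2C3D4      # classic pcap, microsecond timestamps
PCAP_MAGIC_NS = 0xA1B23C4D      # variant with nanosecond timestamps
LINKTYPE_ETHERNET = 1
LINKTYPE_LINUX_SLL = 113        # "Linux cooked", the link type -i any produces


def write_pcap(packets, linktype=LINKTYPE_LINUX_SLL, snaplen=262144):
    """Serialise (ts_sec, ts_usec, raw_bytes) tuples into a classic pcap file.
    Global header: magic, version 2.4, thiszone, sigfigs, snaplen, linktype."""
    out = bytearray(struct.pack("<IHHiIII", PCAP_MAGIC_US, 2, 4, 0, 0, snaplen, linktype))
    for ts_sec, ts_usec, data in packets:
        captured = data[:snaplen]   # at most snaplen bytes are stored per packet ...
        out += struct.pack("<IIII", ts_sec, ts_usec, len(captured), len(data))  # ... orig_len keeps the wire length
        out += captured
    return bytes(out)


def read_pcap(blob):
    """Parse a pcap file held in memory into (header, records).
    Handles both byte orders and both timestamp resolutions, and rejects files
    whose record lengths are inconsistent or that end in the middle of a record."""
    if len(blob) < 24:
        raise ValueError("shorter than the 24-byte pcap global header")
    for endian in ("<", ">"):
        magic = struct.unpack(endian + "I", blob[:4])[0]
        if magic in (PCAP_MAGIC_US, PCAP_MAGIC_NS):
            break
    else:
        raise ValueError(f"not a pcap file (magic {blob[:4].hex()})")
    frac_divisor = 1e9 if magic == PCAP_MAGIC_NS else 1e6
    major, minor, _zone, _sigfigs, snaplen, linktype = struct.unpack(endian + "HHiIII", blob[4:24])
    header = {"version": (major, minor), "snaplen": snaplen, "linktype": linktype,
              "nanoseconds": magic == PCAP_MAGIC_NS}
    records, off = [], 24
    while off < len(blob):
        if off + 16 > len(blob):
            raise ValueError(f"truncated record header at offset {off}")
        ts_sec, ts_frac, incl_len, orig_len = struct.unpack(endian + "IIII", blob[off:off + 16])
        off += 16
        if incl_len > orig_len or incl_len > snaplen:
            raise ValueError(f"inconsistent lengths at offset {off - 16}: incl={incl_len} orig={orig_len}")
        if off + incl_len > len(blob):
            raise ValueError(f"truncated packet data at offset {off}")
        records.append({
            "ts": ts_sec + ts_frac / frac_divisor,
            "data": blob[off:off + incl_len],
            "wire_len": orig_len,
            "truncated": incl_len < orig_len,   # the snaplen cut this packet short
        })
        off += incl_len
    return header, records


# Constructed sample: two "packets" of arbitrary bytes (not real frames), written
# with a small snaplen so that the second one is stored truncated.
SAMPLE_PACKETS = [
    (1700000000, 123456, bytes(range(40))),
    (1700000001, 500000, bytes(range(100))),
]


def roundtrip(snaplen=64):
    """Write the sample packets to an in-memory pcap and parse it back."""
    return read_pcap(write_pcap(SAMPLE_PACKETS, snaplen=snaplen))


if __name__ == "__main__":
    header, recs = roundtrip()
    print(header)
    for r in recs:
        print(f"ts={r['ts']:.6f} stored={len(r['data'])} wire={r['wire_len']} truncated={r['truncated']}")
```

To inspect a real file written by the command above, read it with `read_pcap(open("sample.pcap", "rb").read())`; a record flagged truncated means the packet was longer than the snaplen in force when tcpdump wrote it, so any payload analysis of that packet is working from an incomplete copy.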


Conclusion

In this tutorial, we learned how we could perform packet capturing and filtering based on different options, using the tcpdump command.

