tcpdump command

tcpdump is a packet analyzer in Linux that allows you to intercept network packets and log them or display them on the screen. This tool is used for advanced network troubleshooting and enables you to examine network data in the raw form.

Used without any options, tcpdump will capture all the packets flowing through all the interfaces on the system:

[Screenshot: linux tcpdump command]

You can specify a particular ethernet interface using the -i option:

[Screenshot: linux tcpdump interface]

Once it’s run, tcpdump begins printing lines, one for each packet it intercepts. These lines include a time stamp, the protocol of the packet (IP in all of these examples), the source system name or IP address and port, the destination system name or IP address and port, and packet-specific information. tcpdump keeps running until you terminate it by pressing Ctrl+C.

Consider the following line:

[Screenshot: linux tcpdump example line]

Here is a description of each field:

  • 20:38:29.014324 – the time stamp.
  • IP – the protocol of the packet.
  • text-lb.esams.wikimedia.org.http – the source system name (text-lb.esams.wikimedia.org) and port (http = port 80).
  • 192.168.198.128.54543 – the destination system IP address (192.168.198.128) and port (54543).
  • ack 2 win 64239 – packet-specific information.

To display packets in ASCII (useful for capturing web pages), use the -A option:

[Screenshot: linux tcpdump ascii]

To capture all packets arriving at or departing from the host with the IP address of 192.168.198.2, we can use the following command:

[Screenshot: linux tcpdump host]

To capture only the packets of a specific protocol type, you need to specify the protocol (for example, IP, IP6, ARP, TCP or UDP). For example, to capture only the TCP traffic, use the following command:

[Screenshot: linux tcpdump tcp]

To capture packets to and from a particular port, use the port option:

[Screenshot: linux tcpdump port]

To capture packets with a human-readable timestamp, use the -tttt option:

[Screenshot: linux tcpdump timestamp]

To save the captured packets to a file, use the -w option:

[Screenshot: linux tcpdump file]

To read a tcpdump file, use the -r option:

[Screenshot: linux tcpdump read file]
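The field breakdown given earlier (time stamp, protocol, source host and port, destination host and port, TCP details) and the file that -w writes and -r reads are easier to understand when you see the bytes behind them. The following Python program is an added example, not code from the original article: it builds one constructed TCP segment (the 10.0.0.1 / 192.168.198.128 addresses, ports 80 and 54543, and the time stamp are sample values), saves it in the libpcap file format that tcpdump -w produces, reads it back the way tcpdump -r does, and prints a line in the same layout as the article's example.

```python
"""Minimal pcap writer/reader that prints packets the way tcpdump does.

Added example, not from the original page.  All addresses, ports and the
time stamp are constructed sample values, not a real capture.
"""
import datetime
import os
import socket
import struct
import tempfile

PCAP_MAGIC = 0xA1B2C3D4       # native-order pcap with microsecond time stamps
LINKTYPE_ETHERNET = 1
ETHERTYPE_IPV4 = 0x0800
IPPROTO_TCP = 6
# tcpdump's flag letters in the order it prints them ("." means ACK).
TCP_FLAG_ORDER = [(0x01, "F"), (0x02, "S"), (0x04, "R"), (0x08, "P"),
                  (0x10, "."), (0x20, "U"), (0x40, "E"), (0x80, "W")]


def ip_checksum(header):
    """RFC 1071 one's-complement sum over an IPv4 header (checksum field zeroed)."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_tcp_frame(src_ip, sport, dst_ip, dport, seq, ack, flags, window, payload=b""):
    """Constructed Ethernet/IPv4/TCP frame. The TCP checksum is left at zero
    (tcpdump -vv would report it as bad); the IPv4 header checksum is valid."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, flags, window, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp) + len(payload), 0x1234,
                     0x4000, 64, IPPROTO_TCP, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    ip = ip[:10] + struct.pack("!H", ip_checksum(ip)) + ip[12:]
    eth = bytes.fromhex("020000000001" "020000000002") + struct.pack("!H", ETHERTYPE_IPV4)
    return eth + ip + tcp + payload


def write_pcap(path, records):
    """Write (sec, usec, frame) records in the file format tcpdump -w emits."""
    with open(path, "wb") as fh:
        fh.write(struct.pack("=IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET))
        for sec, usec, frame in records:
            fh.write(struct.pack("=IIII", sec, usec, len(frame), len(frame)) + frame)


def read_pcap(path):
    """Read a native-order pcap file into (sec, usec, frame) records, as tcpdump -r does."""
    with open(path, "rb") as fh:
        data = fh.read()
    magic, _, _, _, _, _, linktype = struct.unpack_from("=IHHiIII", data, 0)
    if magic != PCAP_MAGIC or linktype != LINKTYPE_ETHERNET:
        raise ValueError("unsupported pcap header")
    off, records = 24, []
    while off + 16 <= len(data):
        sec, usec, caplen, _ = struct.unpack_from("=IIII", data, off)
        off += 16
        records.append((sec, usec, data[off:off + caplen]))
        off += caplen
    return records


def parse_frame(frame):
    """Decode Ethernet > IPv4 > TCP into the fields tcpdump prints; None otherwise."""
    if struct.unpack_from("!H", frame, 12)[0] != ETHERTYPE_IPV4:
        return None
    ip = frame[14:]
    if ip[9] != IPPROTO_TCP:
        return None
    ihl, total_len = (ip[0] & 0x0F) * 4, struct.unpack_from("!H", ip, 2)[0]
    tcp = ip[ihl:total_len]
    sport, dport, seq, ack, offres, flags, window = struct.unpack_from("!HHIIBBH", tcp)
    return {"src": socket.inet_ntoa(ip[12:16]), "sport": sport,
            "dst": socket.inet_ntoa(ip[16:20]), "dport": dport, "seq": seq, "ack": ack,
            "flags": flags, "window": window, "length": len(tcp) - (offres >> 4) * 4}


def tcp_flags(flags):
    return "".join(ch for bit, ch in TCP_FLAG_ORDER if flags & bit) or "none"


def format_line(sec, usec, f):
    """One tcpdump-style line. Hosts and ports stay numeric (as with tcpdump -n);
    the clock is rendered in UTC for reproducibility (tcpdump prints local time)."""
    clock = datetime.datetime.fromtimestamp(sec, tz=datetime.timezone.utc).strftime("%H:%M:%S")
    return "%s.%06d IP %s.%d > %s.%d: Flags [%s], ack %d, win %d, length %d" % (
        clock, usec, f["src"], f["sport"], f["dst"], f["dport"],
        tcp_flags(f["flags"]), f["ack"], f["window"], f["length"])


def demo():
    """Write one constructed ACK segment to a temporary pcap and read it back."""
    frame = build_tcp_frame("10.0.0.1", 80, "192.168.198.128", 54543,
                            seq=1, ack=2, flags=0x10, window=64239)
    path = os.path.join(tempfile.mkdtemp(), "sample.pcap")
    write_pcap(path, [(1609459200, 14324, frame)])   # 2021-01-01 00:00:00.014324 UTC
    lines = []
    for sec, usec, fr in read_pcap(path):
        fields = parse_frame(fr)
        if fields is not None:
            lines.append(format_line(sec, usec, fields))
    return lines


if __name__ == "__main__":
    for line in demo():
        print(line)
```

The program prints the hosts numerically, which is what tcpdump does when given -n; without it, tcpdump resolves addresses through DNS, which is why the article's example shows text-lb.esams.wikimedia.org.http rather than an address. When reviewing a capture file taken from a system under investigation, -n (or -nn, which also leaves ports numeric) keeps the output stable and avoids issuing lookups for every address in the file. The file written here can also be opened with tcpdump -r or Wireshark, since it is an ordinary pcap file.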

You can also open the captured file in other network protocol analyzers, such as Wireshark.
Geek University 2022