tcpdump is a packet analyzer in Linux that allows you to intercept network packets and log them or display them on the screen. This tool is used for advanced network troubleshooting and enables you to examine network data in the raw form.
Used without any options, tcpdump will capture all the packets flowing through all the interfaces on the system:
You can specify a particular ethernet interface using the -i option:
Once it’s run, tcpdump begins printing lines, one for each packet it intercepts. These lines include a time stamp, the protocol of the packet (IP in all of these examples), the source system name or IP address and port, the destination system name or IP address and port, and packet-specific information. tcpdump keeps running until your terminate it by pressing Ctrl+C.
Consider the following line:
Here is a description of each field:
- 20:38:29.014324 – the time stamp.
- IP – the protocol of the packet.
- text-lb.esams.wikimedia.org.http – the source system name (text-lb.esams.wikimedia.org) and port (http = port 80).
- 192.168.198.128.54543 – the destination system IP address (192.168.198.128) and port (54543).
- ack 2 win 64239 – packet-specific information.
To display packets in ASCII (useful for capturing web pages), use the -A option:
To capture all packets arriving at or departing from the host with the IP address of 192.168.198.2, we can use the following command:
To capture only the packets of a specific protocol type, you need to specify the protocol (for example, IP, IP6, ARP, TCP or UDP). For example, to capture only the TCP traffic, use the following command:
To capture packets to and from a particular port, use the port option:
To capture packets with readable timestamp, use the -tttt option:
To save the captured packets to a file, use the -w option:
To read a tcpdump file, use the -r option: