Linux tcpdump Command with Examples

Featured Image - Linux tcpdump Command with Examples

A network comprises different types of traffic, including legitimate and malicious traffic. A network can also have various types of issues. To handle the network traffic-related issues, we can use the tcpdump command.

The tcpdump tool can capture traffic from various protocols, such as TCP, UDP, ARP, and ICMP. It can help us monitor, capture, and analyze network traffic. It can help us filter the traffic, which helps to speed up the traffic analysis.

It can help to determine the type of traffic floating on a network and help us determine the source of the problem that may have occurred.

Some other activities that we can perform are:

  • Capture network packets from a specific network interface
  • Capture all or a specific number of packets
  • View all network interfaces on a system
  • Save packets into a .pcap file for later review
  • Read the .pcap file
  • Capture packets for a specific protocol, such as TCP

In this tutorial, we will learn to use the tcpdump command through examples and beginner friendly explanations.

Recommended Resource: For an easy and interactive way to build PCap commands online, visit tcpdump101.com. It makes it easy to build commands by providing a simple GUI from which you select the options you want, and you’ll have the full command displayed in the top bar.

using tcpdump101 to build PCap commands

Using the tcpdump Command

The tcpdump command is used in the Linux and UNIX environments. In several distributions, we need to install tcpdump. In other distributions like Ubuntu, it is available by default.

You can verify its existence by executing the command to check the version:

tcpdump --version

The output displays the version of the tcpdump command. If this command exists in the Linux system, it will display the version. If it does not, then there is a command not found error. However, we get version 4.9.3, which means that it is installed by default.

Text Description automatically generated

Capture Network Packets from a Specific Network Interface

If you do not specify an interface, the tcpdump command, by default, will capture packets using all available network interfaces. However, we will specify the network interface with the -i parameter.

tcpdump -i enp0s3

Notice that there is an error. You are using a non-administrative account. To execute the tcpdump command, we must have administrative privileges or use the sudo command.

Text Description automatically generated

Let’s now try it with the sudo command.

sudo tcpdump -i enp0s3

If we have used the sudo command in the last 15 minutes, we will not be prompted with the password to execute the sudo command. After we have executed the command, the packet capture starts immediately.

Text Description automatically generated

For the time being, we can terminate the tcpdump command by pressing Ctrl + C command. Notice that there were 28 packets captured.

Text Description automatically generated

Capture all or Specific Number of Packets

By default, if we use a specific network interface, the tcpdump command will start capturing packets, which will continue until you manually terminate it. An alternate method is to capture only a limited number of packets. For example, we want to capture the 10 packets and then terminate the command automatically. We can specify the number of packets with the -c parameter. To do this, let’s enter the following command:

sudo tcpdump -c 10 -i enp0s3

The tcpdump command starts, captures 10 packets, and then terminates automatically.

Text Description automatically generated

View all Network Interfaces on a System

A system can have several interfaces listed with the -D parameter.

tcpdump -D

Notice that the tcpdump command lists all the available interfaces. The output also includes enp0s3 and lo interfaces.

Text Description automatically generated

Save Packets into a .pcap File for Later Review

The tcpdump command captures packets in real-time. However, it may always be not possible to review or analyze the packets in real-time. You can capture the packets into a file and save the file for review later to solve this problem. To save the packets in a file, we need to use the -w parameter.

sudo tcpdump -w byte.pcap -i enp0s3

Notice that the packet capturing is not being displayed on the screen.

Text Description automatically generated

For the time being, we can terminate the tcpdump command by pressing Ctrl + C command. Notice that there were 57 packets captured.

Text Description automatically generated

Read the .pcap file

After we have saved the packet capture in the byte.pcap file, we can now access it for reading. To do this, we need to use the -r parameter. Enter the following command:

sudo tcpdump -r byte.pcap

Notice that we did not specify the interface this time because we are reading the contents from a file.

A screenshot of a computer Description automatically generated with medium confidence

Capture Packets for a Specific Protocol, such as TCP

By default, tcpdump will capture all types of packets. However, we can filter the packet capture to a specific protocol. For example, we can filter and capture only the TCP packets. We need to use the interface and specify the protocol name, TCP.

Let’s try capturing the ICMP packets. We will open a new terminal window and ping Google’s DNS server, 8.8.8.8. Then, we will capture the same packets using tcpdump.

Open a new terminal window and enter the following ping command:

ping 8.8.8.8

Notice that the ping command starts.

Text Description automatically generated

Let’s switch over to the previous terminal window and execute the following command:

sudo tcpdump -i enp0s3 icmp

Notice that the packet capture for ICMP starts.

Graphical user interface, text Description automatically generated

The packet capture for ICMP will continue as long as we keep the ping running. When we switch over to the terminal window with the ping command, we press Ctrl + C to terminate it. The moment we terminate it and switch to the previous terminal window, we will see the tcpdump command in a pause mode. It is expecting more ICMP traffic, which is no longer there.

A screenshot of a computer Description automatically generated with medium confidence

There are various other parameters that you can use with the tcpdump command. For example, you can use the port parameter to capture port-specific traffic. You need to provide the port number as an argument. You can also capture the traffic from a source IP address by using the src parameter and the IP address. It will capture all traffic generated from the source IP address. Similarly, you can also capture the traffic meant for a specific destination by using the dst parameter. You need to pass the destination IP address to the dst parameter as an argument.

To get more information on tcpdump, we can always get help by using the -h parameter in the following manner:

tcpdump -h

The output displays the list of parameters that can be used with the tcpdump command.

Text Description automatically generated

Conclusion

Well done. Hopefully, this tutorial helped you learn to use the tcpdump command. If you encountered any issues, please feel free to leave a comment, and we’ll get back to we as soon as we can.

0 Shares:
Subscribe
Notify of
guest
Receive notifications when your comment receives a reply. (Optional)
Your username will link to your website. (Optional)

0 Comments
Inline Feedbacks
View all comments
You May Also Like
Usermod Command in Linux
Read More

Usermod Command in Linux

The usermod command allows us to modify an existing user account. With the usermod command, we can make…
Bash Compare Strings
Read More

Bash Compare Strings

Similar to other programming languages, strings in bash is the datatype that holds a sequence of characters. In…