tcpdump – complete guide. How to use tcpdump.

Listing network interfaces in tcpdump

To show the list of network interfaces available on the system, use the -D option:

tcpdump -D

Capturing packets from a specific network interface

By default, tcpdump listens on the lowest-numbered network interface in that list.

To listen on a specific network interface, use the -i option with the interface name as its argument.

For example, to listen to all local (loopback) traffic:

tcpdump -i lo

Packet capture from all available interfaces

If you need to capture traffic from all network interfaces, for example when the system has several network connections, tcpdump provides the special interface name any for this case:

tcpdump -i any

Printing IP addresses without resolving them to DNS names

tcpdump -n

17:19:39.440334 IP 192.168.3.7.22 > 192.168.3.10.51092: Flags [.], ack 720, win 36, length 0

Adjusting tcpdump output verbosity (each additional v adds more detail)

tcpdump -v
tcpdump -vv
tcpdump -vvvv

Capturing packets from a specific IP address or subnet

Capturing packets from the IP address 8.8.8.8

tcpdump src 8.8.8.8

Capturing packets sourced from the subnet 192.168.0.0/24

tcpdump src net 192.168.0.0/24

Packet capture with destination IP address 192.168.0.1

tcpdump dst 192.168.0.1

Capturing packets to the 192.168.10.0/24 subnet

tcpdump dst net 192.168.10.0/24

Capturing packets between two hosts or two subnets

Capturing packets from 10.0.0.1 to 192.168.0.1

tcpdump src 10.0.0.1 and dst 192.168.0.1

Capturing packets from the 10.0.0.0/24 subnet to the 192.168.0.0/24 subnet

tcpdump src net 10.0.0.0/24 and dst net 192.168.0.0/24

Capturing packets between 10.0.0.1 and 192.168.0.1 in both directions

tcpdump host 10.0.0.1 and host 192.168.0.1

Capturing packets between the two subnets 10.0.0.0/24 and 192.168.0.0/24 in both directions

tcpdump net 10.0.0.0/24 and net 192.168.0.0/24

Capturing packets from a specific network protocol

tcpdump can capture traffic of a specific network protocol. Well-known Layer 3 and Layer 4 protocols are selected by name.

Capture only IP packets

tcpdump ip

Capture only ICMP packets

tcpdump icmp

Capture only ARP packets

tcpdump arp

Capturing TCP packets

tcpdump tcp

Capturing UDP packets

tcpdump udp

Capture only TCP packets between 10.10.0.1 and 192.168.1.1 in both directions

tcpdump tcp and host 10.10.0.1 and host 192.168.1.1

Capturing packets from specific TCP/UDP ports

Capturing packets with destination port 80

tcpdump dst port 80

Capturing UDP packets from port 6000

tcpdump udp src port 6000

Capture DNS packets (source or destination port 53)

tcpdump port 53

Capturing packets on port 80 or port 8080

tcpdump port 80 or port 8080

Capturing packets in the port range 1000 to 10000

tcpdump portrange 1000-10000

Excluding specific packets from the capture

Exclude all SSH (port 22) packets and all packets to or from the host 192.168.0.100

tcpdump port not 22 and not host 192.168.0.100

Capturing packets with a specific MAC address

Capturing broadcast traffic (packets with destination MAC address ff:ff:ff:ff:ff:ff)

tcpdump ether dst ff:ff:ff:ff:ff:ff

Capturing packets between 2f:c0:1b:21:4a:c4 and 7a:f4:2b:96:0b:41 in both directions

tcpdump ether host 2f:c0:1b:21:4a:c4 and ether host 7a:f4:2b:96:0b:41

Capturing packets sent or received by 2f:c0:1b:21:4a:c4

tcpdump ether host 2f:c0:1b:21:4a:c4

Saving captured packets to a file (pcap)

Save the first 1000 packets to the file save.pcap:

tcpdump -c 1000 -w save.pcap

Reading a PCAP file

Reading only the TCP packets from a file (filter expressions work on saved files too)

tcpdump -r save.pcap tcp

Rotating PCAP files every 30 minutes (-G is in seconds), with a timestamp in the file name

tcpdump -w /tmp/save-%Y-%m-%d_%H-%M.pcap -G 1800

Capturing packets with high-precision (nanosecond) timestamps

tcpdump --time-stamp-precision nano

Timestamps in date, hour, minute, second and microsecond format

tcpdump -tttt

Capturing TCP SYN packets (the flags byte is at offset 13 of the TCP header; tcp[tcpflags] is a named alias for that byte, and tcp-syn is the bit mask 0x02)

tcpdump "tcp[tcpflags] & (tcp-syn) != 0"
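To make the last two sections concrete (reading a saved pcap and applying the tcp / tcp[tcpflags] filters to it), here is an added example that is not part of the original guide: a small Python reader for the classic pcap format that decodes Ethernet/IPv4/TCP frames and evaluates the same conditions tcpdump's filters express. The pcap bytes, MAC and IP addresses and ports are all constructed inline (they are not captures from the page); the reader assumes link type 1 (Ethernet) and untagged frames.

```python
"""Minimal pcap reader with BPF-style TCP checks (added example, not the page's own code)."""
import struct

PCAP_MAGIC = 0xA1B2C3D4  # classic pcap, microsecond timestamps
LINKTYPE_ETHERNET = 1
# Same bit values tcpdump names tcp-fin, tcp-syn, tcp-rst, tcp-push, tcp-ack
TCP_FIN, TCP_SYN, TCP_RST, TCP_PUSH, TCP_ACK = 0x01, 0x02, 0x04, 0x08, 0x10


def build_frame(src_ip, dst_ip, sport, dport, flags, payload=b""):
    """Constructed Ethernet/IPv4/TCP frame (sample data; checksums left at zero)."""
    tcp_hdr = struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, flags, 65535, 0, 0)
    total_len = 20 + len(tcp_hdr) + len(payload)
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0x4000, 64, 6, 0,
                         bytes(map(int, src_ip.split("."))), bytes(map(int, dst_ip.split("."))))
    eth_hdr = b"\x00\x11\x22\x33\x44\x55" + b"\x66\x77\x88\x99\xaa\xbb" + b"\x08\x00"
    return eth_hdr + ip_hdr + tcp_hdr + payload


# Constructed ARP frame (ethertype 0x0806): must be ignored by a "tcp" filter
ARP_FRAME = b"\xff" * 6 + b"\x00\x11\x22\x33\x44\x55" + b"\x08\x06" + b"\x00" * 28


def build_pcap(frames):
    """Serialize frames into pcap bytes: 24-byte global header, then 16-byte record headers."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", 1700000000 + i, 0, len(frame), len(frame)) + frame
    return out


def iter_pcap(data):
    """Yield (timestamp, frame) for each record; the magic number tells us the byte order."""
    magic = struct.unpack("<I", data[:4])[0]
    if magic == PCAP_MAGIC:
        endian = "<"
    elif magic == 0xD4C3B2A1:
        endian = ">"
    else:
        raise ValueError("not a classic pcap file")
    if struct.unpack(endian + "I", data[20:24])[0] != LINKTYPE_ETHERNET:
        raise ValueError("this example only handles Ethernet link type")
    pos = 24
    while pos + 16 <= len(data):
        ts_sec, ts_usec, incl_len, _orig_len = struct.unpack(endian + "IIII", data[pos:pos + 16])
        pos += 16
        yield ts_sec + ts_usec / 1e6, data[pos:pos + incl_len]
        pos += incl_len


def decode_tcp(frame):
    """Return (src_ip, dst_ip, sport, dport, flags) for an IPv4/TCP frame, else None."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        return None  # not IPv4 (e.g. ARP)
    if frame[23] != 6:
        return None  # IP protocol field is not TCP
    ihl = (frame[14] & 0x0F) * 4
    src_ip = ".".join(map(str, frame[26:30]))
    dst_ip = ".".join(map(str, frame[30:34]))
    tcp = frame[14 + ihl:]
    if len(tcp) < 14:
        return None
    sport, dport = struct.unpack("!HH", tcp[:4])
    flags = tcp[13]  # what tcpdump calls tcp[tcpflags]
    return src_ip, dst_ip, sport, dport, flags


def count_matching(pcap_bytes, want_flags=None, port=None):
    """Count TCP packets; want_flags mirrors "tcp[tcpflags] & (mask) != 0", port mirrors "port N"."""
    n = 0
    for _ts, frame in iter_pcap(pcap_bytes):
        info = decode_tcp(frame)
        if info is None:
            continue
        _src, _dst, sport, dport, flags = info
        if want_flags is not None and (flags & want_flags) == 0:
            continue
        if port is not None and port not in (sport, dport):
            continue
        n += 1
    return n


# Constructed capture: an SSH handshake start, one ACK, one DNS-port SYN, one ARP frame
SAMPLE_PCAP = build_pcap([
    build_frame("10.0.0.1", "192.168.0.1", 51092, 22, TCP_SYN),
    build_frame("192.168.0.1", "10.0.0.1", 22, 51092, TCP_SYN | TCP_ACK),
    build_frame("10.0.0.1", "192.168.0.1", 51092, 22, TCP_ACK),
    build_frame("10.0.0.1", "8.8.8.8", 40000, 53, TCP_SYN),
    ARP_FRAME,
])

if __name__ == "__main__":
    print("tcp            :", count_matching(SAMPLE_PCAP))
    print("tcp SYN set    :", count_matching(SAMPLE_PCAP, want_flags=TCP_SYN))
    print("tcp and port 22:", count_matching(SAMPLE_PCAP, port=22))
```

Note that the SYN-flag test matches the SYN/ACK reply as well as the initial SYN, exactly as tcpdump's "& (tcp-syn) != 0" does; to see only connection attempts you would compare the masked flags to tcp-syn alone.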
