Tcpdump

tcpdump intercepts network traffic, giving administrators a look at what kind of information flows over the existing connections.

Before starting any capture, we need to know which interfaces tcpdump can use. Listing interfaces, like every capture command below, needs sudo or root access.

# tcpdump -D

  1 eth0
  2 nflog
  3 nfqueue
  4 usbmon1
  5 any
  6 lo (Loopback)

If we want to capture traffic on interface eth0, we can initiate that with tcpdump -i eth0; adding -c 10 stops the capture after ten packets:

# tcpdump -i eth0
# tcpdump -i eth0 -c 10

Capture traffic to and from one host

We can limit the capture to traffic involving a specific host. For example, to see traffic coming from and going to 8.8.8.8, we can use the command:

# tcpdump -i eth0 -c 10 host 8.8.8.8

Traffic coming from 8.8.8.8 (src):

# tcpdump -i eth0 src host 8.8.8.8

Outbound traffic going to 8.8.8.8 (dst):

# tcpdump -i eth0 dst host 8.8.8.8

Capture traffic to and from a network

We can also capture traffic to and from a specific network (a subnet given in CIDR notation) using the command below:

# tcpdump -i eth0 net 10.1.0.0/24

We can also filter based on the source (traffic coming from):

# tcpdump -i eth0 src net 10.1.0.0/24

We can also filter based on the destination (traffic going to):

# tcpdump -i eth0 dst net 10.1.0.0/24

Capture traffic to and from port numbers

Capture only DNS port 53 traffic:

# tcpdump -i eth0 port 53

Specific host and port:

# tcpdump -i eth0 host 8.8.8.8 and port 53

To capture only HTTPS traffic:

# tcpdump -i eth0 -c 10 host www.google.com and port 443

To capture traffic on all ports except port 80 and 25:

# tcpdump -i eth0 port not 80 and not 25

Save packets to a file

Use the option -w (here combined with -nn, which keeps hosts and ports numeric instead of resolving them to names; the saved file can later be read back with -r):

# sudo tcpdump -i any -c 10 -nn -w file_name.pcap port 443
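Once a capture is reduced with host, net and port filters, the next step is usually to inspect what is left. The following Python script is an added example, not part of the original post: it parses the lines that tcpdump -nn prints, counts outbound packets leaving the local network per destination port, and flags destinations on ports outside an allowed set. The local network 10.1.0.0/24, the allowed ports and the sample lines are assumptions constructed for the example.

```python
import re
import ipaddress
from collections import Counter

# Constructed sample of what `tcpdump -nn -i eth0` prints (not a real capture).
SAMPLE_OUTPUT = """\
12:00:01.000123 IP 10.1.0.5.51234 > 8.8.8.8.53: 12345+ A? example.com. (29)
12:00:01.020456 IP 8.8.8.8.53 > 10.1.0.5.51234: 12345 1/0/0 A 203.0.113.80 (45)
12:00:02.000000 IP 10.1.0.5.44321 > 203.0.113.80.443: Flags [S], seq 1, win 64240, length 0
12:00:03.000000 IP 10.1.0.7.33333 > 198.51.100.9.25: Flags [S], seq 7, win 64240, length 0
12:00:04.000000 IP 10.1.0.7.33334 > 10.1.0.1.22: Flags [S], seq 9, win 64240, length 0
"""

# Matches the "IP a.b.c.d.port > w.x.y.z.port:" prefix of a -nn line (IPv4 only).
LINE_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+):"
)


def parse_line(line):
    """Return (src_ip, src_port, dst_ip, dst_port), or None for non-IPv4 lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return (m["src"], int(m["sport"]), m["dst"], int(m["dport"]))


def outbound_summary(text, local_net="10.1.0.0/24", allowed_ports=(53, 443)):
    """Count packets leaving local_net per destination port and flag those
    whose destination port is not in allowed_ports (e.g. unexpected SMTP)."""
    net = ipaddress.ip_network(local_net)
    per_port = Counter()
    flagged = []
    for line in text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        src, _, dst, dport = parsed
        src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        # Only traffic from the local network to an outside address is outbound.
        if src_ip not in net or dst_ip in net:
            continue
        per_port[dport] += 1
        if dport not in allowed_ports:
            flagged.append((src, dst, dport))
    return per_port, flagged
```

Feed it real output with `tcpdump -nn -i eth0 -l | python3 script.py` style piping, or the text of a capture read back with `tcpdump -nn -r file_name.pcap`.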

More options

  • -X : Show the packet’s contents in both hex and ASCII.
  • -XX : Same as -X, but also shows the ethernet header.
  • -D : Show the list of available interfaces.
  • -l : Line-buffered output (useful when piping into another program).
  • -q : Quick (quiet) output: show less protocol information.
  • -t : Do not print a timestamp on each line.
  • -tttt : Print the timestamp as a full date and time, the most human-readable form.
  • -i eth0 : Listen on the eth0 interface.
  • -vv : Verbose output.
  • -c : Only get x number of packets and then stop.
  • -s : Define the snaplength (size) of the capture in bytes.
  • -S : Print absolute sequence numbers.
  • -e : Get the ethernet header as well.
  • -E : Decrypt IPsec ESP traffic by providing the SPI, algorithm and key.

I hope this post was helpful to you.

Leave a reaction if you liked this post!