tcpdump is designed to intercepts network traffic, providing administrators with a look at what kind of information flows through the existing connections.
Before starting any capture, we need to know which interfaces
tcpdump can use. We will need to use sudo or have root access in this case.
# tcpdump -D 1 eth0 2 nflog 3 nfqueue 4 usbmon1 5 any 6 lo (Loopback)
If we want to capture traffic on interface eth0, we can initiate that with
tcpdump -i eth0:
# tcpdump -i eth0 # tcpdump -i eth0 -c 10
Capture traffic to and from one host
We can filter out traffic coming from a specific host. For example, to find traffic coming from and going to
126.96.36.199, we can use the command:
# tcpdump -i eth0 -c 10 host 188.8.131.52
Traffic coming from 184.108.40.206 (src):
# tcpdump -i eth0 src host 220.127.116.11
Outbound traffic going to 18.104.22.168 (dst):
# tcpdump -i eth0 dst host 22.214.171.124
Capture traffic to and from a network
We can also capture traffic to and from a specific network interface using the command below:
# tcpdump -i eth0 net 10.1.0.0/24
We can also filter based on the source (traffic coming from):
# tcpdump -i eth0 src net 10.1.0.0/24
We can also filter based on the destination (traffic going to):
# tcpdump -i eth0 dst net 10.1.0.0/24
Capture traffic to and from port numbers
# tcpdump -i eth0 port 53
Specific host and port:
# tcpdump -i eth0 host 126.96.36.199 and port 53
To capture only
# tcpdump -i eth0 -c 10 host www.google.com and port 443
To capture all port except port
# tcpdump -i eth0 port not 53 and not 25
Save packets to a file
use the option
# sudo tcpdump -i any -c 10 -nn -w file_namepcap port 443
-X: Show the packet’s contents in both hex and ASCII.
-XX: Same as
-X, but also shows the ethernet header.
-D: Show the list of available interfaces
-l: Line-readable output.
-q: less verbose with your output.
-t: Give human-readable timestamp output.
-tttt: Give maximally human-readable timestamp output.
-i eth0: Listen on the eth0 interface.
-vv: Verbose output.
-c: Only get x number of packets and then stop.
-s: Define the snaplength (size) of the capture in bytes.
-S: Print absolute sequence numbers.
-e: Get the ethernet header as well.
-q: Show less protocol information.
-E: Decrypt IPSEC traffic by providing an encryption key.
I hope this post was helpful to you.
Leave a reaction if you liked this post!