Tcpdump
The tcpdump
is designed to intercepts network traffic, providing administrators with a look at what kind of information flows through the existing connections.
Before starting any capture, we need to know which interfaces tcpdump
can use. We will need to use sudo or have root access in this case.
# tcpdump -D
1 eth0
2 nflog
3 nfqueue
4 usbmon1
5 any
6 lo (Loopback)
If we want to capture traffic on interface eth0, we can initiate that with tcpdump -i eth0
:
# tcpdump -i eth0
# tcpdump -i eth0 -c 10
Capture traffic to and from one host
We can filter out traffic coming from a specific host. For example, to find traffic coming from and going to 8.8.8.8
, we can use the command:
# tcpdump -i eth0 -c 10 host 8.8.8.8
Traffic coming from 8.8.8.8 (src):
# tcpdump -i eth0 src host 8.8.8.8
Outbound traffic going to 8.8.8.8 (dst):
# tcpdump -i eth0 dst host 8.8.8.8
Capture traffic to and from a network
We can also capture traffic to and from a specific network interface using the command below:
# tcpdump -i eth0 net 10.1.0.0/24
We can also filter based on the source (traffic coming from):
# tcpdump -i eth0 src net 10.1.0.0/24
We can also filter based on the destination (traffic going to):
# tcpdump -i eth0 dst net 10.1.0.0/24
Capture traffic to and from port numbers
Capture only DNS
port 53
traffic:
# tcpdump -i eth0 port 53
Specific host and port:
# tcpdump -i eth0 host 8.8.8.8 and port 53
To capture only HTTPS
traffic:
# tcpdump -i eth0 -c 10 host www.google.com and port 443
To capture all port except port 80
and 25
:
# tcpdump -i eth0 port not 53 and not 25
Save packets to a file
use the option -w
:
# sudo tcpdump -i any -c 10 -nn -w file_namepcap port 443
More options
-X
: Show the packet’s contents in both hex and ASCII.-XX
: Same as-X
, but also shows the ethernet header.-D
: Show the list of available interfaces-l
: Line-readable output.-q
: less verbose with your output.-t
: Give human-readable timestamp output.-tttt
: Give maximally human-readable timestamp output.-i eth0
: Listen on the eth0 interface.-vv
: Verbose output.-c
: Only get x number of packets and then stop.-s
: Define the snaplength (size) of the capture in bytes.-S
: Print absolute sequence numbers.-e
: Get the ethernet header as well.-q
: Show less protocol information.-E
: Decrypt IPSEC traffic by providing an encryption key.