tcpdump - How to use tcpdump command in Linux with examples

dump traffic on a network



tcpdump Options

# man tcpdump

Options
-A     Print each packet (minus its link level header) in ASCII.  Handy for capturing web pages.

-i     Listen on interface.  If unspecified, tcpdump searches the system interface list for the lowest numbered,
       On  Linux  systems  with 2.2 or later kernels, an interface argument of ``any'' can be used to capture
       packets from all interfaces.

-r     Read packets from file

-w     Write the raw packets to file rather than parsing and printing them out.
-n     Don't convert host addresses to names.  This can be used to avoid DNS lookups.
-X     Print each packet (minus its link level header) in hex and ASCII.
-s     Snarf snaplen bytes of data from each packet rather than the default of 68 
       (with SunOS’s NIT, the minimum is actually 96).

-D, --list-interfaces
       Print the list of the network interfaces available on the system and on which tcpdump
       can capture packets.  For each network interface, a number and an interface name,
       possibly followed by a text description of the interface, is printed.  The interface
       name or the number can be supplied to the -i flag to specify an interface on which to
       capture.


Packet Capture Commands tcpdump Examples

tcpdump -i eth1   <-  capture on eth1; without -i, tcpdump picks the lowest numbered interface (eth0 here)
tcpdump -i any    <-  capture on all interfaces at once


tcpdump -n host 192.168.1.10
tcpdump -n -Xs 1000 dst host 192.168.1.10
tcpdump -n -Xs 1000 src host 192.168.1.10


The not operator (exclude traffic from the capture)

tcpdump -n  not port 22
tcpdump -n  not arp and not port 22
tcpdump -n  not arp and not port 123 and not port 22
tcpdump -n  not host 192.168.100.10


Monitoring DNS Queries with tcpdump

tcpdump -n udp port 53 -i any  <- Check DNS
tcpdump -n port 53 -i any  <- Check DNS

tcpdump -vvv -s0 -l -n port 53
tcpdump -i eth0 -nxXs 1600 port 53

ss -anu
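The DNS commands above print one line per query or response. As an added example (not part of the original page), the script below parses the default `tcpdump -n port 53` text output, counts queries per client and flags clients that send many queries or many distinct names, a pattern worth a second look in a DNS baseline. The sample lines are constructed, and the line format is assumed to be tcpdump's default (no -v) output.

```python
import re
from collections import Counter, defaultdict

# One DNS query line from `tcpdump -n port 53` (assumed default text format), e.g.
# 12:00:01.000001 IP 192.168.1.10.51234 > 192.168.1.1.53: 4711+ A? example.com. (29)
# Responses have the source port 53 and no "?" after the type, so they do not match.
DNS_QUERY_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) IP (?P<src>\d+\.\d+\.\d+\.\d+)\.\d+ > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.53: \d+\+?(?: \[[^\]]*\])*\s+"
    r"(?P<qtype>[A-Z]+)\? (?P<name>\S+) \(\d+\)$"
)

# Constructed sample of tcpdump output: one quiet client and one noisy client.
SAMPLE = """\
12:00:01.000001 IP 192.168.1.10.51234 > 192.168.1.1.53: 4711+ A? example.com. (29)
12:00:01.000502 IP 192.168.1.1.53 > 192.168.1.10.51234: 4711 1/0/0 A 93.184.216.34 (45)
12:00:02.000001 IP 192.168.1.10.51235 > 192.168.1.1.53: 4712+ AAAA? example.com. (29)
12:00:03.000001 IP 192.168.1.20.40000 > 192.168.1.1.53: 1+ TXT? a1b2c3.sub.example.net. (40)
12:00:03.100001 IP 192.168.1.20.40001 > 192.168.1.1.53: 2+ TXT? d4e5f6.sub.example.net. (40)
12:00:03.200001 IP 192.168.1.20.40002 > 192.168.1.1.53: 3+ TXT? g7h8i9.sub.example.net. (40)
12:00:03.300001 IP 192.168.1.20.40003 > 192.168.1.1.53: 4+ TXT? j0k1l2.sub.example.net. (40)
12:00:03.400001 IP 192.168.1.20.40004 > 192.168.1.1.53: 5+ TXT? m3n4o5.sub.example.net. (40)
12:00:03.500001 IP 192.168.1.20.40005 > 192.168.1.1.53: 6+ [1au] TXT? p6q7r8.sub.example.net. (51)
"""


def parse_dns_queries(lines):
    """Return (src, qtype, name) for every query line; responses and other noise are skipped."""
    queries = []
    for line in lines:
        m = DNS_QUERY_RE.match(line.strip())
        if m:
            queries.append((m.group("src"), m.group("qtype"),
                            m.group("name").rstrip(".").lower()))
    return queries


def flag_noisy_clients(queries, max_queries=5, max_distinct=4):
    """Flag sources exceeding either threshold; returns {src: {"queries": n, "distinct_names": d}}."""
    per_src = Counter(src for src, _, _ in queries)
    names = defaultdict(set)
    for src, _, name in queries:
        names[src].add(name)
    return {src: {"queries": n, "distinct_names": len(names[src])}
            for src, n in per_src.items()
            if n > max_queries or len(names[src]) > max_distinct}


if __name__ == "__main__":
    for src, stats in flag_noisy_clients(parse_dns_queries(SAMPLE.splitlines())).items():
        print(f"{src}: {stats['queries']} queries, {stats['distinct_names']} distinct names")
```

In practice feed it live output with `tcpdump -l -n port 53 | python3 script.py` after replacing SAMPLE with `sys.stdin`; the -l flag keeps tcpdump's output line-buffered for the pipe.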


Display contents of the packet in ASCII with tcpdump

-A Print each packet (minus its link level header) in ASCII.

HTTP

tcpdump -s0 -A dst port 80

FTP

tcpdump -A host 192.168.0.10 and \(port 20 or port 21\)

telnet

tcpdump -A host 192.168.0.10 and port 23


Saving a capture to a file for analysis with Wireshark and other tools

-w Write the raw packets to file rather than parsing and printing them out.

tcpdump -s 0 -n host 192.168.0.10 -w test.pcap
tcpdump -n host 192.168.0.10 and \(port 80 or port 443 \) -w test.pcap

tcpdump -n -Xs 1000 port 20 or port 21 or port 80 or port 443 -w test.cap


Read capture file

-r Read packets from file

tcpdump -r /tmp/20110615.pcap   <-  -r: read packets from the file instead of an interface