1. Overview

The tcpdump command is a Linux tool for capturing and analyzing network traffic on a system. System administrators primarily utilize this tool for network troubleshooting and security testing purposes. Moreover, the tcpdump command can intercept various packets, including UDP, ARP, ICMP, and TCP packets.

tcpdump also enables us to use filters and capture specific information on a network interface. In particular, we can save this information in a file that tcpdump and Wireshark can interpret.

In this tutorial, we’ll explore how to install the tcpdump command in various Linux distros. We’ll look at the options of the command. Finally, we’ll see how to use the tcpdump command through examples.

Notably, we’re going to run all the commands in this tutorial on Kali Linux. However, the same process applies to other Linux distributions as well.

2. Installing tcpdump on Major Linux Distros

While most Linux distributions come with the tcpdump package preinstalled, some don’t. Therefore, before using the tcpdump command, it’s essential to ensure that the necessary package is installed on the system.

Let’s install tcpdump using the apt command:

$ sudo apt install tcpdump

This command is specific to Debian-based Linux systems, such as Ubuntu, and will install the package and its dependencies after execution.

Additionally, we can use the dnf command to install tcpdump for systems running Fedora, CentOS, or Red Hat.

For example, let’s install tcpdump using the dnf command:

$ sudo dnf install tcpdump

Once the installation is complete, the screen displays a message indicating that the process has been completed successfully. This message includes information about the installed version of tcpdump.

3. Common tcpdump Command Options

The basic syntax and structure of the tcpdump command are straightforward:

$ tcpdump [options] [expression]

Let’s now understand what each of the components of the tcpdump command means:

  • [options]: these are the various flags or switches that affect the behavior of the command
  • [expression]: indicates the packets to be captured

Now, let’s explore common options that are available with the tcpdump command:

Options

Description

-i

Specifies the network interface to capture packets from

-n

Displays IP addresses and ports as numbers instead of resolving them to hostnames and service names

-c

Limits the number of packets to capture

-D

Lists available network interfaces that can be used with the -i option

-s

Sets the snapshot length (number of bytes to capture) for each packet

-vv

Increases the verbosity level of the output

-A

Prints each packet in ASCII

-w

Writes the captured packets to a specified file in pcap format

-r

Reads packets from a pcap format file for analysis

With these various options, we can customize the behavior of the tcpdump command to meet specific needs and efficiently analyze network traffic.

4. Common tcpdump Command Examples

Let’s dive into some practical examples of using the tcpdump command.

4.1. Capturing Packets on the Default Network Interface

To begin, let’s capture packets on the default network interface:

$ sudo tcpdump
[sudo] password for kali:
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), snapshot length 262144 bytes
...
25 packets captured
78 packets received by filter
38 packets dropped by kernel

The sudo command prompts us for a password to gain the necessary privileges for packet capture on the default network interface.

tcpdump starts monitoring network traffic on this interface. In particular, it provides detailed information about each captured packet, including timestamps, source and destination IP addresses, protocols, and packet lengths. To terminate the process, we use Ctrl+C, which sends a SIGINT interrupt signal.

4.2. Listing Available Interfaces

We can also use the tcpdump command with the -D option to list all available network interfaces in the system:

$ sudo tcpdump -D 
[sudo] password for kali: 
1.eth0 [Up, Running, Connected]
2.br-4aa4046238e5 [Up, Running, Connected]
...

In the output, each network interface is listed along with its corresponding status, indicating whether it’s up, running, and connected.

4.3. Capturing Packets From a Specific Network Interface

Furthermore, we can inspect packets from a specific network interface. We achieve this using the -i option followed by the interface name:

$ sudo tcpdump -i br-4aa4046238e5
[sudo] password for kali: 
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on br-4aa4046238e5, link-type EN10MB (Ethernet), snapshot length 262144 bytes
10:27:11.764045 IP 172.19.0.3.http > 172.19.0.1.49192: Flags [F.], seq 4278354148, ack 2924049651, win 249, options [nop,nop,TS val 650697844 ecr 1251139840], length 0
...

Upon execution, tcpdump starts capturing packets exclusively from the specified interface. This enables us to focus our packet analysis efforts on a particular interface of interest.

4.4. Capturing a Specific Number of Packets

By default, tcpdump captures packets until we interrupt the command. However, we can use the -c option to capture a specific number of packets.

For example, let’s capture 5 packets going to and from the br-4aa4046238e5 interface:

$ sudo tcpdump -c 5 -i br-4aa4046238e5
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
...
5 packets captured
12 packets received by filter
0 packets dropped by kernel

This command instructs tcpdump to capture 5 packets going through the br-4aa4046238e5 interface. Upon execution, tcpdump starts capturing packets exclusively from this interface.

Once the specified number of packets is reached, it stops capturing data and displays relevant statistics. These statistics include the number of packets captured, received by the filter, and dropped by the kernel.

4.5. Printing Captured Packets in ASCII Format

To print captured packets in ASCII format, we can use the -A option with the tcpdump command. This option instructs tcpdump to display each packet in ASCII instead of the default hexadecimal format.

For example, let’s capture packets on the br-4aa4046238e5 interface and print them in ASCII format:

$ sudo tcpdump -A -i br-4aa4046238e5
[sudo] password for kali: 
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on br-4aa4046238e5, link-type EN10MB (Ethernet), snapshot length 262144 bytes
...
12:01:18.873372 IP 172.19.0.1.46492 > 172.19.0.3.http: Flags [.], ack 640, win 249, options [nop,nop,TS val 1255064137 ecr 654620129], length 0
E..4.<@.@..]...........P.3L.{..6....XQ.....
J..I'...
...

Upon execution, tcpdump captures packets on the specified interface and prints them in ASCII format. Additionally, this allows for easier readability and analysis of the packet contents, especially when dealing with text-based protocols such as HTTP or SMTP.

4.6. Writing Packets to a File

To save captured packets to a file for later analysis, we can use the -w option with the tcpdump command. This option enables us to capture and save the packets to a pcap format file instead of printing them on stdout.

For example, let’s capture packets on the br-4aa4046238e5 interface and write them to a file named output.pcap:

$ sudo tcpdump -w output.pcap -i br-4aa4046238e5
[sudo] password for kali: 
tcpdump: listening on br-4aa4046238e5, link-type EN10MB (Ethernet), snapshot length 262144 bytes
...

Upon execution, tcpdump starts capturing packets on the specified interface and writes them to the output.pcap file in pcap format. This file can then be analyzed later using tcpdump itself or other packet analysis tools such as Wireshark.

4.7. Reading Packets From a File

Furthermore, we can read captured packets from a file using the -r option.

For example, let’s read the packets from a file called output.pcap:

$ sudo tcpdump -r output.pcap
reading from file output.pcap, link-type EN10MB (Ethernet), snapshot length 262144
12:08:54.335522 IP 172.19.0.1.56534 > 172.19.0.3.http: Flags [P.], seq 1638684988:1638685701, ack 3030472654, win 249, options [nop,nop,TS val 1255519599 ecr 655073589], length 713: HTTP: GET /sqleditor/status/4098671 HTTP/1.1
12:08:54.345624 IP 172.19.0.3.http > 172.19.0.1.56534: Flags [P.], seq 1:640, ack 713, win 249, options [nop,nop,TS val 655075601 ecr 1255519599], length 639: HTTP: HTTP/1.1 500 INTERNAL SERVER ERROR
...

The output displays the read packets from the output.pcap file.

4.8. Displaying IP Addresses Numerically

To show the IP addresses of captured packets numerically, we can utilize the -n option with the tcpdump command. This option instructs tcpdump not to convert host addresses to hostnames.

For instance, let’s capture packets on the br-4aa4046238e5 interface while displaying IP addresses without hostname resolution:

$ sudo tcpdump -n -i br-4aa4046238e5
[sudo] password for kali: 
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on br-4aa4046238e5, link-type EN10MB (Ethernet), snapshot length 262144 bytes
17:30:19.875861 IP 172.19.0.1.56774 > 172.19.0.3.80: Flags [P.], seq 928160091:928160804, ack 1793898192, win 249, options [nop,nop,TS val 1258929700 ecr 658483712], length 713: HTTP: GET /sqleditor/status/4098671 HTTP/1.1
17:30:19.880217 IP 172.19.0.3.80 > 172.19.0.1.56774: Flags [P.], seq 1:640, ack 713, win 249, options [nop,nop,TS val 658485697 ecr 1258929700], length 639: HTTP: HTTP/1.1 500 INTERNAL SERVER ERROR
...

In this case, the output shows that tcpdump prints the IP addresses and ports in a numerical format without attempting to resolve them to hostnames and service names, respectively.

5. Conclusion

In this article, we’ve explored the fundamentals of the tcpdump command, from its installation to common options and practical usage examples.

Furthermore, by mastering tcpdump, we can effectively analyze network traffic, troubleshoot connectivity issues, and enhance security measures on Linux systems.