Linux TPCDump Package Analyzer
Tcpdump command is a network packet analyzing tool that is used to display TCP\IP and other network packets being transmitted over a network. Tcpdump uses libpcap library to capture the network packets. It is available on almost all Linux/Unix flavors.
Tcpdump command can read the contents from a network interface or from a previously created packet file, or we can also write the packets to a file to be used for later.
One must use the tcpdump command as root or as a user with sudo privileges.
By default, tcpdump is available on almost all Linux distributions but if that’s not the case for you, install it on your system using the following method.
Install tcpdump on CentOS and RHEL using the following command ,
sudo yum install tcpdump
On Fedora, install tcpdump using the following command,
dnf install tcpdump
On Ubuntu or Debian or Linux Mint, install tcpdump using the following command,
apt-get install tcpdump
Get packets from all interfaces
To get the network packets from all network interfaces, run the following command,
tcpdump -i any
Get packets from a single interfaces
To get the network packets from a single interface, use
tcpdump -i eth0
Writing captured packets to file
To write all the captured packets to a file, use the ‘-w’ option,
tcpdump -i eth1 -w packets_file
Reading an old tcpdump file
To read an already created, old tcpdump file, use the following command,
tcpdump -r packets_file
Getting more packets information with readable timestamps
To get more information regarding the packets along with readable timestamp, use
Check packets of whole network
To get the packets for whole network, execute the following command from terminal
tcpdump net 192.168.1.0/24
Check packets based on IP address
Get all the packets based on the IP address, whether source or destination or both, using the following command,
tcpdump host 192.168.1.100
To get packets based on source or destination of an IP address, use
tcpdump src 192.168.1.100 tcpdump dst 192.168.1.100
Check packets for a protocol or port number
To check all the packets used based on the protocol, run the following command
To get packets for a single port, or for a range of ports use
tcpdump port 22 tcpdump portrange 22-125
We can also use ‘src’ and ‘dst’ options to get packets for ports based on source & destination.
We can also combine two conditions with AND (and , && ), OR ( or. || ) and EXCEPT (not , ! ). This helps when we have analyzed network packets based on the same conditions.
We can use ‘and’ or symbol ‘&&’ to combine two conditions or mote with tcpdump. An example would be,
tcpdump src 192.168.1.100 && port 22 -w ssh_packets
OR will check the command against one the mentioned conditions in the command, like
tcpdump src 192.168.1.100 or dst 192.168.1.50 && port 22 -w ssh_packets tcpdump port 443 or 80 -w http_packets
EXCEPT will be used when we want not fulfill a condition, like
tcpdump -i eth0 src port not 22
This will monitor all the traffic on eth0 but will not capture port 22.
This was our tutorial on how to install and use tcpdump command to capture the network packets. Please feel free to send in any queries or suggestions using the comment box below.