Tcpdump is one of the most popular text-based network monitoring tools on Linux. It captures and filters the TCP/IP packets sent and received on a specific network interface. Tcpdump is a command-line packet analyzer and an alternative to Wireshark.
Due to its popularity, nearly all Linux distros include Tcpdump in their package repositories, but it might not be installed by default. Don’t worry, installing Tcpdump on your system is easy. Users of Debian-based distros can install the tool with apt, while users of Fedora-based distros can use yum. Before you start analyzing packets with Tcpdump you need root privileges.
One of the advantages of Tcpdump is that you can save the captured packets to a file for later, more detailed analysis.
Some people say that curiosity is the key to becoming a smart person like Bill Gates. You can read the manual page of Tcpdump by typing man tcpdump in the terminal to get more detailed information about the tool.
This article will show you the top 8 examples of using Tcpdump.
Before you can use the tool you obviously need to install it on your system first. As mentioned earlier, Fedora (and other Red Hat-based distros) can use yum to install Tcpdump, while users of Debian-based distros can use apt.
#yum install tcpdump
#apt-get install tcpdump
1. Display available network interfaces in the system
The important thing to know before capturing TCP/IP packets with Tcpdump is which network interfaces are available on your system. Unlike the other options, you don’t have to be root to do this. Use the -D option to display the list of available interfaces on your Linux system.
2. Capture packets from a specific interface
Once you know which network interfaces are available, you can start capturing the TCP/IP traffic of a specific interface with the -i option. This option requires root privileges.
#tcpdump -i wlp2s0
3. Print captured packets in ASCII
ASCII is a popular character encoding standard on which most modern character-encoding schemes are based. The -A option prints each captured packet in ASCII, which is useful for reading plain-text protocols.
#tcpdump -A -i wlp2s0
4. Capture only N packets
When you capture the TCP/IP packets of a specific interface with Tcpdump it normally runs continuously until you press CTRL+C to stop the process. If you only want to capture a specific number of packets, use the -c option.
#tcpdump -c 10 -i wlp2s0
5. Capture and save packets in a file
This is the feature of Tcpdump that network administrators will love most. It lets you save the captured packets to a file for later analysis when something goes wrong on your network. The file is stored in pcap format and can be read by Tcpdump itself or by other packet analysis tools, including Wireshark. The capture file is written to the current directory where you run Tcpdump. Note that with -w the raw packets go to the file, so nothing is printed to the terminal while capturing.
#tcpdump -w 0001.pcap -i wlp2s0
6. Read a capture file
As a follow-up to example 5 above, you can read the capture file with the -r option. Just be sure to run this command in the same folder where you ran the -w command above. Reading a file does not require root privileges.
#tcpdump -r 0001.pcap
7. Capture packets from a specific port
There are many ports in use on the internet, and capturing traffic on all of them can make your results too crowded. To narrow the results and ease your job you can capture only a specific port. For example, you might want to filter for port 80 only, which is the well-known HTTP port.
#tcpdump -i wlp2s0 port 80
8. Capture only TCP packets
You can also filter the results to show TCP packets only by adding the tcp filter expression. The -n option tells Tcpdump not to resolve addresses and port numbers to names, which keeps the output fast and avoids DNS lookups during the capture.
#tcpdump -n -i wlp2s0 tcp
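The file written by -w in example 5 and read back by -r in example 6 is a plain pcap file, and the tcp expression in example 8 is just a check on the packet headers. The following added example (not from the original article, and not Tcpdump's own code) parses such a file by hand: it validates the global header, rejects records that overrun the snaplen or the file, and lists the TCP packets the way tcpdump -n -r FILE tcp would. The sample capture it reads is constructed inline, and the frame layout assumes Ethernet link type 1 with IPv4.

```python
import struct

# pcap magic number as read little-endian -> (byte order of the rest of the file, timestamp divisor)
PCAP_MAGICS = {
    0xA1B2C3D4: ("<", 1_000_000), 0xD4C3B2A1: (">", 1_000_000),          # microsecond timestamps
    0xA1B23C4D: ("<", 1_000_000_000), 0x4D3CB2A1: (">", 1_000_000_000),  # nanosecond timestamps
}

def iter_records(data):
    """Yield (timestamp, original_length, captured_bytes) for each packet record in a pcap file."""
    magic = struct.unpack("<I", data[:4])[0] if len(data) >= 24 else 0
    if magic not in PCAP_MAGICS:
        raise ValueError("not a pcap file or truncated header (magic 0x%08x)" % magic)
    endian, ts_div = PCAP_MAGICS[magic]
    _maj, _min, _tz, _sig, snaplen, linktype = struct.unpack(endian + "HHiIII", data[4:24])
    if linktype != 1:  # 1 = Ethernet (DLT_EN10MB); tcp_ports() below assumes Ethernet framing
        raise ValueError("unsupported link type %d" % linktype)
    off = 24
    while off < len(data):
        if off + 16 > len(data):
            raise ValueError("truncated record header at offset %d" % off)
        ts_sec, ts_frac, incl_len, orig_len = struct.unpack(endian + "IIII", data[off:off + 16])
        if incl_len > snaplen or off + 16 + incl_len > len(data):  # corrupt or truncated capture
            raise ValueError("record at offset %d overruns snaplen or file" % off)
        yield ts_sec + ts_frac / ts_div, orig_len, data[off + 16:off + 16 + incl_len]
        off += 16 + incl_len

def tcp_ports(frame):
    """(src_port, dst_port) of an Ethernet/IPv4/TCP frame, else None: the 'tcp' filter of example 8."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
        return None
    ihl = (frame[14] & 0x0F) * 4  # IPv4 header length in bytes; the TCP ports follow it
    return struct.unpack("!HH", frame[14 + ihl:18 + ihl]) if len(frame) >= 18 + ihl else None

def summarize_tcp(data):
    """Rough equivalent of 'tcpdump -n -r FILE tcp': (time, src_port, dst_port, length) per TCP packet."""
    return [(ts, *ports, n) for ts, n, frame in iter_records(data) if (ports := tcp_ports(frame))]

def build_sample_pcap():
    """Constructed sample file: one little-endian pcap holding a TCP SYN to port 80 (checksums zero)."""
    eth = bytes.fromhex("001122334455" "66778899aabb" "0800")                  # dst MAC, src MAC, IPv4
    ip = bytes.fromhex("4500 0028 0001 4000 4006 0000") + bytes([192, 0, 2, 10, 198, 51, 100, 7])
    tcp = struct.pack("!HHIIBBHHH", 51234, 80, 1, 0, 0x50, 0x02, 65535, 0, 0)  # SYN, no options
    frame = eth + ip + tcp
    header = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 262144, 1)          # snaplen, Ethernet
    record = struct.pack("<IIII", 1_700_000_000, 250_000, len(frame), len(frame))
    return header + record + frame
```

To try it on a real capture, pass the contents of a file written by tcpdump -w to summarize_tcp().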