TCPDump Tutorial: A Beginner's Guide

tcpdump is a powerful command-line packet analyzer used for capturing and analyzing network traffic in real time. It's widely used by network administrators, security analysts, and developers for troubleshooting, security analysis, and debugging network applications.


1. Installing TCPDump

Most Linux distributions come with tcpdump pre-installed. If it's not installed, you can install it using:

  • Ubuntu/Debian:

    sudo apt update && sudo apt install tcpdump -y
    
  • CentOS/RHEL:

    sudo yum install tcpdump -y
    
  • MacOS:

    brew install tcpdump
    

2. Basic Usage

Check Available Network Interfaces

tcpdump -D

This lists all available network interfaces where tcpdump can capture traffic.

Capture Packets on a Specific Interface

sudo tcpdump -i eth0

This captures packets on eth0 (replace with your actual interface).

Capture Only N Packets

sudo tcpdump -i eth0 -c 10

Captures only 10 packets and then stops.


3. Filtering Traffic

tcpdump allows you to filter packets based on protocols, ports, IP addresses, etc.

Capture Traffic to/from a Specific IP

sudo tcpdump -i eth0 host 192.168.1.100

Captures packets to and from IP 192.168.1.100.

Capture Traffic from a Specific Source IP

sudo tcpdump -i eth0 src host 192.168.1.100

Capture Traffic to a Specific Destination IP

sudo tcpdump -i eth0 dst host 192.168.1.200

Capture Only TCP or UDP Packets

sudo tcpdump -i eth0 tcp
sudo tcpdump -i eth0 udp

Capture Packets for a Specific Port

sudo tcpdump -i eth0 port 80

Captures packets for HTTP traffic (port 80).

Capture Packets Based on Source or Destination Port

sudo tcpdump -i eth0 src port 443
sudo tcpdump -i eth0 dst port 22

4. Writing and Reading Packet Captures

Save Packets to a File

sudo tcpdump -i eth0 -w capture.pcap

This saves packets to a PCAP file for later analysis.

Read Packets from a File

sudo tcpdump -r capture.pcap
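The file that -w writes and -r reads has a simple structure: a 24-byte global header followed by one 16-byte record header per packet, each followed by the raw frame. The following Python is an added example, not part of this tutorial and not tcpdump's own code: it writes a small capture in the classic pcap layout, reads it back, decodes the Ethernet/IPv4/TCP-or-UDP headers, and applies host, src, dst, port and protocol filters with the same either-direction semantics as the filter primitives in section 3. The frames, addresses and timestamps are constructed sample data, checksums are left at zero, and only IPv4 over Ethernet in little-endian microsecond pcap files is handled.

```python
import socket
import struct

# Constants of the classic pcap format (the layout `tcpdump -w` produces).
PCAP_MAGIC = 0xA1B2C3D4        # little-endian file, microsecond timestamps
LINKTYPE_ETHERNET = 1
ETHERTYPE_IPV4 = 0x0800
PROTO_TCP, PROTO_UDP = 6, 17


def build_frame(src_ip, dst_ip, proto, sport, dport, syn=False):
    """Return a constructed Ethernet/IPv4 frame carrying a TCP or UDP header.

    Sample data for this example only; checksums are left at zero.
    """
    if proto == PROTO_TCP:
        offset_flags = 0x5002 if syn else 0x5010   # 5-word header; SYN or ACK flag
        l4 = struct.pack("!HHIIHHHH", sport, dport, 1, 0, offset_flags, 65535, 0, 0)
    else:
        l4 = struct.pack("!HHHH", sport, dport, 8, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 1, 0, 64, proto, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    eth = b"\x02" * 6 + b"\x04" * 6 + struct.pack("!H", ETHERTYPE_IPV4)
    return eth + ip + l4


def write_pcap(frames, snaplen=262144):
    """Serialise frames as a classic pcap file: global header + per-packet records."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, snaplen, LINKTYPE_ETHERNET)
    for i, frame in enumerate(frames):
        # record header: ts_sec, ts_usec, captured length, original length
        out += struct.pack("<IIII", 1_700_000_000 + i, 0, len(frame), len(frame))
        out += frame
    return out


def read_pcap(data):
    """Parse pcap bytes (what `tcpdump -r` reads) into a list of per-packet dicts."""
    magic, _maj, _min, _tz, _sig, _snap, linktype = struct.unpack("<IHHiIII", data[:24])
    if magic != PCAP_MAGIC or linktype != LINKTYPE_ETHERNET:
        # Big-endian, nanosecond (0xA1B23C4D) and pcapng files are not handled here.
        raise ValueError("unsupported pcap header")
    records, off = [], 24
    while off + 16 <= len(data):
        ts_sec, ts_usec, incl_len, _orig_len = struct.unpack("<IIII", data[off:off + 16])
        frame = data[off + 16:off + 16 + incl_len]
        if len(frame) < incl_len:
            raise ValueError("truncated packet record")
        off += 16 + incl_len
        if len(frame) < 34 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV4:
            continue                               # only IPv4 over Ethernet is decoded
        ihl = (frame[14] & 0x0F) * 4               # IPv4 header length in bytes
        proto, src, dst = struct.unpack("!B2x4s4s", frame[23:34])   # protocol, src, dst
        l4 = frame[14 + ihl:]
        sport = dport = None
        if proto in (PROTO_TCP, PROTO_UDP) and len(l4) >= 4:
            sport, dport = struct.unpack("!HH", l4[:4])
        records.append({"ts": ts_sec + ts_usec / 1e6,
                        "src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst),
                        "proto": proto, "sport": sport, "dport": dport})
    return records


def matches(rec, host=None, src=None, dst=None, port=None, proto=None):
    """Mirror the tutorial's filter primitives: `host` and `port` match either
    direction, `src`/`dst` match one direction, `proto` is the IP protocol number."""
    if host is not None and host not in (rec["src"], rec["dst"]):
        return False
    if src is not None and rec["src"] != src:
        return False
    if dst is not None and rec["dst"] != dst:
        return False
    if port is not None and port not in (rec["sport"], rec["dport"]):
        return False
    if proto is not None and rec["proto"] != proto:
        return False
    return True


# Constructed sample capture: an SSH connection attempt and its reply, plus one DNS query.
SAMPLE_FRAMES = [
    build_frame("192.168.1.100", "192.168.1.200", PROTO_TCP, 51000, 22, syn=True),
    build_frame("192.168.1.200", "192.168.1.100", PROTO_TCP, 22, 51000),
    build_frame("10.0.0.5", "192.168.1.200", PROTO_UDP, 53000, 53),
]
SAMPLE_PCAP = write_pcap(SAMPLE_FRAMES)


if __name__ == "__main__":
    recs = read_pcap(SAMPLE_PCAP)
    for rec in recs:
        print(rec)
    print(sum(matches(r, host="192.168.1.100") for r in recs), "packets match host 192.168.1.100")
```

Run it as a script to print the decoded records. A real capture.pcap written by tcpdump -w can be passed to read_pcap(open("capture.pcap", "rb").read()) as long as it is a classic little-endian pcap file; anything else is rejected by the header check rather than silently misparsed.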

5. Display Options

Verbose Output

sudo tcpdump -i eth0 -v

Provides more details about packets.

Very Verbose Output

sudo tcpdump -i eth0 -vv

Even more detailed packet information.

Show Hex and ASCII Output

sudo tcpdump -i eth0 -XX

Displays packet content in hex and ASCII, including the link-layer (Ethernet) header; -X prints the same without the link-layer header.

Show Only Packet Headers

sudo tcpdump -i eth0 -q

Prints less protocol information, so each output line is shorter.


6. Advanced Filters

Capture Packets of a Specific Protocol

sudo tcpdump -i eth0 icmp

Captures ICMP (Ping) packets.

Capture Packets with a Specific String

sudo tcpdump -i eth0 -l -A | grep "password"

Prints each packet as ASCII (-A) and filters for lines containing the word "password". The -l option line-buffers tcpdump's output, so grep receives each line as it is produced instead of waiting for tcpdump's output buffer to fill.

Filter Packets from a Specific Network

sudo tcpdump -i eth0 net 192.168.1.0/24

Captures packets to or from the 192.168.1.0/24 subnet.


7. Analyzing Captured Packets with Wireshark

If you prefer a GUI for analyzing packets, open the .pcap file in Wireshark:

wireshark capture.pcap

8. Running TCPDump in the Background

To run tcpdump as a background process:

sudo tcpdump -i eth0 -w capture.pcap &

This runs the capture in the background.

To stop it:

sudo killall tcpdump

9. Common Use Cases

✔️ Monitor network activity:

sudo tcpdump -i eth0

✔️ Capture HTTP traffic:

sudo tcpdump -i eth0 port 80 -A

✔️ Monitor SSH logins:

sudo tcpdump -i eth0 port 22

✔️ Find traffic related to a specific process:
Find the process using netstat or ss and filter by port.
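Watching port 22 with tcpdump shows every packet of every SSH session, which is hard to read by eye. An added example, not part of this tutorial: the Python below parses the default text output of tcpdump -n -l (IPv4, no name resolution) line by line, counts client-initiated connection attempts (a pure SYN, no ACK) per source address, and lists sources that exceed a threshold, which is a simple way to turn the "monitor SSH logins" capture into an alert. The sample lines are constructed for the example, not a real capture, and the regular expression and the threshold of 3 are assumptions; lines that do not match the expected shape (for example the extra lines printed with -v) are skipped.

```python
import re
from collections import Counter

# Constructed sample of `sudo tcpdump -n -l -i eth0 port 22` output (not a real capture).
SAMPLE_LINES = """\
12:00:01.000100 IP 192.168.1.50.51000 > 192.168.1.200.22: Flags [S], seq 1, win 65535, length 0
12:00:01.000200 IP 192.168.1.200.22 > 192.168.1.50.51000: Flags [S.], seq 2, ack 2, win 65535, length 0
12:00:01.000300 IP 192.168.1.50.51000 > 192.168.1.200.22: Flags [.], ack 1, win 65535, length 0
12:00:02.000100 IP 10.0.0.9.40001 > 192.168.1.200.22: Flags [S], seq 1, win 1024, length 0
12:00:02.000200 IP 10.0.0.9.40002 > 192.168.1.200.22: Flags [S], seq 1, win 1024, length 0
12:00:02.000300 IP 10.0.0.9.40003 > 192.168.1.200.22: Flags [S], seq 1, win 1024, length 0
12:00:02.000400 IP 10.0.0.9.40004 > 192.168.1.200.22: Flags [S], seq 1, win 1024, length 0
12:00:03.000100 IP 192.168.1.200.22 > 10.0.0.9.40001: Flags [R.], seq 0, ack 2, win 0, length 0
"""

# One tcpdump line: timestamp, "IP", src.port > dst.port: Flags [..]. Assumed shape for -n output.
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) IP "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): "
    r"Flags \[(?P<flags>[^\]]*)\]"
)


def parse_line(line):
    """Return the fields of one tcpdump line, or None if the line has another shape."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["sport"] = int(rec["sport"])
    rec["dport"] = int(rec["dport"])
    return rec


def count_new_connections(lines, port=22):
    """Count client-initiated connection attempts (flags exactly 'S') per source IP."""
    counts = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec and rec["dport"] == port and rec["flags"] == "S":
            counts[rec["src"]] += 1
    return counts


def noisy_sources(lines, port=22, threshold=3):
    """Sources whose attempt count reaches the threshold, sorted for stable output."""
    counts = count_new_connections(lines, port)
    return sorted(ip for ip, n in counts.items() if n >= threshold)


if __name__ == "__main__":
    lines = SAMPLE_LINES.splitlines()
    for ip, n in count_new_connections(lines).items():
        print(f"{ip}: {n} new SSH connection attempts")
    print("review:", noisy_sources(lines))
```

To use it on live traffic, pipe the capture into the script (sudo tcpdump -n -l -i eth0 port 22 | python3 script.py, reading sys.stdin instead of SAMPLE_LINES); the -l flag matters here for the same reason as with grep, since without it tcpdump's output reaches the script only when its buffer fills.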


10. Conclusion

tcpdump is a powerful tool for analyzing network traffic, debugging applications, and monitoring security threats. With the right filters and options, you can quickly find the information you need.