tcpdump is a widely used command-line packet analyzer. It captures (and optionally filters) the packets received or transmitted on a network interface, prints a one-line summary of each, and runs on most Unix-like operating systems; the sessions below appear to have been recorded on macOS (interfaces such as en0 and awdl0), where it ships with the system. Capturing requires root or equivalent capture privileges. We will cover some useful commands with practical examples.

How to Install tcpdump
# yum install tcpdump

1. Capture Packets from a Specific Interface

sh-3.2# tcpdump -i en0
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on en0, link-type EN10MB (Ethernet), capture size 262144 bytes
11:56:56.712822 STP 802.1d, Config, Flags [none], bridge-id 8000.94:fe:22:db:e9:07.8007, length 35
11:56:58.760588 STP 802.1d, Config, Flags [none], bridge-id 8000.94:fe:22:db:e9:07.8007, length 35
11:57:00.705990 STP 802.1d, Config, Flags [none], bridge-id 8000.94:fe:22:db:e9:07.8007, length 35
11:57:02.753632 STP 802.1d, Config, Flags [none], bridge-id 8000.94:fe:22:db:e9:07.8007, length 35
11:57:03.925841 IP 192.168.1.27.51995 > bam-8.nr-data.net.https: Flags [.], ack 3681397208, win 65535, length 0
11:57:03.927594 IP 192.168.1.27.64148 > 192.168.1.1.domain: 28978+ PTR? 27.1.168.192.in-addr.arpa. (43)
11:57:03.929919 IP 192.168.1.1.domain > 192.168.1.27.64148: 28978 ServFail- 0/0/0 (43)

In this example, tcpdump captured every packet flowing through interface en0 and printed it to standard output. Without "-i", tcpdump does not listen on all interfaces: it picks the first configured non-loopback interface it finds (on Linux, "-i any" is the pseudo-interface that captures on every interface). Note that the PTR? queries in the output were generated by tcpdump itself, which resolves addresses to host names unless told not to (see the "-n" example below).

2. Capture Only N Packets

The tcpdump command below captures only 4 packets from interface en0 ("-c 4") and then exits on its own. The three summary lines printed at the end are worth reading on every capture: "packets dropped by kernel" greater than zero means the capture is incomplete because tcpdump could not keep up.

sh-3.2# tcpdump -c 4 -i en0
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on en0, link-type EN10MB (Ethernet), capture size 262144 bytes
12:01:56.717492 STP 802.1d, Config, Flags [none], bridge-id 8000.94:fe:22:db:e9:07.8007, length 35
12:01:57.296182 IP 192.168.1.27.52310 > host-212-252-126-74.reverse.superonline.net.http: Flags [P.], seq 4284791179:4284791364, ack 1148539562, win 4096, options [nop,nop,TS val 505642274 ecr 3426974727], length 185: HTTP: GET /bag HTTP/1.1
12:01:57.297548 IP 192.168.1.27.55704 > 192.168.1.1.domain: 23594+ PTR? 27.1.168.192.in-addr.arpa. (43)
12:01:57.300256 IP 192.168.1.1.domain > 192.168.1.27.55704: 23594 ServFail- 0/0/0 (43)

4 packets captured
25 packets received by filter
0 packets dropped by kernel

3. Display Captured Packets in ASCII

sh-3.2# tcpdump -A -i en0
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on en0, link-type EN10MB (Ethernet), capture size 262144 bytes
12:03:52.769508 IP 192.168.1.27.51995 > bam-8.nr-data.net.https: Flags [.], ack 3681397208, win 65535, length 0
E..(.3..@................n...m..P...av..
12:03:52.811418 STP 802.1d, Config, Flags [none], bridge-id 8000.94:fe:22:db:e9:07.8007, length 35
........."...........".............
12:03:52.926068 IP bam-8.nr-data.net.https > 192.168.1.27.51995: Flags [.], ack 1, win 12848, options [nop,nop,TS val 884042808 ecr 504579280], length 0
E..4.=@..................m...n....20.`.....
4.l8..D.
3 packets captured
3 packets received by filter
0 packets dropped by kernel

The "-A" option prints each packet (minus its link-level header) as ASCII, with non-printable bytes shown as dots. This is handy for reading clear-text protocols such as HTTP; the TLS (https) and STP packets above are unreadable for that reason.

4. Display Captured Packets in ASCII and HEX

The command below prints each packet in both hex and ASCII, which is what you want for byte-level analysis. "-XX" includes the link-level (Ethernet) header in the dump, so the first 14 bytes of each packet are the destination MAC, source MAC and EtherType; "-X" starts at the IP header instead.

sh-3.2# tcpdump -XX -i en0
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on en0, link-type EN10MB (Ethernet), capture size 262144 bytes
12:05:43.912820 IP6 fe80::4d:c3df:2f4:bc0c > ff02::16: HBH ICMP6, multicast listener report v2, 1 group record(s), length 28
            0x0000:  3436 3b69 b3f2 80b0 3dc2 ac69 86dd 6000  46;i....=..i..`.
            0x0010:  0000 0024 0001 fe80 0000 0000 0000 004d  ...$...........M
            0x0020:  c3df 02f4 bc0c ff02 0000 0000 0000 0000  ................
            0x0030:  0000 0000 0016 3a00 0100 0502 0000 8f00  ......:.........
            0x0040:  ebe2 0000 0001 0400 0000 ff02 0000 0000  ................
            0x0050:  0000 0000 0000 0000 00fb                 ..........

12:05:43.912833 IP 192.168.1.22.mdns > 224.0.0.251.mdns: 0 [2q] [1au] PTR (QM)? _homekit._tcp.local. PTR (QM)? _sleep-proxy._udp.local. (90)
            0x0000:  3436 3b69 b3f2 80b0 3dc2 ac69 0800 4500  46;i....=..i..E.
            0x0010:  0076 e00e 0000 ff11 38ae c0a8 0116 e000  .v......8.......
            0x0020:  00fb 14e9 14e9 0062 6372 0000 0000 0002  .......bcr......
            0x0030:  0000 0000 0001 085f 686f 6d65 6b69 7404  ......._homekit.
            0x0040:  5f74 6370 056c 6f63 616c 0000 0c00 010c  _tcp.local......
            0x0050:  5f73 6c65 6570 2d70 726f 7879 045f 7564  _sleep-proxy._ud
            0x0060:  70c0 1a00 0c00 0100 0029 05a0 0000 1194  p........)......
            0x0070:  0012 0004 000e 00fa a2b0 3dc2 ac69 80b0  ..........=..i..
            0x0080:  3dc2 ac69

5. Show Available Interfaces

To list the interfaces tcpdump can capture on, use the "-D" option. The number printed in front of each name can be passed to "-i" instead of the name.

sh-3.2# tcpdump -D
1.en0 [Up, Running]
2.p2p0 [Up, Running]
3.awdl0 [Up, Running]
4.bridge0 [Up, Running]
5.utun0 [Up, Running]
6.en1 [Up, Running]
7.utun1 [Up, Running]
8.lo0 [Up, Running, Loopback]
9.gif0
10.stf0
11.XHC20

6. Capture packets and save them to a file

tcpdump can write the raw packets to a file in pcap format with "-w". Nothing is printed to the terminal while capturing; stop it with Ctrl-C and the summary counters are shown. The pcap file can later be analyzed with "tcpdump -r" or any other pcap-aware tool. Treat such files as sensitive: they contain full payloads, including any credentials sent in clear text.

sh-3.2# tcpdump -w emre.pcap -i en0
tcpdump: listening on en0, link-type EN10MB (Ethernet), capture size 262144 bytes
22 packets captured
22 packets received by filter
0 packets dropped by kernel

7. Capture a specific number of packets and save them to a file

The command below combines "-c" and "-w", so tcpdump writes exactly 5 packets to the file and then exits by itself.

sh-3.2# tcpdump -w emre.pcap -c 5 -i en0
tcpdump: listening on en0, link-type EN10MB (Ethernet), capture size 262144 bytes
5 packets captured
5 packets received by filter
0 packets dropped by kernel

8. Read a Captured Packets File

You can read back a pcap file saved earlier with "-r" and view the packets for analysis. The same display options and filter expressions that work on a live capture work on a file.

sh-3.2# tcpdump -r emre.pcap
reading from file emre.pcap, link-type EN10MB (Ethernet)
12:17:32.686523 STP 802.1d, Config, Flags [none], bridge-id 8000.94:fe:22:db:e9:07.8007, length 35
12:17:33.916709 IP 192.168.1.1 > all-systems.mcast.net: igmp query v2
12:17:34.734423 STP 802.1d, Config, Flags [none], bridge-id 8000.94:fe:22:db:e9:07.8007, length 35
12:17:36.493560 IP 192.168.1.27 > 224.0.0.251: igmp v2 report 224.0.0.251
12:17:36.679872 STP 802.1d, Config, Flags [none], bridge-id 8000.94:fe:22:db:e9:07.8007, length 35

9. Print IP addresses instead of host names

In the earlier examples tcpdump resolved addresses to host names (bam-8.nr-data.net, all-systems.mcast.net). With "-n", as shown below, it prints only IP addresses. This is more than cosmetic: the name resolution is performed by tcpdump itself and generates DNS traffic, which is exactly what the "PTR? 27.1.168.192.in-addr.arpa." queries in the first captures are. On a network you are monitoring quietly, those lookups can tip off the other side, and they slow tcpdump down. Use "-nn" to also print port numbers instead of service names (http, https, domain); numeric output is what you want whenever the output is going to be parsed by a script.

sh-3.2# tcpdump -n -i en0
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on en0, link-type EN10MB (Ethernet), capture size 262144 bytes
12:24:08.749646 STP 802.1d, Config, Flags [none], bridge-id 8000.94:fe:22:db:e9:07.8007, length 35
12:24:08.959985 IP6 fe80::447:7b59:2348:b0b8 > fe80::1c3f:8d30:535c:2827: ICMP6, neighbor solicitation, who has fe80::1c3f:8d30:535c:2827, length 32
12:24:09.971222 IP6 fe80::447:7b59:2348:b0b8 > fe80::1c3f:8d30:535c:2827: ICMP6, neighbor solicitation, who has fe80::1c3f:8d30:535c:2827, length 32
12:24:10.695180 STP 802.1d, Config, Flags [none], bridge-id 8000.94:fe:22:db:e9:07.8007, length 35
12:24:10.982405 IP6 fe80::447:7b59:2348:b0b8 > fe80::1c3f:8d30:535c:2827: ICMP6, neighbor solicitation, who has fe80::1c3f:8d30:535c:2827, length 32
5 packets captured
5 packets received by filter
0 packets dropped by kernel
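As an added example (not code from the original article), the script below parses "tcpdump -nn" summary lines into 5-tuples and runs a simple SYN-scan heuristic over them. The sample lines are constructed in the article's output format; the addresses 192.168.1.50 and 203.0.113.10 and the scan itself are invented for the demo. It relies on "-nn" output: with host or service names in the lines the regular expression would not match.

```python
"""Added example, not from the original article: parse `tcpdump -nn` output
lines into 5-tuples and flag sources that send bare SYNs to many ports.
SAMPLE is CONSTRUCTED in tcpdump's summary-line format."""
import re
from collections import defaultdict
from typing import Dict, List, Optional

# timestamp, IPv4 src/dst with trailing ".port", then the TCP flags field
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) IP "
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3})\.(?P<sport>\d+) > "
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3})\.(?P<dport>\d+): "
    r"Flags \[(?P<flags>[^\]]*)\]"
)

SAMPLE = """\
12:28:20.839030 IP 192.168.1.27.51994 > 203.0.113.10.443: Flags [.], ack 1854637093, win 65535, length 0
12:28:20.984595 IP 203.0.113.10.443 > 192.168.1.27.51994: Flags [.], ack 1, win 8039, length 0
12:28:21.000001 IP 192.168.1.50.40000 > 192.168.1.27.22: Flags [S], seq 1, win 1024, length 0
12:28:21.000120 IP 192.168.1.50.40001 > 192.168.1.27.80: Flags [S], seq 1, win 1024, length 0
12:28:21.000240 IP 192.168.1.50.40002 > 192.168.1.27.443: Flags [S], seq 1, win 1024, length 0
12:28:21.000360 IP 192.168.1.50.40003 > 192.168.1.27.3389: Flags [S], seq 1, win 1024, length 0
12:28:21.500000 IP 192.168.1.1 > 224.0.0.1: igmp query v2
"""


def parse_line(line: str) -> Optional[dict]:
    """Return a dict for a TCP summary line, or None for anything else (UDP, IGMP, STP...)."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["sport"], rec["dport"] = int(rec["sport"]), int(rec["dport"])
    return rec


def parse(text: str) -> List[dict]:
    """Parse a whole capture transcript, silently dropping non-TCP lines."""
    return [r for r in (parse_line(line) for line in text.splitlines()) if r]


def syn_scan_sources(records: List[dict], min_ports: int = 3) -> Dict[str, List[int]]:
    """Sources that sent bare SYNs (flags exactly "S") to at least min_ports distinct ports.
    A normal client opens a handful of ports; a port scan fans out across many."""
    ports = defaultdict(set)
    for r in records:
        if r["flags"] == "S":
            ports[r["src"]].add(r["dport"])
    return {src: sorted(p) for src, p in ports.items() if len(p) >= min_ports}


if __name__ == "__main__":
    recs = parse(SAMPLE)
    print(f"parsed {len(recs)} TCP lines")
    for src, scanned in syn_scan_sources(recs).items():
        print(f"possible SYN scan from {src}: ports {scanned}")
```

In practice you would feed it a live pipe ("tcpdump -nn -l -i en0 tcp | python3 script.py"; "-l" makes tcpdump line-buffer its output) and tune min_ports to the network, since a busy client can legitimately open a few ports in quick succession.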

10. Receive only the packets of a specific protocol type

To capture packets of a single protocol, append the protocol name as a filter expression: tcp, udp, icmp, arp, ip6 and so on. The example below keeps only TCP.

sh-3.2# tcpdump -i en0 tcp
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on en0, link-type EN10MB (Ethernet), capture size 262144 bytes
12:28:20.839030 IP 192.168.1.27.51994 > bam-8.nr-data.net.https: Flags [.], ack 1854637093, win 65535, length 0
12:28:20.984595 IP bam-8.nr-data.net.https > 192.168.1.27.51994: Flags [.], ack 1, win 8039, options [nop,nop,TS val 885510874 ecr 504502202], length 0
12:28:25.637721 IP ec2-52-193-208-185.ap-northeast-1.compute.amazonaws.com.https > 192.168.1.27.52394: Flags [P.], seq 1111239979:1111240425, ack 2769554382, win 129, options [nop,nop,TS val 90391868 ecr 507188280], length 446
12:28:25.637733 IP ec2-52-193-208-185.ap-northeast-1.compute.amazonaws.com.https > 192.168.1.27.52394: Flags [P.], seq 446:477, ack 1, win 129, options [nop,nop,TS val 90391868 ecr 507188280], length 31

11. Receive packets on a specific port

You can capture packets on a specific port as shown below. "port 80" matches when either the source or the destination port is 80, regardless of direction; use "src port" or "dst port" to restrict it to one side.

sh-3.2# tcpdump -i en0 port 80

tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on en0, link-type EN10MB (Ethernet), capture size 262144 bytes
12:30:57.596706 IP 46-20-153-67.static.doratelekom.com.http > 192.168.1.27.52432: Flags [F.], seq 2969286565, ack 2487108915, win 679, options [nop,nop,TS val 1000576522 ecr 507361885], length 0
12:30:57.596717 IP 46-20-153-67.static.doratelekom.com.http > 192.168.1.27.52433: Flags [F.], seq 225163397, ack 633557737, win 679, options [nop,nop,TS val 1000576522 ecr 507361674], length 0
12:30:57.596719 IP 46-20-153-67.static.doratelekom.com.http > 192.168.1.27.52444: Flags [F.], seq 676797538, ack 1584940432, win 679, options [nop,nop,TS val 1000576522 ecr 507361674], length 0
12:30:57.596829 IP 192.168.1.27.52432 > 46-20-153-67.static.doratelekom.com.http: Flags [.], ack 1, win 4096, options [nop,nop,TS val 507379121 ecr 1000576522], length 0
12:30:57.596832 IP 192.168.1.27.52433 > 46-20-153-67.static.doratelekom.com.http: Flags [.], ack 1, win 4096, options [nop,nop,TS val 507379121 ecr 1000576522], length 0


12. Capture packets for a specific source IP and port

To capture packets from a given source IP and port, say 192.168.1.27 (the capturing host) and port 80, combine the primitives with "and", as shown below. Replace "src" with "dst" to match on the destination address instead ("dst 8.8.8.8"), or use "host" to match an address in either direction. The full filter syntax is documented in the pcap-filter(7) man page.

sh-3.2# tcpdump -i en0 -c 2 src 192.168.1.27 and port 80
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on en0, link-type EN10MB (Ethernet), capture size 262144 bytes
12:34:51.472298 IP 192.168.1.27.52565 > atlantic364.us.unmetered.com.http: Flags [.], ack 2428549881, win 4096, options [nop,nop,TS val 507612131 ecr 2729663676], length 0
12:34:51.472421 IP 192.168.1.27.52565 > atlantic364.us.unmetered.com.http: Flags [F.], seq 0, ack 1, win 4096, options [nop,nop,TS val 507612131 ecr 2729663676], length 0

13. Capture packets no larger than a given size

The "less N" primitive matches packets whose length is less than or equal to N bytes (equivalent to "len <= N"); "greater N" is the opposite. Note that the command below writes the matching packets to emre.pcap with "-w" rather than reading them, and, with no "-i", it captures on the default interface; the same expression can be applied to an already saved file by combining it with "-r".

tcpdump -w emre.pcap less 1024
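To make the pcap format of sections 6 to 8 and the filter primitives of sections 10 to 13 concrete, here is an added example (not code from the original article) that writes a small pcap file using only the Python standard library, reads it back the way "tcpdump -r" does, and applies filters equivalent to "port 80", "src 192.168.1.27 and port 80", "tcp" and "less 1024". All traffic is constructed: the LAN addresses come from the article, 203.0.113.10 is a TEST-NET-3 address standing in for a remote web server, and the MAC addresses are dummy locally administered ones.

```python
"""Added example, not from the original article: a pure-stdlib pcap writer,
reader and filter mirroring pcap-filter primitives (src, dst, port, tcp/udp, less).
All traffic below is CONSTRUCTED; 203.0.113.10 is a TEST-NET-3 placeholder."""
import socket
import struct
from dataclasses import dataclass
from typing import Iterator, List, Optional

PCAP_MAGIC = 0xA1B2C3D4
LINKTYPE_ETHERNET = 1            # shown by tcpdump as "link-type EN10MB"
ETHERTYPE_IPV4 = 0x0800
IPPROTO_TCP, IPPROTO_UDP = 6, 17


@dataclass
class Packet:
    ts: float
    src: str
    dst: str
    proto: int
    sport: Optional[int]
    dport: Optional[int]
    length: int                  # on-the-wire length (pcap orig_len); what `less`/`greater` test


def ip_checksum(header: bytes) -> int:
    """RFC 791 one's-complement sum over the IPv4 header (checksum field zeroed)."""
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_frame(src: str, dst: str, proto: int, sport: int, dport: int, payload: bytes = b"") -> bytes:
    """Ethernet II + IPv4 + TCP/UDP with dummy MACs; L4 checksums are left at zero."""
    if proto == IPPROTO_TCP:     # 20-byte header, flags PSH|ACK, like the [P.] lines in the article
        l4 = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 65535, 0, 0)
    else:                        # UDP: ports, length, checksum
        l4 = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4) + len(payload), 0x1234, 0x4000,
                     64, proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    ip = ip[:10] + struct.pack("!H", ip_checksum(ip)) + ip[12:]
    eth = bytes.fromhex("020000000001") + bytes.fromhex("020000000002") + struct.pack("!H", ETHERTYPE_IPV4)
    return eth + ip + l4 + payload


def write_pcap(records: List[tuple], snaplen: int = 262144) -> bytes:
    """Serialize (timestamp, frame) pairs as a classic little-endian pcap, like `tcpdump -w`."""
    out = [struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, snaplen, LINKTYPE_ETHERNET)]
    for ts, frame in records:
        captured = frame[:snaplen]   # incl_len is shorter than orig_len when -s truncates
        out.append(struct.pack("<IIII", int(ts), int(round((ts % 1) * 1_000_000)), len(captured), len(frame)))
        out.append(captured)
    return b"".join(out)


def read_pcap(data: bytes) -> Iterator[Packet]:
    """Walk the records and decode Ethernet/IPv4/{TCP,UDP}; other frames are skipped."""
    magic = struct.unpack("<I", data[:4])[0]
    if magic == PCAP_MAGIC:
        end = "<"
    elif magic == 0xD4C3B2A1:    # file was written big-endian
        end = ">"
    else:
        raise ValueError("not a classic pcap file (pcapng is a different format)")
    if struct.unpack(end + "HHiIII", data[4:24])[5] != LINKTYPE_ETHERNET:
        raise ValueError("this example only decodes link-type EN10MB")
    off = 24
    while off + 16 <= len(data):
        sec, usec, incl, orig = struct.unpack(end + "IIII", data[off:off + 16])
        frame = data[off + 16:off + 16 + incl]
        off += 16 + incl
        if len(frame) < 34 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV4:
            continue             # ARP, STP, IPv6 ... not handled here
        ip = frame[14:]
        ihl, proto = (ip[0] & 0x0F) * 4, ip[9]
        sport = dport = None
        if proto in (IPPROTO_TCP, IPPROTO_UDP) and len(ip) >= ihl + 4:
            sport, dport = struct.unpack("!HH", ip[ihl:ihl + 4])
        yield Packet(sec + usec / 1e6, socket.inet_ntoa(ip[12:16]), socket.inet_ntoa(ip[16:20]),
                     proto, sport, dport, orig)


def matches(p: Packet, src=None, dst=None, port=None, proto=None, less=None) -> bool:
    """Equivalent of `src A and dst B and port N and tcp and less L`; omitted parts match."""
    return ((src is None or p.src == src) and (dst is None or p.dst == dst)
            and (port is None or port in (p.sport, p.dport))
            and (proto is None or p.proto == {"tcp": IPPROTO_TCP, "udp": IPPROTO_UDP}[proto])
            and (less is None or p.length <= less))     # `less N` means len <= N


def demo() -> dict:
    host, gw, remote = "192.168.1.27", "192.168.1.1", "203.0.113.10"
    frames = [   # constructed, loosely modelled on the article's captures
        (1.0, build_frame(host, remote, IPPROTO_TCP, 52565, 80, b"GET /bag HTTP/1.1\r\n")),
        (1.1, build_frame(remote, host, IPPROTO_TCP, 80, 52565, b"HTTP/1.1 200 OK\r\n")),
        (1.2, build_frame(host, gw, IPPROTO_UDP, 55704, 53, b"\0" * 43)),
        (1.3, build_frame(host, remote, IPPROTO_TCP, 51995, 443, b"\0" * 1400)),
    ]
    pkts = list(read_pcap(write_pcap(frames)))
    return {"all": len(pkts),
            "port 80": sum(matches(p, port=80) for p in pkts),
            "src 192.168.1.27 and port 80": sum(matches(p, src=host, port=80) for p in pkts),
            "tcp": sum(matches(p, proto="tcp") for p in pkts),
            "less 1024": sum(matches(p, less=1024) for p in pkts)}


if __name__ == "__main__":
    for expr, n in demo().items():
        print(f"{expr:30s} {n} packets")
```

The reader checks the magic number to detect byte order and refuses pcapng, which is what Wireshark writes by default; tcpdump's "-w" produces the classic format shown here. Because "-w" stores the original length alongside the captured length, "less" and "greater" work the same on a truncated ("-s") capture as on a full one.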
