Skip to main content

Traffic analysis with TCPDUMP on your Ubuntu Shell

Dmitrii Maksimov
  • Updated

Tcpdump is a command line utility that can help you to capture and analyze traffic going through your system as well with troubleshooting network related issues.

Enter the following command to install tcpdump on your Shell:

sudo apt install tcpdump

There are many different filters that you can use to capture traffic, however you can just run

sudo tcpdump --interface

or 

sudo tcpdump --interface any

and tcpdump will capture all packets on every interface:

tcpdump.JPG

Tcpdump will continue capturing packets until you interrupt it with Ctrl+C:

tcpdump2.JPG

You can display all available interfaces with 2 methods:

sudo tcpdump -D

or

sudo tcpdump --list-interfaces

Sample output:

tcpdump3.JPG

In order to capture traffic on a specific interface, use i with the interface name:

sudo tcpdump -i enp1s0

By default, tcpdump resolves ip addresses and ports to hostnames and service names.

If your DNS server is not ready or you don't want to capture hostnames, run:

sudo tcpdump –n

Sample output:

tcpdump4.JPG

 

Tcpdump has an ability to filter the captured packets using a variety of parameters
Here are the most common filters used in tcpdump:

- port
- host
- src
- dst
- tcp
- udp
- icmp

To filter packets by a specific port, use the port filter:

sudo tcpdump -i enp1s0 -n port 22

Sample output:

tcpdump5.JPG

To capture packets related to a specific host, use the host filter:

sudo tcpdump host 10.0.1.25

You can also filter packets based on a protocol. For example, we are going to capture ICMP traffic on the enp1s0 interface:

sudo tcpdump -i enp1s0 -n icmp

Sample output:

tcpdump6.JPG

Tcpdump allows you to combine filters by using logical operators and, or and not.

sudo tcpdump -n -i enp1s0 src *source ip* and icmp

Sample output:

tcpdump7.JPG

To capture all packets, but ICMP - we should use operator not:

sudo tcpdump not icmp

Another useful feature is to save captured information to a file. We can do with an option -w and the output file in a .pcap format:

sudo tcpdump -i enp1s0 -n icmp -w example.pcap

You won't be able to open this file with a text editor, however you can read it with the -r option:

sudo tcpdump -n -r example.pcap

Finally, we can see the content of our packets by adding options -A (for an output in ASCII) or -X (for an output in hex):

sudo tcpdump -i enp1s0 -n -A port 80

 

As you can see, tcpdump is a useful tool for capturing and analyzing network traffic and can be a great addition to your standard software package.

Related articles

Comments

0 comments

Please sign in to leave a comment.