Tcpdump is a command-line utility for capturing and analyzing the traffic passing through your system. It is useful for troubleshooting network issues and for checking what a host is actually sending and receiving.
On Debian or Ubuntu, install tcpdump with:
sudo apt install tcpdump
Capturing packets requires root privileges (or the CAP_NET_RAW and CAP_NET_ADMIN capabilities), which is why every capture command below is run with sudo.
tcpdump accepts many filters to narrow down what it captures, but you can also run it with no filter at all:
sudo tcpdump
or
sudo tcpdump -i any
Without -i, tcpdump captures on the first non-loopback interface it finds; -i any (the long form is --interface any) captures on every interface. Either way, tcpdump keeps capturing until you interrupt it with Ctrl+C.
You can list the available interfaces in two ways:
sudo tcpdump -D
or
sudo tcpdump --list-interfaces
To capture on a specific interface, use -i with the interface name:
sudo tcpdump -i enp1s0
By default, tcpdump resolves IP addresses to hostnames and port numbers to service names. The reverse DNS lookups slow the capture down, hang when no resolver is reachable, and generate DNS traffic of their own from the capturing host, so it is common to disable them with -n (leave addresses numeric) or -nn (leave ports and protocols numeric as well):
sudo tcpdump -n
Tcpdump can filter the captured packets with a filter expression built from a variety of primitives. The most common ones are:
- port
- host
- src
- dst
- tcp
- udp
- icmp
To filter packets by a specific port, use the port filter:
sudo tcpdump -i enp1s0 -n port 22
To capture packets to or from a specific host (host matches either direction), use the host filter:
sudo tcpdump host 10.0.1.25
You can also filter by protocol. For example, to capture only ICMP traffic on the enp1s0 interface:
sudo tcpdump -i enp1s0 -n icmp
Filters can be combined with the logical operators and, or and not. For example, to capture only the ICMP packets sent by one source address (src on its own means src host):
sudo tcpdump -n -i enp1s0 src <source-ip> and icmp
To capture everything except ICMP, use the not operator:
sudo tcpdump not icmp
The same trick is handy when you run tcpdump over an SSH session: add not port 22 so the capture does not fill up with the packets carrying its own output.
Another useful feature is saving the capture to a file with -w. The file is written in pcap format, and since it holds the raw packets rather than tcpdump's printed lines, -n has no effect on its contents:
sudo tcpdump -i enp1s0 -n icmp -w example.pcap
The file is binary, so a text editor will not show anything useful, but tcpdump reads it back with -r (Wireshark opens the same file directly):
sudo tcpdump -n -r example.pcap
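As an added example that is not part of the original article, the following Python script reads a pcap file of the kind -w produces and applies the host, src, dst, port and icmp filters described above in code. It builds its own small capture in memory (constructed, not recorded; the 10.0.1.x addresses, ports and timestamps are made up), so it runs without root or a network interface. The real tcpdump does this work in C with a compiled BPF program; the point here is to make the file layout and the filter semantics visible.

```python
"""Added example: a minimal pcap reader that applies tcpdump-style filters.

Not code from the original article. It shows what a file written with
`tcpdump -w` actually contains (a 24-byte global header followed by a
16-byte record header plus the raw frame for each packet) and how the host,
src, dst, port and icmp filters from the article translate into checks on
packet fields. The capture below is constructed in code, not recorded.
"""
import socket
import struct

PCAP_MAGIC = 0xA1B2C3D4      # little-endian pcap, microsecond timestamps
LINKTYPE_ETHERNET = 1
ETHERTYPE_IPV4 = 0x0800
PROTO_NAMES = {1: "icmp", 6: "tcp", 17: "udp"}


class Packet:
    """Just the fields that tcpdump's common filter primitives test."""

    def __init__(self, ts, proto, src, dst, sport=None, dport=None):
        self.ts, self.proto, self.src, self.dst = ts, proto, src, dst
        self.sport, self.dport = sport, dport


def build_pcap(frames):
    """Global header, then (record header + frame) per packet, as tcpdump -w writes."""
    out = [struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 262144, LINKTYPE_ETHERNET)]
    for ts_sec, frame in frames:
        out.append(struct.pack("<IIII", ts_sec, 0, len(frame), len(frame)) + frame)
    return b"".join(out)


def ipv4_frame(proto, src, dst, payload):
    """Ethernet II + IPv4 (no options) + payload; checksums left at zero."""
    eth = b"\x00" * 12 + struct.pack("!H", ETHERTYPE_IPV4)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                     proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return eth + ip + payload


def decode_frame(ts, frame):
    """Pull protocol, addresses and ports out of one Ethernet/IPv4 frame."""
    (ethertype,) = struct.unpack_from("!H", frame, 12)
    if ethertype != ETHERTYPE_IPV4:
        return Packet(ts, None, None, None)
    ihl = (frame[14] & 0x0F) * 4
    proto = PROTO_NAMES.get(frame[14 + 9])
    src = socket.inet_ntoa(frame[14 + 12:14 + 16])
    dst = socket.inet_ntoa(frame[14 + 16:14 + 20])
    sport = dport = None
    if proto in ("tcp", "udp"):          # both headers start with the two ports
        sport, dport = struct.unpack_from("!HH", frame, 14 + ihl)
    return Packet(ts, proto, src, dst, sport, dport)


def parse_pcap(data):
    """Yield Packet objects from pcap bytes; this is the walk tcpdump -r does."""
    (magic,) = struct.unpack_from("<I", data, 0)
    if magic != PCAP_MAGIC:
        raise ValueError("not a little-endian pcap file")
    linktype = struct.unpack_from("<HHiIII", data, 4)[5]
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError("only Ethernet captures handled here")
    off = 24
    while off + 16 <= len(data):
        ts_sec, _usec, incl_len, _orig_len = struct.unpack_from("<IIII", data, off)
        off += 16
        yield decode_frame(ts_sec, data[off:off + incl_len])
        off += incl_len


# Filter primitives mirroring the tcpdump expressions in the article.
def host(addr): return lambda p: addr in (p.src, p.dst)   # either direction
def src(addr): return lambda p: p.src == addr
def dst(addr): return lambda p: p.dst == addr
def port(n): return lambda p: n in (p.sport, p.dport)
def proto(name): return lambda p: p.proto == name
def and_(a, b): return lambda p: a(p) and b(p)
def or_(a, b): return lambda p: a(p) or b(p)
def not_(a): return lambda p: not a(p)


def apply_filter(data, flt):
    return [p for p in parse_pcap(data) if flt(p)]


# Constructed sample capture: echo request/reply, a SYN to ssh, a DNS query.
SAMPLE_PCAP = build_pcap([
    (1700000000, ipv4_frame(1, "10.0.1.25", "10.0.1.1", b"\x08\x00" + b"\x00" * 6)),
    (1700000001, ipv4_frame(1, "10.0.1.1", "10.0.1.25", b"\x00\x00" + b"\x00" * 6)),
    (1700000002, ipv4_frame(6, "10.0.1.25", "10.0.1.50",
                            struct.pack("!HHIIBBHHH", 51234, 22, 0, 0, 0x50, 0x02, 65535, 0, 0))),
    (1700000003, ipv4_frame(17, "10.0.1.30", "10.0.1.1", struct.pack("!HHHH", 40000, 53, 8, 0))),
])

if __name__ == "__main__":
    for expr, flt in [("src 10.0.1.25 and icmp", and_(src("10.0.1.25"), proto("icmp"))),
                      ("not icmp", not_(proto("icmp"))),
                      ("host 10.0.1.25", host("10.0.1.25"))]:
        for p in apply_filter(SAMPLE_PCAP, flt):
            print(f"{expr:25s} {p.proto:4s} {p.src} -> {p.dst} {p.sport or ''} {p.dport or ''}")
```

Running it prints the packets each expression matches. Note that host matches either direction, which is why host 10.0.1.25 returns three of the four packets while src 10.0.1.25 and icmp returns only the echo request.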
Finally, you can see the contents of the packets by adding -A (print the payload as ASCII) or -X (print it as hex alongside ASCII). On a cleartext protocol such as HTTP this shows the entire request, including any headers, cookies or credentials sent unencrypted:
sudo tcpdump -i enp1s0 -n -A port 80
As you can see, tcpdump is a useful tool for capturing and analyzing network traffic and a worthwhile addition to your standard toolkit.