tcpdump is a very useful command to inspect and capture network packets that go into and from your machine. It's one of the most common networking utilities to troubleshoot network problems and security issues.
Although its name is tcpdump but it can be used to inspect non-TCP traffic included UDP, ARP, or ICMP.
Here at Ibmi Media, as part of our Server Management Services, we regularly help our Customers to perform related command line queries on Debian Linux system.
In this context, we shall look into methods to use the tcpdump command in a Linux system.
By default, tcpdump is installed on most Linux distributions. To verify whether the tcpdump is installed or not, run the following command:
$ tcpdump --version
If it has not been installed yet, then run the commands:
$ sudo apt update
$ sudo apt install tcpdump
How to Capture packets on network interfaces ?
When you run tcpdump without any options, it will capture all the packets on all of the network interfaces on your computer:
$ sudo tcpdump
You have to press Ctrl + C to stop.
To list all of the network interfaces that their packets can be inspected by the tcpdump command, run:
$ sudo tcpdump -D
If you want to capture packets on a specific network interface and limits packet to 6, run the following command:
$ sudo tcpdump -i eth0 -c 6
How to Capture network packets on a specific host ?
To capture the packets from a specific host. You can simply run the following command:
$ sudo tcpdump -n host 172.19.11.101 -c 5
How to Capture network packets on a specific port ?
If you want to filter only network packets on a specific port, let's run the tcpdump command with the -n port option:
$ sudo tcpdump -n port 22
How to Capture network packets from source and destination ?
If you want to filter only network packets that come from a specific source, let's run the tcpdump command with the src option:
$ sudo tcpdump src 172.19.11.200
For the purpose of capturing only network packets to a specific destination, run the tcpdump command with the dst option:
$ sudo tcpdump dst 172.19.11.200
How to Capture network packets with many combined filters ?
In order to combine many filters when running the tcpdump command, you can use these operators: and (&&), or (||), not (!). For example, the following command will capture all packets that come from the source 172.19.11.200 via port 22:
$ sudo tcpdump src 172.19.11.200 && -n port 22 -c 5
How to Filter network by a protocol ?
To capture the network packets of a particular protocol, let's specify the protocol name as a command option. For example:
$ sudo tcpdump -n udp
This article covers how to use the tcpdump command for troubleshooting and analyzing the network on your Linux system. tcpdump is the world's premier network analysis tool—combining both power and simplicity into a single command-line interface.
Basically, tcpdump is a valuable tool for anyone looking to get into networking or information security.
The raw way it interfaces with traffic, combined with the precision it offers in inspecting packets make it the best possible tool for learning TCP/IP.
Protocol Analyzers like Wireshark are great, but if you want to truly master packet-fu, you must become one with tcpdump first.