How to capture and analyze traffic with tcpdump
Network administrators use tcpdump to analyze traffic on Linux systems. Learn how to install and use tcpdump, and how to examine the results of captured traffic.
tcpdump: Linux Network Sniffer Tool
Protocol analyzers, also known as packet sniffers, capture network data for display or analysis by administrators. A capture includes the header information at each layer (physical and logical addresses, ports and flags) as well as transport-layer and application-layer content. Network administrators usually find the header information more useful than the actual data payload.
What is tcpdump?
- The tcpdump utility runs on the Linux command line.
- Tcpdump is a small, text-only tool, so it works well on headless Linux servers, on Linux-based network devices and on IoT nodes that have no GUI. That gives it an advantage over more powerful GUI-based analyzers, such as Wireshark, wherever a GUI is unavailable.
- Tcpdump is also scriptable, so captures can be scheduled (from cron, for example) and run unattended.
Primary reasons network administrators capture packets:
- Security: Captured packets expose whatever is sent in the clear, which matters both during penetration testing and when assessing what a malicious eavesdropper could see.
- Troubleshooting: Header information is useful for troubleshooting everything from DNS to packet filters on routers.
- Auditing: Captures show exactly what is on the network, not just what you think might be on it. Audits verify that only the expected types of network traffic are present.
How to install tcpdump
On Red Hat and similar distributions, type the following command:
# dnf install tcpdump
On Debian and similar distributions, type the following command:
# apt install tcpdump
macOS already ships with tcpdump; Homebrew users can install a newer build with the following command (run it as a normal user, since Homebrew refuses to run as root):
$ brew install tcpdump
1. Start a capture
To get started with tcpdump, type the following command in the Linux terminal:
# tcpdump
- You need root privileges (or sudo) to run tcpdump, because opening an interface for packet capture requires them.
- Tcpdump displays captured packets in real time. This is useful if you know what to look for and there is not a lot of traffic on the interface.
However, it is much more likely that your screen quickly scrolls with nearly incomprehensible information.
2. Stop a capture
- Interrupt the capture with Ctrl+C when this occurs. Tcpdump then prints a summary of how many packets were captured, how many were received by the filter and how many the kernel dropped.
You need a way to display only the information that is useful for your given task.
Options with tcpdump
To narrow the capture and analyze the traffic, tcpdump provides multiple options and a filter expression language.
- Use the -i option to select the interface. To display the available interfaces, type tcpdump -D. Adding -n stops tcpdump from resolving addresses and ports to names, which speeds up the display and avoids sending DNS queries from the capture host.
# tcpdump -i eth0
- Select host information
Specify the source or destination IP addresses you want tcpdump to watch for with the following filter qualifiers (the last two rows are combinations of the src and dst qualifiers).

| Qualifier | Meaning |
|---|---|
| host | Any packets with this host in the source or destination field. |
| src | Any packets with this host in the source field. |
| dst | Any packets with this host in the destination field. |
| src and dst | Any packets with this host in both the source and destination fields. |
| src or dst | Any packets with this host in either the source or the destination field (equivalent to host). |
To capture packets to or from a specific host, type the following command:
# tcpdump -i eth0 host 172.16.0.95
If you want traffic that originates only from 172.16.0.95 , type the following command:
# tcpdump -i eth0 src host 172.16.0.95
Develop more complex filters by combining primitives with the and, or and not operators (quote the expression if it contains characters the shell would interpret).
- Filter by port number
The following captures only packets whose destination port is 25 (SMTP); use port 25 instead to match that port in either direction.
# tcpdump -i eth0 dst port 25
- Write the capture to a file
Use the -w option with a file name to specify a destination. Tcpdump prints nothing per packet while writing to a file; add -v to get a periodic count of packets captured.
# tcpdump -i eth0 -w capture.pcap
Be sure to use the .pcap file extension. The file is binary, in libpcap format, so it is not usable as a text file, and the .pcap extension lets Wireshark recognize and open it. Treat the file as sensitive: it contains every payload that crossed the interface, so restrict its permissions and delete it when the analysis is done.
- View capture results
Now that you have a capture file to work with, you can display the results in two ways: with tcpdump or Wireshark. Tcpdump itself can read the file, but you might find it advantageous to use Wireshark.
To view the file with tcpdump, type the following command (reading a file does not require root privileges):
# tcpdump -r capture.pcap
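As an added example (not code from this article, nor from tcpdump or Wireshark), the following Python script reads the libpcap file format that tcpdump -w writes and applies the same host, src, dst and dst port qualifiers described above, combined with and/or/not, to the decoded packets. It assumes an Ethernet (link type 1) capture carrying IPv4 over TCP or UDP, which is what the commands in this article produce; the capture it parses is a constructed in-memory stand-in for capture.pcap, not real traffic, and the addresses and ports in it are made up for the example.

```python
import struct
from collections import namedtuple
from ipaddress import IPv4Address
from typing import Callable, List

# libpcap constants: the format "tcpdump -w" writes and "tcpdump -r" reads.
PCAP_MAGIC_US, PCAP_MAGIC_NS = 0xA1B2C3D4, 0xA1B23C4D   # us / ns timestamp variants
LINKTYPE_ETHERNET, ETHERTYPE_IPV4 = 1, 0x0800
IPPROTO_TCP, IPPROTO_UDP = 6, 17

Packet = namedtuple("Packet", "ts src dst proto sport dport")
Filter = Callable[[Packet], bool]

def _byte_order(data: bytes):
    """Magic number -> (struct prefix, nanosecond flag). This is why a .pcap is not
    text: the first 4 bytes identify the format and the writer's byte order."""
    if len(data) < 24:
        raise ValueError("too short for a pcap global header")
    for prefix in ("<", ">"):
        (magic,) = struct.unpack(prefix + "I", data[:4])
        if magic in (PCAP_MAGIC_US, PCAP_MAGIC_NS):
            return prefix, magic == PCAP_MAGIC_NS
    raise ValueError("not a pcap file (bad magic number)")

def _decode_frame(ts: float, frame: bytes):
    """Addresses and ports from an Ethernet/IPv4 frame; None for non-IPv4 (ARP, IPv6...)."""
    if len(frame) < 34 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV4:
        return None
    ip = frame[14:]
    if ip[0] >> 4 != 4:
        return None
    ihl, proto = (ip[0] & 0x0F) * 4, ip[9]          # header length includes options
    src, dst = str(IPv4Address(ip[12:16])), str(IPv4Address(ip[16:20]))
    sport = dport = None
    if proto in (IPPROTO_TCP, IPPROTO_UDP) and len(ip) >= ihl + 4:
        sport, dport = struct.unpack("!HH", ip[ihl:ihl + 4])   # ports lead both headers
    return Packet(ts, src, dst, proto, sport, dport)

def parse_pcap(data: bytes) -> List[Packet]:
    """Walk the 24-byte global header, then 16-byte record headers and their frames."""
    prefix, nanos = _byte_order(data)
    linktype = struct.unpack(prefix + "IHHiIII", data[:24])[6]
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError(f"unsupported link type {linktype}")
    packets, off = [], 24
    while off + 16 <= len(data):
        ts_sec, ts_frac, incl_len, _orig = struct.unpack(prefix + "IIII", data[off:off + 16])
        frame = data[off + 16:off + 16 + incl_len]
        if len(frame) != incl_len:
            raise ValueError("truncated packet record")   # e.g. capture killed mid-write
        off += 16 + incl_len
        pkt = _decode_frame(ts_sec + ts_frac / (1e9 if nanos else 1e6), frame)
        if pkt:
            packets.append(pkt)
    return packets

# Filter primitives with the same meaning as the tcpdump qualifiers above.
def host(a: str) -> Filter:      return lambda p: a in (p.src, p.dst)
def src_host(a: str) -> Filter:  return lambda p: p.src == a
def dst_host(a: str) -> Filter:  return lambda p: p.dst == a
def dst_port(n: int) -> Filter:  return lambda p: p.dport == n
def and_(*fs: Filter) -> Filter: return lambda p: all(f(p) for f in fs)
def or_(*fs: Filter) -> Filter:  return lambda p: any(f(p) for f in fs)
def not_(f: Filter) -> Filter:   return lambda p: not f(p)

def select(packets: List[Packet], expr: Filter) -> List[Packet]:
    return [p for p in packets if expr(p)]

def one_liner(p: Packet) -> str:
    """tcpdump-style summary: IP src.port > dst.port"""
    return f"IP {p.src}.{p.sport} > {p.dst}.{p.dport}"

def _tcp_syn(src: str, dst: str, sport: int, dport: int) -> bytes:
    """Constructed Ethernet/IPv4/TCP SYN; checksums left 0 since nothing here verifies them."""
    eth = bytes.fromhex("020000000001" "020000000002") + struct.pack("!H", ETHERTYPE_IPV4)
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x02, 65535, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64, IPPROTO_TCP, 0,
                     IPv4Address(src).packed, IPv4Address(dst).packed)
    return eth + ip + tcp

def build_pcap(frames: List[bytes]) -> bytes:
    """Same little-endian libpcap layout that tcpdump -w produces on x86 hosts."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC_US, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", 1_700_000_000 + i, 0, len(f), len(f)) + f
    return out

# Constructed stand-in for capture.pcap: SMTP from 172.16.0.95 and its reply,
# SMTP from another client, and an HTTPS connection from 172.16.0.95.
SAMPLE_CAPTURE = build_pcap([
    _tcp_syn("172.16.0.95", "10.0.0.5", 51000, 25),
    _tcp_syn("10.0.0.5", "172.16.0.95", 25, 51000),
    _tcp_syn("192.168.1.10", "10.0.0.5", 40000, 25),
    _tcp_syn("172.16.0.95", "10.0.0.7", 51001, 443),
])

if __name__ == "__main__":
    pkts = parse_pcap(SAMPLE_CAPTURE)   # or parse_pcap(open("capture.pcap", "rb").read())
    for p in select(pkts, and_(src_host("172.16.0.95"), dst_port(25))):
        print(one_liner(p))
```

Run as-is it prints IP 172.16.0.95.51000 > 10.0.0.5.25, the one packet in the constructed capture that matches src host 172.16.0.95 and dst port 25; point parse_pcap at a real capture.pcap to run the same filters over tcpdump's output. Feeding it text, or a capture that was cut off mid-write, raises ValueError instead of producing garbage, which is the practical reason to keep .pcap files binary and let tcpdump -r or Wireshark interpret them.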