15 tcpdump Command Examples – Resolve Networking Issues

Tcpdump is a network traffic analysis tool that provides a clear image of what is happening on the network, assisting system administrators in troubleshooting network issues. With the exception of Solaris, the majority of Linux/UNIX operating systems ship the tcpdump program out of the box. The snoop command, which is used by the Solaris operating system, accomplishes the same tasks as tcpdump.

The tcpdump command collects TCP/IP packets that are traveling across the network and outputs their contents. It can analyze network traffic data from a file and create a real-time picture of how network communication is happening.

When a file is used as input, it must contain packets that were captured earlier with tcpdump (for example, written with the -w option described below).

tcpdump command with examples

In this article, we will show you some useful examples which will help you attain a better grasp on how to make the best use of this versatile and powerful tool.

Listen to and report network traffic on all interfaces

To report network traffic on all interfaces in running state on the server, use the tcpdump command without any options.

tcpdump

The tcpdump command will continuously report on network traffic. Press ctrl+c to terminate the output.

Collect Particular Interface report

Perhaps the most common usage of the tcpdump command is to listen to network traffic on a particular network interface. To do this we use the -i option with the tcpdump command followed by the interface name.
If you give the keyword any as the interface name, tcpdump will listen for network traffic on all interfaces.

tcpdump -i ens33

Omit name resolution for host-names and port numbers

The default behavior of tcpdump is to perform name resolution for host-names and port numbers, which is evident from the output of our previous example.
To save the time spent resolving host-names, use the -n option to instruct tcpdump to print strictly numeric output, in the form of IP addresses and port numbers only.

tcpdump -n -i ens33

Capture only a given number of packets

The tcpdump command continues to capture packets and report them in the output until we cancel it. We can use the -c option with the tcpdump command to limit the number of packets it captures.

In the below example we are capturing only five packets on the network interface ens33.

tcpdump -c 5 -i ens33

List available interfaces

To list the network interfaces on the system available for use by tcpdump, use the -D option.

tcpdump -D

Notice that USB buses are also included in the output, because tcpdump can capture USB traffic from USB interfaces and from other special kernel devices, not only from network interfaces.

Display captured packets in ASCII

ASCII is a character encoding format. To print the contents of each captured packet in ASCII, use the -A option with the tcpdump command; this is handy for reading clear-text protocols such as HTTP.

tcpdump -A -c 5 -i ens33

Captured Packets in HEX and ASCII

In case you would like to analyze captured packets in HEX and ASCII format, use the -XX option. When this option is set, tcpdump displays data of each packet, including its link level header in HEX and ASCII format.

tcpdump -XX -c 2 -i ens33

Be more verbose

To increase the level of verbosity reported in the tcpdump output you can use the -vvv option. This will report the TTL, total length and options in the IP packets.

tcpdump -vvv -c 2 -i ens33

Traffic on a particular port

You can filter and capture traffic on a single port by specifying the keyword port, followed by the port number, in the tcpdump command.

The below command captures traffic on tcp port 22 only.

tcpdump -c 5 -i ens33 port 22
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ens33, link-type EN10MB (Ethernet), capture size 262144 bytes
.............
5 packets captured
15 packets received by filter
4 packets dropped by kernel
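The three-line summary tcpdump prints on exit is worth reading before trusting a capture: "packets dropped by kernel" counts packets that matched the filter but were discarded because tcpdump could not consume them fast enough, so they are missing from the output or the file. The following Python, an added example that is not part of the article or of tcpdump, parses that summary and flags a capture whose drop ratio is above a threshold. The sample trailer is constructed from the numbers shown above, and the 1% threshold is an arbitrary assumption.

```python
import re

# Constructed sample of the summary tcpdump prints on exit (the numbers from the
# "port 22" run above); not real capture statistics.
SAMPLE_TRAILER = """\
5 packets captured
15 packets received by filter
4 packets dropped by kernel
"""

# tcpdump uses the singular "packet" when the count is 1, so allow both.
TRAILER_RE = re.compile(
    r"^(?P<n>\d+) packets? (?P<what>captured|received by filter|dropped by kernel)$",
    re.MULTILINE,
)


def parse_trailer(text):
    """Return {'captured': n, 'received': n, 'dropped': n} from tcpdump's exit summary.

    Counters that are absent default to 0, so a trailer cut short by terminal
    scrollback still parses.
    """
    stats = {"captured": 0, "received": 0, "dropped": 0}
    for m in TRAILER_RE.finditer(text):
        stats[m.group("what").split()[0]] = int(m.group("n"))
    return stats


def drop_ratio(stats):
    """Fraction of filter-matching packets the kernel had to discard.

    The exact meaning of "received by filter" is platform dependent (tcpdump(1)
    describes it per OS), so treat this as a health indicator, not an exact
    loss figure.
    """
    return stats["dropped"] / stats["received"] if stats["received"] else 0.0


def assess_capture(text, max_drop_ratio=0.01):
    """Flag a capture whose kernel drops exceed max_drop_ratio (assumed 1% here).

    A capture with drops is incomplete evidence: the packet you are looking for
    may simply not be in the file. The usual remedies are -n (no DNS lookups),
    -w (write raw packets instead of decoding to the terminal) and a larger
    capture buffer with -B.
    """
    stats = parse_trailer(text)
    ratio = drop_ratio(stats)
    return {"stats": stats, "drop_ratio": ratio, "ok": ratio <= max_drop_ratio}


if __name__ == "__main__":
    print(assess_capture(SAMPLE_TRAILER))
```

Run it as is to see the verdict for the sample, or pipe tcpdump's stderr into it (tcpdump writes the summary to standard error, not standard output). Drops of 4 out of 15 packets, as in the example above, mean that more than a quarter of the matching traffic never reached tcpdump.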

Capture packets aimed at a destination address

You can capture only the packets being transmitted to a particular destination address, as shown in the below example.

tcpdump dst 192.168.87.144

19 packets captured
40 packets received by filter
15 packets dropped by kernel

The above example captured all traffic directed towards IP address 192.168.87.144.

Packets originating from a source IP address

Capture and filter out packets originating from a particular source address as shown in the below example.

tcpdump src 192.168.87.144

Collect particular hostname dump

We can use the tcpdump command to capture communication with a particular host, whether it is the source or the destination of the communication. The below example captures all communication related to the hostname google.com. Note that tcpdump resolves the hostname to its IP addresses once, when the filter is compiled, so the filter matches those addresses rather than the name itself.

tcpdump host google.com

Output to a file

You can store the output of the tcpdump command in a file and retrieve it later for further analysis. To write captured packet information to a file we use the -w option followed by the name of the file to which the data is to be written.

tcpdump -c 5 port 22 -w ssh_traffic.pcap

Read from a file

To read a packet capture from a file we use the -r option. In the below example we read from the file we wrote earlier.

tcpdump -r ssh_traffic.pcap

Setting up custom filters

Use the logical operators and, or and not to build very specific filters while running the tcpdump command. For example, run the tcpdump command as follows to capture traffic directed at host 192.168.87.144 on ports 22 and 80 only. The parentheses are quoted so that the shell passes them to tcpdump unchanged.

tcpdump dst host 192.168.87.144 and "(dst port 22 or dst port 80)"
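The port, dst, src, host and combined filters above all use the same small grammar: an optional direction (src, dst), an optional type (host, port), a value, and the operators and, or and not with parentheses. The following Python, an added example that is not part of the article or of tcpdump, re-implements that subset and evaluates the article's filters offline against constructed tcpdump -n output lines, so the effect of each filter can be checked without root or a live interface. It goes slightly beyond the examples above by also handling pcap's qualifier inheritance, where "dst port 22 or 80" means "dst port 22 or dst port 80". The sample lines and addresses are constructed.

```python
import re

# Constructed sample of "tcpdump -n -i ens33" output (TCP, UDP/DNS, ICMP lines);
# not captured from a real network.
SAMPLE_OUTPUT = """\
12:00:01.000001 IP 192.168.87.1.51234 > 192.168.87.144.22: Flags [S], seq 1, win 64240, length 0
12:00:01.000002 IP 192.168.87.144.22 > 192.168.87.1.51234: Flags [S.], seq 0, ack 2, win 65160, length 0
12:00:01.000003 IP 192.168.87.1.51235 > 192.168.87.144.80: Flags [S], seq 5, win 64240, length 0
12:00:01.000004 IP 10.0.0.5.40000 > 192.168.87.144.22: Flags [P.], seq 1:10, ack 1, win 502, length 9
12:00:01.000005 IP 192.168.87.1.33000 > 192.168.87.144.53: 12345+ A? example.com. (29)
12:00:01.000006 IP 10.0.0.5 > 192.168.87.144: ICMP echo request, id 7, seq 1, length 64
"""

LINE_RE = re.compile(r"^\S+ IP (?P<src>\S+) > (?P<dst>\S+):")
# With -n an endpoint prints as "a.b.c.d.port"; ICMP lines carry no port.
ENDPOINT_RE = re.compile(r"^(?P<addr>\d{1,3}(?:\.\d{1,3}){3})(?:\.(?P<port>\d+))?$")
OPERATORS = {"(", ")", "and", "or", "not", "&&", "||", "!"}


def parse_endpoint(text):
    """'192.168.87.144.22' -> ('192.168.87.144', 22); '10.0.0.5' -> ('10.0.0.5', None)."""
    m = ENDPOINT_RE.match(text)
    if not m:
        raise ValueError("unrecognised endpoint %r" % text)
    return m.group("addr"), (int(m.group("port")) if m.group("port") else None)


def parse_line(line):
    """Return src/dst address and port for one IPv4 summary line, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    (src, sport), (dst, dport) = parse_endpoint(m.group("src")), parse_endpoint(m.group("dst"))
    return {"src": src, "sport": sport, "dst": dst, "dport": dport}


def compile_filter(expr):
    """Compile "[src|dst] [host|port] value" joined by and/or/not and parentheses
    into a predicate over parse_line() dicts (recursive descent, pcap precedence)."""
    tokens = re.findall(r"\(|\)|[^\s()]+", expr)
    pos = [0]
    last = {"dir": None, "type": "host"}  # pcap defaults: either direction, host

    def peek():
        return tokens[pos[0]] if pos[0] < len(tokens) else None

    def take():
        pos[0] += 1
        return tokens[pos[0] - 1]

    def primitive():
        direction = take() if peek() in ("src", "dst") else None
        kind = take() if peek() in ("host", "port") else None
        if peek() is None or peek() in OPERATORS:
            raise ValueError("expected a host or port value in %r" % expr)
        value = take()
        if direction is None and kind is None:  # bare value: inherit "dst port" etc.
            direction, kind = last["dir"], last["type"]
        kind = kind or "host"
        last["dir"], last["type"] = direction, kind
        if kind == "port":
            value = int(value)
            fields = {"src": ("sport",), "dst": ("dport",), None: ("sport", "dport")}[direction]
        else:
            fields = {"src": ("src",), "dst": ("dst",), None: ("src", "dst")}[direction]
        return lambda pkt: any(pkt[f] == value for f in fields)

    def factor():
        if peek() in ("not", "!"):
            take()
            inner = factor()
            return lambda pkt: not inner(pkt)
        if peek() == "(":
            take()
            inner = expression()
            if peek() != ")":
                raise ValueError("missing ')' in %r" % expr)
            take()
            return inner
        return primitive()

    def term():  # "and" binds tighter than "or"
        preds = [factor()]
        while peek() in ("and", "&&"):
            take()
            preds.append(factor())
        return lambda pkt: all(p(pkt) for p in preds)

    def expression():
        preds = [term()]
        while peek() in ("or", "||"):
            take()
            preds.append(term())
        return lambda pkt: any(p(pkt) for p in preds)

    pred = expression()
    if peek() is not None:
        raise ValueError("unexpected %r in %r" % (peek(), expr))
    return pred


def apply_filter(expr, output=SAMPLE_OUTPUT):
    """Return the output lines the filter expression would have kept."""
    pred = compile_filter(expr)
    packets = ((line, parse_line(line)) for line in output.splitlines())
    return [line for line, pkt in packets if pkt is not None and pred(pkt)]
```

Calling apply_filter("dst host 192.168.87.144 and (dst port 22 or dst port 80)") keeps the three sample lines bound for ports 22 and 80 on that host and drops the DNS and ICMP lines, which is exactly what the last command above does on a live interface. Only IPv4 host and port primitives are implemented; real tcpdump also understands protocol qualifiers (tcp, udp, icmp), networks (net) and many more, so this is a teaching model of the filter semantics, not a replacement for the kernel-side BPF filter.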

Conclusion

This concludes our exploration of the tcpdump command. We hope that you've found the examples useful, and we look forward to your feedback. The tcpdump command is a great tool for troubleshooting and analyzing network related issues.


Sahil Suri

I am a system administrator who loves to learn and share my knowledge with the community. I've been working in the IT industry since 2011.

2 Responses

  1. Vinod says:

    Wow, what an article! It gives me an immense opportunity to crack any interview at a reputed company.

  2. Patrick says:

    This is the best Linux blog. Please add a donate button. I would love to donate some.
