15 tcpdump Command Examples – Resolve Networking Issues
The tcpdump command is a network traffic analysis tool that helps system administrators troubleshoot network problems by presenting a clear picture of what is happening on the network. tcpdump ships with most Linux/UNIX operating systems, the exception being Solaris, which instead provides the snoop command to perform the same functions.
tcpdump works by capturing TCP/IP packets traversing the network and displaying their contents in its output. It can give a real-time picture of how network communication is occurring, and it can also analyse network traffic that was previously saved to a file.
When reading input from a file, that file should contain packets captured earlier with the tcpdump command itself.
tcpdump command with examples
In this article, we will show you some useful examples which will help you attain a better grasp on how to make the best use of this versatile and powerful tool.
Listen to and report network traffic on all interfaces
To report network traffic on all interfaces that are in the running state on the server, run the tcpdump command without any options.
The tcpdump command will keep reporting network traffic until you stop it. Press Ctrl+C to terminate the output.
Collect Particular Interface report
Perhaps the most common use of the tcpdump command is to listen to network traffic on one specific network interface. To do this, use the -i option followed by the interface name.
If you give the keyword any as the interface name, tcpdump will listen to network traffic on all interfaces.
root@arkit-ubuntu:~# tcpdump -i ens33
Omit name resolution for host-names and port numbers
By default tcpdump performs name resolution for host names and port numbers, as is evident from the output of the previous example.
To avoid the time spent resolving host names, use the -n option, which instructs tcpdump to print strictly numeric output in the form of IP addresses and port numbers.
root@arkit-ubuntu:~# tcpdump -n -i ens33
Capture only a given number of packets
By default tcpdump keeps capturing packets and reporting them until we cancel it. The -c option limits the number of packets tcpdump captures before it exits on its own.
In the below example we are capturing only five packets on the network interface ens33.
root@arkit-ubuntu:~# tcpdump -c 5 -i ens33
List available interfaces
To list the network interfaces on the system available for use by tcpdump, use the -D option.
root@arkit-ubuntu:~# tcpdump -D
Notice that USB interfaces are also included in the output, because tcpdump can capture USB protocol traffic from them and from other special kernel devices.
Display captured packets in ASCII
ASCII is a character encoding format. To display the contents of the packets tcpdump captures as ASCII text, use the -A option.
root@arkit-ubuntu:~# tcpdump -A -c 5 -i ens33
Captured Packets in HEX and ASCII
If you would like to analyse captured packets in both hex and ASCII, use the -XX option. With this option set, tcpdump displays the data of each packet, including its link-level header, in hex and ASCII side by side.
root@arkit-ubuntu:~# tcpdump -XX -c 2 -i ens33
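To make the -XX output easier to read, here is a small added example (not code from the article) that renders a byte string in the same layout tcpdump uses: a hex offset, the bytes in 2-byte groups, and the same bytes as ASCII with a dot for anything that is not a graphic character. The byte string is constructed for the demonstration; the row layout is modelled on tcpdump's and is an assumption about its exact spacing.

```python
def hex_ascii_dump(data, width=16):
    """Render bytes in the layout tcpdump -XX uses: a hex offset, the bytes as
    2-byte hex groups, then the same bytes as ASCII with '.' standing in for
    anything that is not a graphic character (spaces included, as tcpdump does).
    Returns one string per row so the result can be tested or reassembled."""
    rows = []
    hex_width = width * 2 + width // 2 - 1      # 8 groups of 4 chars + 7 separators
    for off in range(0, len(data), width):
        chunk = data[off:off + width]
        groups = [chunk[i:i + 2].hex() for i in range(0, len(chunk), 2)]
        text = "".join(chr(b) if 0x21 <= b <= 0x7E else "." for b in chunk)
        rows.append("0x%04x:  %s  %s" % (off, " ".join(groups).ljust(hex_width), text))
    return rows


# Constructed sample: the first four bytes of an IPv4 header (0x45 = version 4,
# IHL 5; total length 0x003c) followed by the start of an HTTP request line.
SAMPLE_BYTES = b"\x45\x00\x00\x3c" + b"GET / HTTP/1.1\r\n"

if __name__ == "__main__":
    print("\n".join(hex_ascii_dump(SAMPLE_BYTES)))
```

Reading the first row from left to right shows why the hex and ASCII columns are both useful: the header bytes are only meaningful in hex (0x45 decodes to IPv4 with a 20-byte header), while the request line is only readable in the ASCII column.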
Be more verbose
To increase the level of verbosity in the tcpdump output, use the -vvv option. This additionally reports the TTL, total length and options of the IP packets.
root@arkit-ubuntu:~# tcpdump -vvv -c 2 -i ens33
Traffic on a particular port
tcpdump can filter and capture traffic on a single port when you give the keyword port followed by the port number on the command line.
The below command captures traffic on tcp port 22 only.
root@arkit-ubuntu:~# tcpdump -c 5 -i ens33 port 22
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ens33, link-type EN10MB (Ethernet), capture size 262144 bytes
.............
5 packets captured
15 packets received by filter
4 packets dropped by kernel
Capture packets aimed at a destination address
You can capture only the packets being sent to a particular destination address, as shown in the example below.
root@arkit-ubuntu:~# tcpdump dst 192.168.87.144
19 packets captured
40 packets received by filter
15 packets dropped by kernel
The above example captured all traffic directed towards the IP address 192.168.87.144.
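The three counters tcpdump prints when it exits deserve a closer look than the article gives them: "dropped by kernel" means packets matched the filter but were lost because the capture buffer filled up before tcpdump read it, so the capture is not a complete record. The following added example (not part of the article) parses those lines and flags an incomplete capture; the sample statistics are constructed to mirror the counts shown above.

```python
import re

# Constructed sample of the statistics tcpdump prints to stderr when it exits.
# The counts are modelled on the article's examples; this is not real output.
SAMPLE_STATS = """\
19 packets captured
40 packets received by filter
15 packets dropped by kernel
"""

# tcpdump prints "1 packet captured" in the singular, hence "packets?".
STAT_RE = re.compile(
    r"^(?P<count>\d+) packets? (?P<kind>captured|received by filter|dropped by kernel)$"
)


def parse_stats(text):
    """Extract tcpdump's three exit counters from captured stderr text.

    Counters that do not appear default to 0, so a drop rate can always be
    computed even from partial output.
    """
    stats = {"captured": 0, "received by filter": 0, "dropped by kernel": 0}
    for line in text.splitlines():
        m = STAT_RE.match(line.strip())
        if m:
            stats[m.group("kind")] = int(m.group("count"))
    return stats


def drop_rate(stats):
    """Share of filter-matching packets the kernel had to discard because the
    capture buffer was full before tcpdump read it (0.0 when nothing arrived)."""
    received = stats["received by filter"]
    return stats["dropped by kernel"] / received if received else 0.0


def assess(text, threshold=0.01):
    """Return (complete, message). complete is False when more than `threshold`
    of the traffic was lost, meaning the capture cannot be trusted as a full
    record of what crossed the wire."""
    stats = parse_stats(text)
    rate = drop_rate(stats)
    if rate > threshold:
        return False, (
            "%d of %d packets dropped by kernel (%.1f%%): capture is incomplete; "
            "reduce per-packet work (-n, -w file instead of decoding to the "
            "terminal, a tighter filter) or enlarge the buffer with -B"
            % (stats["dropped by kernel"], stats["received by filter"], rate * 100)
        )
    return True, "%d packets captured, %d dropped" % (stats["captured"], stats["dropped by kernel"])


if __name__ == "__main__":
    ok, msg = assess(SAMPLE_STATS)
    print("OK" if ok else "WARNING", msg)
```

In a scripted capture you would redirect tcpdump's stderr to a file and feed it to assess() afterwards; the remedies named in the message (the -n and -w options from earlier sections, a narrower filter, and tcpdump's -B option for a larger capture buffer) all reduce the chance that evidence is silently missing.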
Packets originating from a source IP address
You can likewise capture only the packets originating from a particular source address, as shown in the example below.
root@arkit-ubuntu:~# tcpdump src 192.168.87.144
Collect particular hostname dump
We can use tcpdump to capture communication with a particular host, whether that host is the source or the destination of the traffic. The example below captures all communication involving the hostname google.com.
root@arkit-ubuntu:~# tcpdump host google.com
Output to a file
You can store the packets tcpdump captures in a file and retrieve them later for further analysis. To write captured packets to a file, use the -w option followed by the file name.
root@arkit-ubuntu:~# tcpdump -c 5 port 22 -w ssh_traffic.pcap
Read from a file
To read a packet capture from a file, use the -r option. In the example below we read back the file we wrote in the previous example.
root@arkit-ubuntu:~# tcpdump -r ssh_traffic.pcap
Setting up custom filters
Use the logical operators and, or and not to build more specific filters for the tcpdump command. For example, to capture traffic directed at host 192.168.87.144 on ports 22 and 80 only, run the command below. The parentheses must be quoted or escaped so that the shell passes them through to tcpdump instead of interpreting them itself.
root@arkit-ubuntu:~# tcpdump dst host 192.168.87.144 and "(dst port 22 or dst port 80)"
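The last three sections (writing a capture with -w, reading it with -r, and combining filter primitives) fit together in one added example. It is not code from the article: it builds a small pcap file image in memory from constructed Ethernet/IPv4/TCP frames, reads it back the way -r does, and applies predicates that mimic tcpdump's dst host, dst port, host, port, and, or and not keywords, including the article's own filter. The 192.168.87.144 address comes from the article; the 10.0.0.5 peer, the MAC addresses, ports and timestamps are constructed.

```python
import socket
import struct

PCAP_MAGIC = 0xA1B2C3D4      # classic pcap, microsecond timestamps
LINKTYPE_ETHERNET = 1        # reported by tcpdump as "link-type EN10MB (Ethernet)"


def build_frame(src_ip, dst_ip, sport, dport):
    """Constructed Ethernet/IPv4/TCP frame with dummy MAC addresses and zero
    checksums (it is never sent on a wire, so checksums are not needed)."""
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + b"\x08\x00"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0x4000, 64, 6, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 0x50, 0x02, 65535, 0, 0)
    return eth + ip + tcp


def build_pcap(frames):
    """Constructed pcap file image: 24-byte global header, then one record per frame."""
    out = [struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)]
    for i, frame in enumerate(frames):
        out.append(struct.pack("<IIII", 1700000000 + i, 0, len(frame), len(frame)))
        out.append(frame)
    return b"".join(out)


def read_pcap(data):
    """Yield (timestamp, frame) for every record; accepts either byte order."""
    magic = struct.unpack("<I", data[:4])[0]
    if magic == PCAP_MAGIC:
        end = "<"
    elif magic == 0xD4C3B2A1:          # the same magic written big-endian
        end = ">"
    else:
        raise ValueError("not a pcap file (magic %#x)" % magic)
    linktype = struct.unpack(end + "IHHiIII", data[:24])[6]
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError("unsupported link type %d" % linktype)
    off = 24
    while off + 16 <= len(data):
        ts_sec, ts_usec, incl_len, _orig = struct.unpack(end + "IIII", data[off:off + 16])
        off += 16
        yield ts_sec + ts_usec / 1e6, data[off:off + incl_len]
        off += incl_len


def decode(frame):
    """Pull out the fields tcpdump's host/port keywords test. Returns None for
    anything that is not IPv4 carrying TCP or UDP."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        return None
    ihl = (frame[14] & 0x0F) * 4
    proto = frame[23]
    if proto not in (6, 17) or len(frame) < 14 + ihl + 4:
        return None
    sport, dport = struct.unpack("!HH", frame[14 + ihl:14 + ihl + 4])
    return {"proto": "tcp" if proto == 6 else "udp",
            "src host": socket.inet_ntoa(frame[26:30]),
            "dst host": socket.inet_ntoa(frame[30:34]),
            "src port": sport, "dst port": dport}


# Predicates named after the tcpdump filter primitives they imitate.
def src_host(ip): return lambda p: p["src host"] == ip
def dst_host(ip): return lambda p: p["dst host"] == ip
def host(ip):     return lambda p: ip in (p["src host"], p["dst host"])
def src_port(n):  return lambda p: p["src port"] == n
def dst_port(n):  return lambda p: p["dst port"] == n
def port(n):      return lambda p: n in (p["src port"], p["dst port"])
def and_(*fs):    return lambda p: all(f(p) for f in fs)
def or_(*fs):     return lambda p: any(f(p) for f in fs)
def not_(f):      return lambda p: not f(p)


def apply_filter(pcap_bytes, pred):
    """Return the decoded packets that pred accepts, in capture order."""
    return [p for _ts, frame in read_pcap(pcap_bytes)
            for p in [decode(frame)] if p is not None and pred(p)]


# The article's filter: dst host 192.168.87.144 and (dst port 22 or dst port 80)
ARTICLE_FILTER = and_(dst_host("192.168.87.144"), or_(dst_port(22), dst_port(80)))

# Constructed capture: two matching flows, one to a port outside the filter, and
# one reply *from* the host, which "host" would match but "dst host" does not.
SAMPLE_PCAP = build_pcap([
    build_frame("10.0.0.5", "192.168.87.144", 51000, 22),
    build_frame("10.0.0.5", "192.168.87.144", 51001, 80),
    build_frame("10.0.0.5", "192.168.87.144", 51002, 443),
    build_frame("192.168.87.144", "10.0.0.5", 22, 51000),
])

if __name__ == "__main__":
    for p in apply_filter(SAMPLE_PCAP, ARTICLE_FILTER):
        print("%s %s:%d > %s:%d" % (p["proto"], p["src host"], p["src port"],
                                    p["dst host"], p["dst port"]))
```

The fourth frame is the point of the exercise: it belongs to the same SSH conversation as the first, but because it travels from 192.168.87.144 rather than to it, the article's dst host filter excludes it while host 192.168.87.144 and port 22 would keep both directions. Choosing between the directional (src/dst) and non-directional (host/port) primitives is what decides whether a capture contains a complete conversation or only half of it.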
This concludes our exploration of the tcpdump command. We hope that you have found the examples useful, and we look forward to your feedback. tcpdump is a great tool for troubleshooting and analysing network-related issues.