15 tcpdump Command Examples – Resolve Networking Issues
Tcpdump is a network traffic analysis tool that provides a clear image of what is happening on the network, assisting system administrators in troubleshooting network issues. With the exception of Solaris, the majority of Linux/UNIX operating systems ship the tcpdump program out of the box. The snoop command, which is used by the Solaris operating system, accomplishes the same tasks as tcpdump.
The tcpdump command collects TCP/IP packets that are traveling across the network and outputs their contents. It can analyze network traffic data from a file and create a real-time picture of how network communication is happening.
When using a file as input, the file must contain packet data that was captured and saved by the tcpdump command (see the -w option below).
tcpdump command with examples
In this article, we will show you some useful examples which will help you attain a better grasp on how to make the best use of this versatile and powerful tool.
Listen to and report network traffic on all interfaces
To report network traffic on all interfaces that are in the running state on the server, use the tcpdump command without any options.
The tcpdump command will continuously report on network traffic. Press ctrl+c to terminate the output.
Collect Particular Interface report
Perhaps the most common use of the tcpdump command is to listen to network traffic on a specific network interface. To do this we use the -i option with the tcpdump command, followed by the interface name.
If you give the keyword any as the interface name, tcpdump will listen for network traffic on all interfaces.
tcpdump -i ens33
Omit name resolution for host-names and port numbers
The default behavior of tcpdump is to perform name resolution for host names and port numbers, as you can see in the output of the previous example.
To avoid the time spent resolving host names, use the -n option, which instructs tcpdump to print strictly numeric output, i.e. IP addresses and port numbers only.
tcpdump -n -i ens33
Capture only a given number of packets
Tcpdump command continues to capture packets and report them in the output until we cancel it. We can use the -c option with the tcpdump command to limit the number of packets it captures.
In the below example we are capturing only five packets on the network interface ens33.
tcpdump -c 5 -i ens33
List available interfaces
To list the network interfaces on the system available for use by tcpdump, use the -D option.
Notice that USB ports are also included in the output, because tcpdump can listen for the USB protocol on USB interfaces and other special kernel devices.
Display captured packets in ASCII
ASCII is a character encoding format. To display packets captured by tcpdump in ASCII encoding use the -A option with the tcpdump command.
tcpdump -A -c 5 -i ens33
Captured Packets in HEX and ASCII
In case you would like to analyze captured packets in HEX and ASCII format, use the -XX option. When this option is set, tcpdump displays data of each packet, including its link level header in HEX and ASCII format.
tcpdump -XX -c 2 -i ens33
Be more verbose
To increase the level of verbosity in the tcpdump output you can use the -vvv option. This will also report the TTL, total length and options of the IP packets.
tcpdump -vvv -c 2 -i ens33
Traffic on a particular port
You can filter and capture traffic on a single port by specifying the keyword port along with the port number in the tcpdump command.
The below command captures traffic on TCP port 22 only.
tcpdump -c 5 -i ens33 port 22
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ens33, link-type EN10MB (Ethernet), capture size 262144 bytes
.............
5 packets captured
15 packets received by filter
4 packets dropped by kernel
Capture packets aimed at a destination address
You can capture and filter packets being transmitted to a particular destination address, as shown in the below example.
tcpdump dst 192.168.87.144
19 packets captured
40 packets received by filter
15 packets dropped by kernel
The above example captures all traffic that is directed to the IP address 192.168.87.144.
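The three summary lines that tcpdump prints when it exits (packets captured, packets received by filter, packets dropped by kernel) tell you whether the capture is complete: a non-zero "dropped by kernel" count means packets that matched the filter never reached tcpdump, so a capture or a pcap file with drops can silently miss the traffic you were looking for. The following is an added example, not part of the original article: a small POSIX shell script that parses those lines and flags drops. The function names are this example's own, and the summary text is constructed from the output shown in the port 22 example above.

```shell
#!/bin/sh
# Added example (not from the article): read the summary tcpdump prints on
# exit and flag kernel drops. The function names are this example's own; the
# summary text below is constructed from the output shown in the article.

SAMPLE_SUMMARY='5 packets captured
15 packets received by filter
4 packets dropped by kernel'

# received_count: print the "received by filter" number from a summary on stdin.
received_count() {
    awk '/packets received by filter/ { n = $1 } END { print n + 0 }'
}

# drop_count: print the "dropped by kernel" number (0 when the line is absent).
drop_count() {
    awk '/packets dropped by kernel/ { n = $1 } END { print n + 0 }'
}

# drop_percent: integer percentage of filter-matched packets the kernel dropped.
drop_percent() {
    awk '/packets received by filter/ { r = $1 }
         /packets dropped by kernel/  { d = $1 }
         END { if (r + 0 == 0) print 0; else print int(100 * d / r) }'
}

# check_capture: read a summary on stdin; return 0 when nothing was dropped,
# 1 when the kernel dropped packets (the capture is incomplete).
check_capture() {
    summary=$(cat)
    dropped=$(printf '%s\n' "$summary" | drop_count)
    if [ "$dropped" -gt 0 ]; then
        pct=$(printf '%s\n' "$summary" | drop_percent)
        echo "warning: $dropped packets dropped by kernel (${pct}% of packets that matched the filter)"
        return 1
    fi
    echo "ok: no kernel drops"
    return 0
}

# Sample run on the constructed summary; prints the warning and returns 1.
printf '%s\n' "$SAMPLE_SUMMARY" | check_capture ||
    echo "capture incomplete: tighten the filter or reduce per-packet work (for example, add -n)"
```

tcpdump writes the summary to stderr, so in practice you would run something like `tcpdump -n -c 5 -i ens33 port 22 -w ssh_traffic.pcap 2>&1 | check_capture` and treat a non-zero exit as a reason to repeat the capture before drawing conclusions from the file.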
Packets originating from a source IP address
Capture and filter packets originating from a particular source address, as shown in the below example.
tcpdump src 192.168.87.144
Collect particular hostname dump
We can use the tcpdump command to capture communication with a particular host, whether it is the source or the destination of the communication. The below example captures all communication involving the hostname google.com.
tcpdump host google.com
Output to a file
You can store the output of the tcpdump command in a file and retrieve it later for further analysis. To write captured packet information to a file, use the -w option followed by the name of the file the data should be written to.
tcpdump -c 5 port 22 -w ssh_traffic.pcap
Read from a file
To read a packet capture from a file, use the -r option. In the below example we read from the file we wrote in the previous example.
tcpdump -r ssh_traffic.pcap
Setting up custom filters
Use the logical operators and, or and not to build highly customized filters when running the tcpdump command. For example, the following command captures traffic directed at host 192.168.87.144 on ports 22 and 80 only. The parenthesized part is quoted so that the shell passes the parentheses through to tcpdump instead of interpreting them itself.
tcpdump dst host 192.168.87.144 and "(dst port 22 or dst port 80)"
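Building such filter expressions by hand is error-prone once several hosts or ports are involved, and the shell quoting has to be right every time. The script below is an added example, not code from the original article: a POSIX shell helper that composes the same host-and-ports filter from arguments, prints the capture command that writes matching packets to a file with -w (using -n so reverse-DNS lookups neither slow the capture nor send queries for every address observed), and prints the -r command that replays that file. The function names and the output file name web_ssh.pcap are this example's own; the interface, host and ports are the article's values.

```shell
#!/bin/sh
# Added example (not from the article): build a tcpdump filter with the
# and/or logic shown above, and the capture and replay commands that use it.
# build_filter, capture_cmd and read_cmd are names chosen here; the output
# file name is constructed for the example.

# build_filter HOST [PORT ...]
# Prints a filter matching traffic to HOST on any of the given destination
# ports, e.g. "dst host 192.168.87.144 and (dst port 22 or dst port 80)".
# With no ports it reduces to a plain "dst host HOST" filter.
build_filter() {
    host=$1
    shift
    ports=""
    for p in "$@"; do
        if [ -z "$ports" ]; then
            ports="dst port $p"
        else
            ports="$ports or dst port $p"
        fi
    done
    if [ -z "$ports" ]; then
        printf '%s\n' "dst host $host"
    else
        printf '%s\n' "dst host $host and ($ports)"
    fi
}

# capture_cmd IFACE COUNT OUTFILE FILTER
# Prints the command that writes COUNT matching packets from IFACE to OUTFILE.
# The filter is single-quoted so the shell passes the parentheses to tcpdump
# unchanged; -n skips DNS lookups, which keeps the capture fast and avoids
# sending reverse-lookup queries for every address seen.
capture_cmd() {
    printf "tcpdump -n -i %s -c %s -w %s '%s'\n" "$1" "$2" "$3" "$4"
}

# read_cmd FILE
# Prints the command that replays a saved capture, again without name resolution.
read_cmd() {
    printf 'tcpdump -n -r %s\n' "$1"
}

# Sample usage with the article's interface, host and ports.
FILTER=$(build_filter 192.168.87.144 22 80)
CAPTURE=$(capture_cmd ens33 5 web_ssh.pcap "$FILTER")
REPLAY=$(read_cmd web_ssh.pcap)
echo "$CAPTURE"
echo "$REPLAY"

# Run only when tcpdump is installed, the interface exists and we have the
# privilege to open it; otherwise the commands are just printed above.
if command -v tcpdump >/dev/null 2>&1 && [ -d /sys/class/net/ens33 ] && [ "$(id -u)" -eq 0 ]; then
    eval "$CAPTURE" && eval "$REPLAY"
fi
```

Because the capture and replay commands are returned as strings, they can be logged or reviewed before they are executed, which is also the easiest way to catch a filter that the shell would otherwise have mangled.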
This concludes our exploration of the tcpdump command. We hope that you have found the examples useful, and we look forward to your feedback. tcpdump is a great tool for troubleshooting and analyzing network-related issues.