tcpdump command in Linux with examples
In this article, we will learn how to install tcpdump and use its most useful commands, with examples. tcpdump is a sniffer (packet analyzer) tool that captures and filters the TCP/IP packets sent or received over a network on a specific interface.
To check whether the package is installed using yum
Run the following yum command to check whether the tcpdump package is already installed.
[user1@linuxhelp ~]$ yum info tcpdump
Yum command has been deprecated, redirecting to '/usr/bin/dnf info tcpdump'.
See 'man dnf' and 'man yum2dnf' for more information.
To transfer transaction metadata from yum to DNF, run:
'dnf install python-dnf-plugins-extras-migrate && dnf-2 migrate'
Fedora 22 - x86_64 192 kB/s | 41 MB 03:40
Fedora 22 - x86_64 - Updates 203 kB/s | 22 MB 01:50
Last metadata expiration check performed 0:01:26 ago on Fri Apr 1 00:17:03 2016.
Installed Packages
Name : tcpdump
Arch : x86_64
Epoch : 14
Version : 4.7.4
Release : 1.fc22
Size : 992 k
Repo : @System
Summary : A network traffic monitoring tool
URL : http://www.tcpdump.org
License : BSD with advertising
Description : Tcpdump is a command-line tool for monitoring network traffic.
: Tcpdump can capture and display the packet headers on a particular
: network interface or on all interfaces. Tcpdump can display all
: of the packet headers, or just the ones that match particular
: criteria.
:
: Install tcpdump if you need a program to monitor network traffic.
Available Packages
Name : tcpdump
Arch : x86_64
Epoch : 14
Version : 4.7.4
Release : 2.fc22
Size : 407 k
Repo : updates
Summary : A network traffic monitoring tool
URL : http://www.tcpdump.org
License : BSD with advertising
Description : Tcpdump is a command-line tool for monitoring network traffic.
: Tcpdump can capture and display the packet headers on a particular
: network interface or on all interfaces. Tcpdump can display all
: of the packet headers, or just the ones that match particular
: criteria.
:
: Install tcpdump if you need a program to monitor network traffic
To Install tcpdump in Linux
Run the following command to install tcpdump.
[root@linuxhelp ~]# yum install tcpdump
Yum command has been deprecated, redirecting to '/usr/bin/dnf install tcpdump'.
See 'man dnf' and 'man yum2dnf' for more information.
To transfer transaction metadata from yum to DNF, run:
'dnf install python-dnf-plugins-extras-migrate && dnf-2 migrate'
Last metadata expiration check performed 0:33:57 ago on Fri Apr 1 00:04:55 2016.
Dependencies resolved.
================================================================================
Package Arch Version Repository Size
================================================================================
Installing:
tcpdump x86_64 14:4.7.4-2.fc22 updates 407 k
Transaction Summary
================================================================================
Install 1 Package
Total download size: 407 k
Installed size: 992 k
Is this ok [y/N]: y
Downloading Packages:
tcpdump-4.7.4-2.fc22.x86_64.rpm 138 kB/s | 407 kB 00:02
--------------------------------------------------------------------------------
Total 88 kB/s | 407 kB 00:04
Running transaction check
Transaction check succeeded.
Running transaction test
Transaction test succeeded.
Running transaction
Installing : tcpdump-14:4.7.4-2.fc22.x86_64 1/1
Verifying : tcpdump-14:4.7.4-2.fc22.x86_64 1/1
Installed:
tcpdump.x86_64 14:4.7.4-2.fc22
Complete!
The installation of tcpdump is now complete.
1. To Capture Packets from Specific Interface
Run the following tcpdump command. Without an interface argument it captures from all interfaces; with the -i switch it captures only from the desired interface.
[root@linuxhelp ~]# tcpdump -i eno16777736
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eno16777736, link-type EN10MB (Ethernet), capture size 262144 bytes
00:40:26.286504 STP 802.1w, Rapid STP, Flags [Proposal, Learn, Forward, Agreement], bridge-id 8000.00:1b:25:81:5a:e0.800a, length 47
00:40:27.405682 ARP, Request who-has 192.168.7.10 tell gateway, length 46
00:40:27.425611 IP linuxhelp.56221 > google-public-dns-a.google.com.domain: 23171+ PTR? 10.7.168.192.in-addr.arpa. (43)
00:40:27.500565 IP google-public-dns-a.google.com.domain > linuxhelp.56221: 23171 NXDomain 0/0/0 (43)
00:40:27.563699 IP linuxhelp.35980 > google-public-dns-a.google.com.domain: 62302+ PTR? 1.7.168.192.in-addr.arpa. (42)
00:40:27.592969 IP google-public-dns-a.google.com.domain > linuxhelp.35980: 62302 NXDomain 0/0/0 (42)
2. To Capture Only N Number of Packets
The -c option captures only the specified number of packets and then exits. In this example it captures 5 packets.
[root@linuxhelp ~]# tcpdump -c 5 -i eno16777736
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eno16777736, link-type EN10MB (Ethernet), capture size 262144 bytes
00:42:39.288255 STP 802.1w, Rapid STP, Flags [Proposal, Learn, Forward, Agreement], bridge-id 8000.00:1b:25:81:5a:e0.800a, length 47
00:42:39.306262 ARP, Request who-has 192.168.7.10 tell gateway, length 46
00:42:39.307594 IP linuxhelp.56610 > google-public-dns-a.google.com.domain: 40093+ PTR? 10.7.168.192.in-addr.arpa. (43)
00:42:39.312386 IP google-public-dns-a.google.com.domain > linuxhelp.56610: 40093 NXDomain 0/0/0 (43)
00:42:39.314377 IP linuxhelp.46260 > google-public-dns-a.google.com.domain: 52656+ PTR? 1.7.168.192.in-addr.arpa. (42)
5 packets captured
10 packets received by filter
1 packet dropped by kernel
3. To Print Captured Packets in ASCII
Run the following command to display the captured packets in ASCII format for a particular interface.
[root@linuxhelp ~]# tcpdump -A -i eno16777736
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eno16777736, link-type EN10MB (Ethernet), capture size 262144 bytes
00:44:11.986239 STP 802.1w, Rapid STP, Flags [Proposal, Learn, Forward, Agreement], bridge-id 8000.00:1b:25:81:5a:e0.800a, length 47
BB.....~.....t.....@....%.Z..
....................
00:44:14.001158 STP 802.1w, Rapid STP, Flags [Proposal, Learn, Forward, Agreement], bridge-id 8000.00:1b:25:81:5a:e0.800a, length 47
BB.....~.....t.....@....%.Z..
....................
00:44:15.785089 ARP, Request who-has 192.168.7.4 tell gateway, length 46
........ google-public-dns-a.google.com.domain: 22113+ PTR? 4.7.168.192.in-addr.arpa. (42)
E..F..@.@.En...........5.2..Va...........4.7.168.192.in-addr.arpa.....
00:44:15.794482 IP google-public-dns-a.google.com.domain > linuxhelp.41715: 22113 NXDomain 0/0/0 (42)
E..F....9..W.........5...2 .Va...........4.7.168.192.in-addr.arpa.....
00:44:15.796887 IP linuxhelp.52090 > google-public-dns-a.google.com.domain: 20803+ PTR? 1.7.168.192.in-addr.arpa. (42)
E..F..@.@.Ed.........z.5.2..QC...........1.7.168.192.in-addr.arpa.....
00:44:15.802543 IP google-public-dns-a.google.com.domain > linuxhelp.52090: 20803 NXDomain 0/0/0 (42)
E..Fg_..9.B..........5.z.2.LQC...........1.7.168.192.in-addr.arpa.....
00:44:15.803429 IP linuxhelp.34753 > google-public-dns-a.google.com.domain: 35+ PTR? 8.8.8.8.in-addr.arpa. (38)
E..B..@.@.Ed...........5.....#...........8.8.8.8.in-addr.arpa.....
00:44:15.847515 IP google-public-dns-a.google.com.domain > linuxhelp.34753: 35 1/0/0 PTR google-public-dns-a.google.com. (82)
..
..
..
19 packets captured
20 packets received by filter
1 packet dropped by kernel
4. To Display Available Interfaces
Run the following command to list the available interfaces on the system.
[root@linuxhelp ~]# tcpdump -D
1.eno16777736 [Up, Running]
2.any (Pseudo-device that captures on all interfaces) [Up, Running]
3.lo [Up, Running, Loopback]
4.nflog (Linux netfilter log (NFLOG) interface)
5.nfqueue (Linux netfilter queue (NFQUEUE) interface)
6.usbmon1 (USB bus number 1)
7.usbmon2 (USB bus number 2)
5. To Display Captured Packets in HEX and ASCII
Run the following command to display captured packets in HEX and ASCII, including the link-layer (Ethernet) header.
[root@linuxhelp ~]# tcpdump -XX -i eno16777736
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eno16777736, link-type EN10MB (Ethernet), capture size 262144 bytes
00:49:06.201113 STP 802.1w, Rapid STP, Flags [Proposal, Learn, Forward, Agreement], bridge-id 8000.00:1b:25:81:5a:e0.800a, length 47
0x0000: 0180 c200 0000 001b 2581 5ae1 0027 4242 ........%.Z..' BB
0x0010: 0300 0002 027e 8000 0018 b074 a080 0000 .....~.....t....
0x0020: 9c40 8000 001b 2581 5ae0 800a 0200 1400 .@....%.Z.......
0x0030: 0200 0f00 0000 0000 0000 0000 0000 0000 ................
00:49:08.215923 STP 802.1w, Rapid STP, Flags [Proposal, Learn, Forward, Agreement], bridge-id 8000.00:1b:25:81:5a:e0.800a, length 47
0x0000: 0180 c200 0000 001b 2581 5ae1 0027 4242 ........%.Z..' BB
0x0010: 0300 0002 027e 8000 0018 b074 a080 0000 .....~.....t....
0x0020: 9c40 8000 001b 2581 5ae0 800a 0200 1400 .@....%.Z.......
0x0030: 0200 0f00 0000 0000 0000 0000 0000 0000 ................
00:49:09.172437 IP 192.168.7.100.netbios-dgm > 192.168.7.255.netbios-dgm: NBT UDP PACKET(138)
..
..
..
12 packets captured
13 packets received by filter
1 packet dropped by kernel
6. Capture and save packet in a file
The tcpdump command with the -w option captures packets and saves them to a file in .pcap format.
[root@linuxhelp ~]# tcpdump -w 0001.pcap -i eno16777736
tcpdump: listening on eno16777736, link-type EN10MB (Ethernet), capture size 262144 bytes
^C133 packets captured
133 packets received by filter
0 packets dropped by kernel
7. Read the capture packet files
The -r option is used to read captured packets back from a file with tcpdump.
[root@linuxhelp ~]# tcpdump -r 0001.pcap
reading from file 0001.pcap, link-type EN10MB (Ethernet)
00:50:57.035081 STP 802.1w, Rapid STP, Flags [Proposal, Learn, Forward, Agreement], bridge-id 8000.00:1b:25:81:5a:e0.800a, length 47
00:50:59.050502 STP 802.1w, Rapid STP, Flags [Proposal, Learn, Forward, Agreement], bridge-id 8000.00:1b:25:81:5a:e0.800a, length 47
00:51:01.065405 STP 802.1w, Rapid STP, Flags [Proposal, Learn, Forward, Agreement], bridge-id 8000.00:1b:25:81:5a:e0.800a, length 47
00:51:01.368005 ARP, Request who-has 192.168.7.10 tell gateway, length 46
00:51:02.169447 IP linuxhelp.48560 > 123.108.200.124.ntp: NTPv4, Client, length 48
00:51:02.202474 IP 123.108.200.124.ntp > linuxhelp.48560: NTPv4, Server, length 48
00:51:02.267281 ARP, Request who-has 192.168.7.10 tell gateway, length 46
00:51:03.080635 STP 802.1w, Rapid STP, Flags [Proposal, Learn, Forward, Agreement], bridge-id 8000.00:1b:25:81:5a:e0.800a, length 47
00:51:03.167307 ARP, Request who-has 192.168.7.10 tell gateway, length 46
00:51:03.442925 ARP, Request who-has 192.168.7.19 tell gateway, length 46
8. Capture the ip address packets
The -n option prints IP addresses numerically instead of resolving them to host names (compare "tell 192.168.7.1" below with "tell gateway" in the earlier captures).
[root@linuxhelp ~]# tcpdump -n -i eno16777736
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eno16777736, link-type EN10MB (Ethernet), capture size 262144 bytes
00:55:16.992353 STP 802.1w, Rapid STP, Flags [Proposal, Learn, Forward, Agreement], bridge-id 8000.00:1b:25:81:5a:e0.800a, length 47
00:55:19.007421 STP 802.1w, Rapid STP, Flags [Proposal, Learn, Forward, Agreement], bridge-id 8000.00:1b:25:81:5a:e0.800a, length 47
00:55:21.022413 STP 802.1w, Rapid STP, Flags [Proposal, Learn, Forward, Agreement], bridge-id 8000.00:1b:25:81:5a:e0.800a, length 47
00:55:23.037582 STP 802.1w, Rapid STP, Flags [Proposal, Learn, Forward, Agreement], bridge-id 8000.00:1b:25:81:5a:e0.800a, length 47
00:55:25.052765 STP 802.1w, Rapid STP, Flags [Proposal, Learn, Forward, Agreement], bridge-id 8000.00:1b:25:81:5a:e0.800a, length 47
00:55:27.067934 STP 802.1w, Rapid STP, Flags [Proposal, Learn, Forward, Agreement], bridge-id 8000.00:1b:25:81:5a:e0.800a, length 47
00:55:28.071566 LLDP, length 50
00:55:29.083144 STP 802.1w, Rapid STP, Flags [Proposal, Learn, Forward, Agreement], bridge-id 8000.00:1b:25:81:5a:e0.800a, length 47
00:55:31.098453 STP 802.1w, Rapid STP, Flags [Proposal, Learn, Forward, Agreement], bridge-id 8000.00:1b:25:81:5a:e0.800a, length 47
00:55:33.113424 STP 802.1w, Rapid STP, Flags [Proposal, Learn, Forward, Agreement], bridge-id 8000.00:1b:25:81:5a:e0.800a, length 47
00:55:34.341605 ARP, Request who-has 192.168.7.10 tell 192.168.7.1, length 46
00:55:34.942530 ARP, Request who-has 192.168.7.10 tell 192.168.7.1, length 46
00:55:35.128633 STP 802.1w, Rapid STP, Flags [Proposal, Learn, Forward, Agreement], bridge-id 8000.00:1b:25:81:5a:e0.800a, length 47
00:55:35.841175 ARP, Request who-has 192.168.7.10 tell 192.168.7.1, length 46
00:55:36.263662 IP6 fe80::8dab:6585:c67e:357c.dhcpv6-client > ff02::1:2.dhcpv6-server: dhcp6 solicit
00:55:36.343171 ARP, Request who-has 192.168.7.1 tell 192.168.7.100, length 46
00:55:36.344498 ARP, Reply 192.168.7.1 is-at 3c:61:04:6c:d6:81, length 46
00:55:36.344512 IP 192.168.7.100.51865 > 211.36.85.142.http: Flags [S], seq 307814593, win 8192, options [mss 1460,nop,wscale 2,nop,nop,sackOK], length 0
00:55:36.451594 IP 211.36.85.142.http > 192.168.7.100.51865: Flags [S.], seq 1664764182, ack 307814594, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
9. Capture only tcp packets
Execute the following command to capture only TCP packets.
[root@linuxhelp ~]# tcpdump -ieno16777736 tcp
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eno16777736, link-type EN10MB (Ethernet), capture size 262144 bytes
00:58:44.863484 IP linuxhelp.54387 > 67.219.144.68.https: Flags [S], seq 2025087156, win 29200, options [mss 1460,sackOK,TS val 3627063 ecr 0,nop,wscale 7], length 0
00:58:45.167197 IP 67.219.144.68.https > linuxhelp.54387: Flags [S.], seq 4104622327, ack 2025087157, win 28960, options [mss 1460,sackOK,TS val 3692792509 ecr 3627063,nop,wscale 7], length 0
00:58:45.167268 IP linuxhelp.54387 > 67.219.144.68.https: Flags [.], ack 1, win 229, options [nop,nop,TS val 3627367 ecr 3692792509], length 0
00:58:45.168508 IP linuxhelp.54387 > 67.219.144.68.https: Flags [P.], seq 1:524, ack 1, win 229, options [nop,nop,TS val 3627368 ecr 3692792509], length 523
00:58:45.465549 IP 67.219.144.68.https > linuxhelp.54387: Flags [.], ack 524, win 235, options [nop,nop,TS val 3692792816 ecr 3627368], length 0
00:58:45.487819 IP 67.219.144.68.https > linuxhelp.54387: Flags [.], seq 1:1449, ack 524, win 235, options [nop,nop,TS val 3692792837 ecr 3627368], length 1448
00:58:45.487873 IP linuxhelp.54387 > 67.219.144.68.https: Flags [.], ack 1449, win 251, options [nop,nop,TS val 3627688 ecr 3692792837], length 0
10. Capture packets from the specific port
You can also capture packets on a specific port. I have traced port 80.
[root@linuxhelp ~]# tcpdump -i eno16777736 port 80
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eno16777736, link-type EN10MB (Ethernet), capture size 262144 bytes
01:13:15.572243 IP linuxhelp.44881 > maa03s21-in-f14.1e100.net.http: Flags [S], seq 869106173, win 29200, options [mss 1460,sackOK,TS val 4497772 ecr 0,nop,wscale 7], length 0
01:13:15.578374 IP maa03s21-in-f14.1e100.net.http > linuxhelp.44881: Flags [S.], seq 2676153723, ack 869106174, win 42540, options [mss 1430,sackOK,TS val 503333759 ecr 4497772,nop,wscale 7], length 0
01:13:15.578410 IP linuxhelp.44881 > maa03s21-in-f14.1e100.net.http: Flags [.], ack 1, win 229, options [nop,nop,TS val 4497778 ecr 503333759], length 0
01:13:15.588216 IP linuxhelp.44881 > maa03s21-in-f14.1e100.net.http: Flags [P.], seq 1:438, ack 1, win 229, options [nop,nop,TS val 4497788 ecr 503333759], length 437: HTTP: POST /ocsp HTTP/1.1
01:13:15.594609 IP maa03s21-in-f14.1e100.net.http > linuxhelp.44881: Flags [.], ack 438, win 341, options [nop,nop,TS val 503333775 ecr 4497788], length 0
01:13:15.629772 IP maa03s21-in-f14.1e100.net.http > linuxhelp.44881: Flags [P.], seq 1:747, ack 438, win 341, options [nop,nop,TS val 503333808 ecr 4497788], length 746: HTTP: HTTP/1.1 200 OK
01:13:15.629830 IP linuxhelp.44881 > maa03s21-in-f14.1e100.net.http: Flags [.], ack 747, win 240, options [nop,nop,TS val 4497830 ecr 503333808], length 0
01:13:16.997685 IP linuxhelp.34640 > 117.18.237.29.http: Flags [S], seq 69239109, win 29200, options [mss 1460,sackOK,TS val 4499198 ecr 0,nop,wscale 7], length 0
11. Capture packets from the source ip address
To trace packets from a specific source IP address, execute the following command.
[root@linuxhelp ~]# tcpdump -i eno16777736 src 192.168.7.141
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eno16777736, link-type EN10MB (Ethernet), capture size 262144 bytes
01:17:12.871928 IP linuxhelp.45969 > a23-211-135-8.deploy.static.akamaitechnologies.com.http: Flags [.], ack 3991592143, win 455, options [nop,nop,TS val 4735072 ecr 2174831350], length 0
01:17:12.873286 IP linuxhelp.35340 > google-public-dns-a.google.com.domain: 5301+ PTR? 8.135.211.23.in-addr.arpa. (43)
01:17:12.967939 IP linuxhelp.60240 > 67-231-249-134.static.as40244.net.http: Flags [.], ack 3454335038, win 773, options [nop,nop,TS val 4735168 ecr 64841543], length 0
01:17:12.968144 IP linuxhelp.60251 > 67-231-249-134.static.as40244.net.http: Flags [.], ack 3936492921, win 479, options [nop,nop,TS val 4735168 ecr 64841545], length 0
01:17:12.999981 IP linuxhelp.52731 > google-public-dns-a.google.com.domain: 26508+ PTR? 141.7.168.192.in-addr.arpa. (44)
01:17:13.000949 IP linuxhelp.60238 > 67-231-249-134.static.as40244.net.http: Flags [.], ack 287352718, win 753, options [nop,nop,TS val 4735201 ecr 64841548], length 0
01:17:13.006947 IP linuxhelp.55656 > google-public-dns-a.google.com.domain: 51882+ PTR? 8.8.8.8.in-addr.arpa. (38)
01:17:13.056744 IP linuxhelp.41317 > google-public-dns-a.google.com.domain: 25458+ PTR? 134.249.231.67.in-addr.arpa. (45)
01:17:13.287959 IP linuxhelp.60237 > 67-231-249-134.static.as40244.net.http: Flags [.], ack 1392610895, win 1201, options [nop,nop,TS val 4735488 ecr 64841573], length 0
01:17:13.288156 IP linuxhelp.37755 > a23-35-43-27.deploy.static.akamaitechnologies.com.http: Flags [.], ack 2176129290, win 274, options [nop,nop,TS val 4735488 ecr 2115399512], length 0
01:17:13.288743 IP linuxhelp.40801 > google-public-dns-a.google.com.domain: 53601+ PTR? 27.43.35.23.in-addr.arpa. (42)
01:17:13.319736 IP linuxhelp.60241 > 67-231-249-134.static.as40244.net.http: Flags [.], ack 181882826, win 591, options [nop,nop,TS val 4735520 ecr 64841576], length 0
^C
12 packets captured
12 packets received by filter
0 packets dropped by kernel
12. Capture packets from the destination ip address
Execute the following command to capture packets sent to a specific destination IP address.
[root@linuxhelp ~]# tcpdump -i eno16777736 dst 192.168.7.100
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eno16777736, link-type EN10MB (Ethernet), capture size 262144 bytes
01:23:39.676087 ARP, Reply 192.168.7.200 is-at 52:54:00:61:6b:99 (oui Unknown), length 46
01:23:39.677126 IP 192.168.7.200.squid > 192.168.7.100.51874: Flags [S.], seq 1262096834, ack 1431727322, win 14600, options [mss 1460,nop,nop,sackOK,nop,wscale 7], length 0
01:23:39.678160 IP 192.168.7.200.squid > 192.168.7.100.51874: Flags [.], ack 90, win 115, length 0
01:23:40.126518 IP 192.168.7.200.squid > 192.168.7.100.51874: Flags [P.], seq 1:40, ack 90, win 115, length 39
01:23:40.127555 IP 192.168.7.200.squid > 192.168.7.100.51874: Flags [.], ack 220, win 123, length 0
01:23:40.394950 IP 192.168.7.200.squid > 192.168.7.100.51874: Flags [P.], seq 40:1378, ack 220, win 123, length 1338
01:23:40.396233 IP 192.168.7.200.squid > 192.168.7.100.51874: Flags [P.], seq 1378:2635, ack 220, win 123, length 1257
01:23:40.397426 IP 192.168.7.200.squid > 192.168.7.100.51874: Flags [.], ack 546, win 131, length 0
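The following added example is not part of the original article: it shows what the -w option of section 6 actually writes (the pcap file layout that -r reads back) and re-implements the filter primitives used in sections 9 to 12 (tcp, port, src, dst) over a capture constructed in memory. It assumes a little-endian pcap with link-type EN10MB as in the page's output, and the sample frames reuse addresses seen in the page's sessions.

```python
import socket
import struct

# Global header written by "tcpdump -w": magic, version 2.4, tz offset, sigfigs,
# snaplen (262144, the "capture size" in the page's output), link-type 1 = EN10MB.
PCAP_MAGIC = 0xA1B2C3D4
LINKTYPE_EN10MB = 1

def ipv4_frame(proto, src, dst, sport, dport):
    """Constructed Ethernet + IPv4 + TCP (6) or UDP (17) header, no payload."""
    eth = bytes.fromhex("3c61046cd681") + bytes.fromhex("525400616b99") + b"\x08\x00"
    l4 = (struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x02, 29200, 0, 0)
          if proto == 6 else struct.pack("!HHHH", sport, dport, 8, 0))
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0x4000, 64, proto, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    return eth + ip + l4

def build_pcap(frames, snaplen=262144):
    """Wrap raw frames in the pcap file layout that "tcpdump -r" expects."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, snaplen, LINKTYPE_EN10MB)
    for i, frame in enumerate(frames):  # record header: ts_sec, ts_usec, caplen, origlen
        out += struct.pack("<IIII", 1459452000 + i, 0, len(frame), len(frame)) + frame
    return out

def read_pcap(data):
    """Yield (ts_sec, frame) per record; refuse anything that is not an Ethernet pcap."""
    magic, _, _, _, _, _, linktype = struct.unpack("<IHHiIII", data[:24])
    if magic != PCAP_MAGIC or linktype != LINKTYPE_EN10MB:
        raise ValueError("not a little-endian pcap with link-type EN10MB")
    off = 24
    while off + 16 <= len(data):
        ts_sec, _, caplen, _ = struct.unpack("<IIII", data[off:off + 16])
        off += 16
        yield ts_sec, data[off:off + caplen]
        off += caplen

def decode(frame):
    """Summarise an IPv4 frame like tcpdump's one-liner; None for ARP/STP/LLDP frames."""
    if frame[12:14] != b"\x08\x00":
        return None
    ihl = (frame[14] & 0x0F) * 4
    proto = frame[23]
    ports = struct.unpack("!HH", frame[14 + ihl:18 + ihl]) if proto in (6, 17) else (None, None)
    return {"proto": proto, "src": socket.inet_ntoa(frame[26:30]),
            "dst": socket.inet_ntoa(frame[30:34]), "sport": ports[0], "dport": ports[1]}

def matches(pkt, src=None, dst=None, port=None, tcp=False):
    """Filter primitives used on the page, ANDed together: tcp, port N, src A, dst A."""
    return (pkt is not None and (not tcp or pkt["proto"] == 6)
            and src in (None, pkt["src"]) and dst in (None, pkt["dst"])
            and (port is None or port in (pkt["sport"], pkt["dport"])))

def filter_pcap(data, **expr):
    """Equivalent of `tcpdump -n -r file.pcap <expr>`: matching packets in file order."""
    return [p for _, f in read_pcap(data) if matches(p := decode(f), **expr)]

# Constructed sample capture: an ARP frame (not IPv4, skipped), the squid reply of
# section 12, an HTTP SYN to port 80 and a DNS query to 8.8.8.8 (addresses from the page).
ARP_FRAME = b"\xff" * 6 + bytes.fromhex("3c61046cd681") + b"\x08\x06" + bytes(28)
SAMPLE_PCAP = build_pcap([ARP_FRAME,
    ipv4_frame(6, "192.168.7.200", "192.168.7.100", 3128, 51874),
    ipv4_frame(6, "192.168.7.141", "117.18.237.29", 34640, 80),
    ipv4_frame(17, "192.168.7.141", "8.8.8.8", 35340, 53)])
```

Writing SAMPLE_PCAP to disk and opening it with `tcpdump -n -r` prints the same three IPv4 packets, which is a quick way to confirm the layout.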