tcpdump is the premier network analysis tool for seeing what is happening on your network interface. With this package you can capture the traffic on an interface and open, parse, analyze and troubleshoot the packets on Linux and some other platforms. If you are new to Linux, you can also check out my post about installing Linux CentOS.
Here I am going to show you the different options and uses of this powerful command (it lives in section 8 of the manual, the system administration commands, and needs root or sudo access to capture).
let's get started
If you don't already have tcpdump on your Linux box, simply install it with one of these two commands:
Debian based(Ubuntu, ...)
apt-get install tcpdump
Redhat based (CentOS, ...; on newer releases dnf replaces yum)
yum install tcpdump
First of all, this is the kind of error you get when you don't have the required permissions (the exact wording depends on the OS):
tcpdump: ens33: You don't have permission to capture on that device
(socket: Operation not permitted)
When you run tcpdump by itself without any options, you are going to see a great amount of data before your eyes: these are the packets hitting your interface. The problem is that you don't need all of those packets; for example, you probably don't need to know who is broadcasting on the network and who is not (or maybe you do, it depends on the scenario). The key here is to get only the packets you need, in the format you want!
The output of the 'tcpdump' command without any options: you can see the time, protocol, source, destination, length, ...
Now we want to use tcpdump more properly and add some options to get a better, human-readable output.
-D
You can see the list of your interfaces with the command 'tcpdump -D'.
-i
The -i option specifies the interface to capture on. If you don't use it, tcpdump does not capture everywhere: it picks the first non-loopback interface it finds, which may not be the one you care about. On Linux you can pass -i any to capture on all interfaces, but that gets messy if you have many interfaces and want to troubleshoot only one.
example:
sudo tcpdump -i ens33
By the way, if you found this post by searching the internet, gotta say you have been lucky: read about Steemit too (our wonderful community : ) )
-c
With this option you set the number of packets you want to capture; tcpdump exits after that many.
sudo tcpdump -c 3 -i ens33
-w
This writes the raw packets to a file (pcap format) instead of printing them, so nothing shows on screen until you read the file back.
sudo tcpdump -i ens33 -c 3 -w myfile.pcap
-r
With the -r option you can read the saved file back; reading a file doesn't need root, only capturing does.
src
to capture packets coming from a specific source address (the same as 'src host')
dst
to capture packets going to a specific destination address
port
to capture packets to or from a specific port (it matches either side; use 'src port' or 'dst port' if you only want one direction)
portrange
to specify a range of ports
sudo tcpdump portrange 200-300
less greater
filter on the size of the packet (the comparisons are inclusive)
sudo tcpdump less 50 # is going to capture packets of 50 bytes or less
sudo tcpdump greater 80 # is going to capture packets of 80 bytes or more
You can also use
not
to exclude something from your output. For example, you don't want to capture your own SSH session (not port 22) because it would flood your output. The example below excludes ports 80 and 25 in the same way; note that each primitive (src, dst, not port) has to be joined to the next one with an explicit 'and', otherwise tcpdump reports a syntax error:
sudo tcpdump -i ens33 src 192.168.227.134 and dst 192.168.227.1 and not port 80 and not port 25
icmp tcp udp
keeps only packets of the protocol you choose
-q
will be quieter: each output line carries less protocol info
-v -vv -vvv
is going to be verbose and give you more data; every extra v adds more detail
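Putting the options above together: filter primitives (src, dst, port, not) have to be joined with an explicit 'and', a -w capture is normally read back with -nn -r, and the text that -r prints is easy to summarize with awk. The POSIX shell script below is an added example and not part of the original post; the interface name, the hosts and the tcpdump output lines inside sample_capture are constructed for illustration, and bpf_filter, capture_to_file, read_capture and top_talkers are helper names chosen here, not tcpdump options.

```shell
#!/bin/sh
# Added example (not from the original post). Helpers around tcpdump:
#   bpf_filter      builds a capture filter, joining primitives with "and"
#   capture_to_file runs tcpdump with -nn -c -w on an interface (needs root)
#   read_capture    reads a pcap back with -nn -r (no root needed)
#   top_talkers     counts packets per source IPv4 address in tcpdump's text output
# Interface, hosts and the lines in sample_capture are constructed, not real traffic.

# bpf_filter SRC DST PROTO [PORT...]   pass "" for a field you do not want.
# e.g. bpf_filter 192.168.227.134 192.168.227.1 "" 80 25 prints
#   src host 192.168.227.134 and dst host 192.168.227.1 and not port 80 and not port 25
bpf_filter() {
    src=$1; dst=$2; proto=$3; shift 3
    filter=""
    [ -n "$src" ]   && filter="src host $src"
    [ -n "$dst" ]   && filter="${filter:+$filter and }dst host $dst"
    [ -n "$proto" ] && filter="${filter:+$filter and }$proto"
    for p in "$@"; do                      # every port listed is excluded
        filter="${filter:+$filter and }not port $p"
    done
    printf '%s\n' "$filter"
}

# capture_to_file IFACE COUNT OUTFILE FILTER
# -nn keeps addresses and ports numeric (no DNS or /etc/services lookups);
# -w writes raw packets, so nothing is printed until the file is read back.
capture_to_file() {
    tcpdump -nn -i "$1" -c "$2" -w "$3" "$4"
}

# read_capture FILE : print the saved packets one per line.
read_capture() {
    tcpdump -nn -r "$1"
}

# top_talkers < tcpdump-text : packets per source IPv4 address, busiest first.
# Field 3 of an "IP" line is "addr.port"; strip the trailing ".port" (works
# because -nn keeps the port numeric).
top_talkers() {
    awk '$2 == "IP" { sub(/\.[0-9]+$/, "", $3); n[$3]++ }
         END { for (a in n) print n[a], a }' | sort -rn
}

# Constructed sample of what "tcpdump -nn -r myfile.pcap" prints (not a real capture).
sample_capture() {
    cat <<'EOF'
12:00:01.000001 IP 192.168.227.134.43210 > 192.168.227.1.80: Flags [S], seq 1, win 64240, length 0
12:00:01.000200 IP 192.168.227.1.80 > 192.168.227.134.43210: Flags [S.], seq 0, ack 2, win 65160, length 0
12:00:01.000300 IP 192.168.227.134.43210 > 192.168.227.1.80: Flags [.], ack 1, win 502, length 0
12:00:02.000000 IP 192.168.227.134.51000 > 192.168.227.20.53: 4321+ A? example.com. (29)
12:00:02.000900 IP 192.168.227.20.53 > 192.168.227.134.51000: 4321 1/0/0 A 203.0.113.10 (45)
EOF
}

# Typical use (as root for the capture step):
#   f=$(bpf_filter "" "" "" 22)               # drop your own SSH session
#   capture_to_file ens33 100 myfile.pcap "$f"
#   read_capture myfile.pcap | top_talkers
```

Running sample_capture through top_talkers prints 192.168.227.134 first with 3 packets; on a real file you would pipe read_capture instead. The -nn flag matters for the summary as well as for speed: without it tcpdump may print port names such as .http, which the address-stripping regex would not remove.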
There is a very short video of me executing the tcpdump command.
We have covered almost all the options that are generally needed, but this is not all tcpdump can do; there are a lot of other options that might come in handy from time to time (not that common). I hope this post was informative for you and that you can use it as a resource in the future.
I love all the open-source utilities that come with Linux. I come from a Windows background (shiver) and I know how superior Linux is compared to it.
It is soooooooo much easier to install something by typing "sudo apt-get install" than having to open up a browser, go to a website, blah, blah, blah.
That is one of the beauties of Linux, and when you get deep into it you can really feel the difference between these two platforms. Of course Windows is fine, but Linux is what suits me :)
Thanks for your feedback.