tcpdump in great detail (with examples, pictures, and a short video)

in #tutorial, 8 years ago (edited)

tcpdump is the premier network analysis tool for seeing what is happening on your network interface. With it you can capture the traffic on an interface and save, parse, analyze and troubleshoot the packets on Linux and many other platforms. If you are new to Linux, you can also check out my post about installing Linux CentOS.

here I am going to show you the different options and uses of this powerful command (it is documented in section 8 of the manual, the system administration commands, and capturing needs root or sudo access: on Linux the capture socket requires the CAP_NET_RAW capability, which is why an unprivileged user gets the permission error shown below).

let's get started

if you don't already have tcpdump on your Linux system, install it with one of these two commands:

Debian based(Ubuntu, ...)

apt-get install tcpdump

Redhat based(CentOS,...)

yum install tcpdump

first of all, this is the type of error you get when you don't have the required permissions (the exact wording depends on the OS):

tcpdump: ens33: You don't have permission to capture on that device
(socket: Operation not permitted)

when you run the tcpdump command by itself, without any other options, a great amount of data scrolls past your eyes: these are the packets hitting your interface. The problem is that you don't need all of those packets; for example you probably don't need to know who is broadcasting on the network and who is not (or maybe you do, depending on the scenario). The key is to get only the packets that you need, in the format that you want!

the output of the 'tcpdump' command without any option; you can see source, destination, protocol, length, time, ...

now we want to use tcpdump more properly and add some options to get a better, human-readable output

-D

you can see the list of your interfaces by command 'tcpdump -D'

-i

the option -i specifies the interface to capture on. If you leave it out, tcpdump does not capture everywhere; it picks a default interface for you (the first configured, up, non-loopback interface it finds), which is easy to get wrong on a machine with many interfaces when you want to troubleshoot a particular one. To capture on all interfaces at once on Linux, use -i any.
example:
sudo tcpdump -i ens33

by the way if you found this post by searching internet, gotta say you have been lucky, read about Steemit too(our wonderful community : ) )

-c

this option sets the number of packets you want to capture; tcpdump exits after receiving that many
sudo tcpdump -c 3 -i ens33

-w

this writes the raw packets to a file (a pcap capture) instead of printing them. The file is binary, so open it with tcpdump -r or Wireshark rather than a text editor
sudo tcpdump -i ens33 -c 3 -w myfile.pcap

-r

with the -r option you can read a file saved with -w and print the packets in it; the filter expressions described below work when reading a file too, so you can capture everything once and refine afterwards
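To show what -w actually writes and what -r reads back, here is an added example (written in Python for this page; it is not code from the original post or from the tcpdump project). It builds a pcap file the way tcpdump does, with constructed Ethernet/IPv4/TCP frames on the post's 192.168.227.0/24 addresses, reads it back while honouring the byte order and timestamp precision announced by the magic number, and decodes the same source, destination, port and length fields that tcpdump prints. The frames, MAC addresses, timestamps and payloads are made up, the TCP checksum is left at zero, and the function names are the example's own; Python is used instead of the shell so that the file format can be demonstrated offline and without root.

```python
import socket
import struct

LINKTYPE_ETHERNET = 1          # what tcpdump records for an Ethernet interface such as ens33
PCAP_MAGIC_USEC = 0xA1B2C3D4   # microsecond timestamps (tcpdump's default)
PCAP_MAGIC_NSEC = 0xA1B23C4D   # nanosecond timestamps (tcpdump --time-stamp-precision=nano)


def ipv4_checksum(header: bytes) -> int:
    """One's-complement sum of 16-bit words (RFC 1071); returns 0 for a header whose
    checksum field is already correct."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_tcp_frame(src_ip, dst_ip, sport, dport, payload=b"") -> bytes:
    """Hand-built Ethernet/IPv4/TCP frame (constructed sample data, not a real capture).
    MAC addresses are made up and the TCP checksum is left as 0 to keep the example short."""
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + struct.pack("!H", 0x0800)
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, 0x18, 65535, 0, 0)  # flags PSH|ACK
    total_length = 20 + len(tcp) + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_length, 0x1234, 0x4000, 64, 6, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    ip = ip[:10] + struct.pack("!H", ipv4_checksum(ip)) + ip[12:]   # fill in the header checksum
    return eth + ip + tcp + payload


def write_pcap(frames, snaplen=262144, endian="<") -> bytes:
    """Serialize frames as `tcpdump -w` does: a 24-byte global header, then a 16-byte record
    header (ts_sec, ts_frac, incl_len, orig_len) in front of every frame. tcpdump writes in
    host byte order; the magic number lets a reader on any machine detect which one it was."""
    out = struct.pack(endian + "IHHiIII", PCAP_MAGIC_USEC, 2, 4, 0, 0, snaplen, LINKTYPE_ETHERNET)
    for i, frame in enumerate(frames):
        captured = frame[:snaplen]                       # what -s (snaplen) truncation does
        ts_sec, ts_usec = 1700000000 + i, 0              # constructed timestamps
        out += struct.pack(endian + "IIII", ts_sec, ts_usec, len(captured), len(frame)) + captured
    return out


def read_pcap(data: bytes):
    """Parse a pcap file into (timestamp, captured_frame, original_length) tuples, honouring
    the byte order and timestamp precision announced by the magic number, as `tcpdump -r` does."""
    endian = "<"
    (magic,) = struct.unpack(endian + "I", data[:4])
    if magic not in (PCAP_MAGIC_USEC, PCAP_MAGIC_NSEC):
        endian = ">"
        (magic,) = struct.unpack(endian + "I", data[:4])
        if magic not in (PCAP_MAGIC_USEC, PCAP_MAGIC_NSEC):
            raise ValueError("not a pcap file (magic %#x)" % magic)
    frac_per_sec = 1_000_000 if magic == PCAP_MAGIC_USEC else 1_000_000_000
    _major, _minor, _zone, _sigfigs, _snaplen, linktype = struct.unpack(endian + "HHiIII", data[4:24])
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError("this example only decodes Ethernet captures (linktype %d)" % linktype)
    records, off = [], 24
    while off < len(data):
        if len(data) - off < 16:
            raise ValueError("truncated record header at offset %d" % off)
        ts_sec, ts_frac, incl_len, orig_len = struct.unpack(endian + "IIII", data[off:off + 16])
        frame = data[off + 16:off + 16 + incl_len]
        if len(frame) != incl_len:
            raise ValueError("truncated record at offset %d" % off)   # file cut off mid-packet
        records.append((ts_sec + ts_frac / frac_per_sec, frame, orig_len))
        off += 16 + incl_len
    return records


def summarize(frame: bytes) -> dict:
    """Decode just enough Ethernet/IPv4/TCP|UDP to give the fields tcpdump prints per packet."""
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype != 0x0800:
        return {"proto": "ethertype %#06x" % ethertype, "len": len(frame)}
    ihl = (frame[14] & 0x0F) * 4
    proto_num = frame[23]
    info = {
        "src": socket.inet_ntoa(frame[26:30]),
        "dst": socket.inet_ntoa(frame[30:34]),
        "proto": {1: "icmp", 6: "tcp", 17: "udp"}.get(proto_num, str(proto_num)),
        "len": len(frame),
    }
    if proto_num in (6, 17) and len(frame) >= 14 + ihl + 4:   # ports only if snaplen kept them
        info["sport"], info["dport"] = struct.unpack("!HH", frame[14 + ihl:14 + ihl + 4])
    return info


if __name__ == "__main__":
    frames = [   # constructed SSH exchange between the two lab hosts used in the post
        build_tcp_frame("192.168.227.134", "192.168.227.1", 51514, 22, b"SSH-2.0-example\r\n"),
        build_tcp_frame("192.168.227.1", "192.168.227.134", 22, 51514, b"SSH-2.0-example\r\n"),
    ]
    with open("myfile.pcap", "wb") as fh:          # same file name as the post's -w example
        fh.write(write_pcap(frames))
    with open("myfile.pcap", "rb") as fh:          # equivalent of: tcpdump -r myfile.pcap
        for ts, frame, orig_len in read_pcap(fh.read()):
            print("%.6f %s (captured %d of %d bytes)" % (ts, summarize(frame), len(frame), orig_len))
```

The snaplen parameter reproduces what the -s option does to a capture: the record keeps the original length but only the first snaplen bytes of the frame, which is why a heavily truncated file can still show addresses and ports but not payload.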

src

to capture packets from a specific source address (when no type keyword follows src or dst, tcpdump treats the value as a host address)

dst

to capture packets to a specific destination address

port

to capture packets with a specific port as either source or destination (use src port or dst port to restrict the direction)

portrange

to specify an inclusive range of ports
sudo tcpdump portrange 200-300

less greater

filter on the packet length; note that both keywords are inclusive
sudo tcpdump less 50 # captures packets of 50 bytes or less
sudo tcpdump greater 80 # captures packets of 80 bytes or more
you can also

not

to exclude something from your output. For example, you may not want to capture packets on port 22 because you are connected by SSH and your own session would mess up your output; the same construct excludes any port. Note that primitives must be joined with and (or or); writing them one after the other without a keyword is a syntax error in tcpdump
sudo tcpdump -i ens33 src 192.168.227.134 and dst 192.168.227.1 and not port 80 and not port 25

icmp tcp udp

restrict the capture to the protocol you choose; these keywords combine with the other primitives using and, or and not
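To make the semantics of the filter keywords above (src, dst, port, portrange, less, greater, not and the protocol keywords) concrete, here is an added example that is not part of the original post and not libpcap's own compiler: a small Python model of the pcap-filter grammar applied to a constructed list of packet summaries. It follows the real precedence rules (not binds tightest; and and or have equal precedence and associate left to right), treats a bare src or dst value as a host address, makes less and greater inclusive, leaves ICMP packets unmatched by any port test, and rejects two primitives written without and between them, exactly as tcpdump does. The packet list, the host addresses outside the post's lab network and the function names are the example's own.

```python
import re

# Constructed packet summaries (not a real capture): the fields tcpdump prints for each
# packet. Addresses reuse the post's 192.168.227.0/24 lab network plus documentation ranges.
SAMPLE_PACKETS = [
    {"proto": "tcp",  "src": "192.168.227.134", "dst": "192.168.227.1",   "sport": 51514, "dport": 22,    "len": 66},
    {"proto": "tcp",  "src": "192.168.227.1",   "dst": "192.168.227.134", "sport": 22,    "dport": 51514, "len": 1514},
    {"proto": "tcp",  "src": "192.168.227.134", "dst": "203.0.113.10",    "sport": 40000, "dport": 80,    "len": 74},
    {"proto": "udp",  "src": "192.168.227.134", "dst": "192.168.227.2",   "sport": 5353,  "dport": 53,    "len": 50},
    {"proto": "icmp", "src": "192.168.227.1",   "dst": "192.168.227.134", "len": 98},
    {"proto": "tcp",  "src": "10.0.0.5",        "dst": "192.168.227.134", "sport": 25,    "dport": 2500,  "len": 60},
]


class FilterError(ValueError):
    """Raised for the inputs tcpdump rejects with 'syntax error'."""


def _fields(pkt, direction, src_field, dst_field):
    """Values a src/dst/unqualified primitive compares against. ICMP has no ports, so
    'port N' never matches it, as in tcpdump."""
    names = {"src": [src_field], "dst": [dst_field], None: [src_field, dst_field]}[direction]
    return [pkt[n] for n in names if n in pkt]


def compile_filter(expression):
    """Turn a pcap-filter-style expression into a predicate over a packet summary.
    Precedence follows pcap-filter(7): 'not' binds tightest; 'and' and 'or' have equal
    precedence and associate left to right."""
    tokens = re.findall(r"\(|\)|[^\s()]+", expression)
    pos = 0

    def peek():
        return tokens[pos] if pos < len(tokens) else None

    def take():
        nonlocal pos
        if pos >= len(tokens):
            raise FilterError("unexpected end of expression")
        pos += 1
        return tokens[pos - 1]

    def expr():
        left = term()
        while peek() in ("and", "or"):
            op, l, r = take(), left, term()
            left = (lambda p, l=l, r=r: l(p) and r(p)) if op == "and" else (lambda p, l=l, r=r: l(p) or r(p))
        return left

    def term():
        tok = take()
        if tok == "not":
            inner = term()
            return lambda p: not inner(p)
        if tok == "(":
            inner = expr()
            if take() != ")":
                raise FilterError("missing ')'")
            return inner
        return primitive(tok)

    def primitive(tok):
        if tok in ("tcp", "udp", "icmp"):
            return lambda p: p["proto"] == tok
        if tok in ("less", "greater"):
            n = int(take())
            # pcap-filter: 'less N' means len <= N and 'greater N' means len >= N (both inclusive)
            return (lambda p: p["len"] <= n) if tok == "less" else (lambda p: p["len"] >= n)
        direction = None
        if tok in ("src", "dst"):
            direction = tok
            # 'src 1.2.3.4' with no type keyword means 'src host 1.2.3.4', as in tcpdump
            tok = take() if peek() in ("host", "port", "portrange") else "host"
        if tok == "host":
            addr = take()
            return lambda p: addr in _fields(p, direction, "src", "dst")
        if tok == "port":
            n = int(take())
            return lambda p: n in _fields(p, direction, "sport", "dport")
        if tok == "portrange":
            lo, hi = (int(x) for x in take().split("-"))
            return lambda p: any(lo <= v <= hi for v in _fields(p, direction, "sport", "dport"))
        raise FilterError("unknown primitive %r" % tok)

    pred = expr()
    if pos != len(tokens):   # e.g. 'src A dst B' with no 'and': tcpdump reports a syntax error
        raise FilterError("syntax error near %r" % tokens[pos])
    return pred


def select(expression, packets=SAMPLE_PACKETS):
    """Indices of the packets tcpdump would print for this filter expression."""
    pred = compile_filter(expression)
    return [i for i, p in enumerate(packets) if pred(p)]


if __name__ == "__main__":
    for e in ("port 22", "src 192.168.227.134 and dst 192.168.227.1 and not port 80 and not port 25",
              "less 50", "not tcp", "tcp and (port 80 or port 25)", "icmp or udp and port 22"):
        print("%-70s -> %s" % (e, select(e)))
    try:
        compile_filter("src 192.168.227.134 dst 192.168.227.1")   # missing 'and'
    except FilterError as err:
        print("rejected:", err)
```

The last expression in the usage loop, icmp or udp and port 22, is the one that trips people up: because and and or have equal precedence, it is read as (icmp or udp) and port 22 and matches nothing in the sample, whereas with parentheses around udp and port 22 it would match the ICMP packet.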

-q

will be quieter: the output has less protocol information per line

-v -vv -vvv

is going to be verbose and gives you more data; each extra v adds detail, for example -v prints the TTL, IP id and total length and verifies the IP header checksum

here is a very short video of me executing the tcpdump command


we have almost covered all the options that are generally needed, but this is not all tcpdump can do; there are a lot of other options that may come in handy at times (though they are not that common). I hope this post was informative and that you can use it as a resource in the future.

if you liked this post please up-vote and possibly re-steem it, or even make me feel great by following me at @meysam :)


Let’s bring our knowledge to the community where anyone can find anything they desire

have fun :)


I love all the open-source utilities that come with Linux. I come from a Windows background (shiver) and I know how superior Linux is compared to it.

It is soooooooo much easier to install something by typing "sudo apt-get install" than having to open up a browser, go to website, blah, blah, blah.

that is one of the beauties of Linux, and when you get deep into it you can really feel the difference between these two platforms; of course Windows is fine but Linux is what suits me :)
thanks for your feedback