The tcpdump command in Linux - 10 useful examples


The basics of the tcpdump command in Linux and 10 useful examples


The basics

Tcpdump is a command-line utility that captures and analyzes network traffic. It is a great way to see what is actually happening on the wire when troubleshooting network issues, and it is just as useful for problems that are not network issues at all: if two applications do not seem to work well together, you can use tcpdump to capture the packets they exchange and read the data they are sending each other.

Checking version and installing tcpdump

You can check whether tcpdump is installed, and which version you have, with the command below:

[admin@infinityloop ~]$ tcpdump --version
tcpdump version 4.9.2
libpcap version 1.5.3
OpenSSL 1.0.2k-fips  26 Jan 2017

If it is not installed, use your distribution's package manager to install it. For CentOS / Red Hat Enterprise Linux it would be (replace yum with dnf on newer releases; on Debian and Ubuntu the equivalent is sudo apt install tcpdump):

[admin@infinityloop ~]$ sudo yum install -y tcpdump

The fundamentals of the tcpdump command

  • -X : Show the packet's contents in both hex and ASCII.
  • -XX : Same as -X, but also shows the Ethernet header.
  • -A : Show the packet's contents in ASCII only (handy for text protocols such as HTTP, SMTP or FTP).
  • -D : Show the list of interfaces tcpdump can capture on.
  • -l : Line-buffer the output, so lines reach a pipe (grep, tee, a file you are tailing) as soon as they are printed instead of in 4 KB chunks.
  • -q : Quiet output: print less protocol information so lines are shorter.
  • -t : Do not print a timestamp on each line.
  • -tttt : Print the timestamp as a full date and time (2017-01-26 19:40:50.486598) rather than time of day only.
  • -i eth0 : Listen on the eth0 interface. -i any listens on all interfaces at once.
  • -n : Do not resolve IP addresses to hostnames (this also avoids DNS lookups slowing the capture down).
  • -nn : Do not resolve port numbers to service names either (25 instead of smtp).
  • -vv : Verbose output (more v's give more output: TTL, IP ID, total length, checksum verification).
  • -c N : Capture N packets and then stop.
  • -s N : Set the snaplength, the number of bytes captured from each packet. Modern tcpdump defaults to 262144 bytes and -s0 means the same thing; older versions defaulted to 68 bytes and truncated payloads, which is why -s0 is still a common habit. Set it lower on purpose only when you want headers without payload.
  • -S : Print absolute TCP sequence numbers instead of relative ones.
  • -e : Print the link-level (Ethernet) header, with MAC addresses, on each line.
  • -E spi@ipaddr algo:secret : Decrypt IPsec ESP traffic with the given SPI, algorithm and key. The key is visible to other users via ps, so use it only on a lab host.
  • -w file.pcap : Write the raw packets to a file instead of decoding them, for later analysis with tcpdump -r or Wireshark.
  • -r file.pcap : Read packets from a capture file instead of a live interface (no root needed).

If you run tcpdump without -i it does not capture on every interface: it picks the first configured, non-loopback interface it finds (ens160 in the listing below). To capture on a specific interface use -i, and to capture on all of them at once use -i any (the any pseudo-device captures in Linux "cooked" mode, so you do not get real Ethernet headers with it). To see which interfaces you can capture on, run:

[admin@infinityloop ~]$ sudo tcpdump -D  
1.ens160
2.any (Pseudo-device that captures on all interfaces)
3.lo (Loopback)

So let's say we want to capture ICMP packets on the interface called ens160: we use -i to name the interface, -n so that addresses are not resolved to hostnames, and the filter expression icmp at the end so that only packets of that protocol are shown.

[admin@infinityloop ~]$ sudo tcpdump -n -i ens160 icmp
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ens160, link-type EN10MB (Ethernet), capture size 262144 bytes
19:40:50.486598 IP 192.168.1.10 > 192.168.1.20: ICMP echo request, id 13683, seq 0, length 64
19:40:50.486652 IP 192.168.1.20 > 192.168.1.10: ICMP echo reply, id 13683, seq 0, length 64
19:40:51.321506 IP 192.168.1.10 > 192.168.1.20: ICMP echo request, id 13684, seq 0, length 64
19:40:51.321559 IP 192.168.1.20 > 192.168.1.10: ICMP echo reply, id 13684, seq 0, length 64

Let's start sniffing some packets!

1 Filter packets from specific sources and port with tcpdump

Here is a more complex expression. It keeps only packets on port 25 (as source or destination port) whose source address is 192.168.1.10 or 192.168.1.30. The expression is quoted so the shell does not interpret the parentheses, and -nn stops tcpdump from resolving both hostnames and port names (otherwise 25 would show up as smtp). Only the client side appears in the output, because the filter is on the source address and the replies from 192.168.1.20 are excluded. In the Flags column, [S] is a SYN, [S.] a SYN-ACK, [.] a plain ACK, [P.] a PSH-ACK, [F.] a FIN-ACK and [R] a reset.

[admin@smtp04 ~]$ sudo tcpdump -i ens160 -nn "port 25 and (src 192.168.1.10 or src 192.168.1.30)"
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ens160, link-type EN10MB (Ethernet), capture size 262144 bytes
20:16:34.961480 IP 192.168.1.10.54110 > 192.168.1.20.25: Flags [S], seq 2825965930, win 64240, options [mss 1460,sackOK,TS val 1161127987 ecr 0,nop,wscale 2], length 0
20:16:34.973108 IP 192.168.1.10.54110 > 192.168.1.20.25: Flags [.], ack 2511210166, win 64436, options [nop,nop,TS val 1161127988 ecr 1058473933], length 0
20:16:40.013695 IP 192.168.1.10.54110 > 192.168.1.20.25: Flags [.], ack 47, win 64436, options [nop,nop,TS val 1161128492 ecr 1058478970], length 0
20:17:09.993048 IP 192.168.1.30.59554 > 192.168.1.20.25: Flags [S], seq 410757538, win 29200, options [mss 1460,sackOK,TS val 1441627335 ecr 0,nop,wscale 7], length 0
20:17:10.010048 IP 192.168.1.30.59554 > 192.168.1.20.25: Flags [.], ack 2203273052, win 229, options [nop,nop,TS val 1441627352 ecr 1058508965], length 0

2 Find SSH connections regardless of incoming port with tcpdump

This one matches on the SSH version banner ("SSH-2.0-...") that both sides send at the start of a connection, so it finds SSH sessions regardless of which port they use. tcp[12] is the byte that holds the TCP data offset in its upper nibble; shifting it right by 2 turns that into the header length in bytes, which is the offset of the first payload byte. tcp[offset:4] reads four bytes from there and compares them with 0x5353482D, the ASCII bytes "SSH-". The shift by 2 only works because the reserved bits in the low nibble are zero; the form ((tcp[12]&0xf0)>>2) used in the tcpdump man page masks them off explicitly. Only the banner segment matches, not the rest of the session, so you see one packet per direction per connection. Note that -n only stops hostname resolution: the port still shows as ssh because it is looked up in /etc/services, so use -nn if you want the number.

[admin@infinityloop ~]$ sudo tcpdump -n -i ens160 'tcp[(tcp[12]>>2):4] = 0x5353482D'
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ens160, link-type EN10MB (Ethernet), capture size 262144 bytes
21:17:53.510509 IP 192.168.1.10.ssh > 192.168.1.20.43812: Flags [P.], seq 175709900:175709921, ack 983566175, win 227, options [nop,nop,TS val 1062152482 ecr 1161495820], length 21
21:17:53.524649 IP 192.168.1.20.43812 > 192.168.1.10.ssh: Flags [P.], seq 1:21, ack 21, win 64436, options [nop,nop,TS val 1161495824 ecr 1062152482], length 20
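To make the offset arithmetic in that filter concrete, here is an added example (my code, not from the article) that builds constructed TCP segments in Python and evaluates the same test, tcp[(tcp[12]>>2):4] = 0x5353482D, on them. It goes a little beyond the page by including a segment that carries TCP options, which is exactly the case the data-offset lookup exists for. Everything in it (ports, banner strings, option bytes, the key-exchange bytes) is made up for the demonstration.

```python
"""Added example (not from the article): evaluate the BPF test
tcp[(tcp[12]>>2):4] = 0x5353482D in Python against constructed TCP segments."""
import struct

SSH_BANNER_MAGIC = 0x5353482D  # the four ASCII bytes "SSH-" read as a big-endian 32-bit int


def build_tcp_segment(sport, dport, payload, options=b""):
    """Build a raw TCP segment (header + options + payload). Constructed test data only:
    sequence numbers, window and checksum are placeholders."""
    if len(options) % 4:  # options are padded to a 32-bit boundary
        options += b"\x00" * (4 - len(options) % 4)
    data_offset_words = 5 + len(options) // 4  # header length in 32-bit words
    offset_byte = data_offset_words << 4       # byte 12: data offset in the upper nibble
    flags = 0x18                               # PSH + ACK
    header = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, offset_byte, flags, 65535, 0, 0)
    return header + options + payload


def bpf_ssh_banner_match(tcp):
    """Python equivalent of the filter  tcp[(tcp[12]>>2):4] = 0x5353482D ."""
    # (data_offset_words << 4) >> 2 == data_offset_words * 4, the header length in
    # bytes, i.e. the offset of the first payload byte.  The shift only works because
    # the reserved bits in the low nibble are zero; ((tcp[12]&0xf0)>>2) masks them off.
    start = tcp[12] >> 2
    if len(tcp) < start + 4:
        return False  # BPF treats an out-of-bounds load as "no match"
    return struct.unpack("!I", tcp[start:start + 4])[0] == SSH_BANNER_MAGIC


# NOP, NOP, timestamp (kind 8, length 10, 8 bytes of value) = 12 option bytes
TS_OPTIONS = b"\x01\x01\x08\x0a" + b"\x00" * 8

# Constructed segments, labelled by what they represent.
SAMPLE_SEGMENTS = {
    "ssh banner, port 22, no options": build_tcp_segment(22, 43812, b"SSH-2.0-OpenSSH_7.4\r\n"),
    "ssh banner, port 2222, with timestamp options": build_tcp_segment(
        2222, 43812, b"SSH-2.0-OpenSSH_7.4\r\n", options=TS_OPTIONS),
    "http request on port 22": build_tcp_segment(22, 43812, b"GET / HTTP/1.1\r\n"),
    "ssh key exchange (later segment)": build_tcp_segment(
        22, 43812, b"\x00\x00\x04\x1c\x0a\x14" + b"\x00" * 16),
    "empty ack": build_tcp_segment(22, 43812, b""),
}


def classify(segments=SAMPLE_SEGMENTS):
    """Return {label: matched?} for each constructed segment."""
    return {label: bpf_ssh_banner_match(seg) for label, seg in segments.items()}


if __name__ == "__main__":
    for label, hit in classify().items():
        print(f"{'MATCH' if hit else '     '}  {label}")
```

The banner on port 2222 still matches because the offset is read from the header rather than assumed to be 20, while the later key-exchange segment of a real SSH session does not, which is why the capture above shows only the first data segment in each direction.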

3 Traffic from one network to another

This shows all traffic coming from 192.168.1.0/24 and going to either 10.30.100.0/24 or 172.16.0.0/16, with no hostname resolution and one extra level of verbosity. Filter precedence matters here: and binds tighter than or, and a bare value inherits the most recent qualifier, so the unparenthesised form src net 192.168.1.0/24 and dst net 10.30.100.0/24 or 172.16.0.0/16 is read as (src net 192.168.1.0/24 and dst net 10.30.100.0/24) or dst net 172.16.0.0/16, which also matches traffic from anywhere to 172.16.0.0/16. Parentheses fix that, and the expression is quoted so the shell leaves them alone:

[admin@infinityloop ~]$ sudo tcpdump -nv 'src net 192.168.1.0/24 and (dst net 10.30.100.0/24 or dst net 172.16.0.0/16)'

4 Extract information from HTTP request header using tcpdump

The -A option prints each packet's payload in ASCII, -s1500 captures the whole frame, and -l line-buffers the output so it reaches grep as soon as it is produced instead of in 4 KB chunks. grep -Ei (the modern spelling of egrep -i) then keeps only the User-Agent and Host lines from the request headers. A tcp port 80 filter cuts down the noise. This only works for plain HTTP: with HTTPS the headers are inside TLS and nothing matches.

[admin@infinityloop ~]$ sudo tcpdump -i ens160 -nn -A -s1500 -l 'tcp port 80' | grep -Ei 'User-Agent:|Host:'
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ens160, link-type EN10MB (Ethernet), capture size 1500 bytes
Host: 10.207.42.7
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/57.0.2987.133 Safari/537.36

5 Look for passwords sent in plaintext with tcpdump

Here we watch some common plaintext protocols and grep the ASCII payload for anything that looks like a password, username or login. The port names (http, ftp, smtp, imap, pop3, telnet) are resolved from /etc/services; -l and -A work as in the previous example. The pattern is deliberately broad, so expect false positives (a bare user matches every User-Agent header, for instance), and it only finds credentials sent in the clear: anything inside TLS (HTTPS, IMAPS, SMTP after STARTTLS) is invisible to it. Any hit is a finding in itself, since it means a client on your network is authenticating without encryption.

[admin@infinityloop ~]$ sudo tcpdump -l -A 'port http or port ftp or port smtp or port imap or port pop3 or port telnet' |
grep -Ei 'pass=|pwd=|log=|login=|user=|username=|pw=|passw=|passwd=|password=|pass:|user:|username:|password:|login:|pass |user'
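The grep patterns in examples 4 and 5 are easiest to evaluate offline. Below is an added example (my code, not from the article) that runs the article's credential regex over a handful of constructed lines of the kind tcpdump -A prints, alongside a tighter pattern of my own, to show where the broad pattern over-matches (the User-Agent header from example 4) and where it misses (IMAP LOGIN, SMTP AUTH LOGIN, HTTP Basic). The sample lines, usernames and passwords are made up.

```python
"""Added example (not from the article): run the article's credential-hunting
regex over constructed tcpdump -A style lines and compare it with a tighter one."""
import re

# The article's egrep pattern, verbatim (case-insensitive as in egrep -i).
ARTICLE_PATTERN = re.compile(
    r"pass=|pwd=|log=|login=|user=|username=|pw=|passw=|passwd=|password=|"
    r"pass:|user:|username:|password:|login:|pass |user",
    re.IGNORECASE,
)

# A tighter alternative (my suggestion, not from the article). Protocol commands are
# anchored at line start, form fields at a field boundary, and the SMTP/IMAP/HTTP
# authentication commands that carry encoded credentials are included.
TIGHTER_PATTERN = re.compile(
    r"^(USER|PASS) \S"                                         # FTP / POP3: USER alice, PASS hunter2
    r"|^AUTH (LOGIN|PLAIN)"                                    # SMTP AUTH: base64 credentials follow
    r"|^\S+ LOGIN \S+ \S+"                                     # IMAP: a001 LOGIN bob secret123
    r"|(^|[?&])(user(name)?|pass(w(or)?d)?|pwd|pw|login)=\S"   # form / query-string fields
    r"|^Authorization: Basic ",                                # HTTP Basic: base64 user:pass
    re.IGNORECASE,
)

# Constructed lines, as tcpdump -A would show them for several plaintext protocols.
SAMPLE_LINES = [
    "20:16:34.961480 IP 192.168.1.10.54110 > 192.168.1.20.21: Flags [P.], seq 1:12, ack 1, win 229, length 11",
    "USER alice",                                              # FTP
    "PASS hunter2",                                            # FTP
    "a001 LOGIN bob secret123",                                # IMAP
    "AUTH LOGIN",                                              # SMTP, base64 lines follow
    "Ym9i",                                                    # base64("bob")
    "POST /login HTTP/1.1",                                    # HTTP
    "Host: 10.207.42.7",
    "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)",
    "Authorization: Basic Ym9iOnNlY3JldA==",                   # base64("bob:secret")
    "username=bob&password=s3cret",                            # form body
]


def credential_hits(lines, pattern=ARTICLE_PATTERN):
    """Return the lines the pattern flags, in input order (what grep -E would print)."""
    return [line for line in lines if pattern.search(line)]


def compare(lines=SAMPLE_LINES):
    """Return which sample lines each pattern flags, to see over- and under-matching."""
    return {
        "article": credential_hits(lines, ARTICLE_PATTERN),
        "tighter": credential_hits(lines, TIGHTER_PATTERN),
    }


if __name__ == "__main__":
    for name, hits in compare().items():
        print(f"{name}:")
        for line in hits:
            print("   ", line)
```

Neither pattern sees the base64 line that follows AUTH LOGIN, which is why the tighter one flags the AUTH command itself: the credentials are one or two lines further down in the same stream, so read the surrounding -A output rather than the grep hits alone.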
