Capturing Packets with Tcpdump

Tcpdump is a powerful network debugging tool which can be used for intercepting and displaying packets on a network interface. Moreover, only interested packets can be displayed by using its filtering feature.


Installation

I am using Ubuntu 8.10, however the installation steps will be similar for other Linux distros.

This command will install tcpdump under Ubuntu:

sudo apt-get install tcpdump

Usage

sudo tcpdump [options] [filter expression]

By default tcpdump will capture packets on eth0; we can specify a different interface using the '-i' command line flag.

sudo tcpdump -i eth1

This command will capture all packets on the eth1 interface.

In the following example we will listen to all UDP connections:

sudo tcpdump udp

Next, we’ll learn how to capture packets for a specific port:

sudo tcpdump port 80

Our command is returning all packets which have port 80 as their destination or source port.

Let’s be more specific and only capture packets with destination port 80.

sudo tcpdump dst port 80

Easy, right? Suppose you have a web server on your slice, then you can use the command above to see incoming packets.

Now, let’s capture packets for a specific host:

sudo tcpdump src host 1.2.3.4

This command will catch packets coming only from IP 1.2.3.4

You may wonder if tcpdump can take logical arguments such as ‘and’, ‘or’. The answer is YES. We can use logical statements in a tcpdump command. For example, to catch all the SSH packets going from an SSH server to a client with IP 1.2.3.4:

sudo  tcpdump "src port 22" and "dst host 1.2.3.4"

Raw packets can be conveniently saved to a file using the '-w' option:

tcpdump host 1.2.3.4 -w /home/users/demo/demo.dump

Let's read the saved file:

tcpdump -r /home/users/demo/demo.dump

Summary

Tcpdump is a powerful packet sniffer and a common tool used by system administrator to solve network problems and investigate traffic. It can be used with Boolean expressions to capture only those packets in which you're interested.

Article Comments:

satish tiwary commented Tue Jan 29 11:19:28 UTC 2013:

Its a gud article on tcpdump, but we tcpdump is more than this, i think you will love to read some more about tcpdump. http://www.slashroot.in/packet-capturing-tcpdump-command-linux

http://www.slashroot.in/network-traffic-analysis-linux-tools

thanxx...

Want to comment?


(not made public)

(optional)

(use plain text or Markdown syntax)