In this article, I will delve into one of the most indispensable tools in my networking arsenal: tcpdump. While mastering this tool entirely is a complex endeavor, understanding the basic functionalities is straightforward and can serve as a solid foundation for exploring more intricate aspects of network analysis.
This article will be divided into two parts. In this first part, I will cover the most used commands and options. The second part will focus on advanced tcpdump filtering.
Please don’t hesitate to reach out with comments, suggestions, or to report any mistakes. If something isn’t clear, let me know! I aim to regularly update this document with helpful new rules.
Introduction
tcpdump is a powerful packet sniffer that captures and analyzes network traffic passing through a machine at the packet level. This means it intercepts and logs the data packets transmitted to and from your computer. You can choose to save these packets in their entirety or only capture their headers. These saved packets can later be replayed, allowing you to apply various filters to focus on specific packets of interest.
How tcpdump Works
tcpdump operates by understanding network protocols and hostnames. It strives to identify the source of each packet and translates IP addresses into recognizable hostnames, providing a more comprehensible view of the network traffic.
Practical Uses of tcpdump
tcpdump is exceptionally useful for diagnosing network-related issues. It allows you to pinpoint the root cause of a problem by providing a detailed look at the traffic flow. Furthermore, tcpdump serves as an excellent learning tool, offering insights into network protocols and data transmission processes.
Starting With tcpdump
Most Linux tools come with built-in help documentation accessible directly from the command line. This documentation provides a brief usage statement, detailing the basic syntax, available options, and functionalities of the tool. This help can typically be displayed by appending --help or -h to the command, depending on the developer’s preferences.
For instance, to view the help documentation for tcpdump, you would use one of the following commands:
tcpdump --help
or
tcpdump -h
Running either of these commands will display a usage statement similar to the following:
tcpdump version 4.9.3
libpcap version 1.9.1 (with TPACKET_V3)
Usage: tcpdump [options] [expression]
Options:
-i <interface> Listen on <interface> (e.g., eth0)
-D Print the list of available network interfaces
-w <file> Write the raw packets to <file> rather than parsing and printing them out
-r <file> Read packets from <file> (which was created with the -w option)
-s <snaplen> Snarf <snaplen> bytes of data from each packet rather than the default of 262144 bytes
-c <count> Exit after receiving <count> packets
-F <file> Use <file> as file with filter expression (which uses exactly the same syntax as the filter expression argument)
-n Don't convert addresses (i.e., host addresses, port numbers, etc.) to names
-nn Don't convert protocol and port numbers (i.e., don't resolve numbers to names)
-t Don't print a timestamp on each dump line
-tt Print an unformatted timestamp on each dump line
-ttt Print a delta (micro-second resolution) between current and previous line on each dump line
-tttt Print a timestamp in default format preceded by date on each dump line
-v Be more verbose (with multiple -v options)
-q Be less verbose
-A Print each packet (minus its link level header) in ASCII
-x Print each packet (minus its link level header) in hex
-xx Print each packet, including its link level header, in hex
-X Print each packet (minus its link level header) in hex and ASCII
-XX Print each packet, including its link level header, in hex and ASCII
-C <file_size> Before writing a raw packet to a savefile, check whether the file is currently larger than file_size and, if so, close the current savefile and open a new one
-G <seconds> If specified, rotate the dump file specified with the -w option every seconds seconds. Savefiles will have the name specified by the -w option, with a suffix consisting of the timestamp, formatted according to the given strftime expression. If no strftime expression is specified, the default is %Y%m%d%H%M%S.
-W <number> Used in conjunction with the -C or -G options, this will limit the number of rotated dump files that will be saved on disk. Once the limit is reached, the oldest file will be overwritten.
-V Print version information and exit
-h Print this help message and exit
Understanding tcpdump’s Output
When you run tcpdump without the -w option that writes packets to a file, it prints captured packet information directly to the terminal. The default output of tcpdump provides a summary of each packet it captures. Here’s a breakdown of how to read and interpret tcpdump’s output.
16:32:41.508855 IP 192.168.1.100.57891 > 93.184.216.34.http: Flags [S], seq 3787255693, win 64240, options [mss 1460,sackOK,TS val 1924858400 ecr 0,nop,wscale 7], length 0
16:32:41.509045 IP 93.184.216.34.http > 192.168.1.100.57891: Flags [S.], seq 1978293252, ack 3787255694, win 28960, options [mss 1460,sackOK,TS val 240953111 ecr 1924858400,nop,wscale 6], length 0
16:32:41.509081 IP 192.168.1.100.57891 > 93.184.216.34.http: Flags [.], ack 1, win 502, options [nop,nop,TS val 1924858401 ecr 240953111], length 0
16:32:41.510995 IP 192.168.1.100.57891 > 93.184.216.34.http: Flags [P.], seq 1:51, ack 1, win 502, options [nop,nop,TS val 1924858403 ecr 240953111], length 50
16:32:41.511181 IP 93.184.216.34.http > 192.168.1.100.57891: Flags [.], ack 51, win 453, options [nop,nop,TS val 240953114 ecr 1924858403], length 0
16:32:41.512340 IP 93.184.216.34.http > 192.168.1.100.57891: Flags [P.], seq 1:1461, ack 51, win 453, options [nop,nop,TS val 240953115 ecr 1924858403], length 1460
16:32:41.512370 IP 192.168.1.100.57891 > 93.184.216.34.http: Flags [.], ack 1461, win 489, options [nop,nop,TS val 1924858405 ecr 240953115], length 0
Each line of tcpdump output represents a single captured packet and includes several key details: the timestamp when the packet was captured, the protocol used (e.g., IP or ARP), the source and destination addresses (including IP and port numbers), TCP flags indicating the state of the connection (such as SYN, ACK, or FIN), sequence and acknowledgment numbers, the window size, TCP options (like MSS, SACK, and timestamps), and the packet’s payload length. For instance, in a line where the SYN flag is set, it signifies the start of a TCP handshake, and the presence of sequence and acknowledgment numbers helps track the order of packets. These details provide comprehensive insight into the network traffic, allowing for effective analysis and troubleshooting.
This table provides a clear and concise overview of the different fields in tcpdump’s output and their respective descriptions and example values.
Field | Description | Example Value |
---|---|---|
Timestamp | The time when the packet was captured. | 16:32:41.508855 |
Protocol | The protocol used for the packet (e.g., IP, ARP). | IP |
Source Address | The IP address and port number of the packet’s sender. | 192.168.1.100.57891 |
Destination Address | The IP address and port number of the packet’s recipient. | 93.184.216.34.http |
Flags | TCP flags indicating the state of the connection (e.g., SYN, ACK, FIN, RST, PUSH). | Flags [S] |
Sequence Number | The sequence number for tracking the order of packets. | seq 3787255693 |
Acknowledgment Number | The acknowledgment number for tracking the order of packets. | ack 3787255694 |
Window Size | The size of the sender’s receive window. | win 64240 |
Options | Various TCP options, such as Maximum Segment Size (MSS), Selective Acknowledgment (SACK), and Timestamps. | options [mss 1460,sackOK,TS val 1924858400 ecr 0] |
Payload Length | The length of the packet’s payload. | length 0 |
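As an added example (my own Python, not code from the article or from tcpdump itself), the following parser turns these default summary lines into the fields the table lists and then uses them for two checks an analyst usually does by eye: confirming that a three-way handshake completed and totalling the payload bytes sent in each direction. The sample input is the seven-line listing above, embedded as a constant; parse_line returns None for lines of another shape (UDP, ARP), so the output of tcpdump -r capture.pcap can be fed in unchanged. Endpoints are kept exactly as printed, so without -n the port may appear as a service name such as http.

```python
import re
from dataclasses import dataclass

# Constructed sample: the seven TCP lines from the default-output listing above.
SAMPLE_OUTPUT = """\
16:32:41.508855 IP 192.168.1.100.57891 > 93.184.216.34.http: Flags [S], seq 3787255693, win 64240, options [mss 1460,sackOK,TS val 1924858400 ecr 0,nop,wscale 7], length 0
16:32:41.509045 IP 93.184.216.34.http > 192.168.1.100.57891: Flags [S.], seq 1978293252, ack 3787255694, win 28960, options [mss 1460,sackOK,TS val 240953111 ecr 1924858400,nop,wscale 6], length 0
16:32:41.509081 IP 192.168.1.100.57891 > 93.184.216.34.http: Flags [.], ack 1, win 502, options [nop,nop,TS val 1924858401 ecr 240953111], length 0
16:32:41.510995 IP 192.168.1.100.57891 > 93.184.216.34.http: Flags [P.], seq 1:51, ack 1, win 502, options [nop,nop,TS val 1924858403 ecr 240953111], length 50
16:32:41.511181 IP 93.184.216.34.http > 192.168.1.100.57891: Flags [.], ack 51, win 453, options [nop,nop,TS val 240953114 ecr 1924858403], length 0
16:32:41.512340 IP 93.184.216.34.http > 192.168.1.100.57891: Flags [P.], seq 1:1461, ack 51, win 453, options [nop,nop,TS val 240953115 ecr 1924858403], length 1460
16:32:41.512370 IP 192.168.1.100.57891 > 93.184.216.34.http: Flags [.], ack 1461, win 489, options [nop,nop,TS val 1924858405 ecr 240953115], length 0
"""

# Flag letters as tcpdump prints them ("." stands for ACK).
FLAG_NAMES = {"S": "SYN", ".": "ACK", "P": "PSH", "F": "FIN", "R": "RST",
              "U": "URG", "E": "ECE", "W": "CWR"}

# One TCP summary line: timestamp, protocol, src > dst, flags, then optional seq/ack/win/options.
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) (?P<proto>\S+) (?P<src>\S+) > (?P<dst>\S+?): "
    r"Flags \[(?P<flags>[^\]]*)\]"
    r"(?:, seq (?P<seq>\d+(?::\d+)?))?"
    r"(?:, ack (?P<ack>\d+))?"
    r"(?:, win (?P<win>\d+))?"
    r"(?:, options \[(?P<options>[^\]]*)\])?"
    r", length (?P<length>\d+)$"
)


@dataclass
class Packet:
    timestamp: str
    proto: str
    src: str                 # "ip.port" exactly as printed, e.g. 93.184.216.34.http
    dst: str
    flags: frozenset
    seq: "int | None"        # first byte of "seq a:b"; absolute on SYN/SYN-ACK, relative afterwards
    seq_end: "int | None"
    ack: "int | None"
    win: "int | None"
    options: dict
    length: int              # payload bytes


def split_endpoint(endpoint: str):
    """'93.184.216.34.http' -> ('93.184.216.34', 'http'); the port is the last dotted field."""
    host, _, port = endpoint.rpartition(".")
    return host, port


def parse_options(text: str) -> dict:
    """'mss 1460,sackOK,TS val 1924858400 ecr 0,nop,wscale 7' -> {'mss': 1460, ...}."""
    opts = {}
    for item in filter(None, text.split(",")):
        parts = item.split()
        if parts[0] == "TS" and len(parts) == 5:        # TS val <n> ecr <m>
            opts["tsval"], opts["tsecr"] = int(parts[2]), int(parts[4])
        elif len(parts) == 2:                           # mss 1460, wscale 7
            opts[parts[0]] = int(parts[1])
        else:                                           # sackOK, nop
            opts[parts[0]] = True
    return opts


def parse_line(line: str):
    """Parse one TCP summary line; returns None for lines of another shape (UDP, ARP, ...)."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    seq_parts = (m["seq"] or "").split(":")
    return Packet(
        timestamp=m["ts"], proto=m["proto"], src=m["src"], dst=m["dst"],
        flags=frozenset(FLAG_NAMES.get(c, c) for c in m["flags"]),
        seq=int(seq_parts[0]) if seq_parts[0] else None,
        seq_end=int(seq_parts[1]) if len(seq_parts) == 2 else None,
        ack=int(m["ack"]) if m["ack"] else None,
        win=int(m["win"]) if m["win"] else None,
        options=parse_options(m["options"] or ""),
        length=int(m["length"]),
    )


def parse_output(text: str):
    """Parse every line, silently skipping lines that are not TCP summaries."""
    return [p for p in map(parse_line, text.splitlines()) if p is not None]


def find_handshakes(packets):
    """(client, server) endpoints for each completed SYN -> SYN/ACK -> ACK exchange.
    The SYN/ACK is matched on its absolute ack == SYN seq + 1; the final ACK on its
    relative ack == 1 (tcpdump switches to relative numbers after the handshake)."""
    found = []
    for i, syn in enumerate(packets):
        if syn.flags != {"SYN"} or syn.seq is None:
            continue
        j = next((k for k in range(i + 1, len(packets))
                  if packets[k].src == syn.dst and packets[k].dst == syn.src
                  and packets[k].flags >= {"SYN", "ACK"} and packets[k].ack == syn.seq + 1), None)
        if j is not None and any(p.src == syn.src and p.dst == syn.dst and p.flags == {"ACK"}
                                 and p.ack == 1 for p in packets[j + 1:]):
            found.append((syn.src, syn.dst))
    return found


def payload_bytes(packets) -> dict:
    """Total payload carried in each direction, keyed by (src, dst) as printed."""
    totals = {}
    for p in packets:
        totals[(p.src, p.dst)] = totals.get((p.src, p.dst), 0) + p.length
    return totals
```

Run on the sample, find_handshakes reports one completed handshake from 192.168.1.100.57891 to 93.184.216.34.http, and payload_bytes shows 50 bytes sent by the client against 1460 returned by the server; the same two functions work on any TCP summary output saved from a capture.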
Most Commonly Used tcpdump Command Parameters
tcpdump offers a wide range of command parameters, but some are more frequently used due to their utility in common network analysis and troubleshooting tasks. Here are the most commonly used tcpdump command parameters:
Command Line Parameter | Explanation |
---|---|
-n | Don’t resolve hostnames or well-known port numbers to their service. |
-r file | Specify an existing pcap file to read from instead of a network interface. |
-i interface | Specify from which network interface you would like tcpdump to sniff. This generally requires administrative permissions. |
-D | Display interfaces |
-w file | Specify a new pcap file to place filtered packets in. |
-s snaplen | Snapshot length, or the number of bytes to capture per packet. Default is 262,144 bytes but this may vary across platforms. |
-c count | Number of packets to capture before tcpdump automatically exits. |
-X | Show packet contents in hexadecimal and ASCII. |
-A | Prints each packet (minus its link-level header) in ASCII format. |
-e | Display Ethernet header data. |
-v | Display verbose output (Levels: -v, -vv, -vvv) |
-# | Display line/packet number |
expressions | Specify a Berkeley Packet Filter (BPF) statement to filter traffic |
Note: Some commands need sudo privileges to be performed.
Using tcpdump for Packet Capture and Analysis -i, -r, -w
tcpdump’s primary function is to capture live network traffic from specified network interfaces. This captured data is invaluable for diagnosing network issues, monitoring traffic for security purposes, and investigating potential breaches. Additionally, tcpdump can save captured data into a pcap file for later analysis or for sharing with other analysts.
For instance, to capture packets from a specific interface and save them to a file, the following command is used:
tcpdump -i eth0 -w capture.pcap
This command instructs tcpdump to capture packets from the eth0 interface and write them to a file named capture.pcap.
We can also read a previously captured pcap file using the following command:
tcpdump -r capture.pcap
Limiting the Number of Packets to Capture with tcpdump -c
The -c option in tcpdump is used to specify the maximum number of packets to capture before tcpdump exits. This is particularly useful when you want to limit the amount of data collected during a packet capture session, either to keep the output manageable or to capture a specific event without creating excessively large files.
tcpdump -i eth0 -c 25
Preventing Address Name Resolution with the -n Option in tcpdump
The -n option in tcpdump is used to prevent the conversion of IP addresses and port numbers into hostnames and service names. By default, tcpdump attempts to resolve these addresses to make the output more readable, but this can introduce delays and may not always be necessary or desired.
tcpdump -i eth0 -n
Here is an output example:
Without the -n option, tcpdump might display output like this:
16:32:41.508855 IP mypc.local.57891 > example.com.http: Flags [S], seq 3787255693, win 64240, options [mss 1460,sackOK,TS val 1924858400 ecr 0,nop,wscale 7], length 0
With the -n option, the same packet would be displayed without resolving the addresses:
16:32:41.508855 IP 192.168.1.100.57891 > 93.184.216.34.80: Flags [S], seq 3787255693, win 64240, options [mss 1460,sackOK,TS val 1924858400 ecr 0,nop,wscale 7], length 0
Another common option is -nn, which prevents tcpdump from converting protocol and port numbers to names as well:
tcpdump -i eth0 -nn
Verbose Output with the -v Option in tcpdump
The -v option in tcpdump stands for “verbose” mode. It increases the amount of detail shown in the output, which can be invaluable for in-depth network analysis and troubleshooting. By adding more v characters (e.g., -vv or -vvv), you can further increase the verbosity, revealing even more details about each packet.
Levels of Verbosity
tcpdump provides different levels of verbosity to control the amount of detail in the output. Here are the levels:
Default (No -v Option)
- Basic output with minimal details.
- Shows source and destination IP addresses and ports, protocol, and a summary of the packet.
Single -v
Provides basic verbose output, showing additional details such as the IP header, TTL (Time to Live), and total packet length.
tcpdump -i eth0 -v
16:32:41.508855 IP (tos 0x0, ttl 64, id 45012, offset 0, flags [DF], proto TCP (6), length 60) 192.168.1.100.57891 > 93.184.216.34.http: Flags [S], seq 3787255693, win 64240, options [mss 1460,sackOK,TS val 1924858400 ecr 0,nop,wscale 7], length 0
This includes:
- Type of Service (tos)
- Time to Live (ttl)
- Packet ID (id)
- Fragment offset (offset)
- Flags (DF – Don’t Fragment)
- Protocol (proto)
- Total length of the packet
Double -vv
Further increases verbosity, including additional details like the TCP options (MSS, SACK, etc.) and more.
tcpdump -i eth0 -vv
16:32:41.508855 IP (tos 0x0, ttl 64, id 45012, offset 0, flags [DF], proto TCP (6), length 60)
192.168.1.100.57891 > 93.184.216.34.http: Flags [S], seq 3787255693, win 64240, options [mss 1460,sackOK,TS val 1924858400 ecr 0,nop,wscale 7], length 0
0x0000: 4500 003c afcc 4000 4006 b1e6 c0a8 0164 E..<..@.@......d
0x0010: 5db8 d822 e1a3 0050 e1a3 96ad 0000 0000 ].."...P........
0x0020: a002 fff0 fe30 0000 0204 05b4 0402 080a .....0..........
0x0030: 72f4 12a0 0000 0000 0103 0307 r...........
This output includes:
- Hexadecimal and ASCII representations of the packet’s data
- Detailed breakdown of the TCP header and options
Triple -vvv
Maximum verbosity, including comprehensive details about each packet, such as full decoding of various protocols, additional header information, and detailed flag settings.
tcpdump -i eth0 -vvv
16:32:41.508855 IP (tos 0x0, ttl 64, id 45012, offset 0, flags [DF], proto TCP (6), length 60)
192.168.1.100.57891 > 93.184.216.34.http: Flags [S], seq 3787255693, win 64240, options [mss 1460,sackOK,TS val 1924858400 ecr 0,nop,wscale 7], length 0
0x0000: 4500 003c afcc 4000 4006 b1e6 c0a8 0164 E..<..@.@......d
0x0010: 5db8 d822 e1a3 0050 e1a3 96ad 0000 0000 ].."...P........
0x0020: a002 fff0 fe30 0000 0204 05b4 0402 080a .....0..........
0x0030: 72f4 12a0 0000 0000 0103 0307 r...........
MSS option: 1460 bytes
SACK option permitted
Timestamps: 1924858400 and 0
Window scale: 7
This output includes:
- IP Header Information:
  - Type of Service (tos): Default service (0x0).
  - Time to Live (ttl): Maximum hops (64).
  - Packet ID (id): Identification number (45012).
  - Fragment offset: Indicates no fragmentation (0).
  - Flags: Don’t Fragment ([DF]).
  - Protocol (proto): TCP (protocol number 6).
  - Total length: Packet length (60 bytes).
- Packet Route and Flags:
  - Source IP and port: 192.168.1.100.57891.
  - Destination IP and port: 93.184.216.34.http (http indicating port 80).
  - Flags: TCP SYN flag ([S]), indicating the start of a handshake.
  - Sequence number (seq): 3787255693.
  - Window size (win): Flow control size (64240).
  - TCP options: MSS, SACK, Timestamps, etc.
  - Payload length: Length of packet payload (0 bytes).
- Hex and ASCII Representation of Packet Data:
  - Hexadecimal and ASCII representation of the packet’s IP header, TCP header, and data payload.
- TCP Options Details:
  - MSS option: Maximum Segment Size (1460 bytes).
  - SACK option: Selective Acknowledgment permitted.
  - Timestamps: Value (1924858400) and Echo Reply (0).
  - Window scale: Scale factor (7).
Displaying Available Interfaces with the -D Option in tcpdump
The -D option in tcpdump is used to display a list of all available network interfaces on the system. This is particularly useful when you need to determine the exact interface name to use for packet capturing, especially on systems with multiple network interfaces.
tcpdump -D
1.eth0
2.lo
3.wlan0
4.any (Pseudo-device that captures on all interfaces)
5.bluetooth-monitor (Bluetooth Linux Monitor)
6.nflog (Linux netfilter log (NFLOG) interface)
7.nfqueue (Linux netfilter queue (NFQUEUE) interface)
Before starting a packet capture, you can use the -D option to determine the available interfaces and their names. This is useful for ensuring that you select the correct interface for packet capturing, especially in environments with multiple network interfaces. This option simplifies the process of setting up a packet capture session, making it an essential feature for effective network analysis and troubleshooting.
Specifying Snapshot Length with the -s Option in tcpdump
The -s option in tcpdump allows you to specify the snapshot length, which is the number of bytes to capture from each packet. By default, tcpdump captures up to 262144 bytes of each packet, but you can adjust this length based on your needs. The snapshot length determines how much of the packet’s data is captured and stored.
tcpdump -i eth0 -s 128
Explanation and Practical Uses of the -s Option
Default Behavior:
By default, tcpdump captures up to 262144 bytes of each packet. This is usually sufficient to capture entire packets, including their payloads.
Reducing Snapshot Length:
Reducing the snapshot length can be useful when you are only interested in capturing the packet headers and not the payload. This can save storage space and reduce the amount of data you need to process.
tcpdump -i eth0 -s 64
Increasing Snapshot Length:
In some cases, you might need to capture more than the default length, especially if you are dealing with large packets. Increasing the snapshot length ensures that you capture the entire packet.
tcpdump -i eth0 -s 1024
Of course, we can combine -s with other options, for example capturing with an increased snapshot length and a packet limit for a more detailed analysis:
tcpdump -i eth0 -s 2048 -c 1000
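The following Python is an added example of my own (not code from the article or from tcpdump) that ties the -vv hex dump shown earlier to the fields -v prints, and then shows what a small snapshot length does to the same packet. It reads a packet given as tcpdump -x style hex lines, decodes the IPv4 and TCP headers into the tos/ttl/id/flags/proto/length values, walks the TCP option list, and re-runs the decode after truncating the frame to a chosen snaplen. The 60-byte SYN is constructed, not captured: its field values are taken from the -v line above (tos 0x0, ttl 64, id 45012, DF, proto 6, length 60, 192.168.1.100.57891 to 93.184.216.34.80, seq 3787255693, win 64240, mss 1460, sackOK, TS val 1924858400 ecr 0, wscale 7), the 14-byte Ethernet header is invented, and the TCP checksum is left at zero. With -s 64, only 50 bytes of IP+TCP survive after the Ethernet header, so the timestamp and window-scale options are cut off, which is why a headers-only capture of this packet needs a snaplen of at least 74 bytes.

```python
import struct
import ipaddress

# Constructed sample (not a real capture): a 60-byte IPv4/TCP SYN in tcpdump -x layout, built to
# carry the values of the -v line shown earlier (tos 0x0, ttl 64, id 45012, [DF], proto 6, length
# 60, 192.168.1.100.57891 > 93.184.216.34.80, seq 3787255693, win 64240, mss 1460, sackOK,
# TS val 1924858400 ecr 0, nop, wscale 7). IP checksum 0x9300 is valid; TCP checksum is left 0000.
SAMPLE_HEXDUMP = """\
0x0000:  4500 003c afd4 4000 4006 9300 c0a8 0164
0x0010:  5db8 d822 e223 0050 e1bc ef8d 0000 0000
0x0020:  a002 faf0 0000 0000 0204 05b4 0402 080a
0x0030:  72bb 0220 0000 0000 0103 0307
"""
# Constructed 14-byte Ethernet header (-x omits it, -xx prints it): dst MAC, src MAC, type 0x0800.
ETH_HEADER = bytes.fromhex("001122334455" "00aabbccddee" "0800")
HEX_DIGITS = set("0123456789abcdefABCDEF")
TCP_FLAG_BITS = (("FIN", 0x01), ("SYN", 0x02), ("RST", 0x04), ("PSH", 0x08),
                 ("ACK", 0x10), ("URG", 0x20), ("ECE", 0x40), ("CWR", 0x80))
OPTION_FORMATS = {2: ("!H", ("mss",)), 3: ("!B", ("wscale",)), 8: ("!II", ("tsval", "tsecr"))}

def hexdump_to_bytes(text: str) -> bytes:
    """Turn -x/-X style lines ('0x0010:  5db8 d822 ... ]..') back into raw bytes; hex groups are
    read up to the first non-hex token, which is where the ASCII column of -X output begins."""
    out = bytearray()
    for line in text.splitlines():
        tokens = line.split()
        if tokens and tokens[0].startswith("0x") and tokens[0].endswith(":"):
            tokens = tokens[1:]                          # drop the offset column
        for tok in tokens:
            if len(tok) not in (2, 4) or not set(tok) <= HEX_DIGITS:
                break
            out += bytes.fromhex(tok)
    return bytes(out)

def ipv4_checksum(header: bytes) -> int:
    """RFC 1071 one's-complement sum; a header that still contains its checksum sums to 0."""
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def decode_ipv4(pkt: bytes) -> dict:
    """Decode the IPv4 header into the fields that -v prints (tos, ttl, id, offset, flags, ...)."""
    if len(pkt) < 20:
        return {"truncated": True}
    ver_ihl, tos, length, ident, frag, ttl, proto, _ = struct.unpack("!BBHHHBBH", pkt[:12])
    ihl = (ver_ihl & 0x0F) * 4
    return {
        "truncated": False, "tos": tos, "ttl": ttl, "id": ident, "proto": proto,
        "offset": (frag & 0x1FFF) * 8,                   # stored in 8-byte units
        "flags": [n for n, bit in (("DF", 0x4000), ("MF", 0x2000)) if frag & bit],
        "length": length, "ihl": ihl,
        "src": str(ipaddress.IPv4Address(pkt[12:16])),
        "dst": str(ipaddress.IPv4Address(pkt[16:20])),
        "checksum_ok": len(pkt) >= ihl and ipv4_checksum(pkt[:ihl]) == 0,
    }

def decode_tcp_options(opts: bytes, expected_len: int):
    """Walk the TCP option TLVs; the second value says whether the snaplen cut the list short."""
    parsed, i = {}, 0
    while i < len(opts) and opts[i] != 0:                # kind 0 ends the list
        kind = opts[i]
        if kind == 1:                                    # nop is a single byte
            parsed["nop"], i = True, i + 1
            continue
        if i + 1 >= len(opts) or opts[i + 1] < 2 or i + opts[i + 1] > len(opts):
            return parsed, True                          # length byte or option body is missing
        length, body = opts[i + 1], opts[i + 2:i + opts[i + 1]]
        if kind in OPTION_FORMATS:
            fmt, names = OPTION_FORMATS[kind]
            parsed.update(zip(names, struct.unpack(fmt, body)))
        elif kind == 4:
            parsed["sackOK"] = True
        i += length
    return parsed, len(opts) < expected_len

def decode_frame(frame: bytes) -> dict:
    """Decode Ethernet/IPv4/TCP from a frame that may have been cut at the snaplen."""
    ip = decode_ipv4(frame[14:])
    result = {"ip": ip, "tcp": {"truncated": True}}
    if ip["truncated"] or ip["proto"] != 6 or len(frame) < 14 + ip["ihl"] + 20:
        return result
    seg = frame[14 + ip["ihl"]:]
    sport, dport, seq, ack, off_flags, win, _, _ = struct.unpack("!HHIIHHHH", seg[:20])
    data_off = (off_flags >> 12) * 4
    options, cut = decode_tcp_options(seg[20:data_off], data_off - 20)
    result["tcp"] = {
        "truncated": False, "sport": sport, "dport": dport, "seq": seq, "ack": ack,
        "flags": [n for n, bit in TCP_FLAG_BITS if off_flags & bit], "win": win,
        "options": options, "options_truncated": cut,
        "length": ip["length"] - ip["ihl"] - data_off,   # the trailing "length N" (payload bytes)
    }
    return result

def decode_with_snaplen(frame: bytes, snaplen: int) -> dict:
    """Emulate -s <snaplen>: tcpdump keeps only the first snaplen bytes of every frame."""
    return decode_frame(frame[:snaplen])

SAMPLE_FRAME = ETH_HEADER + hexdump_to_bytes(SAMPLE_HEXDUMP)
```

Calling decode_with_snaplen(SAMPLE_FRAME, 128) returns every field of the -v line plus all six options; decode_with_snaplen(SAMPLE_FRAME, 64) still yields the IP header, ports and the SYN flag but only mss and sackOK, with options_truncated set, which is the same loss you would see in a pcap written with -s 64.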
Printing Packets in ASCII Format with the -A Option in tcpdump
The -A option in tcpdump is used to print each packet’s contents in ASCII format, excluding the link-level header. This is particularly useful for analyzing the payload of packets, especially when dealing with text-based protocols such as HTTP, SMTP, or DNS.