Tcpdump Command Examples - Network Packet Analysis

Explore essential tcpdump command examples for network packet analysis. Learn to capture, filter, and inspect network traffic effectively with this powerful command-line tool.

Tcpdump Command Examples

Tcpdump is a command-line packet analyzer that captures and displays the packets passing through a network interface (TCP/IP and other protocols), using libpcap and its BPF filter expressions. It's an essential tool for network troubleshooting, security analysis, and understanding network behavior. Live capture normally requires root privileges (on Linux, the CAP_NET_RAW and CAP_NET_ADMIN capabilities are enough).

Basic Packet Interception

Capturing all packets on a specific network interface is the most basic use case. The -i flag selects the interface; without it, tcpdump picks a default interface, typically the first configured non-loopback one.

# Captures all packets on eth0
tcpdump -i eth0

Filtering Traffic by Host

You can easily filter traffic to and from specific IP addresses. This is crucial for isolating communication related to a particular server or client.

# Intercepts all packets from/to 173.194.40.120 (e.g., google.com)
tcpdump host 173.194.40.120

Advanced Filtering with Port and Host

Combine host and port filters for a more precise capture. The -nn option disables name resolution for both addresses (the first n) and port/protocol numbers (the second n), so the output shows raw IPs and ports and tcpdump does not perform reverse-DNS lookups while capturing. On Linux, -i any captures on all interfaces at once (in "cooked" mode, so link-layer headers are not available).

# Captures all packets on all interfaces from / to 173.194.40.120 port 80
# -nn => Disables name resolution for IP addresses and port numbers.
# -i any => All interfaces (Linux only).
tcpdump -nn -i any host 173.194.40.120 and port 80

Analyzing Packet Content with Grep and Ngrep

To inspect the data carried inside packets, pipe tcpdump's output to grep or use ngrep directly. The -A flag prints each packet's contents in ASCII (minus the link-level header), which is enough to read cleartext protocols such as HTTP on port 80; TLS traffic will not yield readable headers this way. When piping into grep, add -l so tcpdump line-buffers its stdout instead of block-buffering it; otherwise matches only appear once the buffer fills.

# Make a grep on tcpdump output (ASCII)
# -A => Print each packet in ASCII (without the link-level header).
# -l => Line-buffer stdout so grep sees matches immediately.
# -s snaplen => Capture only snaplen bytes of data from each packet.
#    By default, tcpdump captures 262144 bytes.
#    Packets truncated because of a limited snapshot are indicated in the
#    output with '[|protocol]'.
tcpdump -nn -l -i any -A host 173.194.40.120 and port 80 | grep 'User-Agent'

# With ngrep: the regex pattern comes first, followed by a BPF filter in the same syntax as tcpdump
# -d eth0 => Listen on eth0 (otherwise ngrep picks a default interface; on Linux, -d any uses the 'any' pseudo-interface)
# -s snaplen => Set the capture length (default 65536 bytes, which already covers a full Ethernet frame)
# -q => Quiet: do not print a '#' for every non-matching packet
ngrep -q -d eth0 'User-Agent' host 173.194.40.120 and port 80

Capturing Traffic to Multiple Hosts or Ports

Tcpdump supports complex filtering logic using parentheses and logical operators like or and and.

# Captures all packets on all interfaces from / to 8.8.8.8 or 173.194.40.127 on port 80
# The parentheses let both addresses share the 'host' qualifier; quote the whole
# expression so the shell does not interpret the parentheses itself.
tcpdump -i any 'host (8.8.8.8 or 173.194.40.127) and port 80'

Filtering TCP Flags

Tcpdump allows filtering based on TCP flags, which is essential for analyzing connection states.

# Captures the SYN and FIN packets of each TCP session, i.e. the start and end
# of every connection. tcp[tcpflags] is the flags byte (offset 13 of the TCP
# header); tcp-syn and tcp-fin are the named bit values of that byte.
tcpdump 'tcp[tcpflags] & (tcp-syn|tcp-fin) != 0'

# Same, but only for sessions that involve a host outside our own network.
# local_addr is a placeholder for your network, e.g. 192.168.1.0/24.
# 'src and dst net X' matches packets whose source AND destination are both
# inside X, so the 'not' keeps only conversations with at least one non-local end.
tcpdump 'tcp[tcpflags] & (tcp-syn|tcp-fin) != 0 and not src and dst net local_addr'

# Displays all IPv4 HTTP packets to or from port 80 that actually carry data,
# i.e. excludes SYN, FIN and ACK-only packets. The arithmetic is:
#   payload length = IP total length            (ip[2:2])
#                  - IP header length           ((ip[0]&0xf)<<2, IHL in 32-bit words)
#                  - TCP header length          ((tcp[12]&0xf0)>>2, data offset in 32-bit words)
# It only works for IPv4, because ip[...] indexes the IPv4 header.
tcpdump 'tcp port 80 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)'
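To see exactly what the two byte-offset filters above compute, here is an added Python example (not part of the original page and not tcpdump's own code) that re-implements tcp[tcpflags] & (tcp-syn|tcp-fin) != 0 and the payload-length expression on raw IPv4/TCP bytes. The packets, addresses and ports are constructed inside the script (checksums are left zero, nothing is sent); the ip()/tcp() helpers mirror how pcap indexes ip[n] from the IP header and tcp[n] from the TCP header, which is why a packet carrying IP options still evaluates correctly.

```python
"""Re-implements two tcpdump BPF expressions on raw IPv4/TCP bytes.

Added example with constructed packets (no checksums, no live capture).
It shows what ip[n], tcp[n] and tcp[tcpflags] index into and why the
payload-length arithmetic needs both header lengths.
"""
import socket
import struct

# Flag bit values that pcap-filter names tcp-fin, tcp-syn, tcp-rst, tcp-push, tcp-ack.
TCP_FIN, TCP_SYN, TCP_RST, TCP_PSH, TCP_ACK = 0x01, 0x02, 0x04, 0x08, 0x10


def build_ipv4_tcp(src, dst, sport, dport, flags, payload=b"",
                   ip_options=b"", tcp_options=b""):
    """Build a minimal IPv4+TCP packet. Checksums stay zero: this is constructed
    test data. Options must already be padded to a multiple of 4 bytes."""
    ihl = 5 + len(ip_options) // 4          # IP header length in 32-bit words
    doff = 5 + len(tcp_options) // 4        # TCP data offset in 32-bit words
    total_len = ihl * 4 + doff * 4 + len(payload)
    ip_hdr = struct.pack("!BBHHHBBH4s4s",
                         (4 << 4) | ihl, 0, total_len, 0, 0, 64, 6, 0,
                         socket.inet_aton(src), socket.inet_aton(dst))
    tcp_hdr = struct.pack("!HHIIBBHHH",
                          sport, dport, 0, 0, doff << 4, flags, 65535, 0, 0)
    return ip_hdr + ip_options + tcp_hdr + tcp_options + payload


def ip(pkt, off, size=1):
    """pcap's ip[off:size]: bytes counted from the start of the IPv4 header."""
    return int.from_bytes(pkt[off:off + size], "big")


def tcp(pkt, off, size=1):
    """pcap's tcp[off:size]: tcpdump adds the IPv4 header length for you, so
    tcp[12] is the TCP data-offset byte whether or not IP options are present."""
    base = (pkt[0] & 0x0F) << 2
    return int.from_bytes(pkt[base + off:base + off + size], "big")


def syn_or_fin(pkt):
    """tcp[tcpflags] & (tcp-syn|tcp-fin) != 0   (tcpflags is TCP offset 13)."""
    return (tcp(pkt, 13) & (TCP_SYN | TCP_FIN)) != 0


def payload_length(pkt):
    """(ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2):
    IP total length minus IP header length minus TCP header length."""
    return (ip(pkt, 2, 2) - ((ip(pkt, 0) & 0x0F) << 2)) - ((tcp(pkt, 12) & 0xF0) >> 2)


def http_with_data(pkt):
    """tcp port 80 and (payload length != 0)."""
    on_port_80 = tcp(pkt, 0, 2) == 80 or tcp(pkt, 2, 2) == 80
    return on_port_80 and payload_length(pkt) != 0


# Constructed sample conversation (assumed addresses, not captured traffic).
C, S = "192.0.2.10", "173.194.40.120"
SAMPLES = {
    "syn":      build_ipv4_tcp(C, S, 40000, 80, TCP_SYN,
                               tcp_options=b"\x02\x04\x05\xb4"),   # MSS option
    "syn-ack":  build_ipv4_tcp(S, C, 80, 40000, TCP_SYN | TCP_ACK),
    "ack-only": build_ipv4_tcp(C, S, 40000, 80, TCP_ACK),
    "request":  build_ipv4_tcp(C, S, 40000, 80, TCP_PSH | TCP_ACK,
                               payload=b"GET / HTTP/1.0\r\n\r\n"),
    "ip-opts":  build_ipv4_tcp(C, S, 40000, 80, TCP_PSH | TCP_ACK,
                               payload=b"X", ip_options=b"\x01\x01\x01\x01"),  # 4 NOPs
    "fin":      build_ipv4_tcp(C, S, 40000, 80, TCP_FIN | TCP_ACK),
    "https":    build_ipv4_tcp(C, S, 40001, 443, TCP_PSH | TCP_ACK,
                               payload=b"\x16\x03\x01"),
}


def matching(filter_fn):
    """Names of the sample packets the given filter would let through."""
    return [name for name, pkt in SAMPLES.items() if filter_fn(pkt)]


if __name__ == "__main__":
    print("syn_or_fin     ->", matching(syn_or_fin))        # ['syn', 'syn-ack', 'fin']
    print("http_with_data ->", matching(http_with_data))    # ['request', 'ip-opts']
```

The "ip-opts" packet is the interesting one: its IP header is 24 bytes, so a filter that hard-coded tcp[12] as byte 32 of the packet, or assumed a 20-byte IP header when subtracting, would misreport its payload length. The BPF expression avoids that by reading IHL from ip[0] and letting tcpdump resolve the tcp[] offset.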

Saving and Reading Captured Data

Use the -w flag to write the raw captured packets to a file in pcap format; nothing is decoded or printed while writing, and the file can be opened later with tcpdump or Wireshark. Use the -r flag to read and decode a capture file instead of a live interface. Filter expressions and options such as -nn apply when reading a file exactly as they do during live capture, so you can capture everything once and narrow it down afterwards.

# Saving captured data (raw packets, pcap format; nothing is printed)
tcpdump -i eth0 -w file.cap

# Reading from capture file (filters and -nn work here too)
tcpdump -nn -r file.cap
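The file that -w produces is a pcap file: a 24-byte global header (magic, version, snaplen, link type) followed, for each packet, by a 16-byte record header and the captured bytes. The record header stores both the captured length, which -s limits, and the original length, which is how a reader knows a packet was truncated. The following added Python example (not from the page and not tcpdump's code) writes such a file from a constructed IPv4/TCP packet and reads it back, including the truncation case that tcpdump marks with '[|protocol]'. It assumes the classic microsecond magic and link type 101 (LINKTYPE_RAW, records start at the IP header, so no Ethernet header is needed); the packet bytes and the timestamp are made up.

```python
"""Write and read the pcap format that tcpdump -w / -r use.

Added example with constructed data; standard library only. Assumes the
microsecond pcap magic (0xA1B2C3D4) and LINKTYPE_RAW (101), so each record
begins directly with the IPv4 header.
"""
import os
import struct
import tempfile

PCAP_MAGIC_USEC = 0xA1B2C3D4   # microsecond timestamps (0xA1B23C4D would be nanoseconds)
LINKTYPE_RAW = 101             # records start at the IP header, no Ethernet header
DEFAULT_SNAPLEN = 262144       # tcpdump's default -s value

# Constructed packet: IPv4 192.0.2.10 -> 173.194.40.120, TCP 40000 -> 80,
# PSH|ACK, carrying an HTTP request line. Checksums are zero (never sent).
SAMPLE_HDR = bytes.fromhex(
    "45000038 00004000 40060000 c000020a adc22878"   # IPv4 header, total length 56
    "9c400050 00000001 00000000 50180400 00000000"   # TCP header, flags 0x18 = PSH|ACK
)
SAMPLE_PKT = SAMPLE_HDR + b"GET / HTTP/1.0\r\n"


def write_pcap(path, packets, snaplen=DEFAULT_SNAPLEN, linktype=LINKTYPE_RAW):
    """packets: iterable of (timestamp_seconds, raw_bytes).

    Each packet is cut at snaplen, exactly what tcpdump -s does, but the record
    header keeps the original length so a reader can tell it was truncated."""
    with open(path, "wb") as f:
        # magic, version 2.4, thiszone, sigfigs, snaplen, network (link type)
        f.write(struct.pack("<IHHiIII", PCAP_MAGIC_USEC, 2, 4, 0, 0, snaplen, linktype))
        for ts, data in packets:
            sec = int(ts)
            usec = int(round((ts - sec) * 1_000_000))
            caplen = min(len(data), snaplen)
            f.write(struct.pack("<IIII", sec, usec, caplen, len(data)))
            f.write(data[:caplen])


def read_pcap(path):
    """Return (linktype, snaplen, records) with records as
    (timestamp, caplen, origlen, data). Byte order is derived from the magic,
    as libpcap does, so files written on either endianness are readable."""
    with open(path, "rb") as f:
        magic = f.read(4)
        if magic == b"\xd4\xc3\xb2\xa1":
            endian = "<"
        elif magic == b"\xa1\xb2\xc3\xd4":
            endian = ">"
        else:
            raise ValueError("not a microsecond pcap file: magic %r" % magic)
        _vmaj, _vmin, _tz, _sig, snaplen, linktype = struct.unpack(endian + "HHiIII", f.read(20))
        records = []
        while True:
            hdr = f.read(16)
            if not hdr:
                break
            if len(hdr) < 16:
                raise ValueError("truncated record header")
            sec, usec, caplen, origlen = struct.unpack(endian + "IIII", hdr)
            data = f.read(caplen)
            if len(data) < caplen:
                raise ValueError("truncated packet data")
            records.append((sec + usec / 1_000_000, caplen, origlen, data))
    return linktype, snaplen, records


def roundtrip(packets, snaplen=DEFAULT_SNAPLEN):
    """Write packets to a temporary file.cap and read them back."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "file.cap")
        write_pcap(path, packets, snaplen)
        return read_pcap(path)


if __name__ == "__main__":
    _, _, recs = roundtrip([(1700000000.5, SAMPLE_PKT)])
    print("default snaplen:", recs[0][1:3])        # (56, 56): whole packet kept
    _, _, recs = roundtrip([(1700000000.5, SAMPLE_PKT)], snaplen=40)
    print("snaplen 40     :", recs[0][1:3])        # (40, 56): headers only, payload lost
```

With snaplen 40 the record keeps only the IP and TCP headers; a decoder sees caplen 40 against an original length of 56, which is the condition behind the '[|protocol]' marker in tcpdump's output. Since tcpdump's default snaplen is already 262144, truncation in practice comes from an explicit -s value chosen to keep capture files small.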

Displaying Packet Content in Hexadecimal

Viewing packet bytes in hexadecimal is useful for deep inspection, for example checking a header field by hand or looking at non-printable payload.

# Show content in hex (without the link-level header)
# Change -x to -xx => also show the link-level (Ethernet) header.
tcpdump -x

# Show content in hex and ASCII side by side
# Change -X to -XX => also show the link-level (Ethernet) header.
tcpdump -X

Understanding Packet Matching Syntax

Tcpdump offers a flexible syntax for defining packet filters. Here are some common examples for port and host matching:

# Note on packet matching:
# Port matching:
# - portrange 22-23
# - not port 22
# - port ssh
# - dst port 22
# - src port 22
#
# Host matching:
# - dst host 8.8.8.8
# - not dst host 8.8.8.8
# - src net 67.207.148.0 mask 255.255.255.0
# - src net 67.207.148.0/24

Further Resources

For more in-depth information and advanced usage, consult the official tcpdump documentation and related network analysis resources.