Code Review In Seconds

Self-Hosted AI Code Reviewer

Hexmos LiveReview AI-Powered Code Review
Live Review
AI-Powered Code Review

Tcpdump - Network Packet Capture Tool

Learn how to use tcpdump for network packet capture and analysis. This guide covers basic and advanced usage with practical examples for network troubleshooting and security.

Tcpdump - Network Packet Capture Tool

Basic Tcpdump Usage

Tcpdump is a powerful command-line packet analyzer. Here are some fundamental commands to get you started with capturing network traffic.

###############
# Basic Usage #
###############

# Capture packets on a particular interface (eth0)
# Note that tcpdump (without the '-i eth0') is also valid if you are only using one interface
tcpdump -i eth0

# Capture packets with more detailed output
tcpdump -i eth0 -nnvvS

# Display captured packets in both HEX and ASCII format
tcpdump -XX -i eth0

# Write captured packets into a file (can be read by tools such as Wireshark, Snort, etc)
tcpdump -w yourfilename.pcap -i eth0

# Read packets from a saved packet capture file
tcpdump -tttt -r yoursavedfile.pcap

# Display IP addresses instead of hostnames when capturing packets
tcpdump -n -i eth0

# Capture packets from a particular source/destination IP address
tcpdump src 192.168.1.1
tcpdump dst 192.168.1.1

# Capture packets from a particular source/destination port number
tcpdump src port 53
tcpdump dst port 21

# Capture an entire network's traffic using CIDR notation
tcpdump net 192.168.1.0/24

# Capture traffic to or from a port
tcpdump port 3389

# Display captured packets above or below a certain size (in bytes)
tcpdump less 64
tcpdump greater 256

Advanced Tcpdump Filtering and Usage

Tcpdump allows for complex filtering to pinpoint specific network traffic. Combine conditions using logical operators for precise analysis.

##################
# Advanced Usage #
##################

# More complex statements can be formed with the use of logical operators: and(&&), or(||), not(!)
# Examples:

# Capture all traffic from 192.168.1.10 with destination port 80 (with verbose output)
tcpdump -nnvvS and src 192.168.1.10 and dst port 80

# Capture traffic originating from the 172.16.0.0/16 network with destination network 192.168.1.0/24 or 10.0.0.0/8
tcpdump src net 172.16.0.0/16 and dst net 192.168.1.0/24 or 10.0.0.0/8

# Capture all traffic originating from host H1 that isn't going to port 22
tcpdump src H1 and not dst port 22

# With some complex queries you may have to use single quotes to ignore special characters, namely parentheses
# Capture traffic from 192.168.1.1 that is destined for ports 80 and 21
tcpdump 'src 192.168.1.1 and (dst port 80 or 21)'

Understanding Tcpdump Output

The output of tcpdump can be detailed, showing timestamps, protocols, source and destination addresses, and more. Understanding these fields is crucial for effective network diagnostics.

Tcpdump for Network Security

Tcpdump is an invaluable tool for network security professionals. It can be used to detect suspicious activity, analyze malware communication, and verify network security policies.

Further Resources

For more in-depth information and advanced usage, consult the official tcpdump documentation and related network analysis resources.

← Back to security cheatsheets All cheatsheets 🙏  Credits & Acknowledgments