In the modern era, network issues are very common for anyone who works on the internet, and they are challenging to troubleshoot and resolve. The “tcpdump” utility exists for that purpose. tcpdump is a command-line packet analyzer that captures, filters, and analyzes network traffic for protocols such as UDP, TCP/IP, and ARP. This post is a detailed guide to tcpdump with examples.
Let’s start with the prerequisite of this guide, which is the installation.
Installation of tcpdump
tcpdump comes pre-installed in most Linux distributions. To check whether it is present, type the which command in the terminal:
$ which tcpdump
If the which command prints the path of the tcpdump binary, it is already installed.
Suppose the “tcpdump” command is unavailable. In that case, you can install it using the given command:
For Debian/Ubuntu
$ sudo apt install tcpdump
For RHEL/ CentOS
$ sudo dnf install tcpdump
Let’s move on and look at the use of the tcpdump command in Linux.
How to Use tcpdump in Linux?
The tcpdump command accepts many options. Some of them are demonstrated in the examples below.
Example 1: Getting the List of Interfaces
To list all the interfaces available on the system, use the “-D” option:
$ sudo tcpdump -D
All the interfaces available for capture have been listed.
Example 2: Getting Packets From Active Interface
To capture packets (the small units into which network data is divided) from all the active interfaces, run the given command in the terminal:
$ sudo tcpdump --interface any
The above command starts capturing packets from all active interfaces. Capturing continues until it is stopped manually (for example with Ctrl+C).
Example 3: Limiting the Number of Captured Packets
Users can limit the number of packets captured from the interfaces. To do so, use the “-c” flag followed by the number of packets. Here we are limiting the capture to 5 packets:
$ sudo tcpdump -i any -c5
The five packets have been captured as shown above, after which tcpdump exits on its own.
Example 4: Disabling the Port Names
By default, the tcpdump command resolves IP addresses to host names and port numbers to service names. This name resolution can be disabled using the “-n” option (no host-name lookups) or the “-nn” option (no host-name or port-name lookups), which makes the output easier to read and avoids extra DNS traffic during the capture:
$ sudo tcpdump -i any -c5 -nn
The names of the hosts and ports are no longer resolved; raw addresses and port numbers are shown instead.
Example 5: Capturing Packets From Host
Users can also use the tcpdump utility to capture only the packets sent to or from a specific host. Pass the IP address or hostname to the “host” filter in the given command:
$ sudo tcpdump -i any -c4 host 192.168.64.1
The four packets captured all involve the host “192.168.64.1”, as specified in the command.
Example 6: Capturing Packets For Specific Protocols
The tcpdump command can filter on specific protocols such as UDP, ARP, and TCP/IP. To capture only UDP packets, use the “udp” filter as follows:
$ sudo tcpdump -i any -c3 udp
The above output shows that only packets belonging to the UDP protocol are captured.
Example 7: Storing Captured Data in File
To store the captured packets in a file, use the “-w” flag and specify the file name, conventionally with the extension “.pcap” (packet capture). Check the execution of the below command:
$ sudo tcpdump -i any -c5 -w Captured_Packets.pcap
The packets are stored in binary form in the “Captured_Packets.pcap” file, which can be seen using the “ls” command:
$ ls
Example 8: Reading Captured Data in File
To read the captured data back from the file, use the “-r” flag with the tcpdump command. Let’s read the file that was created in the above example:
$ tcpdump -r Captured_Packets.pcap
The data of the “Captured_Packets.pcap” file has been displayed. Reading a saved file does not require root privileges, and the same filters shown above (host, udp, and so on) can be applied when reading.
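To see what tcpdump actually writes with “-w”, here is an added example (not part of the original post) that parses the legacy pcap file format in pure Python: the 24-byte global header followed by 16-byte per-packet record headers. The sample bytes are constructed inline, not taken from a real capture; the link type 113 (Linux cooked capture) is what tcpdump uses for “-i any”.

```python
import struct
from typing import List, Tuple

PCAP_MAGIC_LE = 0xA1B2C3D4   # microsecond-resolution magic, little-endian writer
LINKTYPE_LINUX_SLL = 113     # "cooked" link layer used by tcpdump -i any


def build_sample_pcap() -> bytes:
    """Constructed sample file: a global header plus two fake records."""
    # magic, version 2.4, thiszone, sigfigs, snaplen, linktype
    header = struct.pack("<IHHiIII", PCAP_MAGIC_LE, 2, 4, 0, 0, 65535,
                         LINKTYPE_LINUX_SLL)
    payloads = [b"\x00\x00\x00\x01" + b"A" * 20,   # fake packet 1
                b"\x00\x04\x00\x01" + b"B" * 48]   # fake packet 2
    records = b""
    for i, pkt in enumerate(payloads):
        # ts_sec, ts_usec, incl_len (bytes saved), orig_len (bytes on wire)
        records += struct.pack("<IIII", 1700000000 + i, 250000 * i,
                               len(pkt), len(pkt)) + pkt
    return header + records


def parse_pcap(data: bytes) -> Tuple[int, List[Tuple[float, bytes]]]:
    """Return (linktype, [(timestamp, packet_bytes), ...]) or raise ValueError."""
    if len(data) < 24:
        raise ValueError("file shorter than the 24-byte pcap global header")
    magic = struct.unpack_from("<I", data, 0)[0]
    if magic == 0xA1B2C3D4:
        endian = "<"                 # written on a little-endian host
    elif magic == 0xD4C3B2A1:
        endian = ">"                 # written on a big-endian host
    else:
        raise ValueError("not a legacy pcap file (magic %#x)" % magic)
    _major, _minor, _tz, _sig, snaplen, linktype = struct.unpack_from(
        endian + "HHiIII", data, 4)
    records = []
    off = 24
    while off < len(data):
        if off + 16 > len(data):
            raise ValueError("truncated record header at offset %d" % off)
        ts_sec, ts_usec, incl_len, orig_len = struct.unpack_from(
            endian + "IIII", data, off)
        off += 16
        # Sanity checks: a record can never hold more than snaplen or orig_len.
        if incl_len > snaplen or incl_len > orig_len:
            raise ValueError("implausible record length at offset %d" % (off - 16))
        if off + incl_len > len(data):
            raise ValueError("truncated packet data at offset %d" % off)
        records.append((ts_sec + ts_usec / 1e6, data[off:off + incl_len]))
        off += incl_len
    return linktype, records
```

Running parse_pcap() over the bytes of Captured_Packets.pcap gives the same packet count and timestamps that “tcpdump -r” prints, and the length checks reject a file that was cut short (for example by an interrupted capture).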
Example 9: Displaying Captured Data in HEX and ASCII
To display the contents of the captured packets in HEX and ASCII form, use the “-xx” option:
$ sudo tcpdump -i any -xx
The above output shows each packet dumped as HEX and ASCII, including the link-layer header.
Example 10: Displaying Captured Data in ASCII Only
To print the contents of the captured packets in ASCII only, use the “-A” flag in the command:
$ sudo tcpdump -i any -A
The packet payloads are printed in ASCII, which is handy for inspecting plain-text protocols such as HTTP.
For more information and usage, run tcpdump with the help option in the terminal:
$ tcpdump --help
The help output lists all the options the tcpdump command supports.
That’s it from this detailed guide on tcpdump.
Conclusion
In Linux, tcpdump is a utility to diagnose and resolve network-related issues by capturing and filtering traffic. Various options are used with the tcpdump command for troubleshooting the network. This post has briefly illustrated the installation process and the usage of the tcpdump command with the help of examples.