Tcpdump is one of those commands that is incredibly useful when you need it but for most of us it isn’t something we use every day. If you’re anything like me, you type in how you think the command is supposed to go, press enter only to see “tcpdump: syntax error” pop up before promptly returning to one of the 20 Google tabs you have open. There’s a couple of posts that I’ve been working on that reference tcpdump quite heavily, so I figured I’d write this one first and hopefully by doing so, commit these commands to my memory and also have a post that may prove useful to you.
I’m not going to go over everything you can do with tcpdump as we’d be here rather a while, instead I’m going to cover the things I find myself using the most and a bit about how you can combine those elements in useful ways.
The Starting Point
It seems logical to start with the tcpdump command itself, just running “tcpdump” will prompt it to use the “lowest numbered, configured up interface (excluding loopback)” on the system. I’ve made it a habit to always specify the interface I wish to use to avoid potentially confusing results. You can specify the interface using the -i flag:
tcpdump -i eth0
Next up, we’ve got the capture files, these are incredibly useful as it allows you to save captured packets for later analysis using a program such as Wireshark (or tcpdump itself). You can tell tcpdump to save the packets by specifying a file using the -w flag.
tcpdump -i eth0 -w PacketCapture.pcap
tcpdump affords you great control over which packets you capture, it lets you specify which hosts, ports, and protocols you wish to capture or exclude. There’s various filters you can use.
IP Address Filtering
You can filter based on a singular IP, multiple IPs or a range by using the
The host filter is used for singular IP addresses like so:
tcpdump -i eth0 host 22.214.171.124
…and the net filter is used like so:
tcpdump -i eth0 net 192.168.1.0/24
tcpdump -i eth0 net 10.10.0.0/16
port filter allows you to specify ports by number or by name, here’s a couple of examples:
tcpdump -i eth0 port 123
tcpdump -i eth0 port ntp
tcpdump -i eth0 port ssh
tcpdump -i eth0 port https
You can also specify a port range using the
tcpdump -i eth0 portrange 1000-2000
This is a surprisingly useful filter, it lets you specify which protocols you wish to capture. There’s quite the list of protocols that you can specify, I only really ever use TCP, UDP, ICMP and ARP.
tcpdump -i eth0 tcp
tcpdump -i eth0 icmp
You can also specify whether you want to capture only IPv4 or IPv6 by using
tcpdump -i eth0 ip
tcpdump -i eth0 ip6
Source and Destination
This is where tcpdump starts to get slightly confusing, you can refine, combine, and exclude filters. First off, let’s cover the
dst filters. These can be used to further narrow down the results of the port and IP filters, here’s a couple of examples:
tcpdump -i eth0 src port https
tcpdump -i eth0 dst host 126.96.36.199
tcpdump -i eth0 src net 192.168.1.0/24
Next, we have the operators to combine filters, and create exclude filters. These are the following:
First off, we have the
and operator, it’s used to further narrow down what is captured, and can be used like so:
tcpdump -i ens3 src host 188.8.131.52 and src port 123
We also have the
or operator which I personally use more than the
and. It can be used to specify multiple ports and hosts or networks. tcpdump is fairly flexible in how you write the filters, here’s a couple of ways to achieve the same result:
tcpdump -i eth0 host '(184.108.40.206 or 220.127.116.11)'
tcpdump -i eth0 host 18.104.22.168 or host 22.214.171.124
And this would capture traffic going to
or from either port 123 or 53:
tcpdump -i eth0 port ntp or port 53
You could even do something like this (though I’m not sure why you’d want to):
tcpdump -i ens3 src net 126.96.36.199/8 or dst portrange 1000-2000
Finally, we have the
not operator, this is used to turn a filter into an exclude filter. Let’s say for example, we wanted to capture everything except our SSH session, for that we could do this:
tcpdump -i eth0 not port ssh
If we were running a NTP server on that device, then we could also exclude the traffic from that:
tcpdump -i eth0 not port ssh and not port ntp
…or if we wanted to be slightly tidier then we could do:
tcpdump -i eth0 not port '(ssh or ntp)'
Other Useful Flags
There’s a couple of other flags which are rather useful, the one I use the most is the
-n flag. This stops tcpdump from resolving the IP addresses into hostnames (which requires an on-the-fly DNS lookup for each IP it captures). You can take it one step further by using
-nn which will also stop tcpdump from resolving portnames.
tcpdump -i eth0 -n
There’s also the
-c flag which allows you to specify how many packets you wish to capture.
tcpdump -i eth0 -c 1000
Finally, you can make the output more verbose by using the
-v flag, it will increase the amount of information shown based on the level of the flag you use
tcpdump -i eth0 -vvv
Well, that’s all for this one
I don’t think this is the kind of post you’d read whilst enjoying a cup of Tea on a Saturday morning, but I hope that it proves useful when you need it. I know that I for one will be quite happy if I don’t have to think about tcpdump again for a while.
Short link: on-te.ch/tcpd