A Quick Look at How to use the TCPdump Command

Tcpdump is one of those commands that is incredibly useful when you need it, but for most of us it isn't something we use every day. If you're anything like me, you type in how you think the command is supposed to go and press enter, only to see "tcpdump: syntax error" pop up before promptly returning to one of the 20 Google tabs you have open. There are a couple of posts I've been working on that reference tcpdump quite heavily, so I figured I'd write this one first; hopefully doing so will commit these commands to my memory, and it may also prove useful to you.

I'm not going to go over everything you can do with tcpdump, as we'd be here for quite a while. Instead, I'm going to cover the things I find myself using the most, and a bit about how you can combine those elements in useful ways.

The Starting Point

It seems logical to start with the tcpdump command itself. Just running "tcpdump" will prompt it to use the "lowest numbered, configured up interface (excluding loopback)" on the system. Note that it needs to be run as root (or with the CAP_NET_RAW capability) to open an interface at all. I've made it a habit to always specify the interface I wish to use to avoid potentially confusing results; tcpdump -D lists the interfaces it can see, and on Linux -i any captures on all of them at once (though not in promiscuous mode). You can specify the interface using the -i flag:

tcpdump -i eth0

Capture Files

Next up, we've got the capture files. These are incredibly useful, as they let you save captured packets for later analysis using a program such as Wireshark (or tcpdump itself, which reads a saved file back with -r and accepts the same filters described below). You can tell tcpdump to save the packets by specifying a file using the -w flag. For longer captures, -C rotates to a new file once it reaches a size in millions of bytes, -G rotates every N seconds (put strftime escapes such as %Y%m%d-%H%M%S in the file name so each file is unique) and -W limits the number of files; with -C it wraps around and overwrites the oldest, giving you a ring buffer rather than a full disk. One gotcha: many distributions build tcpdump to drop from root to an unprivileged user (typically "tcpdump") once the interface is open and before the output file is created, so the directory you write to must be writable by that user or you'll get "Permission denied" despite having run it as root.

tcpdump -i eth0 -w PacketCapture.pcap

Filtering

tcpdump affords you great control over which packets you capture: it lets you specify which hosts, ports and protocols you wish to capture or exclude, using the pcap filter syntax (the same syntax Wireshark uses for capture filters, not its display filters). The expression is compiled to a BPF program and applied in the kernel, so packets that don't match are discarded before they ever reach tcpdump, which keeps the load (and the packet loss) down on a busy host. There are various filters you can use.

IP Address Filtering

You can filter based on a single IP, multiple IPs or a range by using the host or net filters. Both match either the source or the destination address of the packet, and for IPv4 addresses they also match the sender and target addresses inside ARP packets, so write ip host 1.2.3.4 (or ip net ...) if you only want IP traffic.

The host filter is used for singular IP addresses like so:

tcpdump -i eth0 host 1.2.3.4

...and the net filter is used like so:

tcpdump -i eth0 net 192.168.1.0/24
tcpdump -i eth0 net 10.10.0.0/16

Port Filtering

The port filter allows you to specify ports by number or by name (names are resolved from /etc/services when the filter is compiled, so they keep working even with -n). An unqualified port matches TCP, UDP and SCTP alike; prefix it with tcp or udp if you only want one of them. Here are a couple of examples:

tcpdump -i eth0 port 123
tcpdump -i eth0 port ntp

tcpdump -i eth0 port ssh
tcpdump -i eth0 port https

You can also specify a port range using the portrange filter:

tcpdump -i eth0 portrange 1000-2000

Protocol Filtering

This is a surprisingly useful filter: it lets you specify which protocols you wish to capture. There's quite a list of protocols you can specify, but I only really ever use tcp, udp, icmp and arp.

tcpdump -i eth0 tcp
tcpdump -i eth0 icmp

You can also specify whether you want to capture only IPv4 or IPv6 by using ip and ip6.

tcpdump -i eth0 ip
tcpdump -i eth0 ip6

Augmenting Filters

Source and Destination

This is where tcpdump starts to get slightly confusing: you can refine, combine and exclude filters. First off, let's cover the src and dst qualifiers. These can be used to further narrow down the results of the port and IP filters by matching only the source or only the destination side of the packet. Here are a couple of examples:

tcpdump -i eth0 src port https
tcpdump -i eth0 dst host 1.2.3.4
tcpdump -i eth0 src net 192.168.1.0/24

Logical Operators

Next, we have the operators to combine filters and create exclude filters. There are three: and, or and not (you can also write them as &&, || and !). not binds tightest, while and and or have equal precedence and are evaluated left to right, so use parentheses when mixing them rather than relying on the order.

And

First off, we have the and operator, it's used to further narrow down what is captured, and can be used like so:

tcpdump -i ens3 src host 1.2.3.4 and src port 123

Or

We also have the or operator, which I personally use more than and. It can be used to specify multiple ports, hosts or networks. tcpdump is fairly flexible in how you write the filters; here are a couple of ways to achieve the same result (in the first form the host qualifier is applied to every address in the brackets, and the single quotes just keep the shell from interpreting the parentheses):

tcpdump -i eth0 host '(1.2.3.4 or 4.3.2.1)'
tcpdump -i eth0 host 1.2.3.4 or host 4.3.2.1

And this would capture traffic going to or from either port 123 or 53:

tcpdump -i eth0 port ntp or port 53

You could even do something like this (though I'm not sure why you'd want to):

tcpdump -i ens3 src net 123.0.0.0/8 or dst portrange 1000-2000

Not

Finally, we have the not operator, which turns a filter into an exclude filter. Let's say, for example, we wanted to capture everything except our SSH session; for that we could do this (bear in mind that it drops all SSH traffic on the interface, not just our own session, so if the box is also an SSH server or you're looking for SSH from elsewhere, combine not with the host filter for your own client address instead):

tcpdump -i eth0 not port ssh

If we were running a NTP server on that device, then we could also exclude the traffic from that:

tcpdump -i eth0 not port ssh and not port ntp

...or if we wanted to be slightly tidier then we could do (again, the quotes only stop the shell treating the parentheses as a subshell):

tcpdump -i eth0 not port '(ssh or ntp)'
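The capture-file round trip and the filters from the sections above, as an added example that is not code from the original post: the script below hand-builds a small pcap file containing three constructed frames (an NTP request, an ARP request and an SSH SYN, all with made-up addresses and MACs), then reads it back with tcpdump -r and applies the post's expressions to it. Reading a saved file needs neither root nor a live interface, so it is a safe way to check what a filter will and won't match before pointing it at eth0. The only assumption is that tcpdump is on the PATH; the file name is the example's own choice.

```shell
#!/bin/sh
# Added example, not code from the original post. Builds a pcap by hand and
# runs the post's filter expressions over it with `tcpdump -r` (no root, no
# live interface). Assumes tcpdump is on PATH; every address, MAC and port
# below is constructed sample data.

# write_hex "d4 c3 ..." writes the bytes of a hex string to stdout using
# only POSIX printf features (octal escapes), so it works in dash as well.
write_hex() {
    for byte in $1; do
        printf "\\$(printf '%03o' "0x$byte")"
    done
}

# pcap_record SECONDS "hex frame": 16-byte record header (ts_sec, ts_usec,
# captured length, original length; all little-endian) followed by the frame.
pcap_record() {
    ts=$1
    frame=$2
    set -- $frame                    # one positional parameter per byte
    lo=$(printf '%02x' $(($# % 256)))
    hi=$(printf '%02x' $(($# / 256)))
    write_hex "$(printf '%02x' "$ts") 00 00 00 00 00 00 00 $lo $hi 00 00 $lo $hi 00 00"
    write_hex "$frame"
}

# Frame 1: UDP 192.168.1.10:50000 -> 1.2.3.4:123 (NTP), empty payload, 42 bytes.
FRAME_NTP="00 11 22 33 44 55 66 77 88 99 aa bb 08 00 \
45 00 00 1c 00 01 00 00 40 11 b5 18 c0 a8 01 0a 01 02 03 04 \
c3 50 00 7b 00 08 00 00"
# Frame 2: ARP request, who-has 192.168.1.1 tell 192.168.1.10, 42 bytes.
FRAME_ARP="ff ff ff ff ff ff 66 77 88 99 aa bb 08 06 \
00 01 08 00 06 04 00 01 66 77 88 99 aa bb c0 a8 01 0a \
00 00 00 00 00 00 c0 a8 01 01"
# Frame 3: TCP SYN 192.168.1.10:50001 -> 1.2.3.4:22 (SSH), 54 bytes.
# IP and TCP checksums are precomputed so `-v` does not flag them.
FRAME_SSH="00 11 22 33 44 55 66 77 88 99 aa bb 08 00 \
45 00 00 28 00 02 00 00 40 06 b5 16 c0 a8 01 0a 01 02 03 04 \
c3 51 00 16 00 00 00 01 00 00 00 00 50 02 20 00 06 c2 00 00"

# build_pcap FILE: pcap global header (magic a1b2c3d4 little-endian, v2.4,
# snaplen 65535, link type 1 = Ethernet) followed by the three records.
build_pcap() {
    {
        write_hex "d4 c3 b2 a1 02 00 04 00 00 00 00 00 00 00 00 00 ff ff 00 00 01 00 00 00"
        pcap_record 1 "$FRAME_NTP"
        pcap_record 2 "$FRAME_ARP"
        pcap_record 3 "$FRAME_SSH"
    } > "$1"
}

# count_matching FILE 'filter expression': number of packets in FILE that match.
# -r reads the file, -n avoids DNS lookups for 1.2.3.4, -t drops timestamps and
# -q keeps each packet on one line so non-indented lines can simply be counted.
# stderr is silenced because tcpdump announces the link type there.
count_matching() {
    tcpdump -nqtr "$1" "$2" 2>/dev/null | grep -c -v '^[[:space:]]' || true
}

main() {
    pcap=${TMPDIR:-/tmp}/tcpdump-filters.$$.pcap
    build_pcap "$pcap"
    if ! command -v tcpdump >/dev/null 2>&1; then
        echo "tcpdump not found; sample capture written to $pcap" >&2
        return 0
    fi
    # Expressions from the post, with numeric ports so /etc/services is not
    # needed (`port ssh` / `port ntp` behave identically where it exists).
    # The single quotes only protect the parentheses from the shell.
    for expr in 'host 1.2.3.4' 'net 192.168.1.0/24' 'ip host 192.168.1.10' \
                'port 123' 'tcp' 'arp' 'src host 192.168.1.10 and dst port 22' \
                'port 22 or port 123' 'not port 22' 'not port (22 or 123)' \
                'not (host 192.168.1.10 and port 22)'; do
        printf '%-42s %s packet(s)\n' "$expr" "$(count_matching "$pcap" "$expr")"
    done
    rm -f "$pcap"
}

main "$@"
```

Run it with sh; each expression prints how many of the three packets it matched. Two things are worth noticing in the output: host and net also catch the ARP frame, because unqualified address filters cover IP, ARP and RARP (ip host restricts them to IPv4), and not port 22 lets the ARP frame through for the same reason, while not (host ... and port 22) is the shape to use when you only want to drop your own SSH session rather than all SSH on the wire.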

Other Useful Flags

There are a couple of other flags which are rather useful. The one I use the most is the -n flag, which stops tcpdump from resolving IP addresses into hostnames (otherwise every address it prints costs a reverse DNS lookup, which slows the output down, generates DNS traffic from the capturing host and stalls if DNS is unreachable). You can take it one step further with -nn, which also stops tcpdump from resolving port and protocol numbers to names.

tcpdump -i eth0 -n

There's also the -c flag, which tells tcpdump to stop after capturing the given number of packets; it's handy for putting a bound on a capture you're writing to a file.

tcpdump -i eth0 -c 1000

Finally, you can make the output more verbose with the -v flag; it will increase the amount of information shown based on the level you use: -v, -vv or -vvv. -v also enables extra integrity checks such as verifying the IP and ICMP header checksums.

tcpdump -i eth0 -vvv

Well, that's all for this one

I don't think this is the kind of post you'd read whilst enjoying a cup of Tea on a Saturday morning, but I hope that it proves useful when you need it. I know that I for one will be quite happy if I don't have to think about tcpdump again for a while.

Short link: on-te.ch/tcpd

Owen Nelson

https://owennelson.co.uk

IT Systems Administrator from Northamptonshire, UK. Always on the lookout for ways to make things faster and more secure - and I enjoy getting through a fair bit of Tea along the way.
