Tcpdump is one of the open source tools like Wireshark for network traffic monitoring. Just like in Wireshark, we can dump network traffic using Tcpdump. This tool is easily available in debian like kali Linux. TCPdump is command-line packets sniffer or you can also say as package analyzer tool which is used to capture or filter TCP/IP packets that received or transferred over a network on a specific interfaces.
TCPdump also gives you an option to save captured packets in a file for future analysis. It saves the file in a pcap format, that can be viewed by TCPdump command or an open source GUI based tool like Wireshark that reads TCPdump pcap format files.
How to install tcpdump in Ubuntu/Debian?
You can install tcpdump in Kali linux by using following commands.
$ sudo apt install tcpdump
The general syntax for the tcpdump command is as follows:
$ tcpdump [options] [expression]
- The command options allow you to control the behavior of the command.
- The filter expression defines which packets will be captured.
To dump the traffic we can you different commands
To capture packets from a particular Ethernet interface
When you execute tcpdump command without any option, it will capture all the packets flowing through all the interfaces. -i option with tcpdump command, allows you to filter on a particular Ethernet interface.
$ tcpdump -i [interface name]
$ tcpdump -i eth1
Above tcpdump captured all the packets flows in the interface eth1 and displays in the standard output. Where ‘-i’ = interface
Note: Editcap utility is used to select or remove specific packets from dump file and translate them into a given format.
To capture only N number of packets
When you execute tcpdump command it gives packets until you cancel the tcpdump command. Using -c option you can specify the number of packets to capture.
$ tcpdump -c 2 -i eth0
Above tcpdump command captured only 2 packets from interface eth0. Where ‘-c’ specify the number of packets to be captured.
Note: Mergecap and TShark: Mergecap is a packet dump combining tool, which will combine multiple dumps into a single dump file. Tshark is a powerful tool to capture network packets, which can be used to analyze the network traffic. It comes with Wireshark network analyzer distribution.
To display captured packets in ASCII
When you want to the packets in ASCII, then you can execute the command.
$ tcpdump -A -i eth0
To display captured packets in HEX and ASCII
When you want to the packets in hex values. tcpdump provides you a way to print packets in both ASCII and HEX format.
$tcpdump -XX -i eth0
To Reading and write the capture packets into a file
tcpdump allows you to save the packets to a file, and later you can use the packet file for further analysis.
$ tcpdump -w <File Name>.pcap -i eth0
-w option writes the packets into a given file. The file extension should be .pcap, which can be read by any network protocol analyzer.
$ tcpdump -r <file_name>.pcap
By using ‘-r’ option that stands for “read”.
To find all network interfaces
When you want to fetch the list of all available network interfaces, we can use the command:
$ tcpdump -D
Use ‘-D‘ option to display all the available interfaces for tcpdump command.
To capture all network packets
To capture all the inbound and outbound network packets we can use ‘any’ option to capture data packets that go through all network interfaces. This can be done by using the interface option ‘-i’.
$ tcpdump -v -i any
To capture packets of a protocol-specific
When you want to capture packets belonging to a particular network protocol, we can append the name of the protocol at the end. You can specify one of these protocols: wlan, ip, ip6, Arp, tcp and udp etc.
$ tcpdump -i any tcp
The following example captures only arp packets flowing through the eth0 interface.
$ tcpdump -i eth0 arp
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
To capture host-specific packets
To capture the host specific packets, for that we can use ‘host’ keyword along with ‘tcpdump’, we can filter all the packets that are exchanged with a particular host.
$ tcpdump -nn -c 5 -i any host X.X.X.X
‘-nn’, specify to translates the hostnames to their numeric Internet addresses.
Note: The packets appear only if there is an actual network connection with the specific IP address.
To capture the packet from particular Source or Destination.
To capture the packet from particular Source or Destination We can use option ‘src’ (source) followed by an address.
$ tcpdump -nn -c 5 -i any src X.X.X.X
For destination-specific query, ‘dst’ is used.
$ tcpdump -nn -c 5 -i any dst X.X.X.X
To receive packets flows on a particular port using tcpdump port
We can capture all the packets received by a particular port on a machine, to capture the packet we can used tcpdump command.
$ tcpdump -i eth0 port 21
To Capture packets for particular destination IP and Port
When we have source and destination IP and port numbers. Using tcpdump we can apply filters on source or destination IP and port number. To captures packets flows though network interface (eth0), with a particular destination ip (X.X.X.X) and specific port number 21.
$ tcpdump -w xpackets.pcap -i eth0 dst X.X.X.X and port 21
To Capture TCP communication packets between two hosts
If there is two different process from two different machines are communicating and they using tcp protocol for communication, then we can capture those packets using tcpdump using command.
$ tcpdump -w comm.pcap -i eth0 src X.X.X.X and port 21 and dst X.X.X.X and port 21
Capturing only IP address packets on a specific Interface
By Using -n option in tcpdump command we can capture only IP address packets on specific interface, example is shown below,
$ tcpdump -n -i eth0
Author: Sujay Chaurasia, Director, Cybersecurity, Development and DevOps, GRhombus Technologies
