Network Traffic Capture In Linux – tcpdump Examples
tcpdump is a command-line packet capture tool (a packet analyzer, or packet sniffer) that runs on most Unix-like operating systems. It works at the packet level: it captures and displays TCP/IP and other packets transmitted or received on a network interface of the host it runs on. tcpdump can also save captured packets to a file, which can later be read back with tcpdump itself; you can save whole packets or only the first part of each packet (typically just the headers). This makes it useful for debugging network-related programs and, in security work, for checking what a host actually sends and receives rather than what its logs claim.
Running tcpdump requires root privileges (on Linux, the CAP_NET_RAW and CAP_NET_ADMIN capabilities), because it opens the interface for raw capture and puts it into promiscuous mode. If you run tcpdump without any arguments, it captures on the first configured, non-loopback interface it finds (eth0 in the examples below).
Example: 1
[root@localhost ~]# tcpdump
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
20:40:05.476058 IP 192.168.1.100.ssh > 192.168.1.115.timbuktu-srv2: P 1332790522:1332790638(116) ack 1730983578 win 9648
20:40:05.540049 IP 192.168.1.115.timbuktu-srv2 > 192.168.1.100.ssh: . ack 116 win 65143
20:40:05.540063 IP 192.168.1.100.ssh > 192.168.1.115.timbuktu-srv2: P 116:232(116) ack 1 win 9648
20:40:05.479050 IP 192.168.1.100.filenet-nch > 218.248.255.139.domain: 48326+ PTR? 115.1.168.192.in-addr.arpa. (44)
20:40:05.510808 IP 218.248.255.139.domain > 192.168.1.100.filenet-nch: 48326 NXDomain 0/1/0 (121)
By default tcpdump prints one line of text per captured packet. Each line starts with a time stamp giving when the packet was captured, followed by the fields below.
a) Time of capture: 20:40:05.476058 (local time, microsecond resolution).
b) Protocol name: IP. tcpdump prints the network-layer protocol (IP for IPv4, IP6 for IPv6, ARP, and so on) and then decodes as much of the packet as it understands. It knows TCP and UDP and has decoders for a number of application protocols; the DNS lines above (48326+ PTR? ... and 48326 NXDomain 0/1/0) are one example. Application protocols it has no decoder for, such as an HTTP or FTP stream, are shown only as TCP segments with their ports, so the port name or number is all that distinguishes them. For TCP it also prints the flags set in each segment: S (SYN), F (FIN), P (PSH), R (RST), and a lone . when none of those is set (a pure ACK, as in the second line above).
c) Source and destination: 192.168.1.100.ssh > 192.168.1.115.timbuktu-srv2. For IP packets these are the source and destination IP addresses, each followed by the port; the arrow points from source to destination. Without -n, tcpdump replaces port numbers with names from /etc/services, which is why port 22 appears as ssh and port 53 as domain, and why the client's ephemeral port shows up under an unrelated service name (timbuktu-srv2). Use -n to see numeric ports and addresses. For protocols without ports (ICMP, ARP) only the addresses are shown.
d) Packet details: P 1332790522:1332790638(116) ack 1730983578 win 9648. For TCP this is the flags (P), the sequence-number range covered by the segment's data with the payload length in parentheses (bytes 1332790522 up to but not including 1332790638, 116 bytes), the acknowledgement number, and the advertised receive window. After the first packet of a connection tcpdump switches to relative sequence numbers, which is why the third line reads 116:232(116) ack 1; pass -S to keep absolute numbers. For DNS the details are the query id (a trailing + means recursion desired), the query type and name, and in the reply the answer/authority/additional record counts together with the NXDomain status.
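To make the fields above concrete, here is an added example (not from the original article) that parses tcpdump's default one-line output into structured records and then applies the equivalent of the "not port 22" filter in code. It uses the five lines from Example 1 as constructed sample input; the small service-name table is an assumption standing in for /etc/services, and the line format it targets is the classic one shown above (single-letter flags such as P and .), not the newer bracketed Flags [P.] style.

```python
"""Parse tcpdump's default one-line output (classic "P"/"." flag style, as in
Example 1) into structured records. Added example, not from the original article."""
import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample input: the five lines printed in Example 1 above.
SAMPLE_OUTPUT = """\
20:40:05.476058 IP 192.168.1.100.ssh > 192.168.1.115.timbuktu-srv2: P 1332790522:1332790638(116) ack 1730983578 win 9648
20:40:05.540049 IP 192.168.1.115.timbuktu-srv2 > 192.168.1.100.ssh: . ack 116 win 65143
20:40:05.540063 IP 192.168.1.100.ssh > 192.168.1.115.timbuktu-srv2: P 116:232(116) ack 1 win 9648
20:40:05.479050 IP 192.168.1.100.filenet-nch > 218.248.255.139.domain: 48326+ PTR? 115.1.168.192.in-addr.arpa. (44)
20:40:05.510808 IP 218.248.255.139.domain > 192.168.1.100.filenet-nch: 48326 NXDomain 0/1/0 (121)
"""

# Without -n tcpdump prints /etc/services names for ports. This partial table
# (an assumption of the example) maps common ones back; unknown names such as
# the client's ephemeral port (timbuktu-srv2) stay unresolved.
SERVICE_PORTS = {"ssh": 22, "domain": 53, "http": 80, "https": 443}

LINE_RE = re.compile(r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) (?P<proto>\S+) "
                     r"(?P<src>\S+) > (?P<dst>\S+): (?P<rest>.*)$")
# TCP: flags, optional "first:next(len)" sequence range, ack number, window.
TCP_RE = re.compile(r"^(?P<flags>[SFPRUWE.]+)(?: (?P<seq0>\d+):(?P<seq1>\d+)\((?P<len>\d+)\))?"
                    r"(?: ack (?P<ack>\d+))?(?: win (?P<win>\d+))?")
# DNS: "<id>[+] <QTYPE>? <name> (<len>)" is a query ("+" = recursion desired);
# "<id> [<rcode>] <answer>/<authority>/<additional> ... (<len>)" is a reply.
DNS_QUERY_RE = re.compile(r"^(?P<id>\d+)(?P<rd>\+?) (?P<qtype>[A-Z]+)\? (?P<name>\S+) \((?P<len>\d+)\)")
DNS_REPLY_RE = re.compile(r"^(?P<id>\d+)[*-]* (?:(?P<rcode>[A-Za-z]+) )?"
                          r"(?P<an>\d+)/(?P<ns>\d+)/(?P<ar>\d+).*\((?P<len>\d+)\)$")


@dataclass
class Packet:
    ts: str
    proto: str
    src: str
    sport: Optional[int]
    dst: str
    dport: Optional[int]
    kind: str = "other"                      # "tcp", "dns" or "other"
    fields: dict = field(default_factory=dict)


def split_endpoint(endpoint: str):
    """'192.168.1.100.ssh' -> ('192.168.1.100', 22). A bare IPv4 address
    (ICMP, ARP lines) carries no port and yields None."""
    parts = endpoint.split(".")
    if len(parts) == 4 and all(p.isdigit() for p in parts):
        return endpoint, None
    host, _, port = endpoint.rpartition(".")
    return host, (int(port) if port.isdigit() else SERVICE_PORTS.get(port))


def parse_line(line: str) -> Optional[Packet]:
    """One output line -> Packet, or None for banner lines and unknown formats."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    src, sport = split_endpoint(m["src"])
    dst, dport = split_endpoint(m["dst"])
    pkt = Packet(m["ts"], m["proto"], src, sport, dst, dport)
    rest = m["rest"]
    # Only try the DNS decoders when port 53 is involved, like tcpdump itself.
    d = (DNS_QUERY_RE.match(rest) or DNS_REPLY_RE.match(rest)) if 53 in (sport, dport) else None
    t = TCP_RE.match(rest)
    if d:
        pkt.kind = "dns"
        pkt.fields = {k: int(v) if v and v.isdigit() else v for k, v in d.groupdict().items()}
        pkt.fields["query"] = "qtype" in pkt.fields
    elif t:
        pkt.kind = "tcp"
        pkt.fields = {"flags": t["flags"]}
        if t["seq0"]:                        # data-carrying segment
            pkt.fields["seq"] = (int(t["seq0"]), int(t["seq1"]))
            pkt.fields["len"] = int(t["len"])
        for name in ("ack", "win"):
            if t[name]:
                pkt.fields[name] = int(t[name])
    else:
        pkt.fields = {"info": rest}          # ICMP, ARP, anything not decoded here
    return pkt


def parse_output(text: str):
    return [p for p in map(parse_line, text.splitlines()) if p]


def exclude_port(packets, port: int):
    """In-code equivalent of the BPF filter 'not port N' used in Examples 3 and 5:
    drop every packet whose source or destination port is N."""
    return [p for p in packets if port not in (p.sport, p.dport)]
```

Fed the output of tcpdump -l (line-buffered stdout) through a pipe, parse_output turns each line into a Packet whose fields match items a) to d) above; exclude_port(packets, 22) leaves only the two DNS packets from the sample. Capturing with -n makes the ports numeric, so the SERVICE_PORTS table is then not needed, and it is the reason the tutorial's later examples add -n.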
Example: 2 Capturing on a selected interface.
[root@localhost ~]# tcpdump -i eth0
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
20:54:42.574296 IP 192.168.1.100.ssh > 192.168.1.115.timbuktu-srv2: P 1333246686:1333246802(116) ack 1730991782 win 12456
20:54:42.631981 IP 192.168.1.100.ssh > 192.168.1.115.timbuktu-srv2: P 116:232(116) ack 1 win 12456
The -i option selects the interface to capture on (eth0 here) instead of the default one; on Linux, -i any captures on all interfaces at once.
Example: 3 Ignoring packets that belong to a particular service. Here we exclude ssh traffic (port 22). This is the first thing to do when running tcpdump over an ssh session: otherwise the session's own packets, including the ones carrying tcpdump's output back to you, dominate the capture, as they do in Example 1.
[root@localhost ~]# tcpdump -i eth0 not port 22
Example: 4
[root@localhost ~]# tcpdump -c 10 -i eth0
The -c option limits the number of packets tcpdump captures: it stops and exits after that many packets (10 here), which is handy for sampling a busy interface without flooding the terminal.
Example: 5
[root@localhost ~]# tcpdump -ni eth0 -c 10 not port 22
Here -n and -i are combined as -ni eth0. The command stops after 10 packets (-c 10), excludes port 22 (not port 22), and with -n does not resolve addresses or ports to names. Besides making the output faster and unambiguous, -n keeps tcpdump from generating its own DNS traffic: the PTR query for 115.1.168.192.in-addr.arpa in Example 1 is almost certainly tcpdump itself looking up 192.168.1.115, not traffic from the application being debugged.
Example: 6 Saving captured packets to a file
[root@localhost ~]# tcpdump -w aloft.cap -s 0
By default, older tcpdump versions save only the first 68 bytes of each packet (96 in the version used above, as the "capture size 96 bytes" banner shows); the rest is discarded, so the file keeps the headers but loses most of the payload. Modern versions default to a snapshot length large enough to hold whole packets.
In the command above, the -s switch sets how many bytes of each packet to keep (the snapshot length), and -s 0 tells tcpdump to save whole packets. The file written with -w is binary pcap data, not text: do not cat it, read it back with -r (Example 7) or open it in Wireshark. Treat such files as sensitive; a full capture of port 22 or port 80 traffic contains whatever those sessions carried.
Example: 7 Reading from a capture file
[root@localhost ~]# tcpdump -r aloft.cap
reading from file aloft.cap, link-type EN10MB (Ethernet)
21:06:27.179580 IP 192.168.1.100.ssh > 192.168.1.115.triquest-lm: P 174443707:174443759(52) ack 315242176 win 9648
This reads the packets back from the file instead of a live interface. The same filter expressions and options apply when reading, so tcpdump -n -r aloft.cap not port 22 shows the saved packets without name resolution and without the ssh traffic. Reading a file needs only read permission on it, not root.
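To show what the snapshot length actually does to a saved file, here is an added example (not from the original article) that writes a pcap file the way tcpdump -w does, once with the old 68-byte default and once with -s 0, then reads both back and checks whether the payload survived. The Ethernet/IP/TCP frame and its SSH-banner-like payload are constructed for the demo (no valid checksums), and the file and function names are the example's own; the pcap header layout is the standard one tcpdump reads with -r.

```python
"""Write and read pcap files to show what tcpdump's snapshot length (-s) does.

Added example, not part of the original article. tcpdump -w writes the binary
pcap format: a 24-byte global header that records the snapshot length, then
one record per packet holding the captured bytes (incl_len) and the packet's
true length (orig_len). The frame below is constructed for the demo.
"""
import os
import struct
import tempfile

PCAP_MAGIC = 0xA1B2C3D4
LINKTYPE_ETHERNET = 1          # shown by tcpdump as "link-type EN10MB (Ethernet)"
DEFAULT_SNAPLEN = 262144       # what modern tcpdump uses when -s is 0 or absent


def build_frame(payload: bytes) -> bytes:
    """Constructed Ethernet + IPv4 + TCP frame from 192.168.1.100:22 (no checksums)."""
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + b"\x08\x00"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0x1234, 0x4000,
                     64, 6, 0, bytes([192, 168, 1, 100]), bytes([192, 168, 1, 115]))
    tcp = struct.pack("!HHIIBBHHH", 22, 50001, 1332790522, 1730983578,
                      5 << 4, 0x18, 9648, 0, 0)          # PSH|ACK, win 9648
    return eth + ip + tcp + payload


def write_pcap(path: str, frames, snaplen: int) -> None:
    """Save frames the way 'tcpdump -w path -s snaplen' does."""
    limit = snaplen or DEFAULT_SNAPLEN              # -s 0 means "whole packets"
    with open(path, "wb") as f:
        f.write(struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, limit, LINKTYPE_ETHERNET))
        for i, frame in enumerate(frames):
            data = frame[:limit]                        # truncate to the snapshot length
            f.write(struct.pack("<IIII", 1700000000 + i, 0, len(data), len(frame)))
            f.write(data)


def read_pcap(path: str):
    """Return (snaplen, linktype, [(incl_len, orig_len, data), ...]) from a pcap file."""
    with open(path, "rb") as f:
        hdr = f.read(24)
        magic = struct.unpack("<I", hdr[:4])[0]
        if magic == PCAP_MAGIC:
            endian = "<"
        elif magic == 0xD4C3B2A1:                   # file written on a big-endian host
            endian = ">"
        else:
            raise ValueError("not a pcap file (tcpdump -w output): magic %#x" % magic)
        _, _, _, _, _, snaplen, linktype = struct.unpack(endian + "IHHiIII", hdr)
        records = []
        while True:
            rh = f.read(16)
            if len(rh) < 16:
                break
            _sec, _usec, incl_len, orig_len = struct.unpack(endian + "IIII", rh)
            records.append((incl_len, orig_len, f.read(incl_len)))
    return snaplen, linktype, records


def truncation_demo(snaplen: int):
    """Write one SSH segment with the given snaplen and report
    (bytes saved, true length, payload fully present)."""
    payload = b"SSH-2.0-OpenSSH_7.4\r\n" + b"A" * 200   # constructed banner-like payload
    frame = build_frame(payload)
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "aloft.cap")
        write_pcap(path, [frame], snaplen)
        _, linktype, records = read_pcap(path)
    assert linktype == LINKTYPE_ETHERNET
    incl_len, orig_len, data = records[0]
    return incl_len, orig_len, payload in data


if __name__ == "__main__":
    for snap in (68, 96, 0):
        print("-s %d: saved %d of %d bytes, payload intact: %s" % ((snap,) + truncation_demo(snap)))
```

With a 68- or 96-byte snapshot the 54 bytes of Ethernet, IP and TCP headers fit but only the first few payload bytes do; orig_len still records the true size, which is why tcpdump -r can print correct lengths from a truncated file while showing no data. With -s 0 the record holds the whole frame.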
Example: 8
To watch all traffic addressed to port 80 on eth0, which is where HTTP requests go:
[root@localhost ~]# tcpdump -i eth0 dst port 80
dst port 80 matches packets whose destination port is 80, whether they arrive at a web server on this host or leave it towards a remote one; add "and dst host" with this host's address to see only incoming requests, or use port 80 without dst to see both directions of the conversation.
Example: 9
To capture the first 25 packets on eth0 without name resolution, then quit:
[root@localhost ~]# tcpdump -i eth0 -c 25 -n
Example: 10
To display all ICMP packets sent or received on eth0:
[root@localhost ~]# tcpdump -i eth0 icmp
icmp here is a protocol qualifier in the filter expression. Put the options first and the filter expression last, as the manual page documents; Linux's option parser also accepts them the other way round, but that order is not portable.