UNIX Tools: tcpdump – packet analysis tool
tcpdump is a common network packet analyzer that runs under the command line. It allows the user to intercept and display packets being transmitted or received over a network to which the computer is attached. tcpdump is mandatory for anyone desiring a thorough understanding of TCP/IP.
tcpdump works on most Unix-like operating systems: BSD, Linux, Mac OS X, Solaris, HP-UX and AIX among others. In those systems, tcpdump uses the libpcap library to capture packets. There is also a port of tcpdump for Windows called WinDump and it uses WinPcap, which is a port of libpcap to Windows.
tcpdump basic options
-i any : Listen on all interfaces, handy just to see whether you're seeing any traffic at all.
-n : Don't resolve hostnames.
-nn : Don't resolve hostnames or port names.
-X : Show the packet's contents in both hex and ASCII.
-XX : Same as -X, but also shows the Ethernet header.
-v, -vv, -vvv : Increase the amount of packet information you get back.
-c N : Capture only N packets and then stop, for example 'tcpdump -c 5'.
-S : Print absolute sequence numbers.
-e : Get the Ethernet header as well.
-q : Show less protocol information.
-s N : Set the snapshot length, i.e. the number of bytes captured from each packet.
-E : Decrypt IPsec traffic by providing an encryption key.
Check the manual 'man tcpdump' for a complete list of options.
tcpdump usage
Below are a few options you can use to control the output. The examples are given in their basic form (basic options plus recipe filters), so remember to add your own options as needed.
Basic
Do not resolve hostnames; print absolute sequence numbers:
# tcpdump -nS
Do not resolve hostnames or port names, with verbosity:
# tcpdump -nnvvS
A deeper look at the traffic (adds -X for the payload, but doesn't grab any more of the packet):
# tcpdump -nnvvXS
Heavy packet viewing (-s increases the amount of data captured per packet, in bytes; 1514 grabs a whole Ethernet frame):
# tcpdump -nnvvXSs 1514
Recipes
host (look for traffic based on IP address, or hostname if you are not using '-n'):
# tcpdump host 192.168.1.1
src, dst (find traffic from only a source or destination hostname or IP):
# tcpdump src 192.168.1.2
# tcpdump dst 10.1.1.2
net (capture an entire network using CIDR notation):
# tcpdump net 192.168.1.0/24
port (see only traffic to or from a certain port):
# tcpdump port 1234
proto (works for tcp, udp, and icmp protocols; note that you don't have to type proto):
# tcpdump tcp
src, dst port (see the traffic based on source or destination port):
# tcpdump src port 1234
# tcpdump dst port 1235
Examples
View TCP traffic from 192.168.1.2 and destination port 1234:
tcpdump tcp and src 192.168.1.2 and dst port 1234
View the non-ICMP traffic destined for 192.168.1.3 from the 172.16 network:
tcpdump dst 192.168.1.3 and src net 172.16.0.0/16 and not icmp
View the traffic originating from the 192.168 network headed for the 10 or 172.16 networks (and/or have equal precedence and group left to right, so the alternatives must be parenthesised; quote the expression so the shell leaves the parentheses alone):
tcpdump 'src net 192.168.0.0/16 and (dst net 10.0.0.0/8 or 172.16.0.0/16)'
View the traffic that's from 192.168.1.4 and destination ports 1234 or 1235:
tcpdump 'src 192.168.1.4 and (dst port 1234 or 1235)'
View the traffic originating from host1 or host2 that isn't to the SSH port:
tcpdump -vv src host1 or host2 and not dst port 22
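The following is an added shell example, not code from the original article: it builds a correctly grouped filter expression of the kind the last examples need (an "and" term combined with a list of "or" alternatives) and runs a small SYN-per-source summary over constructed 'tcpdump -nn' output lines. The function names, the sample lines and the addresses in them are assumptions made for this example; nothing in it needs a live capture, so it runs without tcpdump or root.

```shell
#!/bin/sh
# Added example (not from the original article). Two pieces of tcpdump
# plumbing that can be exercised offline: a filter builder that gets the
# and/or grouping right, and a SYN-per-source summary of 'tcpdump -nn' output.
# All function names and sample data below are constructed for this example.

# bpf_group: join its arguments with " or " and wrap them in parentheses.
# BPF gives "and" and "or" equal precedence, associating left to right, so
# an or-list that should bind to one "and" term must be grouped explicitly.
bpf_group() {
    _grp=""
    for _term in "$@"; do
        if [ -z "$_grp" ]; then _grp="$_term"; else _grp="$_grp or $_term"; fi
    done
    printf '(%s)' "$_grp"
}

# build_filter SRC DST...: produces "SRC and (DST1 or DST2 ...)"
# e.g. build_filter "src net 192.168.0.0/16" "dst net 10.0.0.0/8" "dst net 172.16.0.0/16"
build_filter() {
    _src="$1"; shift
    printf '%s and %s' "$_src" "$(bpf_group "$@")"
}

# syn_by_source: read 'tcpdump -nn' text lines on stdin and print
# "<source IP> <count>" for pure SYNs (Flags [S]), most active source first.
# Only IPv4 lines of the form
#   HH:MM:SS.ffffff IP a.b.c.d.SPORT > w.x.y.z.DPORT: Flags [S], ...
# are counted; everything else (ACKs, SYN/ACKs, UDP, IPv6) is ignored.
# Many SYNs from one source to many ports is the classic scan signature.
syn_by_source() {
    awk '
    $2 == "IP" && $6 == "Flags" && $7 == "[S]," {
        src = $3
        sub(/\.[0-9]+$/, "", src)   # drop the trailing ".port" from the address
        syn[src]++
    }
    END { for (s in syn) print s, syn[s] }' | sort -k2,2nr -k1,1
}

# top_syn_source: just the first line of syn_by_source (the busiest source).
top_syn_source() {
    syn_by_source | sed -n 1p
}

# sample_output: constructed 'tcpdump -nn' lines standing in for a capture.
# Real input would come from a saved capture, e.g. 'tcpdump -nn -r capture.pcap tcp'.
sample_output() {
    cat <<'EOF'
12:00:00.000001 IP 192.168.1.4.40001 > 10.1.1.2.1234: Flags [S], seq 1, win 64240, length 0
12:00:00.000002 IP 10.1.1.2.1234 > 192.168.1.4.40001: Flags [S.], seq 2, ack 2, win 65160, length 0
12:00:00.000003 IP 192.168.1.4.40001 > 10.1.1.2.1234: Flags [.], ack 1, win 502, length 0
12:00:00.000004 IP 192.168.1.4.40002 > 10.1.1.2.1235: Flags [S], seq 3, win 64240, length 0
12:00:00.000005 IP 192.168.1.9.50000 > 10.1.1.2.22: Flags [S], seq 4, win 1024, length 0
12:00:00.000006 IP 192.168.1.9.50001 > 10.1.1.2.23: Flags [S], seq 5, win 1024, length 0
12:00:00.000007 IP 192.168.1.9.50002 > 10.1.1.2.25: Flags [S], seq 6, win 1024, length 0
12:00:00.000008 IP 192.168.1.2.51234 > 10.1.1.2.53: 12345+ A? example.com. (29)
EOF
}

# Stand-alone demonstration on the constructed sample.
printf 'filter: %s\n' "$(build_filter "src net 192.168.0.0/16" "dst net 10.0.0.0/8" "dst net 172.16.0.0/16")"
sample_output | syn_by_source
```

In day-to-day use the summary is fed from a saved capture: write it with -w and read it back with -r, for example tcpdump -nn -r capture.pcap tcp piped into the script. To confirm that a filter expression parses the way you meant before capturing anything, tcpdump -d 'expression' compiles it and prints the resulting BPF program instead of listening.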