40 Tcpdump commands with examples on Linux (Updated 2019)

(adsbygoogle = window.adsbygoogle || []).push({});

Introduction:

Capturing packets by running tcpdump command with options and arguments is very easy and much necessary while it comes to any network related issues. By reading commands and options yes we can able to run tcpdump command to capture incoming or outgoing traffics by filtering protocols, ports, source, and destinations. But how we will understand each and every line?.

To understand each line it’s better we need to have a strong understanding of control bits section of TCP headers. Here are they as follows.

SYN, ACK, FIN, CWR, ECE, URG, PSH, RST

Well, we are not going to discuss all headers, Just for example, while we try to print any TCP packet it will send 3 way of handshake protocol whenever it starts a new connection.

  1. A guy from Source will send an SYN to the destination.
  2. The guy in Destination will respond with SYN, ACK that he has received the source guys information.
  3. Again the source guy will send ACK response by saying “Yes I got your confirmation”.

Hope you understand little how to read and understand the tcpdump output.

Capture dumps using tcpdump

Let us capture some traffic, Here my interface name is ens33.

[root@rhel ~]# tcpdump -D
1.nflog (Linux netfilter log (NFLOG) interface)
2.nfqueue (Linux netfilter queue (NFQUEUE) interface)
3.ens33
4.any (Pseudo-device that captures on all interfaces)
5.lo

And my server IP is 192.168.107.211

[root@rhel ~]# ifconfig ens33 | grep inet | awk '{print $2}'
192.168.107.211
fe80::c4f6:e4c7:23e0:e0ed

Let me try to capture some HTTP packets by running port range. Same time I have accessed google.com from my other terminal which gives the below dump output while capturing for HTTP packets.

# tcpdump -i ens33 -n tcp -tttt portrange 80-446

Output will look as below

[root@rhel ~]# tcpdump -i ens33 -n tcp -tttt portrange 80-446
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ens33, link-type EN10MB (Ethernet), capture size 65535 bytes
2017-11-25 22:47:46.706572 IP 192.168.107.211.42886 > 216.58.197.78.http: Flags [S], seq 77012543, win 29200, options [mss 1460,sackOK,TS val 10946455 ecr 0,nop,wscale 7], length 0
2017-11-25 22:47:46.711918 IP 216.58.197.78.http > 192.168.107.211.42886: Flags [S.], seq 3227734970, ack 77012544, win 64240, options [mss 1460], length 0
2017-11-25 22:47:46.711970 IP 192.168.107.211.42886 > 216.58.197.78.http: Flags [.], ack 1, win 29200, length 0
2017-11-25 22:47:46.712501 IP 192.168.107.211.42886 > 216.58.197.78.http: Flags [P.], seq 1:152, ack 1, win 29200, length 151
2017-11-25 22:47:46.712866 IP 216.58.197.78.http > 192.168.107.211.42886: Flags [.], ack 152, win 64240, length 0

To read the captured tcpdump in the graphical mode we can use Wireshark utility which is totally opensource to use. To start the download navigate to below URL.

(adsbygoogle = window.adsbygoogle || []).push({});

Now let us see all available options and arguments for tcpdump command and how to use it.

Listing Interfaces

To list all the available interfaces in Server to capture the tcpdump.

# tcpdump -D

To listen to interface ens33

# tcpdump -i ens33

To listen to all available interfaces

# tcpdump -i any

To be verbose while capturing tcpdump

# tcpdump -vi ens33

To be more verbose while capturing tcpdump using multiple -vvv

# tcpdump -vvvi ens33

To capture each packet in ASCII format which will help to capture web pages.

# tcpdump -i ens33 -A

Capture any ARP packets:

# tcpdump -i ens33 -v arp

Capture anyone of ICMP or ARP packets

# tcpdump -i ens33 -v "icmp or arp"

If you need to capture packets by setting buffer size of 2048 KiB and tcpdump need to exit on 10000 counts.

# tcpdump -i ens33 -B 2048 -c 10000

To print the output too quick than default without verbose.

# tcpdump -q

Writing dump to a file

Save all captured packets to a file called tcpdump.pcap

# tcpdump -w tcpdump.pcap

Save all captured packets to a file called tcpdump.pcap by displaying in the screen

# tcpdump -v -w tcpdump.pcap
(adsbygoogle = window.adsbygoogle || []).push({});

To read the captured file tcpdump.pcap.

# tcpdump -r tcpdump.pcap

Print all available information from the captured dump, This include end to end information’s of a packet with hex and ASCII.

# tcpdump  -nnvvvSeXX -r /home/linuxsysadmins/tcpdump-420191400.pcap

To list the host address instead of looking for names.

# tcpdump -i ens33 -n

To list the hostname with the short name instead of printing FQDN.

# tcpdump -i ens33 -N

To display only in the numerical format for protocol and port numbers.

# tcpdump -i ens33 -nn

To capture any packets where the destination host is 192.168.107.1 print IP addresses and port numbers

# tcpdump -i ens33 -n dst host 192.168.107.1

To Capture any packets where the source host is 192.168.107.1 print IP addresses and port numbers

# tcpdump -i ens33 -n src host 192.168.107.1

To Capture any packets where the source or destination host is 192.168.107.1 Display IP addresses and port numbers:

# tcpdump -i ens33 -n host 192.168.107.1

To list any packets where the destination network is 192.168.107.0/24 by printing all IP address and ports.

# tcpdump -i ens33 -n dst net 192.168.107.0/24

To list traffic only for destination port 22 in numeric format.

# tcpdump -i ens33 -n dst port 22

To list a range of destination port by printing there IP address and ports in numerical format.

# tcpdump -i ens33 -n dst portrange 20-67

Print only the TCP packets in destination port range.

# tcpdump -i ens33 tcp -n dst portrange 20-67

List only the UDP packets in destination port range.

# tcpdump -i ens33 udp -n dst portrange 20-67

Listing only the ICMP packets.

# tcpdump -i ens33 -v icmp

Capture any packets that are broadcast or multicast

# tcpdump -i ens33 -n "broadcast or multicast"

Not to put the interface into promiscuous mode.

# tcpdump -i ens33 -nn -p

capture only incoming traffics using -P.

# tcpdump -i ens33 -n -P in

Start to capture only outgoing traffics using -P.

# tcpdump -i ens33 -n -P out
(adsbygoogle = window.adsbygoogle || []).push({});

To capture both incoming and outgoing traffics using -P.

# tcpdump -i ens33 -n -P inout

To list tcpdump without printing timestamp on each dump line using -t.

# tcpdump -i ens33 -n -t

To print tcpdump with an unformatted timestamp on each dump line using -tt.

# tcpdump -i ens33 -n -tt

To print tcpdump with human readable date and timestamp on each dump line using -tttt.

# tcpdump -i ens33 -tttt -n

To print tcpdump in millisecond timestamp on each dump line using -ttttt.

# tcpdump -i ens33 -ttttt -n

To print the tcpdump with headers of each packet including link level header in hex and ASCII.

# tcpdump -i ens33 -XX

Print traffic packet size less than 64 and greater than 64 Packet Size.

# tcpdump -v less 64
# tcpdump -v greater 64

Capture IPV6 traffic for all interfaces.

# tcpdump -i any -vv ip6

Dump all interfaces traffic with more verbose, with timestamps, print IP instead of host name, capture the original size of a packet and save the output in a file.

-i Interface
any All Interface
-vvv more verbose
-tttt Print timestamp in hours, minutes and seconds format for each line.
-n Don’t convert to host name, Print only in numeric format.
-s 0 To capture packet at original size 65535 bytes.

or use -s 65535

# tcpdump -i any -vvv -tttt -n -s 65535 -w /home/linuxsysadmins/tcpdump-420191400.pcap

This article will be updated frequently whenever we use in real production environment during some troubleshooting.

That’s it, we have seen how to capture tcpdump with more options and arguments to be used for network related issues.

Conclusion:

We have gone trough tcpdump command with options and argument, following how to use TCPDUMP command with options is most useful command for every Linux sysadmins. Subscribe and follow us to receive our new guides in our upcoming articles.