tcpdump is a common packet analyzer that runs under the command line. It allows the user to display TCP/IP and other packets being transmitted or received over a network to which the computer is attached.
tcpdump prints the contents of network packets. It can read packets live from a network interface card or from a previously saved packet file, and it can write the packets it captures to standard output or to a file.
It is also possible to use tcpdump for the sole purpose of intercepting and displaying the communications of another user or computer.
Firstly, I like to add a few options to the tcpdump command itself, depending on what I’m looking at.
- The first of these is `-n`, which requests that names are not resolved, so the IP addresses themselves are always displayed.
- The second is `-X`, which displays both hex and ASCII content within the packet.
- The advantage of using tcpdump vs. another tool is getting manual interaction with the packets.
Here’s a short list of the options I use:
- `-i eth0`: Listen on the eth0 interface.
- `-D`: Show the list of available interfaces.
- `-X`: Show the packet’s contents in both hex and ASCII.
- `-XX`: Same as `-X`, but also shows the Ethernet header.
- `-q`: Show less protocol information.
- `-i any`: Listen on all interfaces just to see if you’re seeing any traffic.
- `icmp`: Only get ICMP packets. (ping http://www.google.com)
Expressions allow you to trim out various types of traffic and find exactly what you’re looking for. Mastering the expressions and learning to combine them creatively is what makes one truly powerful with tcpdump. There are three main types of expression: `type`, `dir`, and `proto`. Type options are `host`, `net`, and `port`. Direction is indicated by `dir`, and there you can have `src`, `dst`, `src or dst`, and `src and dst`. Here are a few that you should definitely be comfortable with:
- host // look for traffic based on IP address (also works with hostname if you’re not using -n)
  # tcpdump host 192.168.1.4
- src, dst // find traffic from only a source or destination (eliminates one side of a host conversation)
  # tcpdump src 210.30.4.52
  # tcpdump dst 180.4.50.69
- net // capture an entire network using CIDR notation
  # tcpdump net 192.168.1.0/24
- proto // works for tcp, udp, and icmp. Note that you don’t have to type proto
  # tcpdump icmp
- port // see only traffic to or from a certain port
  # tcpdump port 8080
- src, dst port // filter based on the source or destination port
  # tcpdump src port 125
  # tcpdump dst port 3389
- src/dst, port, protocol // combine all three
  # tcpdump src port 25 and tcp
  # tcpdump udp and src port 53
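As an added illustration (not part of the original text), the following Python models what these primitives mean when tcpdump applies them: `host`/`net`/`port` with an optional `src`/`dst` qualifier, bare protocol names, and `and`/`or` with tcpdump's precedence. The packets are constructed header summaries, not a real capture.

```python
import ipaddress

# Constructed packet summaries standing in for decoded headers (not a real capture).
PACKETS = [
    {"proto": "tcp", "src": "192.168.1.4", "srcport": 51234, "dst": "10.0.0.25", "dstport": 25},
    {"proto": "udp", "src": "192.168.1.53", "srcport": 53, "dst": "192.168.1.4", "dstport": 40111},
    {"proto": "icmp", "src": "192.168.1.4", "srcport": None, "dst": "8.8.8.8", "dstport": None},
    {"proto": "tcp", "src": "180.4.50.69", "srcport": 3389, "dst": "192.168.1.200", "dstport": 60000},
    {"proto": "tcp", "src": "10.0.0.25", "srcport": 25, "dst": "192.168.1.4", "dstport": 51234},
]

def match_primitive(prim, pkt):
    """Evaluate one primitive: an optional dir (src/dst), an optional type
    (host/net/port, default host) and a value, or a bare protocol name."""
    words = prim.split()
    if len(words) == 1 and words[0] in ("tcp", "udp", "icmp"):
        return pkt["proto"] == words[0]
    if words[0] in ("src", "dst"):
        sides, words = (words[0],), words[1:]
    else:
        sides = ("src", "dst")           # tcpdump's default direction is 'src or dst'
    if words[0] in ("host", "net", "port"):
        kind, value = words[0], words[1]
    else:
        kind, value = "host", words[0]   # tcpdump's default type is 'host'
    for side in sides:
        if kind == "host" and pkt[side] == value:
            return True
        if kind == "net" and ipaddress.ip_address(pkt[side]) in ipaddress.ip_network(value, strict=False):
            return True
        if kind == "port" and pkt[side + "port"] == int(value):
            return True
    return False

def matches(expr, pkt):
    """'and' binds tighter than 'or', as in tcpdump. Only bare 'src'/'dst'
    qualifiers are handled; 'not', parentheses and 'src or dst' are not."""
    return any(all(match_primitive(p, pkt) for p in clause.split(" and "))
               for clause in expr.split(" or "))

def filter_packets(expr, packets=PACKETS):
    """Return the indexes of the packets the expression would let through."""
    return [i for i, pkt in enumerate(packets) if matches(expr, pkt)]

if __name__ == "__main__":
    for expr in ("host 192.168.1.4", "src 192.168.1.4", "src port 25 and tcp",
                 "udp and src port 53", "icmp or udp and src port 53"):
        print(f"{expr!r:32} -> {filter_packets(expr)}")
```

Note how `host` matches either end of the conversation while `src`/`dst` keep only one side, and how `icmp or udp and src port 53` groups as `icmp or (udp and src port 53)`.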