
How to use tcpdump with examples

2013-12-23 16:34 1336 views

tcpdump

1.What is tcpdump?

Tcpdump prints out a description of the contents of packets on a network interface that match the boolean expression. It can also be run with the -w (write) flag, which causes it to save the packet data to a file for later analysis, and/or with the -r (read) flag, which causes it to read from a saved packet file rather than reading packets from a network interface. In all cases, only packets that match the boolean expression will be processed by tcpdump.

Tcpdump will, if not run with the -c (count) flag, continue capturing packets until it is interrupted by a SIGINT signal (generated, for example, by typing your interrupt character, typically control-C) or a SIGTERM signal (typically generated with the kill command); if run with the -c flag, it will capture packets until it is interrupted by a SIGINT or SIGTERM signal or the specified number of packets have been processed.

When tcpdump finishes capturing packets, it will report counts of:

packets 'captured' (this is the number of packets that tcpdump has received and processed);

packets 'received by filter' (the meaning of this depends on the OS on which you're running tcpdump, and possibly on the way the OS was configured - if a filter was specified on the command line, on some OSes it counts packets regardless of whether they were matched by the filter expression, and regardless of whether tcpdump has read and processed them yet; on other OSes it counts only packets that were matched by the filter expression, regardless of whether tcpdump has read and processed them yet; and on other OSes it counts only packets that were matched by the filter expression and were processed by tcpdump);

packets 'dropped by kernel' (this is the number of packets that were dropped, due to a lack of buffer space, by the packet capture mechanism in the OS on which tcpdump is running, if the OS reports that information to applications; if not, it will be reported as 0).

Reading packets from a network interface may require that you have special privileges. Reading a saved packet file doesn't require special privileges.

2.Capture packets from a particular network interface using -i option

When you execute the tcpdump command without any option, it will capture all the packets flowing through all the interfaces. The -i option allows you to restrict the capture to a particular network interface.



In this example, tcpdump captured all the packets flowing through the interface lo and displayed them on standard output.

3.Capture only N number of packets using -c option

When you execute the tcpdump command, it keeps printing packets until you stop it. Using the -c option you can specify the number of packets to capture, after which tcpdump exits on its own.



The above tcpdump command captured only 2 packets from interface lo.

4.Display captured packets in ASCII using -A option

The following tcpdump syntax prints the packet in ASCII.



5.Display captured packets in HEX and ASCII using -XX option

Some users might want to analyse the packets in hex values. Tcpdump provides a way to print packets in both ASCII and HEX format.



6.Capture the packets and write into a file using -w option

Tcpdump allows you to save the packets to a file, and later you can use the packet file for further analysis.



The -w option writes the packets into the given file. The file extension should be .pcap, which can be read by any network protocol analyzer.

7.Reading the packets from a saved file using -r option

You can read the saved pcap file back and view the packets for analysis, as shown below.



8.Capture packets with IP address using -n option

In all the above examples, tcpdump prints packets with host names (resolved through DNS), not the IP addresses. The following example captures the packets and displays the IP addresses of the machines involved, because -n disables name resolution.



9.Capture packets with proper readable timestamp using -tttt option



10.Read packets longer than N bytes

You can receive only the packets larger than n bytes by using the 'greater' filter primitive in the tcpdump command:

tcpdump -i lo greater 1024
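As an added example that is not part of the original post, the following Python script shows what sections 6, 7 and 10 rely on: the libpcap file format that -w writes and -r reads back (24-byte global header, then a 16-byte record header per packet), and the 'greater n' primitive, which tcpdump defines as len >= n on the on-the-wire length, not the captured length. The sample capture is constructed inline; the function names are the script's own.

```python
import struct

# pcap global header (24 bytes): magic, major, minor, thiszone, sigfigs, snaplen, linktype.
# tcpdump -w writes the magic in host byte order, so a reader has to detect both orders.
PCAP_MAGIC = 0xA1B2C3D4
LINKTYPE_ETHERNET = 1

def build_pcap(records, snaplen=96, endian="<"):
    """Serialize (ts_sec, ts_usec, frame) tuples the way tcpdump -w would, honouring snaplen."""
    out = struct.pack(endian + "IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, snaplen, LINKTYPE_ETHERNET)
    for ts_sec, ts_usec, frame in records:
        caplen = min(len(frame), snaplen)            # bytes actually stored in the file
        out += struct.pack(endian + "IIII", ts_sec, ts_usec, caplen, len(frame))
        out += frame[:caplen]
    return out

def read_pcap(data):
    """Parse a pcap image; yield (timestamp, caplen, wirelen, payload) for each record."""
    magic, = struct.unpack("<I", data[:4])
    if magic == PCAP_MAGIC:
        endian = "<"
    elif magic == 0xD4C3B2A1:                        # same magic seen in the other byte order
        endian = ">"
    else:
        raise ValueError("not a libpcap file")
    off = 24                                         # skip the global header
    while off + 16 <= len(data):
        ts_sec, ts_usec, caplen, wirelen = struct.unpack(endian + "IIII", data[off:off + 16])
        off += 16
        if off + caplen > len(data):                 # capture file cut off mid-packet
            raise ValueError("truncated packet record")
        yield (ts_sec + ts_usec / 1e6, caplen, wirelen, data[off:off + caplen])
        off += caplen

def greater(data, n):
    """tcpdump's 'greater n' primitive: keep records whose on-the-wire length is >= n."""
    return [rec for rec in read_pcap(data) if rec[2] >= n]

# Constructed sample capture: a 60-byte frame and a 1500-byte frame, stored with snaplen 96,
# so the large frame is truncated on disk but its wire length still satisfies 'greater 1024'.
SAMPLE = build_pcap([(1387787640, 0, b"\x00" * 60), (1387787640, 500000, b"\xff" * 1500)])

if __name__ == "__main__":
    for ts, caplen, wirelen, _ in greater(SAMPLE, 1024):
        print(f"{ts:.6f} length {wirelen} (captured {caplen})")
```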

