TCPDUMP: how to use it? [10 common examples]


Basically, tcpdump is a command-line network analyzer that uses the “libpcap” library to capture traffic on the network. It can be found on nearly every Linux/Unix distribution (BSD, Solaris, etc.). If the package is not installed and you get an error, just install it and continue.

[BASIC POINT:] Open a terminal, run “ifconfig” and look at the environment (check the IP addresses, NICs, etc.) so you know where to look for the information.

After that, the parameters basically work like filters, so let’s play with some common use examples.

-how to check if it is working on eth2? [1] –> Check whether you have any traffic on a NIC, for example “eth2”:

#tcpdump -i eth2

..>You will see all traffic captured on the network interface “eth2”. If you get an error message or do not see any packets, something is probably wrong with tcpdump and it is worth double-checking before continuing.

– how to capture by specific protocol [2]

#tcpdump icmp

Note: You can use any of the protocols listed (UDP, TCP, SNMP, etc.); check the list for more context.

-how to capture by source and destination [3 & 4]

–>by source
#tcpdump src 10.10.10.0

–>by destination
#tcpdump dst 10.10.2.34

-how to capture by port and port-range [5 & 6]

–>by port
#tcpdump port 80

–>by port range
#tcpdump portrange 23-29

..>You will capture the traffic on ports between 23 and 29 with the second command, and specifically on port 80 with the first.

-how to capture by specific host [7]

#tcpdump host 10.10.2.4

-how to read/write using files [8 & 9]
–>write

#tcpdump src 10.10.0.1 -w valparaiso.txt

..>You will write all captured traffic from source 10.10.0.1 into the specified file, in this example valparaiso.txt, and it will be saved in the current directory.

–>read

#tcpdump -r valparaiso.txt

..>You will read the information previously captured into the file.

Note: With both options, all the other parameters are available. As a reminder, “read” only works with the data already captured in the file.
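The write/read workflow above as a small POSIX shell script. This is an added example, not code from the original post. It assumes tcpdump is installed and that the capture step runs as root; the interface name, source address and file name in the guarded demo are placeholders taken from the examples on this page. One thing the post does not spell out: -w writes binary libpcap data, whatever the file is named, so the script checks the file's magic number before handing it to -r instead of trusting the extension.

```shell
#!/bin/sh
# Added example (not from the original post): write a capture with -w,
# confirm the file really is pcap data, then read it back with -r.
# Assumes tcpdump is installed and the capture step runs as root.

# Return 0 if FILE starts with a pcap or pcapng magic number.
pcap_magic_ok() {
    magic=$(od -An -tx1 -N4 "$1" 2>/dev/null | tr -d ' \n')
    case $magic in
        d4c3b2a1|a1b2c3d4|4d3cb2a1|a1b23c4d) return 0 ;;  # pcap, either byte order, usec or nsec stamps
        0a0d0d0a) return 0 ;;                              # pcapng section header block
        *) return 1 ;;
    esac
}

# Write COUNT packets from SRC seen on IFACE into OUT.
# -nn: no name resolution;  -c: stop on its own after COUNT packets.
write_capture() {
    iface=$1; src=$2; out=$3; count=${4:-100}
    tcpdump -i "$iface" -nn -c "$count" -w "$out" "src host $src"
}

# Read a saved file back. An optional second argument is a filter
# expression, which only applies to what the file already holds.
read_capture() {
    file=$1
    pcap_magic_ok "$file" || { echo "$file is not a pcap file" >&2; return 1; }
    tcpdump -nn -r "$file" ${2:+"$2"}
}

# Guarded demo: sourcing the file defines the functions without capturing.
# Interface, address and file name are placeholders from the post's examples.
if [ "${TCPDUMP_DEMO:-}" = 1 ]; then
    write_capture eth2 10.10.0.1 valparaiso.pcap 20 &&
    read_capture valparaiso.pcap 'port 80'
fi
```

Run it with TCPDUMP_DEMO=1 to perform the capture; without that variable it only defines the functions, which makes it safe to source from other scripts.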

-how to capture entire subnet traffic [10]

#tcpdump net 10.3.45.0/24

More examples:

– #tcpdump src host 10.1.1.2 and port 514
– #tcpdump -i eth2 dst host 10.1.1.43 and portrange 510-520
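Combining primitives as in the two examples above is where most tcpdump mistakes happen: each primitive has to be joined to the next with “and” or “or”, values such as 70000 or 29-23 are rejected only once tcpdump is already running, and an expression typed without quotes can be split or expanded by the shell. The following POSIX shell script, an added example and not part of the original post, validates the pieces first and builds the expression with the operators in place. The key=value argument names (src, dst, host, net, port, portrange, proto) are this script's own convention, not tcpdump options.

```shell
#!/bin/sh
# Added example (not from the original post): build a tcpdump filter
# expression from key=value arguments, checking each value before use.
# Assumes tcpdump is installed; capture() must run as root.

valid_ipv4() {
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case $octet in ''|*[!0-9]*) return 1 ;; esac
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# address/prefix, prefix 0-32.  Note: tcpdump itself also rejects a net
# whose host bits are non-zero (e.g. 10.3.45.1/24).
valid_cidr() {
    addr=${1%/*}; plen=${1#*/}
    [ "$addr" != "$1" ] || return 1
    valid_ipv4 "$addr" || return 1
    case $plen in ''|*[!0-9]*) return 1 ;; esac
    [ "$plen" -le 32 ]
}

valid_port() {
    case $1 in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -le 65535 ]
}

# low-high with low <= high
valid_portrange() {
    lo=${1%-*}; hi=${1#*-}
    [ "$lo" != "$1" ] || return 1
    valid_port "$lo" && valid_port "$hi" && [ "$lo" -le "$hi" ]
}

# Print one filter expression; every primitive is joined with "and".
build_filter() {
    filt=""
    for arg in "$@"; do
        key=${arg%%=*}; val=${arg#*=}
        case $key in
            src|dst)   valid_ipv4 "$val" || { echo "bad address: $val" >&2; return 1; }
                       prim="$key host $val" ;;
            host)      valid_ipv4 "$val" || { echo "bad address: $val" >&2; return 1; }
                       prim="host $val" ;;
            net)       valid_cidr "$val" || { echo "bad network: $val" >&2; return 1; }
                       prim="net $val" ;;
            port)      valid_port "$val" || { echo "bad port: $val" >&2; return 1; }
                       prim="port $val" ;;
            portrange) valid_portrange "$val" || { echo "bad port range: $val" >&2; return 1; }
                       prim="portrange $val" ;;
            proto)     case $val in
                           tcp|udp|icmp|arp|ip|ip6) prim=$val ;;
                           *) echo "unsupported protocol: $val" >&2; return 1 ;;
                       esac ;;
            *)         echo "unknown key: $key" >&2; return 1 ;;
        esac
        if [ -z "$filt" ]; then filt=$prim; else filt="$filt and $prim"; fi
    done
    printf '%s\n' "$filt"
}

# Capture on IFACE with the built filter.  The whole expression is passed as
# ONE quoted argument so the shell never splits it or expands anything in it.
capture() {
    iface=$1; shift
    filt=$(build_filter "$@") || return 1
    tcpdump -i "$iface" -nn "$filt"
}

# Example call (placeholders from the post): capture eth2 dst=10.1.1.43 portrange=510-520
```

build_filter can be used on its own to preview the expression before starting a capture, for example `build_filter src=10.1.1.2 port=514` prints `src host 10.1.1.2 and port 514`, which is the first of the two examples above.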

To get more information, use the man page of the tool: type #man tcpdump and it will display the different parameters and options available.
