TCPDUMP: how to use it? [10 common examples]

Basically, TCPDUMP is a network analyzer tool that uses the “libpcap” library to capture traffic on the network. It is used from the command line and can be found on almost any Linux/Unix distribution (BSD, Solaris, etc.). If the package is not installed and you get an error, just install it and continue.

[BASIC POINT:] Open a terminal, run “ifconfig” and analyze the environment (check the IP addresses, NICs, etc.) so that you know the environment and where to look for the information.

After that, the parameters basically work like filters, so let’s play with some common use examples.

-how to check if it is working on eth2? [1] –> Check whether you have any traffic on a NIC [“eth2”], for example,

#tcpdump -i eth2

..>You will see all traffic being captured by the network interface “eth2”. If you get an error message or you do not get any packets, something is probably wrong with tcpdump and it is worth double-checking before you continue.

– how to capture by specific protocol [2]

#tcpdump icmp

Note: You can use any of the protocols listed [UDP, TCP, SNMP, etc.]; check the list for more context.

-how to capture by source and destination [3 & 4]

#tcpdump src
#tcpdump dst

-how to capture by port and port-range [5 & 6]

–>by port
#tcpdump port 80

–>by port range
#tcpdump portrange 23-29

..>You will capture the traffic on ports between 23 and 29, or, with the first command, specifically on port 80.

-how to capture by specific host [7]

#tcpdump host

-how to read/write using files [8 & 9]

#tcpdump src -w valparaiso.txt

..>You will write all captured traffic from that source into the specified file, in this example valparaiso.txt, which is saved in the current directory.


#tcpdump -r [valparaiso].txt

..>You will read the information previously captured in the file.

Note: With both options, all the other parameters are available. As a reminder, “read” only works on the data already captured in the file.

-how to capture entire subnet traffic [10]

#tcpdump net

More examples,

– #tcpdump src host and port 514
– #tcpdump -i eth2 dst host portrange 510-520
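One thing worth knowing about the -w/-r pair above: regardless of the file name you give it, tcpdump -w writes the libpcap binary format, not text, so the file is only useful to tcpdump -r or another pcap reader. The script below is an added example and not part of tcpdump or of this post. It constructs a small five-packet capture in that format (the addresses, ports and the SAMPLE_PCAP name are made up for the example), parses it back the way a reader would, and reproduces in Python what the host/src/dst, net, port, portrange and protocol filters from the examples above select, so you can see exactly which packets “#tcpdump -r file port 80” or “net 192.168.1.0/24” would print.

```python
"""Parse a pcap file as written by `tcpdump -w` and apply host/net/port
filters to its packets. Added example; not tcpdump's own code."""
import ipaddress
import struct

LINKTYPE_ETHERNET = 1
ETHERTYPE_IPV4 = 0x0800
PROTO_ICMP, PROTO_TCP, PROTO_UDP = 1, 6, 17


def build_frame(src_ip, dst_ip, proto, src_port=0, dst_port=0):
    """Construct a minimal Ethernet/IPv4 frame carrying TCP, UDP or ICMP.
    Sample data only: checksums stay zero because nothing here verifies them."""
    eth = bytes.fromhex("020000000001") + bytes.fromhex("020000000002")
    eth += struct.pack("!H", ETHERTYPE_IPV4)
    if proto == PROTO_TCP:   # sport, dport, seq, ack, data offset 5, SYN, window, csum, urg
        l4 = struct.pack("!HHIIBBHHH", src_port, dst_port, 0, 0, 0x50, 0x02, 8192, 0, 0)
    elif proto == PROTO_UDP:  # sport, dport, length, csum
        l4 = struct.pack("!HHHH", src_port, dst_port, 8, 0)
    else:                     # ICMP echo request: type 8, code 0, csum, id, seq
        l4 = struct.pack("!BBHHH", 8, 0, 0, 1, 1)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 1, 0, 64, proto, 0,
                     ipaddress.IPv4Address(src_ip).packed,
                     ipaddress.IPv4Address(dst_ip).packed)
    return eth + ip + l4


def write_pcap(frames):
    """Serialize frames in the classic pcap format that `tcpdump -w` produces."""
    # global header: magic, major, minor, thiszone, sigfigs, snaplen, linktype
    out = bytearray(struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET))
    for i, frame in enumerate(frames):
        # per-packet record: ts_sec, ts_usec, captured length, original length
        out += struct.pack("<IIII", 1700000000 + i, 0, len(frame), len(frame))
        out += frame
    return bytes(out)


def read_pcap(data):
    """Yield (timestamp, frame) records from pcap bytes; rejects non-pcap input."""
    magic, = struct.unpack_from("<I", data, 0)
    if magic == 0xA1B2C3D4:
        endian = "<"
    elif magic == 0xD4C3B2A1:
        endian = ">"
    else:
        raise ValueError("not a pcap file (tcpdump -w writes binary pcap, not text)")
    linktype = struct.unpack_from(endian + "IHHiIII", data, 0)[6]
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError(f"unsupported link type {linktype}")
    off = 24
    while off + 16 <= len(data):
        ts_sec, ts_usec, incl_len, _ = struct.unpack_from(endian + "IIII", data, off)
        off += 16
        yield ts_sec + ts_usec / 1e6, data[off:off + incl_len]
        off += incl_len


def decode(frame):
    """Return the fields the page's filters refer to, or None if the frame is not IPv4."""
    if struct.unpack_from("!H", frame, 12)[0] != ETHERTYPE_IPV4:
        return None
    ihl = (frame[14] & 0x0F) * 4
    pkt = {"proto": frame[23], "src": ipaddress.IPv4Address(frame[26:30]),
           "dst": ipaddress.IPv4Address(frame[30:34]), "sport": None, "dport": None}
    if pkt["proto"] in (PROTO_TCP, PROTO_UDP):
        pkt["sport"], pkt["dport"] = struct.unpack_from("!HH", frame, 14 + ihl)
    return pkt


def matches(pkt, host=None, src=None, dst=None, net=None, port=None, portrange=None, proto=None):
    """Python equivalent of the filter primitives used on this page.
    As in tcpdump, `host`/`net`/`port` match either direction; `src`/`dst` match one."""
    if pkt is None:
        return False
    if proto is not None and pkt["proto"] != proto:
        return False
    if host is not None and ipaddress.IPv4Address(host) not in (pkt["src"], pkt["dst"]):
        return False
    if src is not None and pkt["src"] != ipaddress.IPv4Address(src):
        return False
    if dst is not None and pkt["dst"] != ipaddress.IPv4Address(dst):
        return False
    if net is not None:
        n = ipaddress.IPv4Network(net)
        if pkt["src"] not in n and pkt["dst"] not in n:
            return False
    ports = {pkt["sport"], pkt["dport"]} - {None}
    if port is not None and port not in ports:
        return False
    if portrange is not None and not any(portrange[0] <= p <= portrange[1] for p in ports):
        return False
    return True


def count_matching(pcap_bytes, **filt):
    """Read a capture back (like `tcpdump -r file <filter>`) and count the matching packets."""
    return sum(1 for _, frame in read_pcap(pcap_bytes) if matches(decode(frame), **filt))


# Constructed sample capture (made-up addresses), as if written by `tcpdump -w valparaiso.txt`.
SAMPLE_PCAP = write_pcap([
    build_frame("192.168.1.10", "10.0.0.5", PROTO_TCP, 40000, 80),    # http request
    build_frame("10.0.0.5", "192.168.1.10", PROTO_TCP, 80, 40000),    # http reply
    build_frame("192.168.1.20", "10.0.0.5", PROTO_TCP, 40001, 23),    # telnet, inside 23-29
    build_frame("192.168.1.20", "10.0.0.7", PROTO_UDP, 40002, 514),   # syslog
    build_frame("192.168.1.30", "10.0.0.5", PROTO_ICMP),              # icmp echo
])

if __name__ == "__main__":
    print("port 80:", count_matching(SAMPLE_PCAP, port=80))
    print("portrange 23-29:", count_matching(SAMPLE_PCAP, portrange=(23, 29)))
    print("host 10.0.0.5:", count_matching(SAMPLE_PCAP, host="10.0.0.5"))
    print("net 192.168.1.0/24:", count_matching(SAMPLE_PCAP, net="192.168.1.0/24"))
    print("src host 192.168.1.20 and port 514:",
          count_matching(SAMPLE_PCAP, src="192.168.1.20", port=514))
```

Note that `host` and `port` count a packet whether the address or port is on the source or the destination side, which is why “port 80” matches both the request and the reply, while “src host … and port 514” only matches the syslog packet. Feeding the reader a plain text file raises an error at the magic-number check, which is the same reason tcpdump -r refuses anything that was not written by -w.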

To get more information, use the tool's man pages. Type #man tcpdump and it will display the different parameters and options available.
