Useful tcpdump Linux Examples for the Network Admin

Published:5 July 2022 - 7 min. read

Nicholas Xuan Nguyen Image

Nicholas Xuan Nguyen

Read more tutorials by Nicholas Xuan Nguyen!

Azure Cloud Labs: these FREE, on‑demand Azure Cloud Labs will get you into a real‑world environment and account, walking you through step‑by‑step how to best protect, secure, and recover Azure data.

As a network administrator, troubleshooting network issues is part of your day-to-day. One indispensable tool when working on network-related problems is the tcpdump Linux command.

This tutorial will walk you through some real-world examples of how tcpdump can aid you in diagnosing common network problems. By the end of this tutorial, you will have a better understanding of how to leverage tcpdump to troubleshoot your own network issues.

Prerequisites

This tutorial will be a hands-on demonstration. If you’d like to follow along, be sure you have a Linux machine. This tutorial uses Ubuntu 20.04, but any modern-day Linux distribution will work.

Installing the tcpdump Linux Tool

Most modern Linux distributions, especially servers, already have tcpdump. But if not, don’t worry because the installation is sweat-free and quick.

1. Log in to your Linux computer using your preferred SSH client.

2. First, check if tcpdump is already installed by running the below command.

sudo apt list --installed tcpdump

If tcpdump exists on your machine, you’ll see a similar output to the screenshot below.

The tcpdump Linux tool is already installed
The tcpdump Linux tool is already installed

If tcpdump does not exist, you’ll get the below result instead.

The tcpdump Linux tool is not yet installed
The tcpdump Linux tool is not yet installed

3. Once you’ve confirmed that tcpdump is not installed, run the below commands to install it.

# Update the package index
sudo apt update -y

# Install tcpdump
sudo apt install tcpdump -y
Installing the tcpdump Linux tool
Installing the tcpdump Linux tool

4. Finally, check the installed tcpdump version by running the below command.

tcpdump --version

As of this writing, the latest tcpdump version from the Ubuntu repository is 4.9.3.

Verifying the tcpdump Linux tool version
Verifying the tcpdump Linux tool version

Capturing Packets Traffic on the Default Interface

The primary use of tcpdump is capturing packets. Thanks to the pcap library, the tool can capture packets from different network types, such as Ethernet, Wi-Fi, PPP, etc.

The syntax for the basic form of the tcpdump command is as follows.

tcpdump [options] [expression]

Where:

  • options: Set various tcpdump options. Options control how tcpdump captures and displays the packets.
  • expression: Filter or specify what type of traffic to capture. Expressions are discussed in greater detail later in this tutorial.

The most basic use case for tcpdump is to capture all traffic on your default network interface and display the data to the standard output.

Run the tcpdump command without options or expressions to capture all traffic on your default interface.

sudo tcpdump

You must run tcpdump as root or with the sudo prefix because accessing the network interfaces is a privileged operation.

The tcpdump tool captures packets and prints output to the terminal, as shown below. When you believe you’ve captured enough packets, press CTRL+C to stop the capture.

Starting and stopping tcpdump
Starting and stopping tcpdump

Limiting Packet Capture Count

The tcpdump Linux command can quickly overwhelm your terminal with output, and it is best only to capture a small amount of data at a time.

You can include the -c option to specify the number of packets tcpdump should capture before it exits. This option is often applicable when you only want to capture a small amount of data for analysis.

To do so, run the below command and change the number after the -c option. This example captures up to 10 packets only and automatically terminates.

sudo tcpdump -c 10
Limiting the packet capture count
Limiting the packet capture count

Increasing Verbosity

During packet capture, you may find that, at times, the default output may not contain or show in-depth information. Fortunately, the tcpdump Linux tool gives you three levels of verbosity represented by the -v, -vv, and -vvv flags.

When using these options, tcpdump parses and prints lots more information for each packet, like time to live(TTL), identification, etc.

# Verbose
sudo tcpdump -v

# Even more verbose
sudo tcpdump -vv

# Most verbose
sudo tcpdump -vvv

For a better perspective, refer to the below images comparing the difference in detail between -v and -vvv.

Comparing the tcpdump Linux command's least verbose and most verbose outputs
Comparing the tcpdump Linux command’s least verbose and most verbose outputs

Capturing Packets on a Specific or All Interfaces

In the previous example, tcpdump was capturing packets on the default network interface, which means you have only one interface to mind. But what if you have multiple interfaces and want to capture traffic on a specific interface or all the interfaces?

The tcpdump Linux command allows you to specify which network interface to capture using the -i flag. This flag accepts the interface name as the value, which means you need to know the interface name first.

1. Run the tcpdump command with the -D option to print a list of all available interfaces on the machine.

sudo tcpdump -D

As you can see below, there are seven interfaces on this machine. Your computer may have a different set of network interfaces. This example focuses only on the ethernet network interfaces, specifically eth0 and eth1.

Listing all network interfaces
Listing all network interfaces

2. Next, run the below command to start capturing packets on the specific interface you want. This example captures the eth1 interface. Also, to limit the number of captured packets, the below command uses the -c flag followed by the count.

sudo tcpdump -i eth1 -c 5
Capturing packets on a specific interface
Capturing packets on a specific interface

3. Instead of specifying one interface, you can also capture packets on all interfaces simultaneously. To do so, set any as the parameter value for -i.

sudo tcpdump -i any -c 5

Why would you want to capture packets on all interfaces? Here are some common reasons.

For one, capturing traffic on all interfaces allows you to see all the traffic passing through your system, even if it’s not destined for your system.

Also, you can see what services and protocols pass through your network. This information can be helpful when configuring firewall rules or other security measures, especially when building new servers.

Adding Filters to the tcpdump Linux Command

Wildly capturing packets is not always the best approach. The amount of data can become confusing and may hinder your troubleshooting. Why? Because you may be capturing traffic that is not relevant to the situation.

Filters come in handy in these situations. The tcpdump tool has many built-in filters for capturing specific types of traffic. You may combine these filters to capture only the relevant traffic. Below are some examples.

Filtering by Port Number

For example, if you are troubleshooting an SSH server issue, you probably don’t care about other types of traffic passing through your network.

Run the command below to capture all traffic destined for port 22, the default SSH port.

sudo tcpdump -c 5 port 22

As you can see, the tool only captured port 22 traffic as the source or destination.

Filtering port 22 traffic
Filtering port 22 traffic

How about if you’re only interested in HTTP traffic? You only need to replace the port number with your HTTP port, which by default is port 80.

sudo tcpdump -c 1 port 80
Filtering port 80 traffic
Filtering port 80 traffic

Note: The tcpdump tool is smart enough to recognize service protocol names in place of port numbers. For example, instead of specifying port 22 for filtering SSH traffic, you may specify port ssh instead. The same goes for port 80 for HTTP traffic, port http.

Filtering by Protocol

Don’t let the name tcpdump fool you into thinking it only works with TCP traffic. This tool can also capture non-TCP traffic like ICMP or UDP.

For example, the below command captures packets from any interface but only filters UDP traffic.

sudo tcpdump -i any -c 5 udp

As a result, the below results show UDP traffic only, which appears to be packets about NTP and DNS operations.

Filtering UDP traffic
Filtering UDP traffic

What if you only need to capture the DNS-related traffic? In that case, you can combine the filters udp and port 53. This way, the intended output should only show DNS-related packets.

sudo tcpdump -i any -c 5 udp port 53

This time, you only captured DNS-related (A, PTR, AAA lookup, and reply) traffic restricted to the UDP transport protocol.

Combining protocol and port filters
Combining protocol and port filters

Do you suspect that a ping flood attack is happening in your network? Why don’t you try finding the source and destination using tcpdump? To do so, run the below command to listen on any interface for ICMP traffic.

The -n flag prevents tcpdump from attempting to resolve the hostnames and shows the IP addresses instead. In this type of situation, bypassing name resolution can improve performance.

sudo tcpdump -n -i any icmp
Capturing ICMP network packets
Capturing ICMP network packets

You may have already realized that the tcpdump filters are powerful and flexible. By combining different filters, you can capture the traffic relevant to your desired result.

For more information on tcpdump filters, consult the tcpdump man page.

Saving Captured Packets to a File on Disk

Displaying packet captures on the screen on the fly is fine for short captures. But if you’re generating huge packet captures, the on-screen output is no longer practical. You need a way to export the captured data to a file for later analysis or sharing.

Fortunately, tcpdump supports the ability to save captured packets to a file on disk. You must specify the -w option followed by the file path.

Run the command below to save all traffic passing through your system to a file called /tmp/capture.pcap. This command listens on any interface and captures a maximum of 20 packets before automatically exiting.

sudo tcpdump -i any -w /tmp/capture.pcap -vv -c 20
Sending packet capture to file
Sending packet capture to file

Now you have the packet capture file, and when you need to, you can read the file back into the terminal. To read a packet capture from a file, add the -r option followed by the packet capture filename.

sudo tcpdump -r /tmp/capture.pcap
Reading the packet capture file
Reading the packet capture file

Conclusion

This tutorial taught you to capture and analyze network traffic using the tcpdump Linux command. You’ve used common options and combined filters to generate accurate packet captures. You also used the tool to capture packets to file for later analysis and read the file back into the terminal.

The tcpdump Linux tool is essential in every network administrator’s toolbox. The knowledge you have gained in this tutorial helps you become effective and efficient in troubleshooting network issues.

Hate ads? Want to support the writer? Get many of our tutorials packaged as an ATA Guidebook.

Explore ATA Guidebooks

Looks like you're offline!