The tcpdump tool can be of great help when resolving networking issues. The packets can be saved to a file and later analyzed. It is a good idea to run this tool occasionally to keep a watch over your network.

What does the tcpdump output look like?

tcpdump lets you examine the headers of TCP/IP packets. It prints one line for each packet and keeps running until you press Ctrl+C to terminate it. Let's examine one line from an example output. Each line includes:

- Unix timestamp (20:58:26.765637)
- protocol (IP)
- the source hostname or IP and port number (10.0.0.50.80)
- destination hostname or IP and port number (10.0.0.1.53181)
- TCP flags (Flags [F.]). Flags indicate the state of the connection. This field can include more than one value, as in this example, where [F.] means FIN-ACK. It can have the following values:
  S – SYN. The first step in establishing the connection.
  F – FIN. Connection termination.
  . – ACK. Acknowledgment: packet received successfully.
  P – PUSH. Tells the receiver to process packets instead of buffering them.
  R – RST. Communication stopped.
- Sequence number of the data in the packet (seq 1)
- Acknowledgement number (ack 2)
- Window size (win 453). The number of bytes available in the receiving buffer. This is followed by the TCP options.
- Length of the data payload (length 0)
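As an added example, not part of the original article, the following Python parses lines in the format just described and decodes the flag letters into their names, then tallies flag combinations per source host, which is a quick way to notice a host that only ever sends SYNs. The sample lines are constructed in "tcpdump -n" format, and the U/E/W flag letters go beyond the list above.

```python
"""Parse tcpdump's one-line-per-packet TCP output and decode the Flags field."""
import re
from collections import Counter

# Letters tcpdump prints inside "Flags [...]"; U/E/W are also real tcpdump
# flag letters but are not covered in the text above.
FLAG_NAMES = {"S": "SYN", "F": "FIN", ".": "ACK", "P": "PUSH", "R": "RST",
              "U": "URG", "E": "ECE", "W": "CWR"}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<proto>IP6?) (?P<src>\S+) > (?P<dst>\S+): Flags \[(?P<flags>[^\]]*)\]"
    r"(?:, seq (?P<seq>\d+(?::\d+)?))?(?:, ack (?P<ack>\d+))?(?:, win (?P<win>\d+))?"
    r"(?:, options \[(?P<opts>[^\]]*)\])?, length (?P<length>\d+)$"
)

def split_endpoint(endpoint):
    """'10.0.0.50.80' -> ('10.0.0.50', 80): tcpdump appends the port after a final dot.
    Without -n the port may be a service name ('10.0.0.50.http'), which is kept as text."""
    host, _, port = endpoint.rpartition(".")
    return host, (int(port) if port.isdigit() else port)

def decode_flags(flags):
    """'F.' -> ['FIN', 'ACK']; unknown letters are passed through unchanged."""
    return [FLAG_NAMES.get(ch, ch) for ch in flags]

def parse_line(line):
    """Return the header fields of one tcpdump TCP line as a dict, or None for other lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    src, sport = split_endpoint(m["src"])
    dst, dport = split_endpoint(m["dst"])
    to_int = lambda v: int(v) if v else None  # ack/win are absent on some packets
    return {"timestamp": m["ts"], "src": src, "src_port": sport, "dst": dst, "dst_port": dport,
            "flags": decode_flags(m["flags"]), "seq": m["seq"], "ack": to_int(m["ack"]),
            "win": to_int(m["win"]), "options": m["opts"].split(",") if m["opts"] else [],
            "length": int(m["length"])}

def count_flag_combos(lines):
    """Tally (source host, flag combination) pairs over a batch of tcpdump lines."""
    counts = Counter()
    for pkt in filter(None, map(parse_line, lines)):
        counts[(pkt["src"], "+".join(pkt["flags"]))] += 1
    return counts

# Constructed sample lines in `tcpdump -n` format, not taken from a real capture.
SAMPLE = [
    "20:58:26.765637 IP 10.0.0.50.80 > 10.0.0.1.53181: Flags [F.], seq 1, ack 2, win 453, options [nop,nop,TS val 10 ecr 20], length 0",
    "20:58:27.000123 IP 10.0.0.9.40000 > 10.0.0.50.22: Flags [S], seq 100, win 64240, options [mss 1460], length 0",
    "20:58:27.000456 IP 10.0.0.9.40001 > 10.0.0.50.22: Flags [S], seq 200, win 64240, options [mss 1460], length 0",
]
```

Feed it the saved text output of a capture (or pipe tcpdump -n -l into it) and count_flag_combos gives a per-host picture of how connections are being opened and closed.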

Installation

On Debian-based distributions tcpdump can be installed with the APT command. On RPM-based distributions it can be installed with YUM, or with DNF on RHEL 8.

tcpdump command options

You need to be root to run tcpdump. It includes many options and filters. Running tcpdump without any options captures all packets flowing through the default interface.

tcpdump can also list the network interfaces available on the system on which it can capture packets. This is especially useful on systems that do not have a command to list interfaces.

To capture packets flowing through a specific interface, use the -i flag with the interface name. Without -i, tcpdump picks the first network interface it comes across.

The -v flag increases the information you see about the packets; -vv gives you even more detail.

By default, tcpdump resolves IP addresses to hostnames and uses service names instead of port numbers. If DNS is broken or you do not want tcpdump to perform name lookups, use the -n option.

To capture only a fixed number of packets (lines of output), say 5, use the -c flag.

The default tcpdump output uses Unix timestamps; tcpdump can also print each packet with a human-readable timestamp.

tcpdump filter expressions

Filter expressions select which packet headers will be displayed. If no filters are applied, all packet headers are displayed. Commonly used filters are port, host, src, dst, tcp, udp, icmp.

port filter

Use the port filter to view packets arriving at a specific port.

host filter

Use the host filter to capture all packets arriving at or leaving the host with IP address 10.0.2.15. A protocol name such as icmp can also be given as a filter, for example to capture only ICMP packets on the eth1 interface.

Combining filter expressions

You can combine these filter expressions with the AND, OR and NOT operators, which lets you write commands that isolate packets more precisely, for example packets from a specific IP that are destined for a specific port. To capture all packets except ICMP, use the NOT operator.

Saving packet headers to a file

Since tcpdump output can scroll past the screen quite fast, you can store packet headers to a file with the -w flag. Saved files use the pcap (packet capture) format and have the extension .pcap. You can, for example, save 10 lines of output from the eth1 interface to icmp.pcap. Such a file can be read back with the -r flag.

Viewing packet details

So far we have only seen the packet headers; to view packet contents, use the -A option, which prints the contents in ASCII and can help in network troubleshooting. The -X flag displays the output in hex instead. Neither is of much help if the connection is encrypted.

Conclusion

tcpdump is easy to set up, and once you understand its output, flags and filters, it can be used to resolve networking issues and to secure your network.
