TCPDump is an essential tool for security professionals, system administrators, and network administrators. It provides capabilities to capture and analyze network traffic. Here are the most common reasons why TCPDump is useful:
- Troubleshooting networks: TCPDump allows network administrators to capture network packets, which can be analyzed to gain insights into traffic patterns and possible anomalies. TCPDump is essential for diagnosing network issues like packet loss, high latency, and connectivity problems.
- Monitoring network performance: TCPDump captures traffic and helps in monitoring network performance and identifying bottlenecks. This data helps network administrators optimize their network infrastructure and ensure optimal data flow.
- Pinpointed data: TCPDump can be used to capture only the traffic that needs to be examined. For example, data flow based on IP addresses, ports, packet attributes, and protocols can be filtered and captured with TCPDump. This allows focused monitoring, analysis, and troubleshooting.
- Security: TCPDump is an integral part of analyzing network flows for suspicious activity. By capturing and analyzing data packets, a DevSecOps professional can detect suspicious activity such as unauthorized access or malware attacks. TCPDump helps in both detecting and troubleshooting incidents.
What are TCPDump Examples
In this comprehensive guide, we will show you some examples of TCPDump, how to analyze their output, and how to utilize its capabilities. Let us guide you through how to capture traffic using TCPDump, with a few TCPDump examples coupled with their applications.
Basic Syntax
The basic command to capture traffic on a specific network interface is
This command captures all packets on the specified interface and displays them in the terminal. Press Ctrl+C to stop capturing data packets.
How to Limit the Packet Capture Count
Use the “-c” flag to stop the data packet capture after a specified number of data packets. The syntax for this use case is:
In this command, n is the number of packets after which the data packet capture should stop.
To View the Packet Content
With the “-A” flag, you can view the contents of each packet in ASCII format. Here is one more TCPDump example command to view the contents of the captured packets.
To get both hexadecimal and ASCII output for each packet, use the “-XX” flag (the “-X” flag prints the same, minus the link-level header).
How to Save the Captured Packets
With the “-w” flag, you can save the captured packets to a file. Here is the syntax to save the captured packets.
Reading the Saved Packet Capture File
To read the file containing all the saved data packets, use the “-r” flag.
TCPDump Examples for Filtering Data Traffic
TCPDump offers many options to filter the data traffic based on protocols, IP addresses, and ports. Here are some TCPDump examples to filter the data packets.
Filtering Data Packets by Packet Attributes
Use this syntax to filter only UDP packets
Use this syntax to filter only TCP packets
To filter packets based on their port, use this syntax
To filter packets on multiple ports, use this syntax
To capture packets from a selected source IP, use the “src” qualifier in the filter expression.
To capture packets to a selected destination IP, use the “dst” qualifier in the filter expression.
Some Advanced TCPDump Examples
To capture only the TCP SYN packets, use this command:
To capture only the TCP RST packets, execute this command:
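A defender rarely stops at the filter itself: the SYN and RST lines it prints still have to be counted per host to tell a normal client from one that is probing many ports or being refused over and over. The script below is an added example, not part of the original post. It parses tcpdump's default one-line summary for IPv4 TCP (as printed with `-n`, so ports are numeric) over a constructed sample, tallies pure SYNs sent by each source against the SYN-ACK and RST replies it received, and flags sources worth a closer look. The thresholds in `suspicious_sources` are illustrative assumptions.

```python
import re
from collections import defaultdict

# Matches tcpdump's default TCP summary line for IPv4 with -n, e.g.
# "12:00:01.000123 IP 10.0.0.5.44321 > 192.0.2.10.80: Flags [S], seq 1, win 1024, length 0"
TCP_LINE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+): "
    r"Flags \[(?P<flags>[^\]]*)\]"
)

# Constructed sample output: one normal web client (10.0.0.9) and one host (10.0.0.5)
# probing four ports on the same server, three of which answer with RST.
SAMPLE_OUTPUT = """\
12:00:01.000123 IP 10.0.0.9.51000 > 192.0.2.10.80: Flags [S], seq 100, win 64240, length 0
12:00:01.000456 IP 192.0.2.10.80 > 10.0.0.9.51000: Flags [S.], seq 200, ack 101, win 65160, length 0
12:00:01.000789 IP 10.0.0.9.51000 > 192.0.2.10.80: Flags [.], ack 1, win 502, length 0
12:00:02.000000 IP 10.0.0.5.44321 > 192.0.2.10.22: Flags [S], seq 1, win 1024, length 0
12:00:02.000100 IP 192.0.2.10.22 > 10.0.0.5.44321: Flags [R.], seq 0, ack 2, win 0, length 0
12:00:02.000200 IP 10.0.0.5.44322 > 192.0.2.10.23: Flags [S], seq 1, win 1024, length 0
12:00:02.000300 IP 192.0.2.10.23 > 10.0.0.5.44322: Flags [R.], seq 0, ack 2, win 0, length 0
12:00:02.000400 IP 10.0.0.5.44323 > 192.0.2.10.443: Flags [S], seq 1, win 1024, length 0
12:00:02.000500 IP 192.0.2.10.443 > 10.0.0.5.44323: Flags [S.], seq 9, ack 2, win 65160, length 0
12:00:03.000000 IP 10.0.0.5.44324 > 192.0.2.10.8080: Flags [S], seq 1, win 1024, length 0
12:00:03.000100 IP 192.0.2.10.8080 > 10.0.0.5.44324: Flags [R.], seq 0, ack 2, win 0, length 0
12:00:04.000000 IP 10.0.0.9.51001 > 192.0.2.10.53: UDP, length 40
"""


def parse_line(line):
    """Return (src, sport, dst, dport, flags) for a TCP summary line, None for anything else."""
    m = TCP_LINE.match(line.strip())
    if not m:
        return None
    return (m["src"], int(m["sport"]), m["dst"], int(m["dport"]), m["flags"])


def summarize(lines):
    """Per source host: pure SYNs sent, SYN-ACK and RST replies received, distinct ports tried."""
    stats = defaultdict(lambda: {"syn_sent": 0, "synack_back": 0, "rst_back": 0, "dst_ports": set()})
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        src, _, dst, dport, flags = parsed
        if "S" in flags and "." not in flags:   # [S]: a connection attempt
            stats[src]["syn_sent"] += 1
            stats[src]["dst_ports"].add(dport)
        elif "S" in flags:                      # [S.]: the port answered; credit the original client
            stats[dst]["synack_back"] += 1
        elif "R" in flags:                      # [R] / [R.]: the port refused; credit the original client
            stats[dst]["rst_back"] += 1
    return dict(stats)


def suspicious_sources(stats, min_ports=3, min_rst_ratio=0.5):
    """Sources that tried many distinct ports or were mostly refused (illustrative thresholds)."""
    flagged = []
    for host, s in stats.items():
        if s["syn_sent"] == 0:
            continue
        if len(s["dst_ports"]) >= min_ports or s["rst_back"] / s["syn_sent"] >= min_rst_ratio:
            flagged.append(host)
    return sorted(flagged)


if __name__ == "__main__":
    stats = summarize(SAMPLE_OUTPUT.splitlines())
    for host, s in stats.items():
        print(host, s["syn_sent"], s["synack_back"], s["rst_back"], sorted(s["dst_ports"]))
    print("worth a closer look:", suspicious_sources(stats))
```

Feed it saved output (`tcpdump -n ... > capture.txt`, then `summarize(open("capture.txt"))`) rather than a live pipe when you want the numbers to be reproducible in an incident write-up. The UDP line in the sample is deliberately ignored by the parser; only lines carrying a `Flags [...]` field are counted.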
Some Real World TCPDump Examples
Use this command to capture only the HTTP traffic on port XX.
Here is a TCPDump example to capture traffic between a source and destination host.
To filter the packets based on their size, here is a sample command:
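To make concrete what the filters in this guide actually test against, here is an added example (not code from the original post or from the tcpdump project) that builds a small constructed capture in the classic pcap layout that `tcpdump -w` writes, reads it back the way `tcpdump -r` would, and applies Python predicates named after the standard pcap-filter expressions they mirror: protocol, `port`, `src host`/`dst host`, the SYN-only and RST flag tests, and `greater N` (which in pcap-filter means a length of at least N bytes). The `count` argument of `apply_filter` plays the role of `-c`. Addresses, ports and payloads are constructed sample values; checksums are left at zero because the frames are only parsed, never sent.

```python
import socket
import struct
from dataclasses import dataclass

ETH_IPV4 = 0x0800
TCP_SYN, TCP_RST, TCP_ACK = 0x02, 0x04, 0x10


@dataclass
class Packet:
    src: str
    dst: str
    proto: str
    sport: int
    dport: int
    flags: int    # TCP flag byte; 0 for UDP
    length: int   # captured frame length, what pcap-filter's `len` / `greater` sees


def build_frame(src, dst, proto, sport, dport, flags=0, payload=b""):
    """Constructed Ethernet/IPv4 frame carrying a TCP or UDP header; checksums left zero."""
    if proto == "tcp":
        l4 = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 65535, 0, 0) + payload
        proto_num = 6
    else:
        l4 = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
        proto_num = 17
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64, proto_num, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    return b"\x00" * 12 + struct.pack("!H", ETH_IPV4) + ip + l4


def write_pcap(frames):
    """Serialise frames in the classic pcap format (LINKTYPE_ETHERNET), as `tcpdump -w` does."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", 1_700_000_000 + i, 0, len(frame), len(frame)) + frame
    return out


def decode_frame(frame):
    """Addresses, ports and TCP flags from one Ethernet frame; None unless it is IPv4 TCP/UDP."""
    if len(frame) < 34 or struct.unpack("!H", frame[12:14])[0] != ETH_IPV4:
        return None
    ihl = (frame[14] & 0x0F) * 4
    src, dst = socket.inet_ntoa(frame[26:30]), socket.inet_ntoa(frame[30:34])
    l4 = frame[14 + ihl:]
    if frame[23] == 6 and len(l4) >= 20:
        sport, dport = struct.unpack("!HH", l4[:4])
        return Packet(src, dst, "tcp", sport, dport, l4[13], len(frame))
    if frame[23] == 17 and len(l4) >= 8:
        sport, dport = struct.unpack("!HH", l4[:4])
        return Packet(src, dst, "udp", sport, dport, 0, len(frame))
    return None


def read_pcap(data):
    """Walk a pcap byte string (what `tcpdump -r` reads) and yield decoded packets."""
    magic = struct.unpack("<I", data[:4])[0]
    endian = {0xA1B2C3D4: "<", 0xD4C3B2A1: ">"}.get(magic)
    if endian is None:
        raise ValueError("not a classic pcap file")
    if struct.unpack(endian + "I", data[20:24])[0] != 1:
        raise ValueError("only the Ethernet link type is handled here")
    pos = 24
    while pos + 16 <= len(data):
        caplen = struct.unpack(endian + "IIII", data[pos:pos + 16])[2]
        packet = decode_frame(data[pos + 16:pos + 16 + caplen])
        pos += 16 + caplen
        if packet is not None:
            yield packet


# Each key is the pcap-filter expression the predicate mirrors.
FILTERS = {
    "udp": lambda p: p.proto == "udp",
    "tcp": lambda p: p.proto == "tcp",
    "port 80": lambda p: 80 in (p.sport, p.dport),
    "port 80 or port 443": lambda p: bool({p.sport, p.dport} & {80, 443}),
    "src host 10.0.0.5": lambda p: p.src == "10.0.0.5",
    "dst host 192.0.2.10": lambda p: p.dst == "192.0.2.10",
    # pure SYN: SYN set and ACK clear (a SYN-ACK reply has both bits set)
    "tcp[tcpflags] & (tcp-syn|tcp-ack) == tcp-syn":
        lambda p: p.proto == "tcp" and p.flags & (TCP_SYN | TCP_ACK) == TCP_SYN,
    "tcp[tcpflags] & tcp-rst != 0": lambda p: p.proto == "tcp" and bool(p.flags & TCP_RST),
    "greater 100": lambda p: p.length >= 100,   # `greater N` is len >= N
}


def apply_filter(expr, data, count=None):
    """Equivalent of `tcpdump -r file -c count 'expr'`: matching packets, stopping after `count`."""
    matched = []
    for packet in read_pcap(data):
        if FILTERS[expr](packet):
            matched.append(packet)
            if count is not None and len(matched) >= count:
                break
    return matched


# Constructed capture: an HTTP handshake and request, a refused SSH probe, a DNS query, a TLS SYN.
SAMPLE_PCAP = write_pcap([
    build_frame("10.0.0.5", "192.0.2.10", "tcp", 44321, 80, TCP_SYN),
    build_frame("192.0.2.10", "10.0.0.5", "tcp", 80, 44321, TCP_SYN | TCP_ACK),
    build_frame("10.0.0.5", "192.0.2.10", "tcp", 44321, 80, TCP_ACK,
                b"GET / HTTP/1.1\r\nHost: example.test\r\nUser-Agent: demo\r\n\r\n"),
    build_frame("10.0.0.5", "192.0.2.10", "tcp", 44322, 22, TCP_SYN),
    build_frame("192.0.2.10", "10.0.0.5", "tcp", 22, 44322, TCP_RST | TCP_ACK),
    build_frame("10.0.0.9", "192.0.2.53", "udp", 51000, 53, payload=b"\x00" * 40),
    build_frame("10.0.0.9", "192.0.2.10", "tcp", 51001, 443, TCP_SYN),
])

if __name__ == "__main__":
    for expr in FILTERS:
        print(f"{expr:48} -> {len(apply_filter(expr, SAMPLE_PCAP))} packet(s)")
```

Two points worth keeping in mind when you move from this toy to real captures: `greater` compares against the captured length, so a small snaplen (`-s`) changes what matches, and the SYN-only test deliberately excludes SYN-ACKs, which is why the RST predicate is written separately rather than folded into it.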
Wrapping Up
TCPDump is an essential tool for security analysis and network diagnostics. Its plethora of capabilities to capture and filter data packets based on their source, destination, and other attributes makes it a solid tool for preventing outages and malware attacks.
Related Link
RedHat TCPDump troubleshooting instructions