Tcpdump is a command-line tool for capturing and analyzing network packets. It can capture or filter the TCP/IP packets sent and received on a specific network interface, and the captured traffic can either be inspected in real time or saved to a file for later analysis. The most commonly used tcpdump examples are listed below:

- To list the available interfaces:

    tcpdump -D

- To capture packets from a specific interface:

    tcpdump -i <network_interface>

- To capture a specific number of packets (N):

    tcpdump -c N -i <network_interface>

- To capture packets to or from a specific port (N), or to exclude that port from the capture:

    tcpdump -i <network_interface> port N
    tcpdump -i <network_interface> not port N    # excludes port N from the capture

- To save the tcpdump output to a file and read that file back later:

    tcpdump -i <network_interface> -w filename.pcap
    tcpdump -r filename.pcap

  Alternatively, Wireshark can be used to analyze the saved .pcap file.

- To capture packets by source or destination IP address:

    tcpdump -i <network_interface> src <IP_ADDRESS>
    tcpdump -i <network_interface> dst <IP_ADDRESS>

- By default tcpdump captures only the first 96 bytes of each packet (the default snapshot length depends on the tcpdump version). With the -s option the capture size can be changed; in the example below -s0 is used to capture entire packets, but any size can be given instead:

    tcpdump -s0 -i <network_interface>

- To see MAC addresses in the tcpdump output:

    tcpdump -e

- To capture packets to or from a specific host:

    tcpdump -i <network_interface> host <ip_address>

- To capture with a more readable timestamp (and verbose output, without name resolution):

    tcpdump -n -ttttvv -i <network_interface>
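The individual filters above can be combined with `and` into one BPF expression. The script below is an added example (not part of the original post) that composes a full-packet capture command from an interface, an output file and optional host/port terms, and excludes a port so that a capture run over SSH does not record the SSH session itself. The function names `join_filter` and `build_tcpdump_cmd` and the sample values (eth0, 10.0.0.5, port 22) are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not from the original post. Function names and sample values are
# constructed for illustration; nothing here is executed until the printed command is run.

# join_filter TERM...: AND-joins the non-empty terms into a single BPF filter expression.
# Example: join_filter "host 10.0.0.5" "" "not port 22" -> "host 10.0.0.5 and not port 22"
join_filter() {
    out=""
    for term in "$@"; do
        [ -z "$term" ] && continue
        if [ -z "$out" ]; then
            out="$term"
        else
            out="$out and $term"
        fi
    done
    printf '%s' "$out"
}

# build_tcpdump_cmd IFACE OUTFILE [HOST] [PORT] [EXCLUDE_PORT]
# Prints a tcpdump command line that captures whole packets (-s0) on IFACE, skips
# name resolution (-n) so the capture itself generates no DNS traffic, writes to
# OUTFILE (-w) and applies a combined host / port / "not port" filter.
# EXCLUDE_PORT is typically 22 when you are running tcpdump over an SSH session.
build_tcpdump_cmd() {
    iface=$1; outfile=$2; host=$3; port=$4; excl=$5
    hterm=""; pterm=""; eterm=""
    [ -n "$host" ] && hterm="host $host"
    [ -n "$port" ] && pterm="port $port"
    [ -n "$excl" ] && eterm="not port $excl"
    filter=$(join_filter "$hterm" "$pterm" "$eterm")
    if [ -n "$filter" ]; then
        printf "tcpdump -n -s0 -i %s -w %s '%s'\n" "$iface" "$outfile" "$filter"
    else
        printf "tcpdump -n -s0 -i %s -w %s\n" "$iface" "$outfile"
    fi
}

# Sample usage (constructed values): capture everything for 10.0.0.5 except our own SSH session.
build_tcpdump_cmd eth0 capture.pcap 10.0.0.5 "" 22
# The saved file can then be read back with the same filter syntax: tcpdump -n -r capture.pcap 'port 80'
```

The printed command still needs root (or CAP_NET_RAW) to actually capture; the script only assembles the command line so the filter can be checked before it is run.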