Using Tcpdump To Capture And Analyze Network Traffic


Introduction

Tcpdump is one of the finest tools available for network analysis. It is a must-have for network administrators and for anyone who wants to understand TCP/IP. It captures packets transmitted or received on a network interface and prints a decoded summary of each one. Note that opening an interface for capture requires root privileges (on Linux, the CAP_NET_RAW and CAP_NET_ADMIN capabilities are sufficient). tcpdump is free software released under the BSD license.

Features

It is a command line tool built on libpcap and is available on Linux (Debian and Red Hat based systems included), the BSDs and macOS. Captured packets can be saved to a file and analysed later with tcpdump itself or with tools such as Wireshark. Capture filters (BPF expressions such as host, net, port and icmp) keep only the traffic you want to see and discard the rest. It resolves hostnames and decodes almost all of the common TCP/IP protocols.

Installation

For CentOS / RHEL (dnf on newer releases):

# yum install tcpdump

For Debian and Ubuntu:

# apt-get install tcpdump

FreeBSD ships tcpdump in the base system, so nothing needs to be installed there.

Utility Examples

1. Run tcpdump without any options. It opens the default interface (normally the first non-loopback interface that is up) and prints a one-line summary of every packet to the screen until you stop it with Ctrl-C.
# tcpdump

Sample output:

[screenshot of sample output]

2. Specify the interface to capture on with -i (on Linux, -i any captures on every interface at once)
# tcpdump -i eth1

Sample output:

[screenshot of sample output]

Note that when tcpdump exits it prints three counters: packets captured, packets received by filter and packets dropped by kernel. A non-zero dropped count means the capture is incomplete because tcpdump could not keep up; a larger capture buffer (-B, in KiB) and a tighter filter both help.

3. Capture packets from a specific host. src host matches only packets sent by that address; dst host matches packets sent to it, and plain host matches either direction.
# tcpdump src host 192.51.15.1

Sample output:

[screenshot of sample output]

A hostname can be used instead of an address. It is resolved once, when the filter is compiled, so the filter will not follow later DNS changes:

# tcpdump src host unixmen.com

[screenshot of sample output]

4. Show a full date and time stamp on each line. -tttt prints the date and the time of day; -t suppresses the timestamp, -tt prints seconds since the epoch and -ttt prints the delta since the previous packet. -n keeps addresses numeric (no reverse DNS lookups).
# tcpdump -i eth0 -n -tttt

Sample output:

[screenshot of sample output]

5. Capture traffic to or from a specific IP range. The net filter matches packets whose source or destination address falls inside the subnet (tcpdump only listens; it does not probe the hosts).
# tcpdump net 192.51.15.0/24

Sample output:

[screenshot of sample output]

6. Capture only ICMP traffic (ping and error messages) on a specific interface
# tcpdump -i eth1 icmp

Sample output:

[screenshot of sample output]

7. Save the captured packets to a file. -w writes the raw packets in pcap format (binary, not text), so nothing is printed to the screen while it runs; the packets captured / dropped counters still appear when it exits.
# tcpdump -w unixmen.cap

unixmen.cap is the output file name. Very old tcpdump versions saved only the first 68 bytes of each packet by default; add -s 0 there to keep whole packets (current versions do so already).

Read the saved capture back with tcpdump. Filters and options such as -n apply exactly as they do to a live capture, and reading a file needs no special privileges:

# tcpdump -r unixmen.cap

Sample output:

[screenshot of sample output]
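To check that a file saved with -w is complete before relying on it (for example when tcpdump was killed while it was still writing), the script below reads the pcap header and walks the packet records using only dd and od, so it works on a machine where tcpdump is not installed. It is an added example and not part of the original article: it handles the classic libpcap file format only (24-byte global header, 16-byte record headers), the 140-byte sample file it builds is constructed rather than a real capture, and the function names pcap_info, read_uint, make_sample_pcap and make_truncated_pcap are my own.

```shell
#!/bin/sh
# Added example (not from the original article): sanity-check a file written by
# "tcpdump -w" before trusting it. Classic pcap format only, dd/od only.
set -eu

# Print the unsigned integer stored in N bytes at OFFSET of FILE, byte order
# ORDER ("le" or "be"). Fails on a short read.
read_uint() { # FILE OFFSET N ORDER
  hex=$(dd if="$1" bs=1 skip="$2" count="$3" 2>/dev/null | od -A n -v -t x1 | tr -d ' \n')
  [ "${#hex}" -eq $(( $3 * 2 )) ] || return 1
  if [ "$4" = le ]; then
    # reverse the byte pairs so the most significant byte comes first
    hex=$(printf '%s\n' "$hex" | sed 's/\(..\)\(..\)\(..\)\(..\)/\4\3\2\1/; s/^\(..\)\(..\)$/\2\1/')
  fi
  echo $(( 0x$hex ))
}

# Print "ORDER VERSION SNAPLEN LINKTYPE PACKETS STATUS" for FILE. STATUS is ok,
# truncated-header, truncated-packet or corrupt. Returns 1 if FILE is not pcap.
pcap_info() { # FILE
  f=$1
  case $(dd if="$f" bs=1 count=4 2>/dev/null | od -A n -v -t x1 | tr -d ' \n') in
    d4c3b2a1|4d3cb2a1) order=le ;;   # magic 0xa1b2c3d4 (or 0xa1b23c4d for ns stamps), LE writer
    a1b2c3d4|a1b23c4d) order=be ;;   # same magics written by a big-endian host
    0a0d0d0a) echo "pcapng file: not handled by this script"; return 1 ;;
    *) echo "not a pcap file"; return 1 ;;
  esac
  major=$(read_uint "$f" 4 2 "$order"); minor=$(read_uint "$f" 6 2 "$order")
  snaplen=$(read_uint "$f" 16 4 "$order"); linktype=$(read_uint "$f" 20 4 "$order")
  size=$(( $(wc -c < "$f") ))
  off=24; n=0; status=ok
  while [ "$off" -lt "$size" ]; do
    if [ $(( size - off )) -lt 16 ]; then status=truncated-header; break; fi
    incl=$(read_uint "$f" $(( off + 8 )) 4 "$order")      # captured length of this record
    if [ "$incl" -gt "$snaplen" ]; then status=corrupt; break; fi   # cannot exceed the snaplen
    if [ $(( off + 16 + incl )) -gt "$size" ]; then status=truncated-packet; break; fi
    off=$(( off + 16 + incl )); n=$(( n + 1 ))
  done
  echo "$order $major.$minor $snaplen $linktype $n $status"
}

# Constructed sample: little-endian header (v2.4, snaplen 262144, linktype 1 =
# Ethernet) followed by two 42-byte records with filler payload. Not a real capture.
make_sample_pcap() { # FILE
  {
    printf '\324\303\262\241\002\000\004\000\000\000\000\000\000\000\000\000\000\000\004\000\001\000\000\000'
    for ts in '\000\361\123\145' '\001\361\123\145'; do   # ts_sec 1700000000 and +1, little-endian
      printf "$ts"'\000\000\000\000\052\000\000\000\052\000\000\000'   # ts_usec 0, incl_len = orig_len = 42
      printf '%042d' 0                                                  # 42 bytes of filler
    done
  } > "$1"
}

# Copy a capture minus its last 10 bytes, as if tcpdump had been killed mid-write.
make_truncated_pcap() { # GOOD_FILE OUT_FILE
  dd if="$1" of="$2" bs=1 count=$(( $(wc -c < "$1") - 10 )) 2>/dev/null
}

main() {
  dir=$(mktemp -d)
  make_sample_pcap "$dir/good.cap"
  make_truncated_pcap "$dir/good.cap" "$dir/cut.cap"
  for f in "$dir/good.cap" "$dir/cut.cap"; do
    printf '%s: ' "$f"; pcap_info "$f"
  done
  rm -rf "$dir"
}
main
```

Run it on a real file with `pcap_info unixmen.cap`: the packet count should match what `tcpdump -r unixmen.cap | wc -l` reports, and anything other than ok in the last field means the tail of the capture was lost.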

8. Capture only ARP packets, verbosely (-v). Without -i tcpdump uses the default interface; add -i any to watch every interface on Linux.
# tcpdump -v arp

Sample output:

[screenshot of sample output]

9. Show IP addresses instead of names. Without -n tcpdump performs a reverse DNS lookup for every address it prints, which slows the output, can stall it entirely when DNS is unreachable, and sends queries that reveal which addresses you are examining. -n disables host name resolution; -nn also leaves port numbers numeric instead of mapping them to service names.
# tcpdump -n -i eth0

Sample output:

[screenshot of sample output]

10. Look at packets in more detail. -nn disables host and port name resolution, -vv increases verbosity (TTL, IP id, checksums and more), -X prints each packet as hex and ASCII so the payload can be read, and -S prints absolute rather than relative TCP sequence numbers.
# tcpdump -nnvvXS

Sample output:

[screenshot of sample output]
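Once a capture has been saved, the text that tcpdump -nn -r prints is easy to feed to awk. As an added example (not from the original article), the script below finds hosts that sent bare SYNs (Flags [S], not the [S.] of a SYN-ACK) to many distinct targets, a simple port-scan indicator, and lists the busiest sources. The input lines are a constructed sample in tcpdump's -nn output format, not a real capture, and the function names top_talkers, syn_scan_sources and sample_capture_text are my own.

```shell
#!/bin/sh
# Added example (not from the original article): scan indicators from the text
# of "tcpdump -nn -r capture.cap" (or live: tcpdump -nn -i eth0 'tcp[tcpflags] &
# (tcp-syn|tcp-ack) == tcp-syn'). Needs only awk and sort, not tcpdump.
set -eu

# Constructed sample of "tcpdump -nn" output: 10.0.0.5 probes five ports on
# 10.0.0.9 within a second; 10.0.0.7 is a normal SSH client plus one ping.
sample_capture_text() {
cat <<'EOF'
14:03:21.000001 IP 10.0.0.5.40001 > 10.0.0.9.22: Flags [S], seq 1, win 1024, length 0
14:03:21.000120 IP 10.0.0.9.22 > 10.0.0.5.40001: Flags [S.], seq 1, ack 2, win 64240, length 0
14:03:21.000200 IP 10.0.0.5.40002 > 10.0.0.9.80: Flags [S], seq 1, win 1024, length 0
14:03:21.000250 IP 10.0.0.9.80 > 10.0.0.5.40002: Flags [R.], seq 0, ack 2, win 0, length 0
14:03:21.000300 IP 10.0.0.5.40003 > 10.0.0.9.443: Flags [S], seq 1, win 1024, length 0
14:03:21.000400 IP 10.0.0.5.40004 > 10.0.0.9.3389: Flags [S], seq 1, win 1024, length 0
14:03:21.000500 IP 10.0.0.5.40005 > 10.0.0.9.8080: Flags [S], seq 1, win 1024, length 0
14:03:22.100000 IP 10.0.0.7.51234 > 10.0.0.9.22: Flags [S], seq 100, win 64240, length 0
14:03:22.100300 IP 10.0.0.9.22 > 10.0.0.7.51234: Flags [S.], seq 500, ack 101, win 64240, length 0
14:03:22.100500 IP 10.0.0.7.51234 > 10.0.0.9.22: Flags [.], ack 1, win 502, length 0
14:03:22.200000 IP 10.0.0.7 > 10.0.0.9: ICMP echo request, id 7, seq 1, length 64
EOF
}

# awk helper: strip the ".port" suffix tcpdump appends to an IPv4 address
# (an address with a port has four dots; ICMP lines carry no port).
AWK_HOST='function host(f) { if (gsub(/\./, ".", f) == 4) sub(/\.[0-9]+$/, "", f); return f }'

# Packets per source host, busiest first: top_talkers FILE N
top_talkers() {
  awk "$AWK_HOST"'
    $2 == "IP" { count[host($3)]++ }
    END { for (s in count) print count[s], s }' "$1" | sort -k1,1nr -k2,2 | head -n "$2"
}

# Sources that sent a bare SYN to at least N distinct host:port targets,
# printed as "source targets": syn_scan_sources FILE N
syn_scan_sources() {
  awk -v thr="$2" "$AWK_HOST"'
    $2 == "IP" && $6 == "Flags" && $7 == "[S]," {
      src = host($3); dst = $5; sub(/:$/, "", dst)
      if (!((src, dst) in seen)) { seen[src, dst] = 1; targets[src]++ }
    }
    END { for (s in targets) if (targets[s] >= thr) print s, targets[s] }' "$1" | sort
}

main() {
  tmp=$(mktemp)
  sample_capture_text > "$tmp"
  echo "top talkers:";                      top_talkers "$tmp" 3
  echo "possible scanners (>= 4 targets):"; syn_scan_sources "$tmp" 4
  rm -f "$tmp"
}
main
```

On a real file replace sample_capture_text with `tcpdump -nn -r unixmen.cap > capture.txt` and pass capture.txt to the functions; the threshold is a judgement call, since a load balancer or a vulnerability scanner you run yourself will also open many ports.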

These are only a few of the options tcpdump offers; we will try to provide more tutorials on security tools in the future.

Conclusion

tcpdump is an easy to use tool: apart from libpcap, which the package manager pulls in automatically, no supporting packages need to be installed or configured. Its pcap (.cap) capture format is read by Wireshark, tshark and most other network analysis tools.

Have fun!!