
TCPDump is an essential tool for security professionals, system administrators, and network administrators. It provides capabilities to capture and analyze network traffic. Here are the most common reasons why TCPDump is useful:
- Troubleshooting networks: TCPDump lets network administrators capture packets and analyze them for traffic patterns and possible anomalies. It is essential for diagnosing problems such as packet loss, high latency, and connectivity failures.
- Monitoring network performance: TCPDump captures traffic that helps in monitoring network performance and identifying bottlenecks. This data helps network administrators optimize their infrastructure and keep data flowing efficiently.
- Pinpointed data: TCPDump can capture only the traffic that needs to be examined. For example, traffic can be filtered by IP address, port, protocol, and other packet attributes. This allows focused monitoring, analysis, and troubleshooting.
- Security: TCPDump is an integral part of analyzing network traffic for suspicious activity. By capturing and analyzing packets, a DevSecOps professional can detect activity such as unauthorized access or malware communication. TCPDump helps in both detecting and investigating incidents.
TCPDump Examples
In this guide we show a number of TCPDump examples, explain how to read their output, and describe how to use the tool's capabilities. We walk through how to capture traffic with TCPDump and then give several example commands together with their applications.
Basic Syntax
The basic command to capture traffic on a specific network interface is
sudo tcpdump -i interface
This command captures all packets on the specified interface and displays them in the terminal. Press Ctrl+C to stop capturing.
How to Limit the Packet Capture Count
Use the “-c” flag to stop the capture after a specified number of packets. The syntax for this use case is:
sudo tcpdump -c n -i interface
In this command, n is the number of packets after which the data packet capture should stop.
To View the Packet Content
With the “-A” flag, you can view the contents of the packet in ASCII format. Here is one more TCPDump example command to view the contents of the packets captured.
sudo tcpdump -A -c number -i interface
The “-XX” flag prints each captured packet in both hexadecimal and ASCII, including the link-level (Ethernet) header:
sudo tcpdump -XX -c number -i interface
How to Save the Captured Packets
With the “-w” flag, you can save the captured packets to a file. Here is the syntax to save the captured packets.
sudo tcpdump -w /dir/packets.pcap -c number -i interface
Reading the Saved Packet Capture File
To read the file containing all the saved data packets, use the “-r” flag.
sudo tcpdump -r /dir/packets.pcap
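The file that “-w” produces and “-r” reads back is a classic libpcap capture: a 24-byte global header followed by one 16-byte record header per packet. The following added example (not code from the original page or from the tcpdump project) writes a small pcap file from constructed frames and parses it back, including the case where a packet was truncated at the snapshot length. It assumes tcpdump's default output format (microsecond-resolution magic number, Ethernet link type); the frame contents and timestamps are made up for the demonstration.

```python
import os
import struct
import tempfile

# Classic libpcap file layout, which is what tcpdump -w writes by default
# (assumption: microsecond-resolution magic and Ethernet link type).
PCAP_MAGIC = 0xA1B2C3D4
LINKTYPE_ETHERNET = 1
GLOBAL_HEADER = "IHHiIII"   # magic, major, minor, thiszone, sigfigs, snaplen, linktype
RECORD_HEADER = "IIII"      # ts_sec, ts_usec, incl_len, orig_len


def write_pcap(path, packets, snaplen=262144):
    """Save (timestamp, frame_bytes) pairs as a pcap file, truncating each frame to snaplen."""
    with open(path, "wb") as f:
        f.write(struct.pack("<" + GLOBAL_HEADER, PCAP_MAGIC, 2, 4, 0, 0, snaplen, LINKTYPE_ETHERNET))
        for ts, frame in packets:
            ts_sec = int(ts)
            ts_usec = int(round((ts - ts_sec) * 1_000_000))
            captured = frame[:snaplen]          # incl_len may be shorter than orig_len
            f.write(struct.pack("<" + RECORD_HEADER, ts_sec, ts_usec, len(captured), len(frame)))
            f.write(captured)


def read_pcap(path):
    """Parse a pcap file into (timestamp, captured_bytes, original_length) tuples."""
    with open(path, "rb") as f:
        data = f.read()
    # The magic number doubles as a byte-order marker: a file written on a
    # little-endian host starts d4 c3 b2 a1, a big-endian one a1 b2 c3 d4.
    if data[:4] == struct.pack("<I", PCAP_MAGIC):
        endian = "<"
    elif data[:4] == struct.pack(">I", PCAP_MAGIC):
        endian = ">"
    else:
        raise ValueError("not a classic pcap file: magic %r" % data[:4])
    _, major, minor, _, _, _snaplen, linktype = struct.unpack(endian + GLOBAL_HEADER, data[:24])
    if (major, minor) != (2, 4) or linktype != LINKTYPE_ETHERNET:
        raise ValueError("unsupported pcap version %d.%d or link type %d" % (major, minor, linktype))
    packets, offset = [], 24
    while offset + 16 <= len(data):
        ts_sec, ts_usec, incl_len, orig_len = struct.unpack(endian + RECORD_HEADER, data[offset:offset + 16])
        offset += 16
        frame = data[offset:offset + incl_len]
        if len(frame) != incl_len:
            # A capture killed mid-write leaves a short final record; report it rather than guess.
            raise ValueError("truncated record at offset %d" % offset)
        offset += incl_len
        packets.append((ts_sec + ts_usec / 1_000_000, frame, orig_len))
    return packets


def roundtrip(packets, snaplen=262144):
    """Write the packets to a temporary file and read them back, returning read_pcap's result."""
    fd, path = tempfile.mkstemp(suffix=".pcap")
    os.close(fd)
    try:
        write_pcap(path, packets, snaplen)
        return read_pcap(path)
    finally:
        os.remove(path)


# Constructed sample frames (not captured traffic): a 60-byte and a 300-byte blob.
SAMPLE = [(1700000000.25, b"\x01" * 60), (1700000001.5, b"\x02" * 300)]

if __name__ == "__main__":
    for ts, frame, orig_len in roundtrip(SAMPLE, snaplen=96):
        print("%.6f captured %d of %d bytes" % (ts, len(frame), orig_len))
```

The incl_len/orig_len pair in each record is why a capture taken with a small snapshot length still reports the true packet sizes even though the stored bytes are cut short; a parser that trusts only incl_len will silently misreport packet lengths.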
TCPDump Examples for Filtering Data Traffic
TCPDump offers many options to filter the data traffic based on protocols, IP addresses, and ports. Here are some TCPDump examples to filter the data packets.
Filtering Data Packets by Packet Attributes
Use this syntax to capture only UDP packets:
sudo tcpdump -i interface udp
Use this syntax to capture only TCP packets:
sudo tcpdump -i interface tcp
To filter packets by port (matching either the source or the destination port), use this syntax:
sudo tcpdump -i interface port XX
To match packets on more than one port, combine the port primitives with “or”:
sudo tcpdump -i interface port XX or port XXX
To capture packets from a selected source IP, use the “src” qualifier:
sudo tcpdump -i interface src XXX.XXX.X.X
To capture packets to a selected destination IP, use the “dst” qualifier:
sudo tcpdump -i interface dst XXX.XXX.X.X
Some Advanced TCPDump Examples
The byte at offset 13 of the TCP header holds the flag bits (SYN is 0x02, RST is 0x04), and tcpdump lets you test it directly with the tcp[13] expression. To capture only TCP SYN packets, use this command:
tcpdump 'tcp[13] & 2 != 0'
To capture only TCP RST packets, execute this command:
tcpdump 'tcp[13] & 4 != 0'
Some Real World TCPDump Examples
Use this command to capture only HTTP traffic on port 80 (here on the interface enp0s3):
sudo tcpdump -i enp0s3 port 80
Here is a TCPDump example to capture traffic from a source host to a destination host:
sudo tcpdump -i enp0s3 src XXX.XXX.X.X and dst XXX.XXX.X.Y
To filter packets by size, use the “less” and “greater” primitives or a comparison on “len”. “less 32” matches packets of 32 bytes or fewer, “greater 64” matches packets of 64 bytes or more, and the “len” form expresses the same check explicitly. Quote the expression so the shell does not treat “<=” as a redirection.
tcpdump less 32
tcpdump greater 64
tcpdump 'len <= 128'
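The filter expressions above (udp, tcp, port, src, dst, the tcp[13] flag tests and the less/greater length tests) are easier to trust once you see exactly which header bytes each one inspects. The following added example (not code from the original page or from the tcpdump project) constructs four Ethernet/IPv4 frames with documentation addresses, decodes the fields the primitives test, and evaluates each page expression against them. The frames, addresses and ports are made up; checksums are left at zero because nothing here sends them on a wire.

```python
import struct

ETH_P_IP = 0x0800
IPPROTO_TCP, IPPROTO_UDP = 6, 17
TCP_SYN, TCP_RST = 0x02, 0x04   # bits in the TCP flags byte, which BPF addresses as tcp[13]


def build_frame(src_ip, dst_ip, proto, sport, dport, flags=0, payload=b""):
    """Build an Ethernet/IPv4/(TCP|UDP) frame. Checksums are left zero: constructed test data only."""
    if proto == IPPROTO_TCP:
        # sport, dport, seq, ack, data offset (5 words), flags, window, checksum, urgent
        l4 = struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, flags, 65535, 0, 0)
    else:
        l4 = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0)
    l4 += payload
    src = bytes(int(o) for o in src_ip.split("."))
    dst = bytes(int(o) for o in dst_ip.split("."))
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64, proto, 0, src, dst)
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + struct.pack("!H", ETH_P_IP)
    return eth + ip + l4


def decode(frame):
    """Extract the fields tcpdump's filter primitives test; None for non-IPv4 frames."""
    if struct.unpack("!H", frame[12:14])[0] != ETH_P_IP:
        return None
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4          # header length in bytes, so options are skipped correctly
    proto = ip[9]
    l4 = ip[ihl:]
    sport, dport = struct.unpack("!HH", l4[:4])
    return {
        "len": len(frame),
        "proto": proto,
        "src": ".".join(str(b) for b in ip[12:16]),
        "dst": ".".join(str(b) for b in ip[16:20]),
        "sport": sport,
        "dport": dport,
        "tcp_flags": l4[13] if proto == IPPROTO_TCP else None,   # the byte BPF calls tcp[13]
    }


# Each key is a filter expression from the page; the value is what it tests.
# Note the parentheses around the mask: in Python '!=' binds tighter than '&'.
FILTERS = {
    "udp": lambda p: p["proto"] == IPPROTO_UDP,
    "tcp": lambda p: p["proto"] == IPPROTO_TCP,
    "port 80": lambda p: 80 in (p["sport"], p["dport"]),          # either direction
    "port 53 or port 443": lambda p: bool({53, 443} & {p["sport"], p["dport"]}),
    "src 192.0.2.10": lambda p: p["src"] == "192.0.2.10",
    "dst 198.51.100.7": lambda p: p["dst"] == "198.51.100.7",
    "src 192.0.2.10 and dst 198.51.100.7": lambda p: p["src"] == "192.0.2.10" and p["dst"] == "198.51.100.7",
    "tcp[13] & 2 != 0": lambda p: p["tcp_flags"] is not None and (p["tcp_flags"] & TCP_SYN) != 0,
    "tcp[13] & 4 != 0": lambda p: p["tcp_flags"] is not None and (p["tcp_flags"] & TCP_RST) != 0,
    "less 64": lambda p: p["len"] <= 64,       # 'less N' means length <= N
    "greater 200": lambda p: p["len"] >= 200,  # 'greater N' means length >= N
}


def apply_filter(expr, frames):
    """Return the indices of frames the named expression would let through."""
    pred = FILTERS[expr]
    matched = []
    for i, frame in enumerate(frames):
        fields = decode(frame)
        if fields is not None and pred(fields):
            matched.append(i)
    return matched


# Constructed sample capture using documentation addresses (RFC 5737); not real traffic.
FRAMES = [
    build_frame("192.0.2.10", "198.51.100.7", IPPROTO_TCP, 40000, 80, flags=TCP_SYN),             # 0: SYN, 54 bytes
    build_frame("198.51.100.7", "192.0.2.10", IPPROTO_TCP, 80, 40000, flags=TCP_RST),             # 1: RST, 54 bytes
    build_frame("192.0.2.10", "203.0.113.1", IPPROTO_UDP, 5353, 53, payload=b"\x00" * 30),       # 2: UDP, 72 bytes
    build_frame("192.0.2.10", "198.51.100.7", IPPROTO_TCP, 40001, 443, flags=0x18, payload=b"A" * 200),  # 3: PSH/ACK, 254 bytes
]

if __name__ == "__main__":
    for expr in FILTERS:
        print("%-38s -> %s" % (expr, apply_filter(expr, FRAMES)))
```

Two details worth noticing: the “port” primitive matches either endpoint, so a filter on port 80 captures both the request and the reply, and the tcp[13] tests are only meaningful for TCP frames, which is why the predicate first checks that a flags byte exists at all.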
Wrapping Up
TCPDump is an essential tool for security analysis and network diagnostics. Its wide range of options for capturing and filtering packets by source, destination, and other attributes make it a solid tool for diagnosing outages and detecting malware activity.
Related Link
RedHat TCPDump troubleshooting instructions