Packet capture under Linux: the tcpdump command in detail

tcpdump is a command-line utility that can be used to capture and inspect network traffic going to and from a system. It is the most common tool network administrators use for troubleshooting network problems and for security testing.

Despite its name, tcpdump can also capture non-TCP traffic such as UDP, ARP or ICMP. Captured packets can be written to a file or to standard output. One of the most powerful features of the tcpdump command is its ability to use filters and capture only the data you want to analyze.

In this article, we cover the basics of using the tcpdump command on Linux.


Installing tcpdump

tcpdump is installed by default on most Linux distributions and on macOS. To check whether the tcpdump command is available on your system, run tcpdump with the --version option.

The output should look like this:

tcpdump version 4.9.2
libpcap version 1.8.1
OpenSSL 1.1.1  11 Sep 2018


If tcpdump is not installed on your system, the command above prints "No such file or directory". You can easily install tcpdump with your distribution's package manager.


Install tcpdump on Ubuntu and Debian

$sudo apt update && sudo apt install tcpdump

Install tcpdump on CentOS and Fedora

$sudo yum install tcpdump

Install tcpdump on Arch Linux

$sudo pacman -S tcpdump

Capturing packets with tcpdump

The general syntax of tcpdump command is as follows:

tcpdump [options] [filter expression]

  • The command options control the behavior of the command.
  • The filter expression defines which packets are captured.

Only the root user or a user with sudo privileges can run tcpdump. If you try to run the command as an unprivileged user, you get an error like the following:

tcpdump: ens33: You don't have permission to capture on that device
(socket: Operation not permitted)


The simplest use case is invoking tcpdump without any options or filters. It then prints one line per captured packet.


tcpdump keeps capturing packets and writing them to standard output until it receives an interrupt signal. Press Ctrl+C to send the interrupt signal and stop the command.

To get more detailed output, pass the -v option, or -vv for even more verbose output.

Use the -c option to specify the number of packets to capture. For example, to capture only 5 packets, pass -c 5.


Once the requested number of packets has been captured, tcpdump stops.

If you do not specify an interface, tcpdump uses the first interface it finds and dumps all packets passing through that interface.

Use the -D option to print a list of all available network interfaces on which tcpdump can capture packets.

For each interface, the command prints the interface name, a short description and the associated index (number):

Output:
1.ens33 [Up, Running]
2.any (Pseudo-device that captures on all interfaces) [Up, Running]
3.lo [Up, Running, Loopback]
4.bluetooth0 (Bluetooth adapter number 0)
5.nflog (Linux netfilter log (NFLOG) interface)
6.nfqueue (Linux netfilter queue (NFQUEUE) interface)
7.usbmon1 (USB bus number 1)
8.usbmon2 (USB bus number 2)


In the output above, the first interface, ens33, is the one tcpdump finds and uses when the command is given no interface. The second, any, is a special pseudo-device that lets you capture activity on all interfaces at once.

To specify the interface on which you want to capture traffic, invoke the command with the -i option followed by the interface name or its index. For example, to capture packets from all interfaces, specify the any interface with -i any.


By default, tcpdump performs reverse DNS resolution on IP addresses and translates port numbers into service names. Use the -n option to disable this conversion.

Skipping the DNS lookups avoids generating extra DNS traffic and makes the output more readable. Using this option whenever you invoke tcpdump is recommended.

Instead of displaying the output on the screen, you can redirect it to a file with the > and >> redirection operators.

You can also pipe the output through the tee command to view the data and save it to a file at the same time.

In that case, pass the -l option to make tcpdump line-buffer its output. Without this option, each new line is not written to the screen as soon as it is generated.

Understanding tcpdump output

tcpdump prints each captured packet on a new line. Each line includes a timestamp and information about the packet, which varies with the protocol.

A typical line for the TCP protocol has the following format:

[Timestamp] [Protocol] [Src IP].[Src Port] > [Dst IP].[Dst Port]: [Flags], [Seq], [Ack], [Win Size], [Options], [Data Length]

Let's look at the following example line and describe each field:

21:53:20.460144 IP 192.168.182.166.57494 > 35.222.85.5.80: Flags [P.], seq 1:88, ack 1, win 29200,  options [nop,nop,TS val 1067794587 ecr 2600218930], length 87

  • 21:53:20.460144 - the timestamp of the captured packet in local time, in the format hours:minutes:seconds.frac, where frac is the fraction of a second since midnight.
  • IP - the packet protocol. In this case, IP stands for Internet Protocol version 4 (IPv4).
  • 192.168.182.166.57494 - the source IP address and port, separated by a dot (.).
  • 35.222.85.5.80 - the destination IP address and port, separated by a dot (.).
  • Flags [P.] - the TCP flags field. In this example, [P.] means push-acknowledgment: the packet acknowledges the previous packet and carries data. Other typical values of the flags field are:
      • [.] - ACK (Acknowledgment)
      • [S] - SYN (Start Connection)
      • [P] - PSH (Push Data)
      • [F] - FIN (Finish Connection)
      • [R] - RST (Reset Connection)
      • [S.] - SYN-ACK (SYN-ACK packet)
  • seq 1:88 - the sequence number in first:last notation. It shows the range of data bytes contained in the packet. Except for the first packet of a data stream, where the numbers are absolute, all subsequent packets use relative byte positions. In this example, 1:88 means that the packet contains bytes 1 to 88 of the stream. Use the -S option to print absolute sequence numbers.
  • ack 1 - the acknowledgment number, i.e. the next sequence number this end of the connection expects to receive.
  • win 29200 - the window size, i.e. the number of bytes available in the receive buffer.
  • options [nop,nop,TS val 1067794587 ecr 2600218930] - the TCP options. nop, or "no operation", is padding used to make the TCP header a multiple of 4 bytes. TS val is the TCP timestamp value and ecr is the echo reply. See the IANA documentation for more information about TCP options.
  • length 87 - the length of the payload data.
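The field layout above is regular enough to parse mechanically, which is what you want when a capture runs to thousands of lines. The following is an added example, not code from the article or from the tcpdump project: a small parser for tcpdump's TCP summary lines that turns each line into named fields and decodes the flag letters, plus a helper that counts pure SYNs (SYN set, ACK clear) per source address, a quick first triage step for spotting connection-attempt bursts. It assumes the -n option was used, so ports are numeric; the sample lines after the article's own are constructed.

```python
"""Parse tcpdump's one-line-per-packet TCP summaries into named fields.

Added example, not code from the article or from the tcpdump project. The
regular expression follows the field layout described above and is applied to
the article's sample line plus three constructed lines.
"""
import re

# Layout: [Timestamp] [Protocol] [Src IP].[Src Port] > [Dst IP].[Dst Port]: [Flags], [Seq], [Ack], [Win], [Options], [Length]
TCP_LINE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+)\s+"
    r"(?P<proto>IP6?)\s+"
    r"(?P<src_ip>[\w.:-]+)\.(?P<src_port>\w+)\s+>\s+"
    r"(?P<dst_ip>[\w.:-]+)\.(?P<dst_port>\w+):\s+"
    r"Flags\s+\[(?P<flags>[^\]]*)\]"
    r"(?:,\s+seq\s+(?P<seq>\d+(?::\d+)?))?"
    r"(?:,\s+ack\s+(?P<ack>\d+))?"
    r"(?:,\s+win\s+(?P<win>\d+))?"
    r"(?:,\s+options\s+\[(?P<options>[^\]]*)\])?"
    r",\s+length\s+(?P<length>\d+)$"
)

# Single-letter flag codes as printed by tcpdump.
FLAG_NAMES = {".": "ACK", "S": "SYN", "P": "PSH", "F": "FIN", "R": "RST",
              "U": "URG", "E": "ECE", "W": "CWR"}


def parse_tcp_line(line):
    """Return a dict of fields for one TCP summary line, or None if it does not match."""
    m = TCP_LINE.match(line.strip())
    if not m:
        return None
    fields = m.groupdict()
    fields["flags"] = [FLAG_NAMES.get(c, c) for c in fields["flags"]]
    for key in ("src_port", "dst_port", "ack", "win", "length"):
        if fields[key] is not None and fields[key].isdigit():
            fields[key] = int(fields[key])
    if fields["seq"] is not None:
        # "first:last" is a range of byte positions; a lone number is a single sequence number
        first, _, last = fields["seq"].partition(":")
        fields["seq"] = (int(first), int(last) if last else int(first))
    return fields


def syn_counts(text):
    """Count pure SYNs (SYN set, ACK clear) per source address over a block of tcpdump output."""
    counts = {}
    for line in text.splitlines():
        p = parse_tcp_line(line)
        if p and "SYN" in p["flags"] and "ACK" not in p["flags"]:
            counts[p["src_ip"]] = counts.get(p["src_ip"], 0) + 1
    return counts


# Constructed sample: the article's line followed by three made-up lines.
SAMPLE_OUTPUT = """\
21:53:20.460144 IP 192.168.182.166.57494 > 35.222.85.5.80: Flags [P.], seq 1:88, ack 1, win 29200,  options [nop,nop,TS val 1067794587 ecr 2600218930], length 87
21:53:21.000001 IP 10.0.0.9.40000 > 192.168.182.166.22: Flags [S], seq 123456789, win 64240, options [mss 1460,sackOK,TS val 1 ecr 0,nop,wscale 7], length 0
21:53:21.000200 IP 10.0.0.9.40001 > 192.168.182.166.23: Flags [S], seq 123456790, win 64240, options [mss 1460], length 0
21:53:22.500000 IP 35.222.85.5.80 > 192.168.182.166.57494: Flags [F.], seq 1, ack 88, win 235, options [nop,nop,TS val 2600219000 ecr 1067794587], length 0
"""

if __name__ == "__main__":
    for line in SAMPLE_OUTPUT.splitlines():
        p = parse_tcp_line(line)
        print(p["ts"], p["src_ip"], p["src_port"], "->", p["dst_ip"], p["dst_port"], p["flags"], "len", p["length"])
    print("pure SYNs per source:", syn_counts(SAMPLE_OUTPUT))
```

Lines that do not match the TCP layout (UDP, ARP, ICMP, or verbose -v output) return None rather than raising, so the parser can be run over a mixed capture and simply skip what it does not understand.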

tcpdump filters

When tcpdump is invoked without a filter, it captures all traffic and produces a huge amount of output, which makes finding and analyzing the packets you are interested in very difficult.

Filters are one of the most powerful features of the tcpdump command, because they let you capture only the packets that match an expression. For example, when troubleshooting problems related to a web server, you can use a filter to obtain only HTTP traffic.

tcpdump uses the Berkeley Packet Filter (BPF) syntax to filter the captured packets by various parameters, such as protocol, source and destination IP address, port, and so on.

In this article we cover some of the most common filters. For the full list of available filters, see the pcap-filter manual page.

Filtering by protocol

To restrict the capture to a specific protocol, specify the protocol as the filter. For example, to capture only UDP traffic, use:

$sudo tcpdump -n udp

Another way is to use the proto qualifier followed by the protocol number. The following command filters on protocol number 17 and produces the same result as above:

$sudo tcpdump -n proto 17

For more information about protocol numbers, consult the list of IP protocol numbers.

Filtering by host

To capture only packets related to a specific host, use the host qualifier:

$sudo tcpdump -n host 192.168.1.185

The host can be an IP address or a name.

You can also use the net qualifier to filter the output to a given IP range. For example, to dump only packets related to 10.10.0.0/16, use:

$sudo tcpdump -n net 10.10

Filtering by port

To limit the capture to packets from or to a specific port, use the port qualifier. The following command captures packets related to the SSH service (port 22):

$sudo tcpdump -n port 22

The portrange qualifier lets you capture traffic in a range of ports:

$sudo tcpdump -n portrange 110-150

Filtering by source and destination

You can also filter packets by source or destination host or port using the src, dst, src and dst, and src or dst qualifiers.

The following command captures packets whose source is the host 192.168.1.185:

$sudo tcpdump -n src host 192.168.1.185

To find traffic from any source to port 80, use:

$sudo tcpdump -n dst port 80

Complex filters

Filters can be combined using the and (&&), or (||) and not (!) operators.

For example, to capture all HTTP traffic coming from the source IP address 192.168.1.185, use the following command:

$sudo tcpdump -n src 192.168.1.185 and tcp port 80

You can also use parentheses to group filters and build more complex expressions:

$sudo tcpdump -n 'host 192.168.1.185 and (tcp port 80 or tcp port 443)'

To avoid parsing errors when the filter contains special characters, enclose it in single quotes.

Here is another example: the command captures all traffic from the source IP address 192.168.1.185 except SSH:

$sudo tcpdump -n src 192.168.1.185 and not dst port 22

Inspecting packets

By default, tcpdump captures only the packet headers. Sometimes, however, you need to examine the contents of the packets.

tcpdump lets you print the packet contents in ASCII and in hexadecimal.

The -A option tells tcpdump to print the contents of each packet in ASCII; the -x option prints them in hexadecimal instead:

$sudo tcpdump -n -A

To display the contents of each packet in both hexadecimal and ASCII, use the -X option:

$sudo tcpdump -n -X

Reading and writing captures to a file

Another useful feature of tcpdump is writing packets to a file. This is handy when you capture a large number of packets or when you want to capture packets for later analysis.

To start writing to a file, use the -w option followed by the output capture file:

$sudo tcpdump -n -w data.pcap

The command above saves the capture to a file named data.pcap. You can name the file as you like, but the .pcap extension (packet capture) is a common convention.

When the -w option is used, the output is not displayed on the screen. tcpdump writes the raw packets and creates a binary file that a regular text editor cannot read.

To inspect the contents of the file, invoke tcpdump with the -r option:

$sudo tcpdump -r data.pcap

If you want to run tcpdump in the background, add an ampersand (&) at the end of the command.

You can also inspect capture files with other packet analyzer tools such as Wireshark.
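The file that -w writes and -r reads is the classic libpcap format: a 24-byte global header followed by a 16-byte record header and the raw frame for each packet. Knowing that layout makes it easy to post-process a capture without tcpdump at all, and it also lets you see exactly what a filter such as the 'host ... and (tcp port 80 or tcp port 443)' expression from the complex-filter section above matches. The following is an added example, not code from the article or from the tcpdump project: it constructs four synthetic Ethernet/IPv4/TCP frames (checksums left at zero, addresses taken from the article's 192.168.1.185 example and the documentation address ranges), serializes them in libpcap format using only the Python standard library, reads the bytes back, and applies a host-and-port filter with the same semantics as the BPF expression. The function names and sample data are the example's own.

```python
"""Write a small pcap in memory, read it back and apply a host/port filter.

Added example, not code from the article or the tcpdump project. The frames,
addresses and timestamps are constructed; checksums are left at zero.
"""
import io
import socket
import struct

PCAP_MAGIC = 0xA1B2C3D4          # classic libpcap magic, microsecond timestamps
PCAP_MAGIC_SWAPPED = 0xD4C3B2A1  # the same file written in the other byte order
LINKTYPE_ETHERNET = 1


def build_tcp_frame(src_ip, src_port, dst_ip, dst_port, payload=b""):
    """Minimal Ethernet + IPv4 + TCP frame (constructed; checksums zero)."""
    eth = b"\x00" * 12 + b"\x08\x00"                     # MACs, EtherType IPv4
    tcp = struct.pack("!HHIIBBHHH", src_port, dst_port,  # ports
                      1, 1,                              # seq, ack
                      5 << 4, 0x18,                      # data offset 5 words, PSH+ACK
                      29200, 0, 0) + payload             # window, checksum, urgent pointer
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    return eth + ip + tcp


def write_pcap(frames):
    """Serialize frames in libpcap format: 24-byte global header, then 16-byte record headers."""
    buf = io.BytesIO()
    buf.write(struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET))
    for i, frame in enumerate(frames):
        # ts_sec, ts_usec, captured length, original length
        buf.write(struct.pack("<IIII", 1_600_000_000 + i, 0, len(frame), len(frame)))
        buf.write(frame)
    return buf.getvalue()


def read_pcap(data):
    """Yield (timestamp, frame) records; the magic number tells us the byte order."""
    magic = struct.unpack("<I", data[:4])[0]
    if magic == PCAP_MAGIC:
        endian = "<"
    elif magic == PCAP_MAGIC_SWAPPED:
        endian = ">"
    else:
        raise ValueError("not a classic pcap file")
    offset = 24
    while offset + 16 <= len(data):
        ts_sec, ts_usec, incl_len, _orig_len = struct.unpack(endian + "IIII", data[offset:offset + 16])
        offset += 16
        yield ts_sec + ts_usec / 1e6, data[offset:offset + incl_len]
        offset += incl_len


def decode_ipv4_tcp(frame):
    """Return (src_ip, src_port, dst_ip, dst_port) for an IPv4/TCP frame, else None."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
        return None
    ihl = (frame[14] & 0x0F) * 4
    tcp = frame[14 + ihl:14 + ihl + 4]
    if len(tcp) < 4:
        return None
    src_port, dst_port = struct.unpack("!HH", tcp)
    return (socket.inet_ntoa(frame[26:30]), src_port,
            socket.inet_ntoa(frame[30:34]), dst_port)


def matches(pkt, host, ports):
    """Same semantics as `host H and (tcp port P1 or tcp port P2)`: either endpoint may match."""
    src_ip, src_port, dst_ip, dst_port = pkt
    return host in (src_ip, dst_ip) and (src_port in ports or dst_port in ports)


def filter_capture(data, host, ports):
    """Decode every record in a pcap byte string and keep those the filter accepts."""
    hits = []
    for _ts, frame in read_pcap(data):
        pkt = decode_ipv4_tcp(frame)
        if pkt is not None and matches(pkt, host, ports):
            hits.append(pkt)
    return hits


# Constructed capture: two flows that should match, one SSH flow, and one from another host.
SAMPLE_CAPTURE = write_pcap([
    build_tcp_frame("192.168.1.185", 51000, "203.0.113.10", 80, b"GET / HTTP/1.1\r\n"),
    build_tcp_frame("203.0.113.10", 443, "192.168.1.185", 51001),
    build_tcp_frame("192.168.1.185", 51002, "198.51.100.5", 22),
    build_tcp_frame("198.51.100.7", 40000, "198.51.100.5", 80),
])

if __name__ == "__main__":
    for src_ip, src_port, dst_ip, dst_port in filter_capture(SAMPLE_CAPTURE, "192.168.1.185", {80, 443}):
        print("%s.%d > %s.%d" % (src_ip, src_port, dst_ip, dst_port))
```

Note that host and port qualifiers match either endpoint unless you add src or dst, which is why the reply from port 443 back to 192.168.1.185 is kept. The reader honours the magic number so that a capture written on a big-endian machine is decoded correctly, and it only covers the classic format; pcapng files, which newer tools may produce, start with a different block header.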

When capturing packets over a long period, you can enable file rotation. tcpdump lets you create new files, or rotate the dump file, at a specified time interval or at a fixed size. The following command creates up to five 200 MB files, named file.pcap0, file.pcap1, and so on, before overwriting the older files:

$sudo tcpdump -n -W 5 -C 200 -w /tmp/file.pcap

Once five files have been generated, the older files are overwritten.

Note that you should run tcpdump only while troubleshooting.

If you want to start tcpdump at a specific time, you can use a cron job. tcpdump has no option to exit after a given time, but you can use the timeout command to stop it after a period of time. For example, to exit after one minute, use:

$sudo timeout 60 tcpdump -n -w data.pcap

Summary

tcpdump is a command-line tool for analyzing and troubleshooting network-related problems.

This article introduced the basic usage and syntax of tcpdump. For more in-depth documentation, visit the tcpdump website.

If you have any questions or feedback, please feel free to comment.


Source: www.linuxidc.com/Linux/2020-02/162226.htm