TcpDump is command line network packet analyser. Mostly used in all Unix and Linux favours. It allow us to capture and analyse network traffic floating on server Ethernet cards. In tcpdump we have great flexibility to capture and filter network packets as per requirement. Mostly we need to analyse traffic for some troubleshooting, where network packets will provide us some leads on issues. TcpDump also allow us to save network traffic in a file, so that we can read and analyse it later or send it to some other team for analyse.

Let’s see some of important examples of tcpdump and their explanation.

1.Capture network packets

If we just run tcpdump, it will capture network floating to and from Machine.

tcpdump

2.Capture for specific Ethernet card

If you run tcpdump without any variable then it will capture only primary interface like eth0 only, but in case you like to capture packets float in or out from specific Ethernet card, then use -i  options which will capture network floating on that specific Ethernet card only. By default it would capture only primary interface like eth0 only

tcpdump -i eth1

3.Capture network packets floating on all interfaces

If we just run tcpdump, it will capture network floating to and from Machine on primary Ethernet card eth0. But if you like to capture network packets on all interfaces, then you could use -i any options with tcpdump

tcpdump -i any

4.How to know Ethernet card available for capturing network

Sometime, it would important to know available interfaces for capturing network data. For that you can use -D option with tcpdump.

tcpdump -D

5.Capture network for specific port or protocol

How to know network traffic generated for specific port. For this we can use port options with tcpdump.

tcpdump port 80
tcpdump port http         #This would include default port of mentioned protocol

6.Capture network for specific port or protocol on specific interface only

How to capture network packets of specific port running in and out on specific interface. For this you could combine -i and port in one command in tcpdump.

tcpdump -i eth1 port 80

7.Capture network for specific source or destination port

How to capture network packets of specific port running in and out on specific interface

tcpdump dst port 22
tcpdump dst port 22

8.Capture network expect for specific port and host

How to capture network packets of expect specific port running in and out on specific interface. Below command will capture all traffic on all interfaces expect ssh port for one specific host.

tcpdump -i any not port 22 and net 192.168.1.104

9.Capture network with verbose output

Sometime we like to see some more information out of tcpdump outputs, tcpdump provides some options for same. Describe below
-v When parsing and printing, produce (slightly more) verbose output. For example, the time to live, identification, total length and options in an IP packet are printed. Also enables additional packet integrity checks such as verifying the IP and ICMP header checksum. When writing to a file with the -w option, report, every 10 seconds, the number of packets captured.
-vv Even more verbose output. For example, additional fields are printed from NFS reply packets, and SMB packets are fully decoded.
-vvv Even more verbose output. For example, telnet SB … SE options are printed in full. With -X Telnet options are printed in hex as well.

tcpdump -v
tcpdump -vv
tcpdump -vvv

10.Capture network with timestamps output

Sometime we need to analyse network packets with timestamps.
-t Don’t print a timestamp on each dump line.
-tt Print an unformatted timestamp on each dump line.
-tttt Print a delta (in micro-seconds) between current and previous line on each dump line.
-tttt Print a timestamp in default format proceeded by date on each dump line.

tcpdump -t
tcpdump -tt
tcpdump -ttt
tcpdump -tttt

11.Capture network with verbose output Hexadecimal and ASCII

Sometime we like to see some more information out of tcpdump outputs, tcpdump provides some options for same. Describe below
-x Print each packet (minus its link level header) in hex. The smaller of the entire packet or snaplen bytes will be printed.Note that this is the entire link-layer packet, so for link layers that pad (e.g. Ethernet), the padding bytes will also be printed when the higher layer packet is shorter than the require padding.
-xx Print each packet, including its link level header, in hex.
-X Print each packet (minus its link level header) in hex and ASCII. This is very handy for analysing new protocols.
-XX Print each packet, including its link level header, in hex and ASCII.

tcpdump -x
tcpdump -xx
tcpdump -X
tcpdump -XX

12.Capture network and exit after 5 packets

Sometime we don’t want to capture entire network for long time, we just like to see network for some number of packets. for same we can use -c with number of packets that like capture in tcpdump.

tcpdump -c 5 -n port 3875

13.Capture network between localhost and another host

Sometime we like to monitor network packets between present server and some another host. This could be done by using net option with tcpdump.

tcpdump net srv12.geekpills.com

14.Capture network for source or destination host

Sometime we like to capture network packets on basis some source and destination Hostname or IP address, These could easily be done by src and dst Address.

tcpdump src srv34.geekpills.com
tcpdump dst srv87.geekpills.com

15.Capture icmp and snmp packets

How to capture network packets for icmp or SNMP, sometime we like to monitor network packets for SNMP traffic. These traffic are used to monitor SNMP data floating to monitor various devices over network between SNMP clients and SNMP servers to collect data that could help for monitoring purpose.

tcpdump icmp
tcpdump port 161 or port 162

16.Capture network packets for port-range

We can capture network packets for various ports in one command. This is very useful in case we like monitor some range of ports for analysis. this could be done by portrange option with tcpdump.

tcpdump portrange 1-100

17.Capture network packets with logical or and logical and

TcpDump has great flexibility and has options like logical or and logical and operator. Different requirement could be combine to achieve single objective with some these operators. some of these examples provided below.

tcpdump src 192.168.0.124 and dst port 22   #SSH connection coming from 192.168.0.124

tcpdump dst 192.168.0.124 and dst port 22   #SSH connection towards 192.168.0.124

tcpdump -i any icmp or port http  #Display network packets on any Ethernet card for icmp and port 80

18.Capture icmp, arp, udp , tcp packets

We can capture various different protocol traffic with tcpdump command, below are commands for some of them.

tcpdump icmp
tcpdump arp
tcpdump udp
tcpdump udp or icmp
tcpdump arp or tcp

19.Capture network packets based on size

Sometime we like to monitor network packets for some specific packet size. TcpDump has such flexibility through which we can selectivity extract such packets from entire network. Below are examples.

tcpdump greater 128
tcpdump less 248
tcpdump < 128         # Packet less than 128
tcpdump > 256         # Packet greater than 256

20.Capture network packets with customise snaplen size rather then default 65535 bytes

TcpDump allow us to capture network packets for specific size rather than default.

tcpdump -s 100

21.Capture network and save it in a file

Sometime we need to capture network traffic and want to save in a file, so that we can read and analyse it later.

tcpdump -i any port 80 -w network.pcap
tcpdump -r network.pcap
reading from file network.pcap, link-type LINUX_SLL (Linux cooked)
19:22:21.179559 IP 192.168.0.1.54850 > srv21.geekpills.com.http: Flags [S], seq 2465545943, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
19:22:21.179644 IP srv21.geekpills.com.http > 192.168.0.1.54850: Flags [S.], seq 2362017842, ack 2465545944, win 29200, options [mss 1460,nop,nop,sackOK,nop,wscale 7], length 0
19:22:21.179851 IP 192.168.0.1.54850 > srv21.geekpills.com.http: Flags [.], ack 1, win 256, length 0
19:22:21.180002 IP 192.168.0.1.54850 > srv21.geekpills.com.http: Flags [P.], seq 1:462, ack 1, win 256, length 461

22.TcpDump filters

Tcp flag headers are located on the 14 bytes of its header. As numbering start at byte 0, The TCP flag header is located on 13 byte place.
In that 13 byte, as we eight bit present. Out of eight, six belongs to TCP. rest two reserved and set to zero. So Flags have their place for every bit has its significance and meaning which can co-relate and learn with their binary values determine below.
Final (Fin) = 1
Sync (Syn) = 2
Reset (Rst) = 4
Push = 8
Acknowledgement (ack) = 16
Urgent (Urg) = 32
Reserved = 64 and 128 (should be zero)

if multiple flags are used in TCP headers, binary value would sum of those that were set.
Fin, ack = 17 (1 + 16)
Syn, ack = 18 (2 + 16)
Push, ack = 24 (8 + 16)
Fin, Push = 9 (1 + 8)
Fin, Push, ack = 25 (1 + 8 + 16)

These values are always in form of 0 and 1, But their binary value is determine as per their location in TCP header.
TCP_Flag

 

 

 

 

 

 

 

 

 

So now if we like to see some packets of particular Flag. So we have write tcpdump command like.
tcpdump tcp[13]== 16 , This would show Ack packets.
So conceptually we have to write like header[byte] == value.

It could be could be many ways to capture network packets through this was. Some of them describe below.

 tcpdump 'tcp[13] & 32!=0'        Show all URGENT (URG) packets 
 tcpdump 'tcp[13] & 16!=0'        Show all ACKNOWLEDGE (ACK) packets… 
 tcpdump 'tcp[13] & 8!=0'       Show me all PUSH (PSH) packets… 
 tcpdump 'tcp[13] & 4!=0'        Show me all RESET (RST) packets… 
 tcpdump 'tcp[13] & 2!=0'        Show me all SYNCHRONIZE (SYN) packets… 
 tcpdump 'tcp[13] & 1!=0'        Show me all FINISH (FIN) packets… 
 tcpdump 'tcp[13]=18'        Show me all SYNCHRONIZE/ACKNOWLEDGE (SYNACK) packets…