
How to use the tcpdump command in Linux

2025-03-26 Update From: SLTechnology News&Howtos, shulou

Shulou (Shulou.com) 06/01 Report

How is the tcpdump command used in Linux? This article answers that question in detail, with worked examples, so that readers facing the same problem can find a simple and practical approach.

Preface

Tcpdump is a well-known command-line packet analysis tool. With tcpdump we can capture TCP/IP packets in real time and also save them to a file; the saved packets can then be read back and analyzed with tcpdump itself. This makes tcpdump very convenient when troubleshooting at the network level.

Tcpdump is available in most Linux distributions, and for Debian-based Linux, you can install it using the apt command.

# apt install tcpdump -y

On RPM-based Linux operating systems, you can install tcpdump using the following yum command.

# yum install tcpdump -y

When we run the tcpdump command without any options, it captures packets on all interfaces and keeps running until it is interrupted; press Ctrl+C to stop it. In this tutorial, we will use different examples to discuss how to capture and analyze packets.

Example: 1) capture packets from a specific interface

When we run the tcpdump command without any option, it captures packets on all interfaces. To capture packets from a specific interface, use the -i option followed by the interface name.

Syntax:

# tcpdump -i {interface name}

Suppose I want to capture packets from interface enp0s3:

[root@compute-0-1 ~]# tcpdump -i enp0s3

The output will be as follows:

tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on enp0s3, link-type EN10MB (Ethernet), capture size 262144 bytes
06:43:22.905890 IP compute-0-1.example.com.ssh > 169.144.0.1.39374: Flags [P.], seq 21952160:21952540, ack 13537, win 291, options [nop,nop,TS val 26164373 ecr 6580205], length 380
06:43:22.906045 IP compute-0-1.example.com.ssh > 169.144.0.1.39374: Flags [P.], seq 21952540:21952760, ack 13537, win 291, options [nop,nop,TS val 26164373 ecr 6580205], length 220
06:43:22.906150 IP compute-0-1.example.com.ssh > 169.144.0.1.39374: Flags [P.], seq 21952760:21952980, ack 13537, win 291, options [nop,nop,TS val 26164373 ecr 6580205], length 220
06:43:22.906291 IP 169.144.0.1.39374 > compute-0-1.example.com.ssh: Flags [.], ack 21952980, win 13094, options [nop,nop,TS val 6580205 ecr 26164373], length 0
06:43:22.906303 IP 169.144.0.1.39374 > compute-0-1.example.com.ssh: Flags [P.], seq 13537:13609, ack 21952980, win 13094, options [nop,nop,TS val 6580205 ecr 26164373], length 72
06:43:22.xxxxxx IP compute-0-1.example.com.ssh > 169.144.0.1.39374: Flags [P.], seq 21952980:21953200, ack 13537, win 291, options [nop,nop,TS val 26164373 ecr 6580205], length 220
...
^C
109930 packets captured
110065 packets received by filter
133 packets dropped by kernel
[root@compute-0-1 ~]#

Example: 2) capture a specific number of packets from a specific interface

Suppose we want to capture exactly 12 packets from a specific interface, such as enp0s3, and then stop. This is easily done with the options -c {count} -i {interface name}.

[root@compute-0-1 ~]# tcpdump -c 12 -i enp0s3

The above command captures 12 packets and stops. (The original screenshot of this output, "N-Number-Packets-tcpdump-interface", is not reproduced here.)

Example: 3) display all available interfaces of tcpdump

Use the -D option to list all interfaces that tcpdump can capture on:

[root@compute-0-1 ~]# tcpdump -D
1.enp0s3
2.enp0s8
3.ovs-system
4.br-int
5.br-tun
6.nflog (Linux netfilter log (NFLOG) interface)
7.nfqueue (Linux netfilter queue (NFQUEUE) interface)
8.usbmon1 (USB bus number 1)
9.usbmon2 (USB bus number 2)
10.qbra692e993-28
11.qvoa692e993-28
12.qvba692e993-28
13.tapa692e993-28
14.vxlan_sys_4789
15.any (Pseudo-device that captures on all interfaces)
16.lo [Loopback]
[root@compute-0-1 ~]#

I am running the tcpdump command on one of my OpenStack compute nodes, which is why the output also lists the qbr, qvo, qvb and tap interfaces, the bridges, and the vxlan interface.

Example: 4) capture packets with readable timestamps (-tttt option)

By default, the tcpdump output does not show a human-readable timestamp. To print the full date and time with each captured packet, use the -tttt option, as shown below:

[root@compute-0-1 ~]# tcpdump -c 8 -tttt -i enp0s3
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on enp0s3, link-type EN10MB (Ethernet), capture size 262144 bytes
2018-08-25 23:23:36.954883 IP compute-0-1.example.com.ssh > 169.144.0.1.39406: Flags [P.], seq 1449206247:1449206435, ack 30620950, win 291, options [nop,nop,TS val 86178422 ecr 21583714], length 188
2018-08-25 23:23:xx.xxxxxx IP 169.144.0.1.39406 > compute-0-1.example.com.ssh: Flags [.], ack 188, win 13585, options [nop,nop,TS val 21583717 ecr 86178422], length 0
2018-08-25 23:23:xx.xxxxxx IP controller0.example.com.amqp > compute-0-1.example.com.57818: Flags [P.], seq 814607956:814607964, ack 2387094506, win 252, options [nop,nop,TS val 86172228 ecr 86176695], length 8
2018-08-25 23:23:xx.xxxxxx IP compute-0-1.example.com.57818 > controller0.example.com.amqp: Flags [.], ack 8, win 237, options [nop,nop,TS val 86178607 ecr 86172228], length 0
2018-08-25 23:23:xx.xxxxxx IP compute-0-1.example.com.57836 > controller0.example.com.amqp: Flags [P.], seq 1080415080:1080417400, ack 16909362, win 237, options [nop,nop,TS val 86178822 ecr 86163054], length 2320
2018-08-25 23:23:xx.xxxxxx IP controller0.example.com.amqp > compute-0-1.example.com.57836: Flags [.], ack 2320, win 1432, options [nop,nop,TS val 86172448 ecr 86178822], length 0
2018-08-25 23:23:xx.xxxxxx IP controller0.example.com.amqp > compute-0-1.example.com.57836: Flags [P.], seq 1:22, ack 2320, win 1432, options [nop,nop,TS val 86172449 ecr 86178822], length 21
2018-08-25 23:23:xx.xxxxxx IP compute-0-1.example.com.57836 > controller0.example.com.amqp: Flags [.], ack 22, win 237, options [nop,nop,TS val 86178825 ecr 86172449], length 0
8 packets captured
134 packets received by filter
69 packets dropped by kernel
[root@compute-0-1 ~]#

Example: 5) capture packets and save them to a file (-w option)

Use the -w option of the tcpdump command to save the captured TCP/IP packets to a file so that they can be analyzed later.

Syntax:

# tcpdump -w {file name}.pcap -i {interface name}

Note: the file extension must be .pcap.

Suppose I want to save the packets captured on the enp0s3 interface to a file named enp0s3-26082018.pcap.

[root@compute-0-1 ~]# tcpdump -w enp0s3-26082018.pcap -i enp0s3

The above command will produce the output shown below

[root@compute-0-1 ~]# tcpdump -w enp0s3-26082018.pcap -i enp0s3
tcpdump: listening on enp0s3, link-type EN10MB (Ethernet), capture size 262144 bytes
^C
841 packets captured
845 packets received by filter
0 packets dropped by kernel
[root@compute-0-1 ~]# ls
anaconda-ks.cfg  enp0s3-26082018.pcap
[root@compute-0-1 ~]#

Capture and save packets with a size greater than N bytes.

[root@compute-0-1 ~]# tcpdump -w enp0s3-26082018-2.pcap greater 1024

Capture and save packets with a size less than N bytes.

[root@compute-0-1 ~]# tcpdump -w enp0s3-26082018-3.pcap less 1024

Example: 6) read packets from the saved file (-r option)

In the example above we saved the captured packets to a file; the -r option reads those packets back from the file, as shown below:

[root@compute-0-1 ~]# tcpdump -r enp0s3-26082018.pcap

Read the saved packets with human-readable timestamps:

[root@compute-0-1 ~]# tcpdump -tttt -r enp0s3-26082018.pcap
reading from file enp0s3-26082018.pcap, link-type EN10MB (Ethernet)
2018-08-25 22:03:17.249648 IP compute-0-1.example.com.ssh > 169.144.0.1.39406: Flags [P.], seq 1426167803:1426167927, ack 3061962134, win 291, options [nop,nop,TS val 81358717 ecr 20378789], length 124
2018-08-25 22:03:xx.xxxxxx IP 169.144.0.1.39406 > compute-0-1.example.com.ssh: Flags [.], ack 124, win 564, options [nop,nop,TS val 20378791 ecr 81358717], length 0
2018-08-25 22:03:17.xxxxxx IP controller0.example.com.amqp > compute-0-1.example.com.57836: Flags [.], ack 1079416895, win 1432, options [nop,nop,TS val 81352560 ecr 81353913], length 0
2018-08-25 22:03:17.454642 IP compute-0-1.example.com.57836 > controller0.example.com.amqp: Flags [.], ack 1, win 237, options [nop,nop,TS val 81358922 ecr 81317504], length 0
2018-08-25 22:03:17.646945 IP compute-0-1.example.com.57788 > controller0.example.com.amqp: Flags [.], seq 106760587:106762035, ack 688390730, win 237, options [nop,nop,TS val 81359114 ecr 81350901], length 1448
2018-08-25 22:03:xx.xxxxxx IP compute-0-1.example.com.57788 > controller0.example.com.amqp: Flags [P.], seq 1448:1956, ack 1, win 237, options [nop,nop,TS val 81359114 ecr 81350901], length 508
2018-08-25 22:03:17.647502 IP controller0.example.com.amqp > compute-0-1.example.com.57788: Flags [.], ack 1956, win 1432, options [nop,nop,TS val 81352753 ecr 81359114], length 0
...

Example: 7) capture packets showing IP addresses instead of hostnames (-n option)

With the -n option, tcpdump does not resolve addresses to hostnames, so the packets captured on the interface are shown with IP addresses only, as shown below:

[root@compute-0-1 ~]# tcpdump -n -i enp0s3

The output of the above command is as follows

tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on enp0s3, link-type EN10MB (Ethernet), capture size 262144 bytes
22:22:28.537904 IP 169.144.0.20.ssh > 169.144.0.1.39406: Flags [P.], seq 1433301395:1433301583, ack 3061976250, win 291, options [nop,nop,TS val 82510005 ecr 20666610], length 188
22:22:28.538173 IP 169.144.0.1.39406 > 169.144.0.20.ssh: Flags [.], ack 188, win 9086, options [nop,nop,TS val 20666613 ecr 82510005], length 0
22:22:28.538573 IP 169.144.0.20.ssh > 169.144.0.1.39406: Flags [P.], seq 188:552, ack 1, win 291, options [nop,nop,TS val 82510006 ecr 20666613], length 364
22:22:28.538736 IP 169.144.0.1.39406 > 169.144.0.20.ssh: Flags [.], ack 552, win 9086, options [nop,nop,TS val 20666613 ecr 82510006], length 0
22:22:28.538874 IP 169.144.0.20.ssh > 169.144.0.1.39406: Flags [P.], seq 552:892, ack 1, win 291, options [nop,nop,TS val 82510006 ecr 20666613], length 340
22:22:28.539042 IP 169.144.0.1.39406 > 169.144.0.20.ssh: Flags [.], ack 892, win 9086, options [nop,nop,TS val 20666613 ecr 82510006], length 0
22:22:28.539178 IP 169.144.0.20.ssh > 169.144.0.1.39406: Flags [P.], seq 892:1232, ack 1, win 291, options [nop,nop,TS val 82510006 ecr 20666613], length 340
22:22:28.539282 IP 169.144.0.1.39406 > 169.144.0.20.ssh: Flags [.], ack 1232, win 9086, options [nop,nop,TS val 20666614 ecr 82510006], length 0
22:22:28.539479 IP 169.144.0.20.ssh > 169.144.0.1.39406: Flags [P.], seq 1232:1572, ack 1, win 291, options [nop,nop,TS val 82510006 ecr 20666614], length 340
22:22:28.539595 IP 169.144.0.1.39406 > 169.144.0.20.ssh: Flags [.], ack 1572, win 9086, options [nop,nop,TS val 20666614 ecr 82510006], length 0
22:22:28.539760 IP 169.144.0.20.ssh > 169.144.0.1.39406: Flags [P.], seq 1572:1912, ack 1, win 291, options [nop,nop,TS val 82510007 ecr 20666614], length 340
...

You can also combine the -c and -n options to capture a fixed number of packets, shown with IP addresses:

[root@compute-0-1 ~]# tcpdump -c 25 -n -i enp0s3

Example: 8) capture only TCP packets on a specific interface

In the tcpdump command, we can use the tcp keyword as a filter to capture only TCP packets:

[root@compute-0-1 ~]# tcpdump -i enp0s3 tcp
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on enp0s3, link-type EN10MB (Ethernet), capture size 262144 bytes
22:36:54.521053 IP 169.144.0.20.ssh > 169.144.0.1.39406: Flags [P.], seq 1433336467:1433336655, ack 3061986618, win 291, options [nop,nop,TS val 83375988 ecr 20883106], length 188
22:36:54.521474 IP 169.144.0.1.39406 > 169.144.0.20.ssh: Flags [.], ack 188, win 9086, options [nop,nop,TS val 20883109 ecr 83375988], length 0
22:36:54.522214 IP 169.144.0.20.ssh > 169.144.0.1.39406: Flags [P.], seq 188:552, ack 1, win 291, options [nop,nop,TS val 83375989 ecr 20883109], length 364
22:36:54.522508 IP 169.144.0.1.39406 > 169.144.0.20.ssh: Flags [.], ack 552, win 9086, options [nop,nop,TS val 20883109 ecr 83375989], length 0
22:36:54.xxxxxx IP 169.144.0.20.ssh > 169.144.0.1.39406: Flags [P.], seq 552:892, ack 1, win 291, options [nop,nop,TS val 83375990 ecr 20883109], length 340
22:36:54.523006 IP 169.144.0.1.39406 > 169.144.0.20.ssh: Flags [.], ack 892, win 9086, options [nop,nop,TS val 20883109 ecr 83375990], length 0
22:36:54.523304 IP 169.144.0.20.ssh > 169.144.0.1.39406: Flags [P.], seq 892:1232, ack 1, win 291, options [nop,nop,TS val 83375990 ecr 20883109], length 340
22:36:54.xxxxxx IP 169.144.0.1.39406 > 169.144.0.20.ssh: Flags [.], ack 1232, win 9086, options [nop,nop,TS val 20883110 ecr 83375990], length 0
22:36:54.xxxxxx IP 169.144.0.20.ssh > 169.144.0.1.39406: Flags [P.], seq 1232:1572, ack 1, win 291, options [nop,nop,TS val 83375991 ecr 20883110], length 340
...
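As an added example that is not part of the article, the following Python parses the one-line text format tcpdump printed in examples 4, 7 and 8 (with or without -tttt, with named or numeric ports), cross-checks every `seq first:last` range against the reported length, and totals payload bytes per direction so a capture reads as conversations. The sample lines are constructed from the values shown above; the `parse_line` and `conversations` helpers are this example's own.

```python
import re
from collections import defaultdict

# One tcpdump text line as printed by the commands above: optional -tttt date, IPv4 TCP only.
LINE = re.compile(
    r"^(?P<ts>(?:\d{4}-\d\d-\d\d )?\d\d:\d\d:\d\d\.\d+) IP "
    r"(?P<src>\S+)\.(?P<sport>[\w-]+) > (?P<dst>\S+)\.(?P<dport>[\w-]+): "
    r"Flags \[(?P<flags>[^\]]*)\]"
    r"(?:, seq (?P<seq>\d+)(?::(?P<seq_end>\d+))?)?"
    r"(?:, ack (?P<ack>\d+))?(?:, win (?P<win>\d+))?"
    r"(?:, options \[[^\]]*\])?, length (?P<length>\d+)$")

def parse_line(line):
    """Return a dict for a packet line, or None for banners, summaries and other formats."""
    m = LINE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    rec = {k: d[k] for k in ("ts", "src", "sport", "dst", "dport", "flags")}
    rec.update(length=int(d["length"]), seq=int(d["seq"]) if d["seq"] else None,
               ack=int(d["ack"]) if d["ack"] else None, win=int(d["win"]) if d["win"] else None)
    # tcpdump prints seq as first:last for data segments; last - first must equal length
    if d["seq_end"] and int(d["seq_end"]) - int(d["seq"]) != rec["length"]:
        raise ValueError("inconsistent seq range in: " + line)
    return rec

def conversations(lines):
    """Payload bytes and packet count per direction, keyed (src, sport, dst, dport)."""
    totals = defaultdict(lambda: [0, 0])
    for rec in filter(None, map(parse_line, lines)):
        entry = totals[(rec["src"], rec["sport"], rec["dst"], rec["dport"])]
        entry[0] += rec["length"]
        entry[1] += 1
    return {k: tuple(v) for k, v in totals.items()}

# Constructed sample output; the values follow the captures shown in examples 4, 7 and 8.
SAMPLE = """\
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on enp0s3, link-type EN10MB (Ethernet), capture size 262144 bytes
2018-08-25 23:23:36.954883 IP 169.144.0.20.ssh > 169.144.0.1.39406: Flags [P.], seq 1449206247:1449206435, ack 30620950, win 291, options [nop,nop,TS val 86178422 ecr 21583714], length 188
2018-08-25 23:23:36.955101 IP 169.144.0.1.39406 > 169.144.0.20.ssh: Flags [.], ack 188, win 13585, options [nop,nop,TS val 21583717 ecr 86178422], length 0
22:36:54.522214 IP 169.144.0.20.ssh > 169.144.0.1.39406: Flags [P.], seq 188:552, ack 1, win 291, options [nop,nop,TS val 83375989 ecr 20883109], length 364
23:03:45.912733 IP 169.144.0.10.amqp > 169.144.0.20.57800: Flags [.], ack 526623844, win 243, options [nop,nop,TS val 84981008 ecr 84982372], length 0
4 packets captured
"""

if __name__ == "__main__":
    for flow, (nbytes, npkts) in sorted(conversations(SAMPLE.splitlines()).items()):
        print(f"{flow[0]}:{flow[1]} -> {flow[2]}:{flow[3]}  {npkts} packets, {nbytes} bytes")
```

Lines tcpdump prints with -n still carry service names such as .ssh on older versions, which is why the port field accepts either a name or a number.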

Example: 9) capture packets from a specific port on a specific interface

Using the tcpdump command, we can capture packets from a specific port (for example, 22) on a specific interface enp0s3.

Syntax:

# tcpdump -i {interface name} port {port number}

[root@compute-0-1 ~]# tcpdump -i enp0s3 port 22
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on enp0s3, link-type EN10MB (Ethernet), capture size 262144 bytes
22:54:45.032412 IP compute-0-1.example.com.ssh > 169.144.0.1.39406: Flags [P.], seq 1435010787:1435010975, ack 3061993834, win 291, options [nop,nop,TS val 84446499 ecr 21150734], length 188
22:54:45.032631 IP 169.144.0.1.39406 > compute-0-1.example.com.ssh: Flags [.], ack 188, win 9131, options [nop,nop,TS val 21150737 ecr 84446499], length 0
22:54:55.037926 IP compute-0-1.example.com.ssh > 169.144.0.1.39406: Flags [P.], seq 188:576, ack 1, win 291, options [nop,nop,TS val 84456505 ecr 21150737], length 388
22:54:55.038106 IP 169.144.0.1.39406 > compute-0-1.example.com.ssh: Flags [.], ack 576, win 9154, options [nop,nop,TS val 21153238 ecr 84456505], length 0
22:54:55.038286 IP compute-0-1.example.com.ssh > 169.144.0.1.39406: Flags [P.], seq 576:940, ack 1, win 291, options [nop,nop,TS val 84456505 ecr 21153238], length 364
22:54:55.038564 IP 169.144.0.1.39406 > compute-0-1.example.com.ssh: Flags [.], ack 940, win 9177, options [nop,nop,TS val 21153238 ecr 84456505], length 0
22:54:55.xxxxxx IP compute-0-1.example.com.ssh > 169.144.0.1.39406: Flags [P.], seq 940:1304, ack 1, win 291, options [nop,nop,TS val 84456506 ecr 21153238], length 364
...

Example: 10) capture packets from a specific source IP on a specific interface

In the tcpdump command, using the src keyword followed by the IP address, we can capture packets from a specific source IP

Syntax:

# tcpdump -n -i {interface name} src {IP address}

Examples are as follows

[root@compute-0-1 ~]# tcpdump -n -i enp0s3 src 169.144.0.10
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on enp0s3, link-type EN10MB (Ethernet), capture size 262144 bytes
23:03:45.912733 IP 169.144.0.10.amqp > 169.144.0.20.57800: Flags [.], ack 526623844, win 243, options [nop,nop,TS val 84981008 ecr 84982372], length 0
23:03:46.136757 IP 169.144.0.10.amqp > 169.144.0.20.57796: Flags [.], ack 2535995970, win 252, options [nop,nop,TS val 84981232 ecr 84982596], length 0
23:03:46.xxxxxx IP 169.144.0.10.amqp > 169.144.0.20.57798: Flags [.], ack 3623063621, win 243, options [nop,nop,TS val 84981248 ecr 84982612], length 0
23:03:46.361160 IP 169.144.0.10.amqp > 169.144.0.20.57802: Flags [.], ack 2140263945, win 252, options [nop,nop,TS val 84981456 ecr 84982821], length 0
23:03:46.376926 IP 169.144.0.10.amqp > 169.144.0.20.57808: Flags [.], ack 175946224, win 252, options [nop,nop,TS val 84981472 ecr 84982836], length 0
23:03:46.505242 IP 169.144.0.10.amqp > 169.144.0.20.57810: Flags [.], ack 1016089556, win 252, options [nop,nop,TS val 84981600 ecr 84982965], length 0
23:03:46.616994 IP 169.144.0.10.amqp > 169.144.0.20.57812: Flags [.], ack 832263835, win 252, options [nop,nop,TS val 84981712 ecr 84983076], length 0
23:03:46.809344 IP 169.144.0.10.amqp > 169.144.0.20.57814: Flags [.], ack 2781799939, win 252, options [nop,nop,TS val 84981904 ecr 84983268], length 0
23:03:46.809485 IP 169.144.0.10.amqp > 169.144.0.20.57816: Flags [.], ack 1662816815, win 252, options [nop,nop,TS val 84981904 ecr 84983268], length 0
23:03:47.033301 IP 169.144.0.10.amqp > 169.144.0.20.57818: Flags [.], ack 2387094362, win 252, options [nop,nop,TS val 84982128 ecr 84983492], length 0
^C
10 packets captured
12 packets received by filter
0 packets dropped by kernel

Example: 11) capture packets from a specific destination IP on a specific interface

Syntax:

# tcpdump -n -i {interface name} dst {IP address}

[root@compute-0-1 ~]# tcpdump -n -i enp0s3 dst 169.144.0.1
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on enp0s3, link-type EN10MB (Ethernet), capture size 262144 bytes
23:10:43.520967 IP 169.144.0.20.ssh > 169.144.0.1.39406: Flags [P.], seq 1439564171:1439564359, ack 3062005550, win 291, options [nop,nop,TS val 85404988 ecr 21390356], length 188
23:10:43.521441 IP 169.144.0.20.ssh > 169.144.0.1.39406: Flags [P.], seq 188:408, ack 1, win 291, options [nop,nop,TS val 85404988 ecr 21390359], length 220
23:10:43.521719 IP 169.144.0.20.ssh > 169.144.0.1.39406: Flags [P.], seq 408:604, ack 1, win 291, options [nop,nop,TS val 85404989 ecr 21390359], length 196
23:10:43.521993 IP 169.144.0.20.ssh > 169.144.0.1.39406: Flags [P.], seq 604:800, ack 1, win 291, options [nop,nop,TS val 85404989 ecr 21390359], length 196
23:10:43.522157 IP 169.144.0.20.ssh > 169.144.0.1.39406: Flags [P.], seq 800:996, ack 1, win 291, options [nop,nop,TS val 85404989 ecr 21390359], length 196
23:10:43.522346 IP 169.144.0.20.ssh > 169.144.0.1.39406: Flags [P.], seq 996:1192, ack 1, win 291, options [nop,nop,TS val 85404989 ecr 21390359], length 196
...

Example: 12) capture TCP packet communication between two hosts

Suppose I want to capture TCP packets between two hosts 169.144.0.1 and 169.144.0.20, as shown below

[root@compute-0-1 ~]# tcpdump -w two-host-tcp-comm.pcap -i enp0s3 tcp and \( host 169.144.0.1 and host 169.144.0.20 \)

Use the tcpdump command to capture only the flow of SSH packets between two hosts

[root@compute-0-1 ~]# tcpdump -w ssh-comm-two-hosts.pcap -i enp0s3 src 169.144.0.1 and port 22 and dst 169.144.0.20 and port 22

Example: 13) capture UDP network packets between two hosts (back and forth)

Syntax:

# tcpdump -w {file name}.pcap -s {snap length} -i {interface name} udp and \( host {IP address 1} and host {IP address 2} \)

[root@compute-0-1 ~]# tcpdump -w two-host-comm.pcap -s 1000 -i enp0s3 udp and \( host 169.144.0.10 and host 169.144.0.20 \)
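As an added example, not code from the article, the following Python reads the classic pcap file that `tcpdump -w` writes (examples 5 and 6) and reproduces the `host`, `port`, `greater` and `less` selections used in examples 5 and 10 to 13, so a saved capture can be checked without tcpdump. It builds its own constructed sample capture in memory; the frame builder, the `select` helper and the fixed timestamps are assumptions of this example, and a `-s` snap length shorter than a frame would show up as a captured length below the wire length.

```python
import struct
ETHERNET = 1  # pcap link-type EN10MB, the "link-type EN10MB" that tcpdump printed above

def build_frame(src_ip, dst_ip, sport, dport, payload):
    """Constructed Ethernet/IPv4/TCP frame (PSH+ACK, win 291); checksums are left at 0."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 291, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 1, 0, 64, 6, 0,
                     bytes(map(int, src_ip.split("."))), bytes(map(int, dst_ip.split("."))))
    return bytes.fromhex("525400123456" "525400654321" "0800") + ip + tcp + payload

def write_pcap(frames, snaplen=262144):
    """Classic little-endian pcap 2.4 file, the format `tcpdump -w` writes by default."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, snaplen, ETHERNET)
    for i, frame in enumerate(frames):  # per-record header: ts_sec, ts_usec, incl_len, orig_len
        out += struct.pack("<IIII", 1535238000 + i, 1000 * i, len(frame), len(frame)) + frame
    return out

def read_pcap(data):
    """Parse a classic pcap file into a list of (timestamp, wire length, captured bytes)."""
    magic = struct.unpack("<I", data[:4])[0]
    end = {0xA1B2C3D4: "<", 0xD4C3B2A1: ">"}.get(magic)  # second value: big-endian writer
    if end is None:
        raise ValueError("not a classic pcap file (pcapng or corrupt input)")
    snaplen, linktype = struct.unpack(end + "II", data[16:24])
    if linktype != ETHERNET:
        raise ValueError(f"unsupported link-type {linktype}")
    pos, records = 24, []
    while pos + 16 <= len(data):
        sec, usec, incl, or_len = struct.unpack(end + "IIII", data[pos:pos + 16])
        pos += 16
        if incl > snaplen or pos + incl > len(data):  # never read past a truncated record
            raise ValueError("truncated or corrupt packet record")
        records.append((sec + usec / 1e6, or_len, data[pos:pos + incl]))  # incl < or_len after -s
        pos += incl
    return records

def decode(frame):
    """(src, sport, dst, dport, proto) for an untagged IPv4 TCP/UDP frame, else None."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        return None
    ihl, proto = (frame[14] & 0x0F) * 4, frame[23]
    if proto not in (6, 17) or len(frame) < 14 + ihl + 4:
        return None
    src, dst = (".".join(map(str, frame[o:o + 4])) for o in (26, 30))
    sport, dport = struct.unpack("!HH", frame[14 + ihl:14 + ihl + 4])
    return src, sport, dst, dport, proto

def select(records, host=None, port=None, greater=None, less=None):
    """The article's filters: host/port match either direction; greater/less are len >= N / len <= N."""
    kept = []
    for ts, orig, frame in records:
        if (greater is not None and orig < greater) or (less is not None and orig > less):
            continue
        d = decode(frame)
        if (host is not None and (d is None or host not in (d[0], d[2]))) or \
           (port is not None and (d is None or port not in (d[1], d[3]))):
            continue
        kept.append((ts, orig, d))
    return kept

SAMPLE = write_pcap([  # constructed capture: one SSH exchange plus a large AMQP segment
    build_frame("169.144.0.20", "169.144.0.1", 22, 39406, b"x" * 188),
    build_frame("169.144.0.1", "169.144.0.20", 39406, 22, b""),
    build_frame("169.144.0.10", "169.144.0.20", 5672, 57818, b"y" * 1400),
])
```

Note that pcap-filter defines `greater N` as `len >= N` and `less N` as `len <= N`, so a packet of exactly 1024 bytes is written to both files from example 5; `select` keeps that inclusive behaviour.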

Example: 14) capture packets in hexadecimal and ASCII format

Using the tcpdump command, we can capture TCP/IP packets in ASCII and hexadecimal format

To capture packets in ASCII format, use the -A option, as in the following example:

[root@compute-0-1 ~]# tcpdump -c 10 -A -i enp0s3
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on enp0s3, link-type EN10MB (Ethernet), capture size 262144 bytes
00:37:10.520060 IP compute-0-1.example.com.ssh > 169.144.0.1.39406: Flags [P.], seq 1452637331:1452637519, ack 3062125586, win 333, options [nop,nop,TS val 90591987 ecr 22687106], length 188
E...
[ASCII dump of the packet contents, mostly non-printable characters; not reproduced here]
...
[root@compute-0-1 ~]#
