How to Use tcpdump to Capture and Analyze Network Traffic

Hostman Team
Technical writer
Network
05.11.2024
Reading time: 7 min

Sometimes, troubleshooting network issues requires capturing network traffic. tcpdump is a network traffic analyzer, or "sniffer," that intercepts and analyzes the traffic passing through a network interface. It provides a rich set of options and filters, making it suitable for many purposes. tcpdump is entirely console-based: it has no graphical interface, so it can be run on servers without GUI support. The first version of tcpdump was released back in 1988, and it has been actively maintained since, with new versions released every year.

This article will cover various scenarios for using tcpdump.

Prerequisites

To follow this tutorial, you will need: 

  • A cloud server or virtual machine with a Linux OS installed. Any Linux distribution will work.
  • Access to the root user or a user with sudo privileges.

Installing tcpdump

We will install tcpdump on Ubuntu 22.04. The tcpdump package is available in the OS’s official repository. First, update the package index:

sudo apt update

Next, install the utility:

sudo apt -y install tcpdump

Confirm that the installation was successful by checking the tcpdump version:

tcpdump --version

Note that further use of the utility requires running it as the root user or a user with sudo privileges.

Running tcpdump Without Parameters

If you run tcpdump without any parameters, it will start capturing all traffic on all available interfaces in the system and display the data on the screen (stdout):

tcpdump

To stop the program, press Ctrl + C.

After each run, tcpdump prints three counters:

  • packets captured: the number of packets tcpdump received and processed.
  • packets received by filter: the number of packets the kernel passed through the capture filter to tcpdump.
  • packets dropped by kernel: the number of packets the OS kernel dropped because the capture buffer filled up before tcpdump could read them.

By default, tcpdump does not save its output. We will discuss saving the output to a file later in the article.

tcpdump Output Format

Let's analyze the output of a captured packet using the TCP protocol as an example. By default, tcpdump displays the following data for each capture:

09:33:57.063196 IP nexus-test.com.ssh > 192.168.111.1.50653: Flags [P.], seq 27376:27440, ack 321, win 521, length 64

The fields are described below.

  • 09:33:57.063196: Timestamp in the format hours:minutes:seconds.fraction, i.e. the time of day since midnight with a sub-second fraction (six digits here, so microseconds). In this example the packet was captured at 9:33:57.063196.
  • IP: Protocol used (here IPv4).
  • nexus-test.com.ssh: Domain name (or IP address) and port of the source host. Here ssh is shown instead of port number 22. Run tcpdump with -n to print addresses as numbers, or -nn to also print port numbers instead of service names.
  • 192.168.111.1.50653: Domain name (or IP address) and port of the destination host.
  • Flags [P.]: TCP flags set in the segment; several may appear together. Here P is the PUSH flag, asking the receiver to hand the data to the application immediately rather than buffer it, and the dot stands for ACK.
  • seq 27376:27440: Sequence numbers of the data carried in the segment: the payload covers bytes 27376 up to 27440 of the stream.
  • ack 321: Acknowledgment number, confirming the data received so far from the other side.
  • win 521: Window size in bytes, i.e. the buffer space currently available for receiving data.
  • length 64: Payload length in bytes, which equals the difference between the first and last sequence numbers above.

Practical Use of tcpdump

Let’s move on to practical applications of tcpdump with examples.

Displaying a List of Network Interfaces

To list all network interfaces available in the system for traffic capture, use:

tcpdump -D

Capturing Traffic from a Specific Network Interface

By default, tcpdump captures traffic from all available interfaces. To capture traffic from a specific network interface (e.g., ens33), use:

tcpdump -i ens33

Disabling IP Address to Hostname Resolution

By default, tcpdump converts IP addresses to hostnames and replaces port numbers with service names. To prevent tcpdump from converting IP addresses to hostnames, add the -n option:

tcpdump -n

To disable both IP-to-hostname and port-to-service name conversions, use the -nn option:

tcpdump -nn

Capturing a Specific Number of Packets

By default, tcpdump captures an unlimited number of packets. To capture a specified number of packets, for example, 4 packets, use the -c option:

tcpdump -c 4

Adding Date Information

tcpdump does not show the capture date by default. To include it, use the -tttt option; the date then appears at the start of each line in year-month-day format, followed by the time:

tcpdump -tttt

Packet Filtering in tcpdump

tcpdump has extensive filters that allow capturing only the desired packets. Here are some key filters.

Filtering by Port

To capture traffic on a specific port, use the port qualifier. For example, to capture only traffic whose destination port is 80, prefix it with dst (options such as -n go before the filter expression):

tcpdump -n dst port 80

You can also specify a range of ports:

tcpdump -n portrange 80-443

Filtering by Protocol

tcpdump can filter by protocol. Supported protocol qualifiers include: ether, fddi, tr, wlan, ppp, slip, link, ip, arp, rarp, tcp, udp, icmp, and ip6. Examples for capturing specific protocols are:

tcpdump icmp

tcpdump tcp

tcpdump arp

tcpdump udp

Filtering by Packet Size

tcpdump can filter packets by size using two qualifiers:

  • less N: captures packets whose length is N bytes or less.
  • greater N: captures packets whose length is N bytes or more.

Here are some examples:

Capture traffic with packets that are no more than 43 bytes in size:

tcpdump less 43

Capture traffic with packets of at least 43 bytes:

tcpdump greater 43

Note that the packet size includes header size: an Ethernet header without CRC occupies 14 bytes, an IPv4 header occupies 20 bytes, and an ICMP header occupies 8 bytes.

Filtering by MAC Address

To filter by MAC address, use the ether host option. For example, to capture any traffic sent to or from a specified MAC address (e.g., 00:0c:29:c7:00:3f), use:

tcpdump ether host 00:0c:29:c7:00:3f

Filtering by Source or Destination Address

You can filter traffic using the IP address or hostname of the source or destination.

To capture traffic originating from a specific host, use the src option:

tcpdump -nn src 192.168.36.132

To capture traffic directed to a specific host, use the dst option:

tcpdump -nn dst 192.168.36.132

Using Logical Operators in tcpdump

tcpdump supports logical operators for combining filter expressions:

  • and (or &&): logical AND; matches packets that satisfy all of the combined conditions.
  • or (or ||): logical OR; matches packets that satisfy at least one of the conditions.
  • not (or !): logical NOT; excludes packets that match the given condition.

Here are examples of using logical operators:

Capture packets whose source is the host 192.168.36.132 and whose source or destination port is 22:

tcpdump -nn src 192.168.36.132 and port 22

Capture packets on all available interfaces that use either port 22 or port 80:

tcpdump -nn port 22 or port 80

Capture all packets except ICMP packets:

tcpdump -nn not icmp

Saving Output to a File

As previously mentioned, tcpdump does not save its output to a file by default. To save captured data to a file, use the -w option, specifying the filename with a .pcap extension:

tcpdump -nn src 192.168.36.132 -w results.pcap

While saving to a file, tcpdump does not display results in the terminal. To stop capturing packets, press Ctrl + C.

To read the data saved in the file, use the -r option, followed by the filename where the tcpdump results were saved:

tcpdump -r results.pcap
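
The output format described earlier and the save-and-read workflow above combine naturally into a quick triage step. The following is an added example written for this article, not part of tcpdump or of Hostman's own material: summarize_flows parses tcpdump -nn text (live, or read back with -r) into per-flow packet and byte counts, and capture_then_summarize is a hypothetical helper that chains -w and -r around it; the sample capture lines are constructed in the article's format.

```shell
#!/bin/sh
# Added example (not tcpdump project code): summarize tcpdump -nn text output into
# per-flow packet and byte counts so a saved capture can be triaged quickly.
# Works on live output or on `tcpdump -nn -r file.pcap` output; lines are expected
# in the default format shown in the article, optionally with the -tttt date prefix.

# summarize_flows: read tcpdump text on stdin, print "packets bytes src > dst",
# busiest flows first. Bytes come from the "length" field (payload size) as tcpdump prints it.
summarize_flows() {
    awk '
        # With -tttt a YYYY-MM-DD date precedes the time, shifting every field by one.
        { p = ($1 ~ /^[0-9][0-9][0-9][0-9]-/) ? 3 : 2 }
        # Count IP/IP6 lines shaped "src > dst:"; ARP and other link-layer lines are skipped.
        $p ~ /^IP6?$/ && $(p + 2) == ">" {
            src = $(p + 1); dst = $(p + 3); sub(/:$/, "", dst)
            len = 0
            for (i = p + 4; i <= NF; i++) if ($i == "length") { len = $(i + 1) + 0; break }
            key = src " > " dst
            pkts[key]++; bytes[key] += len
        }
        END { for (k in pkts) printf "%d %d %s\n", pkts[k], bytes[k], k }
    ' | LC_ALL=C sort -k1,1nr -k3
}

# capture_then_summarize IFACE COUNT FILTER FILE (hypothetical helper): capture COUNT
# packets matching the BPF FILTER on IFACE into FILE (-w), then read it back (-r) and
# summarize. Requires tcpdump and root/sudo, as the article notes; -w prints nothing live.
capture_then_summarize() {
    tcpdump -i "$1" -nn -c "$2" -w "$4" "$3" || return 1
    tcpdump -nn -r "$4" | summarize_flows
}

# Constructed sample output in the article's format (addresses taken from its examples),
# so the summarizer can be exercised offline without a capture or root privileges.
SAMPLE_CAPTURE='09:33:57.063196 IP 192.168.36.132.22 > 192.168.111.1.50653: Flags [P.], seq 27376:27440, ack 321, win 521, length 64
09:33:57.063401 IP 192.168.111.1.50653 > 192.168.36.132.22: Flags [.], ack 27440, win 1024, length 0
09:33:58.100000 IP 192.168.36.132.22 > 192.168.111.1.50653: Flags [P.], seq 27440:27520, ack 321, win 521, length 80
09:33:58.200000 IP 192.168.111.1 > 192.168.36.132: ICMP echo request, id 7, seq 1, length 64
09:33:58.300000 ARP, Request who-has 192.168.36.1 tell 192.168.36.132, length 28'

printf '%s\n' "$SAMPLE_CAPTURE" | summarize_flows
```

On a real capture, run `capture_then_summarize ens33 1000 'not port 22' results.pcap` as root; the busiest flows appear at the top of the list.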

Conclusion

tcpdump is a powerful command-line tool for analyzing networks and identifying issues. The utility supports a wide array of options, enabling users to filter for specific packet information.
