tcpdump command
LINUX-Frequently used commands
tcpdump command: capturing packets.
Syntax
tcpdump [options] [filter expression]
The tcpdump command captures packets on Linux. Run tcpdump with no arguments and it prints every packet it sees on the first configured non-loopback interface; capturing requires root (or the CAP_NET_RAW capability), which is why the examples below start with su. Press Ctrl+C to stop the capture.
Frequently used options
-i <interface>  Capture on the named interface ("any" for all interfaces)
-n              Do not resolve IP addresses to host names (-nn also leaves port numbers unresolved)
-e              Print the link-level header (MAC addresses) on each summary line
-x              Print the packet contents as a hex dump (-X adds an ASCII column)
-p              Do not put the interface into promiscuous mode
-c <count>      Exit after <count> packets
-w <file>       Write raw packets to a pcap file instead of printing them (read it back with -r <file>)
Anything after the options is a filter expression (icmp, host, dst, port and so on), as the examples below show.
Example: Capture on the NIC named "eno1": -i eno1.
$ su -                ← become root
Password:             ← enter the root password
# tcpdump -i eno1
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eno1, link-type EN10MB (Ethernet), capture size 65535 bytes
12:42:23.855066 IP host1 > centos7: ICMP echo request, id 1, seq 4799, length 40
12:42:23.855102 IP centos7 > host1: ICMP echo reply, id 1, seq 4799, length 40
Example: Capture on all interfaces: -i any.
Useful when you do not know which interface the traffic will arrive on. Note that the link type becomes LINUX_SLL (Linux "cooked" capture) rather than Ethernet in this mode.
$ su -                ← become root
Password:             ← enter the root password
# tcpdump -i any
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on any, link-type LINUX_SLL (Linux cooked), capture size 65535 bytes
12:21:52.503097 IP centos7.ssh > host1.53698: Flags [P.], seq 21799904:21800144, ack 3372923732, win 162, length 240
12:21:52.504631 IP host1.53698 > centos7.ssh: Flags [.], ack 240, win 251, length 0
Example: Show IP addresses instead of host names: -n.
-n skips reverse DNS lookups, which is faster and avoids telling a resolver which addresses you are watching; -nn also leaves port numbers unresolved (22 instead of ssh). This capture is of a connection attempt to the SSH server at 192.168.0.2. Note that the SYN is answered with an RST, so nothing was accepting connections on port 22 at that moment.
$ su -                ← become root
Password:             ← enter the root password
# tcpdump -i eno1 -n
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eno1, link-type EN10MB (Ethernet), capture size 65535 bytes
12:44:36.104944 IP 192.168.0.1.59616 > 192.168.0.2.ssh: Flags [S], seq 1255080635, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
12:44:36.104978 IP 192.168.0.2.ssh > 192.168.0.1.59616: Flags [R.], seq 0, ack 1255080636, win 0, length 0
Example: Display the packet contents in hex: -x.
-x prints each packet as a hex dump after its summary line (-X adds an ASCII column). To see MAC addresses instead, use -e, which adds the link-level header to the summary line.
$ su -                ← become root
Password:             ← enter the root password
# tcpdump -i eno1 -x
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eno1, link-type EN10MB (Ethernet), capture size 65535 bytes
12:32:24.299568 IP centos7.ssh > host1.53698: Flags [P.], seq 22627408:22627648, ack 3372954644, win 162, length 240
0x0000: 4510 0118 99a2 4000 4006 def8 0afe a12d
0x0010: 0ae9 0a21 0390 d1c2 0159 4450 c90b 3414
0x0020: 5018 00a2 c23f 0000 111b 62b5 2365 8eb8
0x0030: 2622 4c74 6f48 7378 b9e2 1914 1e89 9275
0x0040: 259b bb94 366f 31d6 14db 55c6 350e b056
0x0050: 10e5 0f93 2816 c9b9 e710 52d8 9fc9 0aaf
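The dump above can be decoded by hand from the IPv4 and TCP header layouts, and doing so is a good check that you are reading -x output correctly. The following is an added example, not tcpdump code: it turns the six hex lines above (embedded here as the input) back into bytes with the Python standard library and decodes the IPv4 and TCP headers. Everything lines up with the summary line printed before the dump: total length 0x0118 = 280 = 20 (IP) + 20 (TCP) + 240 (the "length 240"), flags 0x18 = PSH+ACK = [P.], seq 22627408, ack 3372954644, win 162. The one exception is the source port, which decodes to 912 rather than ssh (22), so the summary line and the dump on this page evidently came from different packets. Only the first 96 bytes of the packet appear in the dump, so 56 of the 240 payload bytes are present.

```python
"""Decode the IPv4 + TCP headers from tcpdump -x output.

Added example for this page (not tcpdump code). HEX_DUMP holds the six
dump lines shown above; only the standard library is used.
"""
import struct
from ipaddress import IPv4Address

HEX_DUMP = """\
0x0000: 4510 0118 99a2 4000 4006 def8 0afe a12d
0x0010: 0ae9 0a21 0390 d1c2 0159 4450 c90b 3414
0x0020: 5018 00a2 c23f 0000 111b 62b5 2365 8eb8
0x0030: 2622 4c74 6f48 7378 b9e2 1914 1e89 9275
0x0040: 259b bb94 366f 31d6 14db 55c6 350e b056
0x0050: 10e5 0f93 2816 c9b9 e710 52d8 9fc9 0aaf
"""

# tcpdump's flag letters, in the order it prints them ("." is ACK).
TCP_FLAG_LETTERS = [(0x01, "F"), (0x02, "S"), (0x04, "R"), (0x08, "P"),
                    (0x10, "."), (0x20, "U"), (0x40, "E"), (0x80, "W")]


def hexdump_to_bytes(dump: str) -> bytes:
    """Turn 'offset: xxxx xxxx ...' lines (tcpdump -x) back into raw bytes."""
    out = bytearray()
    for line in dump.splitlines():
        if not line.strip():
            continue
        _, _, words = line.partition(":")      # drop the "0x0010" offset
        out += bytes.fromhex(words.replace(" ", ""))
    return bytes(out)


def tcp_flag_string(bits: int) -> str:
    """0x18 -> 'P.', 0x02 -> 'S', 0x14 -> 'R.' (tcpdump notation)."""
    return "".join(letter for mask, letter in TCP_FLAG_LETTERS if bits & mask)


def decode_ipv4_tcp(pkt: bytes) -> dict:
    """Decode the IPv4 header, then the TCP header if protocol == 6."""
    if len(pkt) < 20:
        raise ValueError("packet shorter than an IPv4 header")
    (ver_ihl, tos, total_len, ident, frag, ttl, proto,
     _csum, src, dst) = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    version, ihl = ver_ihl >> 4, (ver_ihl & 0x0F) * 4
    if version != 4 or ihl < 20:
        raise ValueError("not an IPv4 packet")
    info = {
        "version": version, "ihl": ihl, "tos": tos, "total_length": total_len,
        "id": ident, "dont_fragment": bool(frag & 0x4000), "ttl": ttl,
        "protocol": proto, "src": str(IPv4Address(src)), "dst": str(IPv4Address(dst)),
    }
    if proto != 6:                              # not TCP: stop at the IP layer
        return info
    if len(pkt) < ihl + 20:
        raise ValueError("packet shorter than IP + TCP headers")
    (sport, dport, seq, ack, off_flags, win,
     _tcsum, _urg) = struct.unpack("!HHIIHHHH", pkt[ihl:ihl + 20])
    doff = (off_flags >> 12) * 4                # TCP header length in bytes
    info.update({
        "sport": sport, "dport": dport, "seq": seq, "ack": ack,
        "data_offset": doff, "flags": tcp_flag_string(off_flags & 0xFF),
        "window": win,
        # what tcpdump prints as "length": payload per the IP total length
        "payload_length": total_len - ihl - doff,
        # how much of that payload is actually present in the dump
        "payload_captured": max(0, len(pkt) - ihl - doff),
    })
    return info


def summary_line(info: dict) -> str:
    """Render the decoded headers the way tcpdump -nn prints them."""
    return (f"IP {info['src']}.{info['sport']} > {info['dst']}.{info['dport']}: "
            f"Flags [{info['flags']}], seq {info['seq']}, ack {info['ack']}, "
            f"win {info['window']}, length {info['payload_length']}")


if __name__ == "__main__":
    decoded = decode_ipv4_tcp(hexdump_to_bytes(HEX_DUMP))
    print(summary_line(decoded))
    print(f"{decoded['payload_captured']} of {decoded['payload_length']} payload bytes in dump")
```

The same decoder works on any IPv4/TCP packet pasted from -x output; for an ICMP or UDP packet it stops after the IP header (protocol 1 or 17), which is enough to confirm the addresses and total length.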
Example: Filter by protocol: give the protocol name as the filter expression.
Anything after the options is a filter expression, and a bare protocol name (ip/arp/icmp/tcp/udp etc.) keeps only packets of that protocol. Note that -p is not a "protocol" option: it tells tcpdump not to put the interface into promiscuous mode, so only traffic addressed to this host is seen. The command below works because icmp is parsed as the filter expression; tcpdump -i eno1 icmp does the same thing without that side effect.
$ su -                ← become root
Password:             ← enter the root password
# tcpdump -i eno1 -p icmp
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eno1, link-type EN10MB (Ethernet), capture size 65535 bytes
12:36:27.355676 IP host1 > centos7: ICMP echo request, id 2, seq 24653, length 40
12:36:27.355754 IP centos7 > host1: ICMP echo reply, id 2, seq 24653, length 40
Example: Filter by IP address: host "IP address".
host matches packets whose source or destination address is the given one, so both directions of a conversation are shown. Without -n the local machine is printed under its name (centos7 here).
$ su -                ← become root
Password:             ← enter the root password
# tcpdump -i eno1 host 192.168.0.2
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eno1, link-type EN10MB (Ethernet), capture size 65535 bytes
12:40:32.324676 IP 192.168.0.2 > centos7: ICMP echo request, id 2, seq 24653, length 40
12:40:32.367754 IP centos7 > 192.168.0.2: ICMP echo reply, id 2, seq 24653, length 40
Example: Filter by destination address: dst "IP address".
dst (short for dst host) matches only packets whose destination is the given address; src does the same for the source. Compared with the host example, the echo request sent by 192.168.0.2 is no longer shown.
$ su -                ← become root
Password:             ← enter the root password
# tcpdump -i eno1 dst 192.168.0.2
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eno1, link-type EN10MB (Ethernet), capture size 65535 bytes
12:40:32.367754 IP centos7 > 192.168.0.2: ICMP echo reply, id 2, seq 24653, length 40
Example: Filter by port number: port "port number".
port matches the given port in either the source or the destination field, for both TCP and UDP. Narrow it with a protocol qualifier (tcp port 22), a direction (dst port 22), or both (tcp dst port 22). A service name from /etc/services can be used in place of the number (ssh for 22, http for 80, etc.).
$ su -                ← become root
Password:             ← enter the root password
# tcpdump -i eno1 port 22
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eno1, link-type EN10MB (Ethernet), capture size 65535 bytes
12:51:51.475653 IP centos7.ssh > host1.53698: Flags [P.], seq 23108672:23108912, ack 3372973860, win 162, length 240
12:51:51.476882 IP host1.53698 > centos7.ssh: Flags [.], ack 240, win 254, length 0
# tcpdump -i eno1 port ssh
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eno1, link-type EN10MB (Ethernet), capture size 65535 bytes
12:51:55.193812 IP centos7.ssh > host1.53698: Flags [P.], seq 23108692:23109912, ack 3372973811, win 162, length 240
12:51:55.193832 IP host1.53698 > centos7.ssh: Flags [.], ack 240, win 254, length 0
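The filter primitives above (host, dst, port) and the SYN-then-RST exchange in the -n example can be reproduced offline against the summary lines tcpdump prints, which is useful when you have saved text output but no pcap. The following is an added example, not tcpdump's code: it parses a few output lines copied from the captures on this page (embedded as constructed input), implements the three predicates on the parsed records, and pairs each SYN with a later RST+ACK from the target, which is how a closed port, or a port scan hitting one, looks in a capture. SERVICES is a small stand-in for /etc/services.

```python
"""Apply host/dst/port style filters to tcpdump summary lines offline.

Added example for this page, not part of tcpdump. SAMPLE holds output
lines copied from the captures above (constructed input for the demo).
Capture with -n/-nn in real use: unresolved names make the parsing below
unambiguous, since a host name containing dots would be split as a port.
"""
import re
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple

SAMPLE = """\
12:44:36.104944 IP 192.168.0.1.59616 > 192.168.0.2.ssh: Flags [S], seq 1255080635, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
12:44:36.104978 IP 192.168.0.2.ssh > 192.168.0.1.59616: Flags [R.], seq 0, ack 1255080636, win 0, length 0
12:40:32.324676 IP 192.168.0.2 > centos7: ICMP echo request, id 2, seq 24653, length 40
12:40:32.367754 IP centos7 > 192.168.0.2: ICMP echo reply, id 2, seq 24653, length 40
12:51:51.475653 IP centos7.ssh > host1.53698: Flags [P.], seq 23108672:23108912, ack 3372973860, win 162, length 240
12:51:51.476882 IP host1.53698 > centos7.ssh: Flags [.], ack 240, win 254, length 0
"""

# Stand-in for /etc/services, used when tcpdump printed a service name.
SERVICES = {"ssh": 22, "http": 80, "https": 443, "domain": 53}

LINE_RE = re.compile(r"^(?P<ts>\S+) IP (?P<src>\S+) > (?P<dst>[^:]+): (?P<rest>.*)$")
FLAGS_RE = re.compile(r"Flags \[([^\]]*)\]")


@dataclass
class Packet:
    ts: str
    proto: str              # "tcp", "udp", "icmp" or "other"
    src: str
    sport: Optional[int]
    dst: str
    dport: Optional[int]
    flags: str              # tcpdump's letters: "S", "R.", "P.", "." ...


def _endpoint(text: str, has_port: bool) -> Tuple[str, Optional[int]]:
    """'192.168.0.2.ssh' -> ('192.168.0.2', 22); ICMP lines carry no port."""
    if not has_port:
        return text, None
    host_part, _, port_part = text.rpartition(".")
    return host_part, int(port_part) if port_part.isdigit() else SERVICES.get(port_part)


def parse_line(line: str) -> Optional[Packet]:
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rest = m["rest"]
    if rest.startswith("Flags ["):
        proto = "tcp"
    elif rest.startswith("UDP"):
        proto = "udp"
    elif rest.startswith("ICMP"):
        proto = "icmp"
    else:
        proto = "other"
    has_port = proto in ("tcp", "udp")
    src, sport = _endpoint(m["src"], has_port)
    dst, dport = _endpoint(m["dst"], has_port)
    fm = FLAGS_RE.match(rest) if proto == "tcp" else None
    return Packet(m["ts"], proto, src, sport, dst, dport, fm.group(1) if fm else "")


def parse_capture(text: str) -> List[Packet]:
    return [p for p in map(parse_line, text.splitlines()) if p is not None]


Predicate = Callable[[Packet], bool]

# The same three primitives the page uses on the command line.
def host(addr: str) -> Predicate:
    return lambda p: addr in (p.src, p.dst)

def dst(addr: str) -> Predicate:
    return lambda p: p.dst == addr

def port(number) -> Predicate:
    n = SERVICES[number] if isinstance(number, str) else number
    return lambda p: n in (p.sport, p.dport)

def tcp(p: Packet) -> bool:
    return p.proto == "tcp"

def filter_packets(pkts: List[Packet], *preds: Predicate) -> List[Packet]:
    """'and' of all predicates, like 'tcp and port 22 and host centos7'."""
    return [p for p in pkts if all(pred(p) for pred in preds)]


def find_refused(pkts: List[Packet]) -> List[Tuple[Packet, Packet]]:
    """Pair each SYN with a later RST+ACK coming back from the target.

    That exchange means nothing was listening on the port; many of them
    from one source against many ports is what a port scan looks like.
    """
    pending, refused = {}, []
    for p in pkts:
        if p.proto != "tcp":
            continue
        if p.flags == "S":
            pending[(p.src, p.sport, p.dst, p.dport)] = p
        elif p.flags == "R.":
            key = (p.dst, p.dport, p.src, p.sport)   # the reverse direction
            if key in pending:
                refused.append((pending.pop(key), p))
    return refused


if __name__ == "__main__":
    pkts = parse_capture(SAMPLE)
    print(f"{len(filter_packets(pkts, port(22)))} packets match port 22")
    for syn, rst in find_refused(pkts):
        print(f"{syn.src}:{syn.sport} -> {syn.dst}:{syn.dport} refused (RST at {rst.ts})")
```

On the sample lines, port(22) and port("ssh") each match the four SSH packets, host("192.168.0.2") matches both directions of the ICMP and SSH exchanges while dst("192.168.0.2") keeps only the two packets sent to it, and find_refused reports the single SYN from 192.168.0.1 that was answered with an RST.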