TCPDUMP is a tool that is used to analyze TCP/IP packets. It was first released in 1988 and has since become a very powerful and widely used traffic analyzer on Linux as well as many other operating systems.

TCPDUMP lets you capture all inbound and outbound traffic on all interfaces. More importantly, it can filter traffic by interface, host, source or destination host, traffic type, and many other criteria. During troubleshooting, this helps you isolate only the packets that are relevant to you, so that you are not overwhelmed by the stream of bits and bytes.

In this post, we’ll go over a list of very common tcpdump options to get you started. This will give you a good idea of how much help you can get from it.

In most cases, to use tcpdump, you must be root or run the commands with sudo. This is because the packet capture mechanism requires elevated privileges. So, if you run tcpdump and get no results, you may need to run it as the superuser. In practice, tcpdump itself will tell you when it lacks the required privileges.

Traffic on all interfaces

This command will give you all the traffic that goes in and out of all interfaces:

sudo tcpdump

The screen will display information about packets until you press Ctrl+C. Alternatively, you can use the ‘-c’ option to stop after a certain number of packets (for example, tcpdump -c 10).
Let’s take a look at one of the packets in the output above to understand what each field means:

11:16:20.681353: the packet timestamp;
System.44956: the source host (here shown by its name, System) and the source port;
192.168.6.114.ssh: the destination IP address and port (ssh means port 22);
Flags [S]: the TCP flags set on the packet (S is SYN);
seq 3135937357: the starting sequence number of the TCP segment;
win 64240: the TCP window size;
length 0: the TCP payload length in bytes, i.e. without headers.
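As an added example (not from the original post), the following Python script parses the one-line summary format described above into its fields and then counts SYN-only packets per source host, which is the first thing to look at when a capture shows a host opening many connections. The sample capture inside it is constructed from the field layout listed above, not real output, and the parser assumes the default IPv4 TCP summary format (IP6 lines and non-TCP traffic are deliberately skipped).

```python
import re
from collections import Counter

# Matches the default one-line TCP summary for IPv4 ("IP"): timestamp, source
# host and port, destination host and port, and the flag set. IP6 lines and
# non-TCP traffic do not match and parse to None.
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) IP "
    r"(?P<src>\S+?)\.(?P<sport>\w+) > (?P<dst>\S+?)\.(?P<dport>\w+): "
    r"Flags \[(?P<flags>[^\]]*)\](?P<rest>.*)$"
)
# The remaining comma-separated fields: "seq N" (or "seq A:B" for data
# segments), "ack N", "win N" and the trailing payload "length N".
FIELD_RE = re.compile(r"\b(seq|ack|win|length) (\S+?)(?:,|$)")


def parse_line(line):
    """Return a dict of the fields described in the post, or None if the
    line is not an IPv4 TCP summary line."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    pkt = m.groupdict()
    rest = pkt.pop("rest")
    for key, value in FIELD_RE.findall(rest):
        pkt[key] = value
    return pkt


def syn_counts(lines):
    """Count packets with only SYN set ("Flags [S]") per source host, i.e.
    new connection attempts initiated by that host."""
    counts = Counter()
    for line in lines:
        pkt = parse_line(line)
        if pkt is not None and pkt["flags"] == "S":
            counts[pkt["src"]] += 1
    return dict(counts)


# Constructed sample capture built from the field layout the post describes;
# hosts, ports and sequence numbers are made up, not real output.
SAMPLE = """\
11:16:20.681353 IP System.44956 > 192.168.6.114.ssh: Flags [S], seq 3135937357, win 64240, options [mss 1460,sackOK,TS val 1 ecr 0,nop,wscale 7], length 0
11:16:20.681921 IP 192.168.6.114.ssh > System.44956: Flags [S.], seq 2889452130, ack 3135937358, win 65160, options [mss 1460], length 0
11:16:20.682010 IP System.44956 > 192.168.6.114.ssh: Flags [.], ack 1, win 502, length 0
11:16:20.690117 IP System.44956 > 192.168.6.114.ssh: Flags [P.], seq 1:42, ack 1, win 502, length 41
11:16:21.001200 IP 192.168.6.50.51000 > 192.168.6.114.http: Flags [S], seq 11, win 64240, length 0
"""

if __name__ == "__main__":
    for line in SAMPLE.splitlines():
        print(parse_line(line))
    print(syn_counts(SAMPLE.splitlines()))
```

To use it on a live capture, pipe tcpdump into it (for example tcpdump -l -n port 22 | python3 parse.py) and read lines from sys.stdin instead of SAMPLE.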

Let’s see how we can use some filters to narrow down the traffic we want to check.

Specific interface

tcpdump -i enp3s0

It shows all traffic in and out of the “enp3s0” interface.

Specific host

tcpdump host 8.8.8.8
tcpdump src host 8.8.8.8
tcpdump dst host 8.8.8.8

It shows all traffic associated with host 8.8.8.8, all traffic coming from 8.8.8.8, and all traffic that goes to 8.8.8.8, respectively.

Specific port

tcpdump port 22
tcpdump dst port 22
tcpdump src port 22
tcpdump portrange 22-30

It shows all traffic on port 22 in either direction, all traffic going to port 22, all traffic coming from port 22, and all traffic on any port from 22 to 30, respectively.

Human readable format

tcpdump -A

It prints the contents of all packets in ASCII. This way you can read the actual payload of the packets whenever it is plain text.

Encrypted/unencrypted traffic

As an example, let’s use tcpdump to see what unencrypted HTTP and encrypted HTTPS traffic look like at the packet level. Here are the steps:

Log in to the Linux host with two different sessions
In one session, run the command:

tcpdump -A port 80

In another session, run:

curl google.com

You will see that some of the output looks like this:

As you can see, the raw, unencrypted response from google.com is displayed in clear text. Consequently, the content of any unencrypted message can be intercepted by anyone able to capture the traffic.

Now let’s see what encrypted communication looks like:

Log in to the Linux host with two different sessions
In one session, run the command:

tcpdump -A port 443

In another session, run the command:

curl https://google.com

The output is filled with packets that look like this:

This is the encrypted content of the HTTPS session, which cannot be read from the capture.

A more detailed description of tcpdump is available on the project page: TCPDUMP