LinuxCommandLibrary

tcpdump

Capture and analyze network traffic

TLDR

List available network interfaces

$ tcpdump [[-D|--list-interfaces]]

Capture the traffic of a specific interface
$ sudo tcpdump [[-i|--interface]] [eth0]

Capture all TCP traffic showing contents (ASCII) in console
$ tcpdump -A tcp

Capture the traffic from or to a host
$ tcpdump host [www.example.com]

Capture the traffic from a specific interface, source, destination and destination port
$ sudo tcpdump [[-i|--interface]] [eth0] src [192.168.1.1] and dst [192.168.1.2] and dst port [80]

Capture the traffic of a network
$ tcpdump net [192.168.1.0/24]

Capture all traffic except traffic over port 22 and save to a dump file
$ tcpdump -w [dumpfile.pcap] port not [22]

Read from a given dump file
$ tcpdump -r [dumpfile.pcap]

SYNOPSIS

tcpdump [ -AdDefhHnNOpqRStuvVwWxxXyYzZ ] [ -B size ] [ -c count ] [ -C file_size ] [ -G rotate_seconds ] [ -i interface ] [ -j tstamp_type ] [ -k tstamp_precision ] [ -l ] [ -M secret ] [ --number ] [ -Q direction ] [ -r file ] [ -s snaplen ] [ -T type ] [ --time-stamp-precision=tstamp_precision ] [ -U ] [ --immediate-mode ] [ -w file ] [ -W filecount ] [ -E spi@ipaddr algo:secret,... ] [ -y datalinktype ] [ -z postrotate-command ] [ -Z user ] [ expression ]

PARAMETERS

-A
    Print each packet (minus its link level header) in ASCII.

-b
    Print the AS number in BGP packets in ASDOT notation rather than ASPLAIN notation.

-c count
    Exit after receiving count packets.

-d
    Dump the compiled packet-matching code in a human readable form to standard output.

-dd
    Dump packet-matching code as a C program fragment.

-ddd
    Dump packet-matching code as decimal numbers (preceded with a count).

-D
    List the network interfaces available for capturing packets.

-e
    Print the link-layer header on each dump line.

-f
    Print 'foreign' internet addresses numerically rather than symbolically (this option is intended to get around serious brain damage in Sun's yp server - usually this means that it is trying to interpret non-internet addresses as internet addresses).

The test for "foreign" internet addresses is done using the internet address number of the network interface on which tcpdump is doing its capturing. If the address is fetched incorrectly (as happens occasionally on Sun boxes due to nis server problems) or if the interface has no address at all (as occasionally happens on SLIP interfaces), this option will not work correctly.

-F file
    Use file as input for the filter expression.

-i interface
    Listen on interface. If unspecified, tcpdump searches the system interface list for the lowest numbered, configured up interface (excluding loopback). Ties are broken by choosing the earliest interface in the list.

-n
    Don't convert host addresses to names.

-w file
    Write the raw packets to file rather than parsing and printing them out. Later they can be printed with the -r option.

expression
    Selects which packets will be dumped. If expression is not given, all packets on the net will be dumped. Otherwise, only packets for which expression is `true' will be dumped. The expression consists of one or more primitives. Primitives usually consist of an id (name or number) preceded by one or more qualifiers.

DESCRIPTION

tcpdump is a command-line packet analyzer. It captures and displays TCP/IP and other network traffic that is sent or received on a network interface of the host it runs on. It can filter traffic based on criteria such as source/destination IP addresses, ports, protocols, and packet contents, and is used for network troubleshooting, security analysis, protocol development, and debugging network applications.

tcpdump captures packets by utilizing the libpcap library, which provides a platform-independent API for capturing network traffic. It can be used to save captured packets to a file for later analysis or to display them in real-time. The output can be verbose, providing detailed information about each packet, including headers, flags, and data payloads. Filtering allows the user to focus only on the traffic relevant to their analysis, avoiding overwhelming the output with irrelevant packets.

Understanding network protocols and packet structures is crucial to effectively use tcpdump.

CAVEATS

Requires root privileges to capture packets on most systems; on Linux, the CAP_NET_RAW and CAP_NET_ADMIN capabilities are enough to open a capture interface. Because tcpdump parses untrusted packets with those privileges, run it with -Z user (or a build that drops to an unprivileged user by default) so that the protocol dissectors do not run as root, and keep it updated.

Capturing all traffic can generate large amounts of data, impacting system performance and filling disks. A precise filter expression and, for long captures, the -C, -G and -W rotation options keep the volume manageable.

Without -n, tcpdump resolves every address it prints with reverse DNS lookups, which slows the output and generates DNS traffic of its own that can itself appear in the capture. Printed payloads (-A, -X) and -w files contain whatever was on the wire, credentials and session tokens included, so capture files must be protected like the traffic they record.

FILTERING

The expression argument is key to using tcpdump effectively. It uses the pcap-filter(7) syntax, which libpcap compiles into a Berkeley Packet Filter (BPF) program; on most systems that program runs in the kernel, so packets that do not match are discarded before they are copied to user space. The syntax combines primitives such as host, net, port and protocol names with and, or, not and parentheses (quote the expression so the shell does not interpret the parentheses), which lets the user select traffic by source/destination address, protocol, port and other criteria. The -d option prints the compiled program, which is a convenient way to check a filter before starting a capture.

SAVING CAPTURED DATA

The -w option writes the raw packets to a file in pcap format instead of printing them. The file can later be read with tcpdump -r or with other tools such as Wireshark, which is how offline analysis and archiving of network traffic are done. Output to the file is block-buffered by default; with -U each packet is written as soon as it is captured, so that a capture which is interrupted loses as little as possible. The -s snaplen option controls how many bytes of each packet are stored; current versions default to 262144 bytes, which keeps whole packets.

TIMESTAMP PRECISION

The --time-stamp-precision option controls the timestamp resolution of packets. The available values are 'micro' (the default) and 'nano'; nanosecond timestamps are only as accurate as the capture mechanism that supplies them, and are useful for precise timing measurements, particularly on high-speed networks. The precision is recorded in the magic number at the start of a file written with -w, so a reader knows whether the fractional part of each timestamp is microseconds or nanoseconds; when reading a savefile with -r, the option converts the file's timestamps to the requested precision.
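The file layout that -w writes and -r reads, and the way the timestamp precision is recorded in it, are easiest to see from a reader. The following is an added example, not code from tcpdump or libpcap: a stdlib-only Python reader for the classic pcap format (tcpdump's default savefile format; pcapng is not handled) that accepts both byte orders and both the microsecond and nanosecond magic numbers, validates each record against the header's snaplen, decodes Ethernet/IPv4 headers, and re-applies the TLDR's `port not 22` filter offline. The two packets it parses are constructed in memory (the 192.168.1.1 and 192.168.1.2 addresses follow the TLDR examples; the MAC addresses, timestamps and payloads are made up); feed `parse_pcap` or `summarize` the bytes of a real dumpfile.pcap to run it on a capture.

```python
"""Reader for the pcap savefiles that tcpdump -w produces (not pcapng). Added
example, not tcpdump or libpcap code; stdlib only. It builds a two-packet capture
in memory (constructed data), shows how the file magic encodes the timestamp
precision, and re-applies a 'port not 22' filter offline."""
import struct
from typing import Callable, List, NamedTuple, Optional, Tuple

MAGIC_MICRO = 0xA1B2C3D4   # timestamps in microseconds (the default)
MAGIC_NANO = 0xA1B23C4D    # timestamps in nanoseconds (--time-stamp-precision=nano)
LINKTYPE_ETHERNET = 1      # DLT_EN10MB
DEFAULT_SNAPLEN = 262144   # tcpdump's default snaplen

class Packet(NamedTuple):
    ts_ns: int      # capture time as integer nanoseconds, exact at either precision
    orig_len: int   # length on the wire
    data: bytes     # captured bytes, shorter than orig_len if snaplen truncated it

def parse_pcap(blob: bytes) -> Tuple[bool, int, int, List[Packet]]:
    """Return (nano, snaplen, linktype, packets); accepts either byte order and precision."""
    if len(blob) < 24:
        raise ValueError("truncated pcap global header")
    endian, magic = "<", struct.unpack("<I", blob[:4])[0]
    if magic not in (MAGIC_MICRO, MAGIC_NANO):       # byte-swapped writer?
        endian, magic = ">", struct.unpack(">I", blob[:4])[0]
        if magic not in (MAGIC_MICRO, MAGIC_NANO):
            raise ValueError("not a pcap file (magic 0x%08x)" % magic)
    nano = magic == MAGIC_NANO
    frac_scale = 1 if nano else 1000                 # stored fraction -> nanoseconds
    _maj, _min, _zone, _sigfigs, snaplen, linktype = struct.unpack(endian + "HHiIII", blob[4:24])
    packets, off = [], 24
    while off + 16 <= len(blob):
        sec, frac, incl_len, orig_len = struct.unpack(endian + "IIII", blob[off:off + 16])
        off += 16
        # No writer stores more than snaplen (or orig_len) bytes, and no record may run past EOF.
        if incl_len > snaplen or incl_len > orig_len or off + incl_len > len(blob):
            raise ValueError("corrupt or truncated record at offset %d" % (off - 16))
        packets.append(Packet(sec * 10**9 + frac * frac_scale, orig_len, blob[off:off + incl_len]))
        off += incl_len
    return nano, snaplen, linktype, packets

def decode_ipv4(frame: bytes) -> Optional[Tuple[str, str, int, Optional[int], Optional[int]]]:
    """(src, dst, proto, sport, dport) of an Ethernet/IPv4 frame; None for ARP, IPv6 or a short frame."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        return None
    ihl = (frame[14] & 0x0F) * 4
    if ihl < 20 or len(frame) < 14 + ihl:
        return None
    proto, l4 = frame[23], frame[14 + ihl:]
    src, dst = (".".join(str(b) for b in frame[a:a + 4]) for a in (26, 30))
    sport = dport = None
    if proto in (6, 17) and len(l4) >= 4:           # TCP and UDP both start with the two ports
        sport, dport = struct.unpack("!HH", l4[:4])
    return src, dst, proto, sport, dport

def not_port(port: int) -> Callable[[Packet], bool]:
    """Offline counterpart of 'port not N': drop TCP/UDP to or from N, keep the rest (IPv6 is not decoded, so kept)."""
    def keep(pkt: Packet) -> bool:
        f = decode_ipv4(pkt.data)
        return f is None or port not in (f[3], f[4])
    return keep

def _tcp_frame(src: str, dst: str, sport: int, dport: int, payload: bytes) -> bytes:
    """Constructed Ethernet/IPv4/TCP frame; checksums are left zero (the reader does not verify them)."""
    eth = bytes.fromhex("020000000002020000000001") + b"\x08\x00"   # dst MAC, src MAC, type IPv4
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0, 64, 6, 0,
                     bytes(int(o) for o in src.split(".")), bytes(int(o) for o in dst.split(".")))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 65535, 0, 0)  # PSH|ACK
    return eth + ip + tcp + payload

def build_sample_pcap(nano: bool = True) -> bytes:
    """Two-packet capture laid out as tcpdump -w does: global header, then per packet a 16-byte record header plus data."""
    hdr = struct.pack("<IHHiIII", MAGIC_NANO if nano else MAGIC_MICRO, 2, 4, 0, 0,
                      DEFAULT_SNAPLEN, LINKTYPE_ETHERNET)
    frames = [  # (seconds, microseconds, frame): constructed sample traffic
        (1700000000, 500, _tcp_frame("192.168.1.1", "192.168.1.2", 40000, 22, b"SSH-2.0-x\r\n")),
        (1700000000, 750, _tcp_frame("192.168.1.1", "192.168.1.2", 40001, 80, b"GET / HTTP/1.0\r\n\r\n")),
    ]
    out = bytearray(hdr)
    for sec, usec, frame in frames:
        frac = usec * 1000 if nano else usec      # the fraction's unit follows the magic
        out += struct.pack("<IIII", sec, frac, len(frame), len(frame)) + frame
    return bytes(out)

def summarize(blob: bytes, keep: Optional[Callable[[Packet], bool]] = None) -> List[str]:
    """One tcpdump-style line per packet that passes the optional filter."""
    _nano, _snaplen, _linktype, packets = parse_pcap(blob)
    lines = []
    for pkt in packets:
        if keep is not None and not keep(pkt):
            continue
        sec, nsec = divmod(pkt.ts_ns, 10**9)
        f = decode_ipv4(pkt.data)
        if f is None:
            lines.append("%d.%09d non-IPv4 frame, length %d" % (sec, nsec, pkt.orig_len))
        else:
            src, dst, proto, sport, dport = f
            lines.append("%d.%09d IP %s.%s > %s.%s: proto %d, length %d"
                         % (sec, nsec, src, sport, dst, dport, proto, pkt.orig_len))
    return lines
```

Timestamps are kept as integer nanoseconds rather than floats because a double cannot represent a current epoch time to nanosecond precision, and the rounding would show up when correlating a capture against other logs; a file written at micro precision yields the same instants, just coarser on disk. The checks on incl_len reject a file that was cut off mid-record or hand-edited instead of silently decoding garbage, which is the behaviour you want when the capture is evidence.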

HISTORY

tcpdump was originally developed in the late 1980s by Van Jacobson, Craig Leres, and Steven McCanne at the Lawrence Berkeley Laboratory (LBL). It has since become a standard tool for network analysis and is widely used in various operating systems. The tool leverages the libpcap library for packet capture and BPF (Berkeley Packet Filter) for efficient packet filtering. Over the years, numerous contributors have enhanced tcpdump, adding support for new protocols, improving performance, and fixing security vulnerabilities. It maintains a prominent presence in network security, monitoring, and debugging workflows.

SEE ALSO

pcap(3), pcap-filter(7), wireshark(1)
