Tcpdump

Introduction

Tcpdump is a powerful network debugging tool that intercepts and displays packets on a network interface. Moreover, its filtering feature lets you display only the packets you are interested in.

Installation

You can download the source code from here and compile it on your Linux machine. However, it is easier to use a package manager such as apt-get for the installation:

apt-get install tcpdump

Usage

tcpdump [options] [filter expression]

In the following example we listen for all traffic that uses UDP:

tcpdump udp

Now we'll learn how to capture packets for a specific port:

tcpdump port 80

This captures all packets (incoming and outgoing) that use port 80; port 80 may be either the source or the destination port.

Now let's be more specific and capture only packets whose destination port is 80.

tcpdump dst port 80

Easy, right? If you administer a web server, you can use that command to see the incoming packets.

Now let's capture packets only for specific hosts.

tcpdump src host 1.2.3.4

Here we catch packets whose source IP is 1.2.3.4.

You may wonder whether tcpdump accepts logical operators such as 'and' and 'or'. The answer is YES: we can combine conditions in a tcpdump filter expression. For example, the following captures all SSH packets sent by 1.2.3.4 (source port 22 and source host 1.2.3.4):

tcpdump 'src port 22 and src host 1.2.3.4'

Sometimes we need to save packets to a file. We can use the -w option for this purpose (options go before the filter expression):

tcpdump -w /home/users/demo/demo.dump host 1.2.3.4

Let's read the saved file back with the -r option:

tcpdump -r /home/users/demo/demo.dump
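The following POSIX shell script is an added example and is not part of the original post. It ties the last three steps together: it composes filter expressions with explicit grouping (the BPF 'and' operator binds tighter than 'or', so parentheses keep the intent clear), builds the same "SSH from 1.2.3.4" filter as above, and runs a short capture that writes with -w and reads back with -r. The helper names join_filter, ssh_from_host, web_or_ssh_for_host and capture_and_replay, the file /tmp/demo.pcap and the RUN_CAPTURE variable are this example's own choices; the live capture assumes tcpdump is installed and the script runs as root.

```sh
#!/bin/sh
# Added example, not from the original post. Assumes tcpdump in PATH and
# root privileges for the live capture; the filter helpers need neither.

# Join filter terms with one logical operator ('and' or 'or').
# Every term is parenthesised so precedence is explicit when nesting.
join_filter() {
    op="$1"; shift
    out=""
    for term in "$@"; do
        if [ -z "$out" ]; then
            out="($term)"
        else
            out="$out $op ($term)"
        fi
    done
    printf '%s' "$out"
}

# The post's example: SSH packets sent by 1.2.3.4.
ssh_from_host() {
    join_filter and "src port 22" "src host 1.2.3.4"
}

# A nested expression: SSH or HTTP traffic involving host $1, minus DNS.
# Without grouping, "host X and port 22 or port 80 and not port 53" would
# parse as (host X and port 22) or (port 80 and not port 53).
web_or_ssh_for_host() {
    join_filter and "host $1" "$(join_filter or 'port 22' 'port 80')" "not port 53"
}

# Capture COUNT packets on IFACE matching FILTER into FILE, then read FILE.
# -n disables reverse DNS lookups, which would otherwise slow the capture
# and emit extra queries from the monitoring host. All options precede
# the filter; tcpdump treats every remaining argument as filter text.
capture_and_replay() {
    iface="$1"; count="$2"; file="$3"; filter="$4"
    tcpdump -i "$iface" -n -c "$count" -w "$file" "$filter" || return 1
    tcpdump -n -r "$file"
}

# The live capture only runs when explicitly requested (RUN_CAPTURE=1),
# so the script can be sourced or run on a box without tcpdump/root.
if [ "${RUN_CAPTURE:-0}" = 1 ]; then
    capture_and_replay any 10 /tmp/demo.pcap "$(web_or_ssh_for_host 1.2.3.4)"
else
    echo "filter: $(web_or_ssh_for_host 1.2.3.4)"
fi
```

Run it as `RUN_CAPTURE=1 sh demo.sh` as root to perform the capture; without the variable it only prints the composed filter, which is a convenient way to check an expression before pointing tcpdump at a busy interface.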

Summary

Tcpdump is one of the most powerful packet sniffers and helps system administrators solve network problems. It can be used with Boolean filter expressions to capture only the packets of interest.
