Tcpdump is a command-line packet analyzer that captures and displays packets passing through a network interface. Its filter expressions (Berkeley Packet Filter syntax) let you display only the packets you are interested in instead of everything on the wire.
You can download the source code from here and compile it on your Linux machine, but it is easier to install it from your distribution’s package manager, for example apt-get on Debian or Ubuntu:
apt-get install tcpdump
The general syntax is:
tcpdump [options] [filter expression]
Capturing raw packets requires root privileges (or the CAP_NET_RAW capability), so run the examples below with sudo. Two options worth using throughout are -i to choose the interface (otherwise tcpdump picks the first one it finds) and -n to suppress name lookups for addresses and ports, which are slow and themselves generate DNS traffic on the network you are watching.
In the following example we listen for all packets that use UDP:
Now let’s capture packets on a specific port:
tcpdump port 80
This captures every packet that uses port 80 in either direction: the expression matches when port 80 is the source port or the destination port.
Now let’s be more specific and capture only packets whose destination port is 80.
tcpdump dst port 80
Easy, right? If you administer a web server, this command shows you the incoming requests but not the server’s replies, whose source port is 80.
Now let’s capture packets from a specific host only.
tcpdump src host 184.108.40.206
Here we capture packets whose source IP is 184.108.40.206. The plain host qualifier, without src or dst, matches packets sent to or from that address, just as port does for ports.
You may wonder whether tcpdump accepts logical operators such as and, or and not. It does: primitives can be combined into Boolean expressions. For example, to capture all SSH packets going to 18.104.22.168 we combine a destination port with a destination host:
tcpdump ’dst port 22 and dst host 18.104.22.168’
Quoting the whole expression keeps the shell from interpreting characters such as parentheses that the filter syntax uses for grouping.
Sometimes we need to save packets to a file. Use the -w option for this; put it before the filter expression, since some tcpdump builds stop parsing options at the first filter word:
tcpdump -w /home/users/demo/demo.dump host 126.96.36.199
The file is binary pcap, not text, so do not try to cat it; read it with -r instead. Because the file is written as root, consider -Z user so that tcpdump drops privileges after opening the interface and the output file.
Let’s read the saved file back with -r, which accepts the same filter expressions as a live capture:
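To make the filter semantics above concrete (port matches either direction, dst port only the destination, src host only the sender, and Boolean combinations), and to show what the -w file actually contains, here is an added example that is not part of the original article and not tcpdump’s own code. It builds a small constructed capture in memory using the addresses from the text (184.108.40.206 and 18.104.22.168 are just sample values here), writes it in the classic pcap format that tcpdump -w produces, reads it back the way tcpdump -r would, and evaluates each of the article’s filter expressions in Python. Only little-endian classic pcap with Ethernet frames is handled, not pcapng, and IP/TCP checksums are left zero, which tcpdump does not verify anyway.

```python
import os
import struct
import tempfile

# --- Constructed sample traffic (not a real capture) ---------------------------
ETH_IPV4 = 0x0800
PROTO_TCP, PROTO_UDP = 6, 17


def _ip(addr):
    return bytes(int(o) for o in addr.split("."))


def frame(src, dst, proto, l4):
    """Ethernet + IPv4 frame wrapped around an L4 header. Checksums stay zero."""
    eth = b"\x02" * 6 + b"\x02" * 6 + struct.pack("!H", ETH_IPV4)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64,
                     proto, 0, _ip(src), _ip(dst))
    return eth + ip + l4


def tcp(sport, dport):
    # ports, seq, ack, data offset (5 words), SYN flag, window, checksum, urgent
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x02, 65535, 0, 0)


def udp(sport, dport):
    return struct.pack("!HHHH", sport, dport, 8, 0)


SAMPLE_FRAMES = [
    frame("10.0.0.5", "184.108.40.206", PROTO_TCP, tcp(51234, 80)),  # client -> web server
    frame("184.108.40.206", "10.0.0.5", PROTO_TCP, tcp(80, 51234)),  # web server reply
    frame("10.0.0.5", "192.0.2.53", PROTO_UDP, udp(53000, 53)),      # DNS query
    frame("10.0.0.9", "18.104.22.168", PROTO_TCP, tcp(40000, 22)),   # SSH to 18.104.22.168
    frame("184.108.40.206", "10.0.0.9", PROTO_TCP, tcp(22, 40001)),  # SSH from 184.108.40.206
]


def write_pcap(path, frames, linktype=1):
    """Write a classic pcap file: 24-byte global header, then 16-byte record headers."""
    with open(path, "wb") as f:
        f.write(struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, linktype))
        for i, data in enumerate(frames):
            f.write(struct.pack("<IIII", 1700000000 + i, 0, len(data), len(data)))
            f.write(data)


def read_pcap(path):
    """Parse the file back into IPv4 5-tuples, roughly what tcpdump -r decodes."""
    with open(path, "rb") as f:
        magic, *rest = struct.unpack("<IHHiIII", f.read(24))
        if magic != 0xA1B2C3D4:
            raise ValueError("not a little-endian classic pcap file")
        if rest[-1] != 1:
            raise ValueError("expected Ethernet link type")
        packets = []
        while True:
            rec = f.read(16)
            if len(rec) < 16:
                break
            _sec, _usec, incl_len, _orig_len = struct.unpack("<IIII", rec)
            data = f.read(incl_len)
            if struct.unpack("!H", data[12:14])[0] != ETH_IPV4:
                continue  # non-IPv4 frames are skipped in this minimal decoder
            ip = data[14:]
            ihl = (ip[0] & 0x0F) * 4
            proto = ip[9]
            src = ".".join(map(str, ip[12:16]))
            dst = ".".join(map(str, ip[16:20]))
            sport = dport = None
            if proto in (PROTO_TCP, PROTO_UDP):
                sport, dport = struct.unpack("!HH", ip[ihl:ihl + 4])
            packets.append({"proto": proto, "src": src, "dst": dst,
                            "sport": sport, "dport": dport})
        return packets


# Each filter expression from the article, written out as the predicate it evaluates.
FILTERS = {
    "udp": lambda p: p["proto"] == PROTO_UDP,
    "port 80": lambda p: 80 in (p["sport"], p["dport"]),       # either direction
    "dst port 80": lambda p: p["dport"] == 80,                  # destination only
    "src host 184.108.40.206": lambda p: p["src"] == "184.108.40.206",
    "dst port 22 and dst host 18.104.22.168":
        lambda p: p["dport"] == 22 and p["dst"] == "18.104.22.168",
}


def count_matches(path):
    packets = read_pcap(path)
    return {expr: sum(1 for p in packets if pred(p)) for expr, pred in FILTERS.items()}


def demo():
    """Write the constructed capture to a temp dir, read it back, count matches."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "demo.dump")
        write_pcap(path, SAMPLE_FRAMES)
        return count_matches(path)


if __name__ == "__main__":
    for expr, n in demo().items():
        print(f"{n} packet(s) match: {expr}")
```

The counts make the direction rules visible: port 80 matches both the request and the reply, dst port 80 only the request, and src host 184.108.40.206 picks up the reply plus the unrelated SSH session from that address, which is why combining src/dst qualifiers with and is usually what you want. The demo.dump file written here opens in tcpdump -r or Wireshark like any other pcap.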
Tcpdump is one of the most powerful packet sniffers available and helps system administrators track down network problems. Its Boolean filter expressions let you capture only the packets you are interested in.