Tcpdump cheat sheet – Learn how to take a packet capture on Linux.


In another post, we explained the tcpdump command and its various use cases. This cheat sheet is a quick, concise reference for taking captures with different options. The examples are short and easy to understand, and each command comes with a detailed example.

Capture Tcpdump for ICMP:

ICMP (Internet Control Message Protocol) is a standard protocol for network troubleshooting. ICMP messages are carried directly over IP to reach the peer. In an IP network, every device can handle and generate ICMP events.

If someone wants to see these events on the wire, they need to capture the protocol's packets. The tcpdump command lets you specify ICMP as the capture filter.

[root@CentOs]# tcpdump -i any icmp

In the above command, we have taken a capture from all the network interfaces of the Linux machine. You can instead specify only the desired interface. Next is how to test that the tcpdump ICMP capture is working: ICMP provides a pair of messages called ECHO request and ECHO reply.

From a Windows (OS) cmd console, type “ping ip_address”, where the IP address is the network address of the Linux machine on which the tcpdump command is running.

You will see the following output on the terminal.

17:43:10.794761 IP 192.168.1.4 > CentOs7-181: ICMP echo request, id 1, seq 813, length 40
17:43:10.794826 IP CentOs7-181 > 192.168.1.4: ICMP echo reply, id 1, seq 813, length 40
17:43:11.891571 IP 192.168.1.4 > CentOs7-181: ICMP echo request, id 1, seq 814, length 40
17:43:11.891629 IP CentOs7-181 > 192.168.1.4: ICMP echo reply, id 1, seq 814, length 40
17:43:12.987568 IP 192.168.1.4 > CentOs7-181: ICMP echo request, id 1, seq 815, length 40
17:43:12.987624 IP CentOs7-181 > 192.168.1.4: ICMP echo reply, id 1, seq 815, length 40
17:43:14.098963 IP 192.168.1.4 > CentOs7-181: ICMP echo request, id 1, seq 816, length 40
17:43:14.098987 IP CentOs7-181 > 192.168.1.4: ICMP echo reply, id 1, seq 816, length 40

ICMP has many message types, and ECHO is one of them. You may want to capture only the ECHO packets; this reduces the capture size and makes it easier to analyze the packets in Wireshark from a dump file. The following example shows how to capture ECHO requests only.

[root@CentOs]# tcpdump -i any 'icmp[icmptype] == 8'

Here 8 is the numeric value of the ICMP ECHO request message type. The filter is quoted so that the shell does not treat the square brackets as a glob pattern.

How to capture port-specific messages?  

The following command captures network packets on a particular port, in this case port 5060:

# tcpdump port 5060

The above captures a single port. For multiple ports, use the following command:

# tcpdump port 5060 or port 5061 or port 5062

If there are many ports (e.g., 100), the above form becomes cumbersome, especially when the ports form a range. The following command captures packets for a port range:

# tcpdump portrange 5060-5062

For the destination port only:

# tcpdump -i any dst port 5060

For the source port only:

# tcpdump -i any src port 5060
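As an added example (not from the original post or from the tcpdump project), the following shell script automates the choice between port, or and portrange shown above: it takes any list of ports, sorts and de-duplicates them, collapses consecutive ports into ranges, and hands the resulting filter to tcpdump together with -i any, -n and -c. The capture_ports helper, its -w output file and the sort/uniq pipeline are my assumptions.

```shell
#!/bin/sh
# Emit one BPF term for a run of ports: a single "port N" or a "portrange A-B".
range_term() {
    if [ "$1" = "$2" ]; then
        printf 'port %s' "$1"
    else
        printf 'portrange %s-%s' "$1" "$2"
    fi
}

# Build a tcpdump port filter from any list of ports. Ports are sorted and
# de-duplicated, consecutive ports are collapsed into "portrange A-B", and
# the resulting terms are joined with "or", e.g.
#   build_port_filter 5062 5060 5061 5080  ->  "portrange 5060-5062 or port 5080"
build_port_filter() {
    local filter="" start="" prev="" p
    for p in "$@"; do
        case $p in
            ''|*[!0-9]*) printf 'invalid port: %s\n' "$p" >&2; return 1 ;;
        esac
    done
    for p in $(printf '%s\n' "$@" | sort -n | uniq); do
        if [ -z "$start" ]; then
            start=$p; prev=$p                       # open the first run
        elif [ "$p" -eq $((prev + 1)) ]; then
            prev=$p                                 # extend the current run
        else
            filter="$filter${filter:+ or }$(range_term "$start" "$prev")"
            start=$p; prev=$p                       # start a new run
        fi
    done
    if [ -n "$start" ]; then
        filter="$filter${filter:+ or }$(range_term "$start" "$prev")"
    fi
    printf '%s\n' "$filter"
}

# Capture COUNT packets on all interfaces for the given ports and write them
# to a pcap file for Wireshark. -i, -n, -c and -w are standard tcpdump
# options; this helper assumes tcpdump is installed and the script runs as root.
# Usage: capture_ports 100 sip.pcap 5060 5061 5062
capture_ports() {
    local count=$1 outfile=$2 filter
    shift 2
    filter=$(build_port_filter "$@") || return 1
    printf 'capturing %s packets with filter: %s\n' "$count" "$filter"
    tcpdump -i any -n -c "$count" -w "$outfile" "$filter"
}
```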

Tcpdump IP filter:

For a single IP address, which can be either the source or the destination address:

# tcpdump host 192.168.1.80

For capturing multiple IP addresses:

# tcpdump host 192.168.1.80 or 192.168.1.81

For capturing only packets sent from an IP address (source filter):

# tcpdump -i any src host 192.168.2.100

For a destination IP filter:

# tcpdump -i any dst host 192.168.3.100

The above are single-IP filters. There are situations when you need to capture a range of IP addresses; for that, filter on the subnet. A subnet mask identifies the network ID and reserves the remaining bits for the host ID.

For example, the subnet mask 255.255.255.0 says that 24 bits are the network ID and the remaining bits are the host ID. The following example captures packets where the source or destination IP has the network ID 192.168.3:

# tcpdump -i any net 192.168.3.0/24

For the source network only:

# tcpdump -n src net 192.168.3.0/24

For the destination network only:

# tcpdump -n dst net 192.168.3.0/24

Capture only a limited number of packets, N:

# tcpdump -c N

After N packets, tcpdump stops. This is useful when you only want the first few packets of a conversation.

Read only packets larger than a fixed size of N bytes:

# tcpdump greater N

The above command captures packets whose size is greater than N bytes.