Tcpdump command tutorial for network packet capture.
While working with network protocols, it is essential to have a tool that captures the packets as they appear on the wire. Tcpdump is a command-line tool on Linux for capturing packets on network interfaces.
The command captures at the data link layer. A computer may have multiple network interfaces, and tcpdump can capture on a single interface or on all of them.
Beyond that, the command has a rich capture filter language (BPF filter expressions), which lets a capture be narrowed to a specific flow, host, port or protocol, so that only the traffic of interest is recorded.
The captured output can be viewed on the console or, with -w, saved as a pcap file. Wireshark is a graphical user interface (GUI) application that reads and analyzes pcap files. Internally, tcpdump uses the libpcap library to read the raw frames from the interface, apply the filter and write them in pcap format.
Tcpdump in Linux:
Linux is a very popular operating system for applications involving network communication, and it exposes raw packet access through the AF_PACKET socket interface, which is what libpcap uses. Tcpdump is a very powerful tool for capturing and analyzing network packets.
The command-line tool is available on almost all Linux distributions. Tcpdump can capture and filter traffic for TCP/IP, UDP, SCTP and many other protocols, and it recognizes several application protocols (HTTP, DNS, SIP and others) in its console output.
How to install it on Linux?
To begin using a command, it must first be installed on the system. The following commands install tcpdump on the common Linux package families.
On CentOS or RHEL
#yum install tcpdump
On Debian or Ubuntu
#apt-get install tcpdump
The above commands look up the tcpdump package in the distribution's configured repositories and install it (an rpm on CentOS/RHEL, a deb on Debian/Ubuntu). Installation needs root, and capturing packets needs root or the CAP_NET_RAW capability (plus CAP_NET_ADMIN for promiscuous mode).
The command provides many options for capturing network packets, and filter expressions narrow what is captured. The combinations give many possible tcpdump examples; here we list only a few.
On a specific port capture example:
A port number is a 16-bit integer. An application on an IP network listens on a specific port, so a capture can often be narrowed to one port. Tcpdump's 'port' primitive does this. Following is an example.
#tcpdump -i any port 5060
The above command captures, on all interfaces, every TCP, UDP or SCTP packet whose source or destination port is 5060 (the SIP signaling port). Use 'src port 5060' or 'dst port 5060' to match only one direction, and 'udp port 5060' to restrict the match to one transport protocol.
For Windows, the equivalent of tcpdump is WinDump, which is distributed from the WinPcap download site. WinPcap and WinDump are no longer maintained; on current Windows systems, Npcap (the capture driver Wireshark installs) is the maintained replacement.
For a protocol capture example:
An IP network provides connectivity between IP hosts. A host runs applications that use a transport protocol: web applications use HTTP, which runs over TCP (usually on port 80); Sigtran, which carries SS7 signaling over IP, uses SCTP. Tcpdump provides a filter keyword for each transport layer protocol. Following are tcpdump examples for protocol capturing.
Example for capturing SCTP protocol messages:
#tcpdump -i any sctp
For capturing TCP:
#tcpdump -i any tcp
For capturing UDP:
#tcpdump -i any udp
Capture a fixed number of packets:
When capturing starts, tcpdump by default keeps capturing until you press Ctrl+C. When the capture is written to a file with -w, that can eventually fill the disk, and a full disk makes the rest of the system misbehave. The -c option stops the capture after a fixed number of packets; for long-running captures, -C and -W instead rotate the output through a bounded set of files. Suppose you are performing a test with a strict filter and know that 1000 packets will be sufficient. Following is the command (add -w test.pcap to save the packets to a file instead of printing them).
#tcpdump -c 1000 -i any
For a non-Ethernet interface capture:
A Linux machine has non-Ethernet interfaces as well, and sometimes a capture on one of these is required. If the Linux box is connected to the outside world over IPsec, a capture on the physical interface shows encrypted ESP packets in Wireshark, and decrypting them requires the security association keys. An alternative is to capture the cleartext: a netfilter rule with the NFLOG target (for example, an iptables rule ending in -j NFLOG --nflog-group 1) copies the packets it matches to the nflog interface, in cleartext if the rule sits in a chain that sees them before encryption or after decryption, and tcpdump reads that interface with -i nflog:1. The following lists all capture interfaces.
#tcpdump -D
1.virbr0
2.nflog (Linux netfilter log (NFLOG) interface)
3.nfqueue (Linux netfilter queue (NFQUEUE) interface)
4.usbmon1 (USB bus number 1)
5.eth12
6.eth13
7.any (Pseudo-device that captures on all interfaces)
8.lo
For an Ethernet interface capture example:
A machine in an IP network may have multiple interfaces. On Linux, 'ifconfig -a' (or 'ip link') lists them by name. Tcpdump's -i option selects the interface to capture on; this keeps the pcap file smaller and limited to the traffic that matters.
#tcpdump -i eth0
For capturing over all interfaces (note that 'any' uses the Linux cooked capture format, so the recorded frames carry no real Ethernet header):
#tcpdump -i any
Tcpdump and Wireshark:
After capturing a dump to a file, the next step is to analyze it. Wireshark is the GUI tool that reads the pcap file generated by tcpdump. It decodes each message and every parameter in it; for each protocol it uses a dissector written for that protocol.
Libpcap and Tcpdump :
Capturing packets means opening a device and reading from its file descriptor. Libpcap provides APIs to open a device (or a saved file), apply a filter and read packets from it. Libpcap is available on Linux and tcpdump is built on it. The historic equivalent on Windows is WinPcap; its maintained successor is Npcap.
The library can be downloaded from the tcpdump site. A user can write their own capture program with these APIs, which saves a lot of time and work. Capturing and saving to a file is one example of a libpcap application; another is alerting when a particular traffic pattern is seen.
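To make the pcap format and the filter semantics from the sections above concrete, here is an added example (it is not code from the original page, from tcpdump or from libpcap). It writes and reads the classic pcap layout that tcpdump -w produces, and then applies the equivalent of the 'tcp | udp | sctp', 'port N' and '-c N' options to the packets it read. The frames, addresses, ports and timestamps are constructed test data, and the checksums are left at zero because the parser does not verify them; the function names are this example's own.

```python
"""Minimal pcap writer/reader with tcpdump-style protocol/port matching (added example)."""
import socket
import struct

# pcap file layout (what tcpdump -w writes through libpcap):
#   global header: magic, ver_major, ver_minor, thiszone, sigfigs, snaplen, linktype
#   per packet:    ts_sec, ts_usec, incl_len, orig_len, then incl_len bytes of frame
PCAP_MAGIC = 0xA1B2C3D4
LINKTYPE_ETHERNET = 1
PROTO_TCP, PROTO_UDP, PROTO_SCTP = 6, 17, 132


def build_ipv4_packet(proto, sport, dport, payload=b"", src="10.0.0.1", dst="10.0.0.2"):
    """Construct a synthetic Ethernet/IPv4 frame with a minimal TCP, UDP or SCTP header.
    Constructed test input: MACs, IPs and ports are made up and checksums are zero."""
    if proto == PROTO_UDP:
        l4 = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    elif proto == PROTO_TCP:
        # seq, ack, data offset 5 (20-byte header), SYN flag, window, checksum, urgent ptr
        l4 = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x02, 65535, 0, 0) + payload
    elif proto == PROTO_SCTP:
        # SCTP common header: sport, dport, verification tag, checksum
        l4 = struct.pack("!HHII", sport, dport, 0, 0) + payload
    else:
        raise ValueError("unsupported protocol")
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64, proto, 0,
                     socket.inet_aton(src), socket.inet_aton(dst)) + l4
    eth = b"\x00\x11\x22\x33\x44\x55" + b"\x66\x77\x88\x99\xaa\xbb" + b"\x08\x00"
    return eth + ip


def write_pcap(frames, snaplen=262144):
    """Serialize frames into pcap bytes, as tcpdump -w does (timestamps are synthetic)."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, snaplen, LINKTYPE_ETHERNET)
    for i, frame in enumerate(frames):
        captured = frame[:snaplen]          # -s snaplen truncates what is stored
        out += struct.pack("<IIII", 1700000000 + i, 0, len(captured), len(frame)) + captured
    return out


def read_pcap(data):
    """Yield (ts_sec, ts_usec, frame) from pcap bytes, honouring the byte order the magic implies."""
    if data[:4] == struct.pack("<I", PCAP_MAGIC):
        endian = "<"
    elif data[:4] == struct.pack(">I", PCAP_MAGIC):
        endian = ">"
    else:
        raise ValueError("not a classic pcap file (pcapng or corrupt)")
    linktype = struct.unpack(endian + "IHHiIII", data[:24])[6]
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError("this example only decodes the Ethernet link type")
    off = 24
    while off + 16 <= len(data):
        ts_sec, ts_usec, incl, _orig = struct.unpack(endian + "IIII", data[off:off + 16])
        off += 16
        if off + incl > len(data):
            raise ValueError("truncated packet record (capture stopped mid-write)")
        yield ts_sec, ts_usec, data[off:off + incl]
        off += incl


def decode(frame):
    """Return (proto, sport, dport) for an Ethernet/IPv4 frame, or None if it is not IPv4."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        return None
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    proto = ip[9]
    frag_off = struct.unpack("!H", ip[6:8])[0] & 0x1FFF
    if frag_off != 0 or proto not in (PROTO_TCP, PROTO_UDP, PROTO_SCTP):
        return (proto, None, None)   # non-first fragments carry no ports, so 'port' never matches
    sport, dport = struct.unpack("!HH", ip[ihl:ihl + 4])
    return (proto, sport, dport)


def matches(frame, proto=None, port=None):
    """Equivalent of the filter '[tcp|udp|sctp] [port N]': 'port' matches either direction."""
    decoded = decode(frame)
    if decoded is None:
        return False
    p, sport, dport = decoded
    if proto is not None and p != proto:
        return False
    if port is not None and port not in (sport, dport):
        return False
    return True


def filter_pcap(data, proto=None, port=None, count=None):
    """Read pcap bytes, keep matching frames and stop after count frames, like -c."""
    kept = []
    for _ts_sec, _ts_usec, frame in read_pcap(data):
        if matches(frame, proto, port):
            kept.append(frame)
            if count is not None and len(kept) >= count:
                break
    return kept


if __name__ == "__main__":
    sample = write_pcap([
        build_ipv4_packet(PROTO_UDP, 5060, 5060, b"INVITE sip:bob@example.com SIP/2.0\r\n"),
        build_ipv4_packet(PROTO_TCP, 40000, 80, b"GET / HTTP/1.1\r\n"),
        build_ipv4_packet(PROTO_SCTP, 2905, 2905),
    ])
    print(len(filter_pcap(sample, port=5060)), "packet(s) match 'port 5060'")
```

The reader stops with an error on a truncated last record, which is what a file left by a tcpdump killed mid-write looks like; a real libpcap reader reports the same condition. Feeding the bytes of a genuine tcpdump -w capture on an Ethernet interface to filter_pcap gives the same selection as rerunning tcpdump -r with the corresponding filter, as long as the frames are IPv4.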