Tcpdump command tutorial for network packet capture.


While working with the network protocols, it is also essential to have a tool to capture the network packets on the wire. Tcpdump is a command-line tool on Linux for capturing network packets on the Ethernet interfaces.

The command captures packets from the data link layer level. A computer may have multiple network interfaces, which you can capture on a single or all interfaces.

Other than this, the command is very rich in the number of capturing filters. Enables a capture to be very specific for a network flow. E.g., if one has to capture packets for a particular option, it has the option.

The captured output can be viewed on the console or saved as a Pcap file. Wireshark is a graphical user interface (GUI) application that reads and analyzes PCAP files. Internally, tcpdump uses the libpcap library to convert the raw byte stream to pcap format.

Tcpdump in Linux:

Linux is a prevalent operating system for applications involving network communication. It implements system-level APIs to facilitate faster access. Tcpdump is a potent tool for capturing and analyzing network packets.

The command-line tool is available almost on all flavors of Linux. The tcpdump on  Linux can capture or filter traffic for TCP/IP, SCTP, HTTP, and many other protocols.

How to install it on Linux?

To begin using a command, it must first be installed on the system. In this section, we’ll look at examples involving multiple types of Linux machines. The following commands are used to install the tcpdump command.

On CentOS or RHEL

#yum install tcpdump

On Ubuntu,

#apt-get install tcpdump

The above commands search for the mirror for the tcpdump package and install the rpm on the machine.

Tcpdump examples:

The command provides multiple options for capturing the network packets. The options can also be used as filters. Based on options or filters, there can be many possible tcpdump examples. Here we are listing only a few examples.

On a specific port capture example:

A port number is an integer value. An application in IP networks uses a specific port for communication. When capturing a particular port is required, tcpdump can specify the port number. Following is an example.

#tcpdump - i any port 5060

The above command is an example where the command captures packets having port 5060 over the Ethernet interfaces.

For Windows, the equivalent of tcpdump is the WinDump.  This can be downloaded from wincap download.

For a protocol capture example: 

An IP network provides connectivity between the IP hosts. A host may run an application that uses a transport protocol. Web-based applications use TCP protocol which runs over port 80. Sigtran, the ss7 signaling over IP, uses the SCTP protocol.   Tcpdump provides a filter for a transport layer protocol. Following is a tcpdump example for a type of protocol capturing.

Example for capturing SCTP protocol messages.

#tcpdump -i any sctp

For capturing  TCP examples,

#tcpdump -i any tcp

For capturing  UDP example,

#tcpdump -i any udp

Capture a fixed number of packets:

When we start capturing packets, by default, tcpdump keeps capturing packets continuously. Until you do control + C, it may consume all disk space. In turn, the Linux machine will stop responding to a process. There is an option for capturing a fixed number of packets in a pcap file. Suppose you are performing a test with a rigorous filter and know that 1000 packets will be sufficient for the test. Following is the command.

#tcpdump -c 1000 -i any

For a non-Ethernet interface capture:

Linux machine has non-Ethernet interfaces as well. Sometimes requires a capture on these interfaces. Suppose the Linux box is connected to the outer world via IPSEC. The received packet capture in Wireshark will show encrypted packets. Decrypting a packet requires authentication information.   Nflog interface capture can be used for clear packets. Following lists all interfaces.

#tcpdump -D
1.virbr0
2.nflog (Linux netfilter log (NFLOG) interface)
3.nfqueue (Linux netfilter queue (NFQUEUE) interface)
4.usbmon1 (USB bus number 1)
5.eth12
6.eth13
7.any (Pseudo-device that captures on all interfaces)
8.lo

For an Ethernet interface capture example:

A machine in an IP network may have multiple interfaces. On Linux 'ifconfig -a', displays all the interfaces with the name. Tcpdump has the option to capture network packets on a specific interface. This reduces the size of the captured pcap file and only captures packets on key requirements.

#tcpdump -i eth0

For capturing all network interfaces,

#tcpdump -i any

Tcpdump and Wireshark:

After capturing a dump in a file, the next step is to analyze the captures. Wireshark is the GUI-based tool to read the pcap file generated by the tcpdump command. Wireshark decodes the message and each parameter in it. For each decoding, it uses dissectors developed for decoding.

Libpcap and Tcpdump :

When it comes to capturing packets, there needs to be an open device and read on the device file descriptor. Libpcap provides APIs to access a device and reads the data over the device. Libpcap is available on Linux. Tcpdump uses this library. The equivalent of libpcap on Windows OS is WinPcap.

One can download the library from the tcpdump site. A user can develop its capturing program by using APIs. This reduces lots of time and work. The capturing and saving to file one example over libpcap. There can be other applications, like alerting patterns.