tcpdump is a command-line packet capture and analysis tool used for network troubleshooting and security analysis. It captures traffic from a network interface through libpcap and prints a decoded one-line summary of each packet in real time. tcpdump ships with, or is packaged for, most Unix-like operating systems, including Linux and macOS; opening an interface for capture requires root or the CAP_NET_RAW capability.
With tcpdump you can capture packets on a specific interface, filter them by address, port, protocol and other criteria, and write the raw captured data to a file for later analysis. The summary output shows source and destination IP addresses, ports, protocol, timestamps and, with the right options, the packet contents.
Filters are written in the pcap-filter expression syntax and compiled by libpcap into a Berkeley Packet Filter (BPF) program that normally runs in the kernel, so packets that do not match the expression are discarded before they reach userspace. A filter selects packets by criteria such as a particular IP address, port or protocol, and these criteria can be combined with and, or and not.
tcpdump is a standard tool for network administrators and security professionals: it helps diagnose connectivity and performance problems, confirm what a host is actually sending on the wire, and investigate suspicious or unauthorized traffic during an incident.
Because tcpdump is a command-line tool, its output is terse and can be voluminous on a busy link. Capture with a filter and with -n (do not resolve addresses to names, which avoids reverse DNS lookups that slow the capture and generate traffic of their own), and hand saved captures to tools such as Wireshark for deeper analysis.
Capture packets on a specific interface
tcpdump -i eth0
This command captures packets on the "eth0" interface and prints a summary line for each one as it arrives; stop it with Ctrl-C. Without -i, tcpdump picks the first usable non-loopback interface; use -D to list the interfaces it can see.
Capture packets and save them to a file
tcpdump -i eth0 -w capture.pcap
This command captures packets on the "eth0" interface and writes them in raw pcap format to a file named "capture.pcap", without decoding them on screen, for later analysis with tcpdump itself or with other tools like Wireshark. Note that -w records whatever crossed the wire, including any plaintext credentials, cookies and session tokens, so treat capture files as sensitive data.
Read packets from a saved capture file
tcpdump -r capture.pcap
This command reads packets from the "capture.pcap" file instead of a live interface and prints them in the same summary format used for live capture; any of the filter expressions below can be appended to narrow what is shown. To see packet payloads, add -A to print them as ASCII or -X to print hex and ASCII side by side.
Capture packets based on a specific host
tcpdump host 192.168.0.1
This command captures packets involving the IP address 192.168.0.1 as either the source or the destination ("host X" is equivalent to "src X or dst X").
Capture packets based on a specific port
tcpdump port 80
This command captures TCP, UDP or SCTP packets with 80 as either the source or the destination port; combine it with a host filter to watch a single server's web traffic.
Capture only TCP traffic on a specific port
tcpdump tcp port 80
Capture only UDP traffic on a specific port
tcpdump udp port 53
Capture traffic between two specific IP addresses
tcpdump host 192.168.0.10 and 192.168.0.20
This is shorthand for "host 192.168.0.10 and host 192.168.0.20": when a qualifier is omitted, the filter syntax reuses the most recent one. Only packets in which both addresses appear, in either direction, are captured.
Capture traffic with a specific source or destination IP address
tcpdump src 192.168.0.10
tcpdump dst 192.168.0.20
Capture traffic using a specific protocol
tcpdump icmp
tcpdump arp
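The following is an added worked example, not part of this cheat-sheet and not code from the tcpdump project. It shows what "-w" and "-r" actually read and write by serialising and parsing the pcap container, and then applies host, src, dst, port and protocol matching with the same either-direction semantics as the filter expressions above. Every frame, MAC address, IP address and port in it is constructed sample data chosen to mirror the addresses used on this page; IP, TCP and UDP checksums are left as zero, and only Ethernet/IPv4 frames are decoded (ARP is out of scope for the example).

```python
# Added example (not tcpdump's code, not part of this cheat-sheet): a minimal
# pcap writer/reader with tcpdump-style host/port/proto matching. The layout
# (24-byte global header, 16-byte record header, link type 1 = Ethernet) is the
# format `tcpdump -w` writes; all frames, addresses and ports below are
# constructed sample data, and IP/TCP/UDP checksums are left as zero.
import socket
import struct

PCAP_MAGIC = 0xA1B2C3D4          # microsecond-resolution pcap, native byte order
LINKTYPE_ETHERNET = 1
PROTO_ICMP, PROTO_TCP, PROTO_UDP = 1, 6, 17


def build_frame(src_ip, dst_ip, proto, sport=0, dport=0, payload=b""):
    """Ethernet + IPv4 + (TCP SYN | UDP | ICMP echo) frame, constructed for the example."""
    if proto == PROTO_TCP:     # ports, seq, ack, data offset 5 words, SYN, window, csum, urg
        l4 = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x02, 65535, 0, 0)
    elif proto == PROTO_UDP:   # ports, length, csum
        l4 = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0)
    else:                      # ICMP echo request: type 8, code 0, csum, id, seq
        l4 = struct.pack("!BBHHH", 8, 0, 0, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4) + len(payload), 0, 0, 64,
                     proto, 0, socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    eth = bytes.fromhex("001122334455" "66778899aabb" "0800")   # dst MAC, src MAC, IPv4
    return eth + ip + l4 + payload


def write_pcap(frames):
    """Serialise frames into the container that `tcpdump -w capture.pcap` produces."""
    out = struct.pack("=IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 262144, LINKTYPE_ETHERNET)
    for i, frame in enumerate(frames):
        # record header: ts_sec, ts_usec, captured length, original on-wire length
        out += struct.pack("=IIII", 1700000000 + i, 0, len(frame), len(frame)) + frame
    return out


def read_pcap(data):
    """Yield (timestamp, frame) records: the file-reading half of `tcpdump -r`."""
    if len(data) < 24 or struct.unpack_from("=I", data, 0)[0] != PCAP_MAGIC:
        raise ValueError("not a native-order microsecond pcap file")
    if struct.unpack_from("=I", data, 20)[0] != LINKTYPE_ETHERNET:
        raise ValueError("example only decodes Ethernet captures")
    off = 24
    while off + 16 <= len(data):
        ts_sec, ts_usec, caplen, _wirelen = struct.unpack_from("=IIII", data, off)
        off += 16
        if off + caplen > len(data):   # never trust a length field from the file blindly
            raise ValueError("truncated packet record at offset %d" % off)
        yield ts_sec + ts_usec / 1e6, data[off:off + caplen]
        off += caplen


def decode(frame):
    """Pull out the header fields that host/src/dst/port/proto filters test."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        return None                # not IPv4 (ARP and others are out of scope here)
    ihl = (frame[14] & 0x0F) * 4
    proto = frame[23]
    src, dst = socket.inet_ntoa(frame[26:30]), socket.inet_ntoa(frame[30:34])
    sport = dport = None
    if proto in (PROTO_TCP, PROTO_UDP) and len(frame) >= 14 + ihl + 4:
        sport, dport = struct.unpack_from("!HH", frame, 14 + ihl)
    return {"src": src, "dst": dst, "proto": proto, "sport": sport, "dport": dport}


def matches(pkt, host=None, src=None, dst=None, port=None, proto=None):
    """tcpdump semantics: host and port match either direction; src and dst match one."""
    if pkt is None:
        return False
    return ((host is None or host in (pkt["src"], pkt["dst"]))
            and (src is None or pkt["src"] == src)
            and (dst is None or pkt["dst"] == dst)
            and (port is None or port in (pkt["sport"], pkt["dport"]))
            and (proto is None or pkt["proto"] == proto))


def filter_pcap(data, **expr):
    """Decoded packets in `data` that satisfy the filter, like `tcpdump -r FILE EXPR`."""
    hits = []
    for _ts, frame in read_pcap(data):
        pkt = decode(frame)
        if matches(pkt, **expr):
            hits.append(pkt)
    return hits


def record_count(data):
    """Number of complete records, or -1 when the file is malformed or truncated."""
    try:
        return sum(1 for _ in read_pcap(data))
    except ValueError:
        return -1


# Constructed sample capture: an HTTP request and reply, a DNS query and a ping.
SAMPLE_PCAP = write_pcap([
    build_frame("192.168.0.10", "192.168.0.1", PROTO_TCP, 51234, 80, b"GET / HTTP/1.1\r\n"),
    build_frame("192.168.0.1", "192.168.0.10", PROTO_TCP, 80, 51234, b"HTTP/1.1 200 OK\r\n"),
    build_frame("192.168.0.20", "192.168.0.1", PROTO_UDP, 40000, 53, b"\x00" * 12),
    build_frame("192.168.0.10", "192.168.0.20", PROTO_ICMP),
])
```

filter_pcap(SAMPLE_PCAP, proto=PROTO_TCP, port=80) returns the two HTTP packets, the same selection "tcpdump -r capture.pcap tcp port 80" makes, and filter_pcap(SAMPLE_PCAP, host="192.168.0.1") returns three, because "host" matches either direction. Writing SAMPLE_PCAP to disk with open("capture.pcap", "wb").write(SAMPLE_PCAP) gives a file that tcpdump -r and Wireshark open normally (the zero checksums are reported as bad under -vv). The caplen check in read_pcap is the part worth copying: a capture file is untrusted input, and a length field larger than the data that remains must be rejected rather than read past.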