Monitoring Network Traffic With TCPDump In Linux

Created On: 31 May 2023
Written by: Ben

Introduction

tcpdump is a command-line packet capture tool (a "packet sniffer") used for network troubleshooting and analysis. It captures the packets passing a network interface and prints a decoded summary of each one in real time. tcpdump is built on the libpcap library and is available on most Unix-like operating systems, including Linux and macOS.

With tcpdump you can capture on a specific network interface, filter packets by a wide range of criteria, and save the captured packets to a file in pcap format for later analysis. Its output shows the source and destination IP addresses, ports, protocol and timestamp of each packet and, on request, the packet contents.

Filters are written in the expression syntax documented in pcap-filter(7), usually called BPF syntax because libpcap compiles the expression into a Berkeley Packet Filter program that the kernel runs against every packet. Only matching packets are copied to tcpdump, which keeps both the load on the host and the size of the capture down. A filter can select, for example, packets involving a particular IP address, port or protocol.

TCPdump is a powerful tool for network administrators and security professionals to diagnose network issues, analyze network behavior, and investigate network security incidents. It can help identify network performance problems, detect unauthorized network activity, and troubleshoot network connectivity issues.

It's worth noting that TCPdump is a command-line tool, and its output can be quite technical and verbose. Therefore, it's often used in conjunction with other tools and utilities to interpret and analyze the captured data effectively.

Example TCPDump Commands

Capture packets on a specific interface

tcpdump -i eth0

This command captures packets on the "eth0" interface and prints a one-line summary of each to the terminal until you stop it with Ctrl-C. Capturing requires root privileges (or the CAP_NET_RAW and CAP_NET_ADMIN capabilities), so run it with sudo. Use tcpdump -D to list the interfaces available for capture. Adding -nn prints IP addresses and port numbers instead of resolving them to names; name resolution slows the output down and makes the capturing host send reverse-DNS queries, which you may not want during an investigation.

Capture packets and save them to a file

tcpdump -i eth0 -w capture.pcap

This command captures packets on the "eth0" interface and writes them, in raw pcap format, to a file named "capture.pcap" for later analysis with tcpdump -r or with tools like Wireshark. Nothing is printed while writing; tcpdump only reports how many packets it captured when you stop it with Ctrl-C. Add -c 1000 to stop automatically after 1000 packets.
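For a capture that has to run unattended (a sensor, or a host left recording while you investigate), a bare -w will eventually fill the disk and keeps tcpdump running as root the whole time. The wrapper below is an added example, not code from the original article: it assembles the tcpdump command with numeric output, privilege dropping and a ring buffer of rotated files. The interface eth0, the output path under /var/tmp/captures, the unprivileged user nobody and the filter not port 22 are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example, not from the original article: a wrapper that runs tcpdump for an
# unattended capture to disk. The interface, output path, unprivileged user and
# filter passed in below are assumptions for illustration; change them for your setup.
#
# Options used (all documented in tcpdump(8)):
#   -i IFACE  interface to capture on
#   -nn       print addresses and ports numerically; the sensor then sends no
#             reverse-DNS queries and is not slowed down by name lookups
#   -Z USER   drop root privileges to USER once the capture socket is open
#   -C MB     start a new output file when the current one reaches MB megabytes
#   -W N      with -C, keep only the N most recent files (a ring buffer)
#   -w PATH   write raw packets to PATH; tcpdump adds a numeric suffix when rotating

# Build the command line as text so it can be reviewed (or logged) before running.
capture_cmd() {
    iface=$1
    outfile=$2
    user=$3
    filter=$4
    # 100 MB x 10 files keeps disk use at roughly 1 GB however long the capture runs.
    printf 'tcpdump -i %s -nn -Z %s -C 100 -W 10 -w %s %s\n' \
        "$iface" "$user" "$outfile" "$filter"
}

# Preflight check: after -Z, tcpdump opens every rotated file as the unprivileged
# user, so the output directory must exist (and be writable by that user) or the
# first rotation fails with "Permission denied".
check_outdir() {
    dir=$(dirname "$1")
    [ -d "$dir" ] && [ -w "$dir" ]
}

# Start as root (or with CAP_NET_RAW); tcpdump itself drops to $3 via -Z.
# The filter is passed as a single argument, which tcpdump accepts.
run_capture() {
    check_outdir "$2" || { echo "output directory for $2 is not usable" >&2; return 1; }
    exec tcpdump -i "$1" -nn -Z "$3" -C 100 -W 10 -w "$2" ${4:+"$4"}
}

if [ "${1:-}" = "--run" ]; then
    run_capture eth0 /var/tmp/captures/edge.pcap nobody 'not port 22'
fi
```

Start the script as root; tcpdump drops to the given user once the interface is open, so the output directory has to be owned or writable by that user beforehand. To rotate by time rather than size, replace -C 100 with -G followed by a number of seconds.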

Read packets back from a capture file

tcpdump -r capture.pcap

This command reads the packets in "capture.pcap" and prints the same one-line summaries a live capture would. It does not show packet payloads: add -A to print the payload as ASCII, or -X to print it as hex and ASCII alongside the headers. Any filter expression can be applied while reading, for example tcpdump -nn -r capture.pcap port 80, so a broad capture can be narrowed down afterwards.

Capture packets based on a specific host

tcpdump host 192.168.0.1

This command captures packets involving the IP address 192.168.0.1 as either the source or the destination.

Capture packets based on a specific port

tcpdump port 80

The port qualifier matches either the source or the destination port, and either TCP or UDP, so this captures all traffic on the interface with port 80 at one end.

Capture only TCP traffic on a specific port

tcpdump tcp port 80

Capture only UDP traffic on a specific port

tcpdump udp port 53

Capture traffic between two specific IP addresses

tcpdump host 192.168.0.10 and host 192.168.0.20

Both addresses must appear in a packet, in either order, for it to match. tcpdump also accepts the shorter form host 192.168.0.10 and 192.168.0.20, because an omitted qualifier inherits the previous one. To capture one direction only, use src host 192.168.0.10 and dst host 192.168.0.20.

Capture traffic with a specific source or destination IP address

tcpdump src 192.168.0.10
tcpdump dst 192.168.0.20

Capture traffic using a specific protocol

tcpdump icmp
tcpdump arp
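Once traffic has been captured, the text output of tcpdump -nn (live, or replayed with tcpdump -nn -r capture.pcap) is regular enough to be summarised with standard shell tools, which is often the quickest way to spot the "unauthorized network activity" the introduction mentions. The script below is an added example, not code from the original article: it counts packets per source address and flags sources that sent SYNs to many distinct destination ports, a basic port-scan indicator. The tcpdump output embedded in it is constructed for the example; the addresses, ports and timestamps are invented.

```shell
#!/bin/sh
# Added example, not part of the original article: summarise the text output of
# "tcpdump -nn" (live, or replayed with "tcpdump -nn -r capture.pcap") to find top
# talkers and sources probing many ports. Only POSIX sh, awk and sort are used.

# Constructed sample of "tcpdump -nn" output so the script runs offline. The traffic
# is invented: one normal HTTP handshake, a DNS lookup, and one host sending SYNs to
# six different ports on 192.168.0.20.
sample_output() {
cat <<'EOF'
12:00:01.100000 IP 192.168.0.10.44512 > 192.168.0.20.80: Flags [S], seq 1000, win 64240, length 0
12:00:01.100500 IP 192.168.0.20.80 > 192.168.0.10.44512: Flags [S.], seq 2000, ack 1001, win 65160, length 0
12:00:01.200000 IP 10.0.0.5.40001 > 192.168.0.20.22: Flags [S], seq 1, win 1024, length 0
12:00:01.200100 IP 10.0.0.5.40002 > 192.168.0.20.23: Flags [S], seq 1, win 1024, length 0
12:00:01.200200 IP 10.0.0.5.40003 > 192.168.0.20.25: Flags [S], seq 1, win 1024, length 0
12:00:01.200300 IP 10.0.0.5.40004 > 192.168.0.20.80: Flags [S], seq 1, win 1024, length 0
12:00:01.200400 IP 10.0.0.5.40005 > 192.168.0.20.443: Flags [S], seq 1, win 1024, length 0
12:00:01.200500 IP 10.0.0.5.40006 > 192.168.0.20.3389: Flags [S], seq 1, win 1024, length 0
12:00:02.000000 IP 192.168.0.10.53124 > 192.168.0.1.53: 12345+ A? example.com. (29)
12:00:02.000300 IP 192.168.0.1.53 > 192.168.0.10.53124: 12345 1/0/0 A 192.0.2.10 (45)
EOF
}

# Packets sent per source IP, most active first. In "tcpdump -nn" output field 3 is
# "src.port"; the trailing ".port" is stripped so all ports of one host count together.
top_talkers() {
    awk '$2 == "IP" { src = $3; sub(/\.[0-9]+$/, "", src); n[src]++ }
         END { for (s in n) print n[s], s }' | sort -rn
}

# Sources that sent pure SYNs ("Flags [S]," and not the SYN-ACK "[S.],") to at least
# $1 distinct destination ports: a crude but useful indicator of a port scan.
# Field 5 is "dst.port:"; the colon is removed and the last dotted component kept.
syn_scan_sources() {
    awk -v thr="$1" '
        $2 == "IP" && $6 == "Flags" && $7 == "[S]," {
            src = $3; sub(/\.[0-9]+$/, "", src)
            dst = $5; sub(/:$/, "", dst)
            port = dst; sub(/^.*\./, "", port)
            if (!((src, port) in seen)) { seen[src, port] = 1; ports[src]++ }
        }
        END { for (s in ports) if (ports[s] >= thr) print s, ports[s] }' | sort
}

if [ "${1:-}" = "--demo" ]; then
    echo "Top talkers (packets, source):"; sample_output | top_talkers
    echo "Sources hitting 5+ distinct ports:"; sample_output | syn_scan_sources 5
fi
```

On real data, source the script and pipe tcpdump into the functions, for example tcpdump -nn -r capture.pcap | syn_scan_sources 20. To cut the volume before analysis, have tcpdump hand over only packets with SYN set and ACK clear: tcpdump -nn -r capture.pcap 'tcp[tcpflags] & (tcp-syn|tcp-ack) == tcp-syn'. The threshold is a judgement call; a busy client legitimately opens connections to several ports, so start high and lower it as you learn the network.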

ICTU LTD is a company registered in England and Wales (Company No. 09344913), 15 Queen Square, Leeds, West Yorkshire, England, LS2 8AJ
Copyright © 2024 ICTU LTD, All Rights Reserved.