tcpdump Command Cheatsheet

The Linux tcpdump command is a powerful network packet analyzer used for monitoring and troubleshooting network traffic. It allows users to capture and display packets traveling through a network interface, providing valuable insights into network activity. It’s a widely used tool for network diagnostics, security analysis, and traffic analysis.

Key Usage and Syntax of the tcpdump Command

The tcpdump command follows a basic syntax structure:

tcpdump [OPTIONS] [EXPRESSION]

  • OPTIONS modify the behavior of tcpdump, such as -i to specify the interface or -w to write output to a file.
  • EXPRESSION filters the captured packets based on criteria like source/destination IP, port, or protocol. If omitted, it captures all packets.

tcpdump Command Cheatsheet Table

Command                   Description
tcpdump -i eth0           Capture packets on the eth0 network interface
tcpdump -i eth0 port 80   Capture HTTP traffic (port 80) on the eth0 interface
tcpdump -w capture.pcap   Write captured packets to a file (capture.pcap)
tcpdump -r capture.pcap   Read and display packets from a previously captured file
tcpdump -n                Display IP addresses and ports without resolving hostnames or service names
tcpdump -c 100            Capture only 100 packets and then stop
tcpdump -v                Provide verbose output, showing more packet details
tcpdump -X                Display packet contents in both hexadecimal and ASCII

The tcpdump Command Options

-i: Specify Interface

To capture packets on a specific network interface, use the -i option followed by the interface name (e.g., eth0, wlan0):

tcpdump -i eth0

This command captures all packets on the eth0 interface.

-w: Write Output to File

To save captured packets to a file for later analysis, use the -w option:

tcpdump -w capture.pcap

This writes all captured packets to a file named capture.pcap.

-r: Read Packets from File

To read packets from a previously captured file, use the -r option:

tcpdump -r capture.pcap

This command reads and displays the packets stored in the capture.pcap file.

-n: Show Numeric Output

The -n option prevents tcpdump from performing DNS resolution for IP addresses and service names, displaying raw addresses instead:

tcpdump -n

This is useful when you want to see the raw IP addresses and ports without resolving them to hostnames.

-c: Capture a Specific Number of Packets

To capture only a specific number of packets and then stop, use the -c option:

tcpdump -c 100

This captures only 100 packets, after which it will automatically stop capturing.

-v: Verbose Output

The -v option provides more detailed packet information, including additional fields like TTL, window size, and options:

tcpdump -v

This is helpful when you need more detailed information about each packet.

-X: Show Hex and ASCII Output

The -X option displays the contents of each packet in both hexadecimal and ASCII formats:

tcpdump -X

This can be useful for examining the exact data within each packet.

Examples of Using the tcpdump Command

Capture Packets on a Specific Interface

To capture all packets on the eth0 interface:

tcpdump -i eth0

This command captures and displays all network traffic passing through eth0.

Capture HTTP Traffic (Port 80)

To capture HTTP packets (typically on port 80) on the eth0 interface:

tcpdump -i eth0 port 80

This filters the traffic to only show packets that are destined for or coming from port 80, which is commonly used for HTTP traffic.

Capture and Save Traffic to a File

To save all captured traffic into a .pcap file for later analysis:

tcpdump -w capture.pcap

This creates a file capture.pcap containing the captured packets.

Read Captured Packets from a File

To read and analyze previously captured packets from the capture.pcap file:

tcpdump -r capture.pcap

This command opens the file and displays the captured packets.
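Both the -w and -r sections above deal with the same pcap file format, so here is an added example (not from the original cheatsheet) of a minimal Python reader for it: it parses the global header and per-packet records that tcpdump -w writes, rejects truncated or corrupt files, and summarizes each IPv4 frame roughly the way tcpdump -r -n would. The sample capture is constructed in memory, and build_sample_pcap, read_pcap and summarize are names chosen for this example.

```python
"""Minimal reader for the pcap files that tcpdump writes with -w and reads with -r."""
import struct

PCAP_MAGIC_US = 0xA1B2C3D4  # classic pcap magic number, microsecond timestamps
LINKTYPE_ETHERNET = 1       # link-layer header type tcpdump records for Ethernet

def read_pcap(data):
    """Return a list of (timestamp, frame_bytes); accepts either byte order."""
    if len(data) < 24:
        raise ValueError("truncated pcap global header")
    endian = "<" if struct.unpack("<I", data[:4])[0] == PCAP_MAGIC_US else ">"
    magic, _major, _minor, _tz, _sigfigs, snaplen, linktype = struct.unpack(
        endian + "IHHiIII", data[:24])
    if magic != PCAP_MAGIC_US:
        raise ValueError("not a microsecond pcap file: magic %#x" % magic)
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError("unsupported link type %d" % linktype)
    packets, off = [], 24
    while off + 16 <= len(data):  # each record: 16-byte header, then incl_len bytes
        sec, usec, incl_len, _orig_len = struct.unpack(endian + "IIII", data[off:off + 16])
        off += 16
        if incl_len > snaplen or off + incl_len > len(data):
            raise ValueError("corrupt or truncated record at offset %d" % (off - 16))
        packets.append((sec + usec / 1e6, data[off:off + incl_len]))
        off += incl_len
    return packets

def summarize(frame):
    """One-line IPv4 summary in the spirit of 'tcpdump -n' (length = IP payload bytes)."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":  # EtherType 0x0800 = IPv4
        return "non-IPv4 frame, %d bytes" % len(frame)
    ihl = (frame[14] & 0x0F) * 4
    proto = {1: "ICMP", 6: "TCP", 17: "UDP"}.get(frame[23], "proto %d" % frame[23])
    src = ".".join(str(b) for b in frame[26:30])
    dst = ".".join(str(b) for b in frame[30:34])
    return "IP %s > %s: %s, length %d" % (src, dst, proto, len(frame) - 14 - ihl)

def build_sample_pcap():
    """Constructed two-frame capture (not a real trace) used to exercise the reader."""
    def frame(src, dst, proto, payload):
        ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                         proto, 0, bytes(src), bytes(dst))   # checksum left as 0
        return b"\x00" * 12 + b"\x08\x00" + ip + payload      # zero MACs, EtherType IPv4
    frames = [(1700000000, 100, frame([192, 168, 1, 10], [8, 8, 8, 8], 17, b"\x00" * 20)),
              (1700000000, 350, frame([8, 8, 8, 8], [192, 168, 1, 10], 17, b"\x00" * 40))]
    out = struct.pack("<IHHiIII", PCAP_MAGIC_US, 2, 4, 0, 0, 262144, LINKTYPE_ETHERNET)
    for sec, usec, f in frames:
        out += struct.pack("<IIII", sec, usec, len(f), len(f)) + f
    return out
```

Running read_pcap over a file produced by tcpdump -w and printing summarize for each frame gives a quick sanity check that the capture is intact before handing it to tcpdump -r or another analyzer.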

Verbose Output for Detailed Packet Information

To see more details about each captured packet, use the -v option:

tcpdump -v

This will display additional information, such as the TTL, window size, and more.

Capture Traffic for a Specific Duration

To bound a capture, use the -c option, which stops tcpdump after a given number of packets rather than after a fixed amount of time:

tcpdump -i eth0 -c 50

This command captures 50 packets on the eth0 interface and then stops automatically.

Capture and Display Hexadecimal and ASCII Data

To view the contents of packets in both hexadecimal and ASCII formats:

tcpdump -X

This will display both the hexadecimal representation and the ASCII equivalent of each packet’s data.

Using tcpdump for Network Troubleshooting

The tcpdump command is particularly useful for diagnosing network issues. Here are some practical examples:

Identifying Packet Loss or Latency Issues

By capturing and analyzing network packets, you can detect packet loss or latency issues. For example, you might capture ICMP packets and compare the timestamp of each echo request with that of its matching echo reply to observe round-trip times; a request that never gets a reply points to loss:

tcpdump -i eth0 icmp

This filters for ICMP packets, which are commonly used for troubleshooting network connectivity (e.g., ping).
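As an added example that is not part of the original cheatsheet, the following Python script turns the text output of that capture into per-probe round-trip times and a loss figure. It assumes the capture was run as tcpdump -i eth0 -n -tt icmp (-n for numeric addresses, -tt for epoch timestamps) and saved to a text file; the sample lines are constructed, and analyze_icmp and loss_percent are names chosen for this example.

```python
"""Turn 'tcpdump -n -tt icmp' text output into per-probe RTTs and a loss count."""
import re

# Line shape produced by: tcpdump -i eth0 -n -tt icmp   (-tt: epoch timestamps, -n: no DNS)
ICMP_LINE = re.compile(
    r"^(?P<ts>\d+\.\d+) IP (?P<src>[\d.]+) > (?P<dst>[\d.]+): "
    r"ICMP echo (?P<kind>request|reply), id (?P<id>\d+), seq (?P<seq>\d+), length \d+")

def analyze_icmp(lines):
    """Pair each echo request with its reply by (id, seq).

    Returns {"rtts": {(id, seq): ms}, "lost": [(id, seq), ...], "ignored": n} where
    'lost' lists requests that never got a reply and 'ignored' counts lines that were
    not echo traffic or replies with no matching request (e.g. capture started mid-ping).
    """
    pending, rtts, ignored = {}, {}, 0
    for line in lines:
        m = ICMP_LINE.match(line)
        if not m:
            ignored += 1
            continue
        key, ts = (int(m["id"]), int(m["seq"])), float(m["ts"])
        if m["kind"] == "request":
            pending[key] = ts          # a retransmitted seq overwrites the older timestamp
        elif key in pending:
            rtts[key] = round((ts - pending.pop(key)) * 1000.0, 3)
        else:
            ignored += 1
    return {"rtts": rtts, "lost": sorted(pending), "ignored": ignored}

def loss_percent(result):
    """Share of echo requests that went unanswered, as a percentage."""
    total = len(result["rtts"]) + len(result["lost"])
    return 0.0 if total == 0 else round(100.0 * len(result["lost"]) / total, 1)

# Constructed sample capture (not a real trace): three probes, seq 2 unanswered,
# plus one unrelated ICMP line that the parser must skip.
SAMPLE_LINES = """\
1700000000.100000 IP 192.168.1.10 > 8.8.8.8: ICMP echo request, id 4242, seq 1, length 64
1700000000.112500 IP 8.8.8.8 > 192.168.1.10: ICMP echo reply, id 4242, seq 1, length 64
1700000001.100000 IP 192.168.1.10 > 8.8.8.8: ICMP echo request, id 4242, seq 2, length 64
1700000002.100000 IP 192.168.1.10 > 8.8.8.8: ICMP echo request, id 4242, seq 3, length 64
1700000002.340000 IP 8.8.8.8 > 192.168.1.10: ICMP echo reply, id 4242, seq 3, length 64
1700000002.500000 IP 192.168.1.1 > 192.168.1.10: ICMP time exceeded in-transit, length 36
""".splitlines()

if __name__ == "__main__":
    res = analyze_icmp(SAMPLE_LINES)
    print(res, "loss:", loss_percent(res), "%")
```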

Analyzing Traffic Between Two Hosts

To capture traffic involving a specific host, use the host filter, which matches packets sent to or from that address:

tcpdump -i eth0 host 192.168.1.10

This captures all traffic involving 192.168.1.10 on the eth0 interface. To restrict the capture to traffic between two specific hosts, combine two host terms with and (the second address below is an illustrative placeholder):

tcpdump -i eth0 host 192.168.1.10 and host 192.168.1.20

Monitoring DNS Requests

To capture DNS queries, filter for UDP traffic on port 53:

tcpdump -i eth0 udp port 53

This command captures DNS queries and responses on the eth0 interface (a bare port 53 filter would also match DNS carried over TCP).

Summary

In summary, the Linux tcpdump command is a highly versatile and powerful tool for network analysis and troubleshooting. Its ability to capture and filter network packets makes it indispensable for administrators and security professionals. Whether you’re capturing all traffic on an interface, analyzing specific protocols or ports, or saving data for later inspection, tcpdump provides a robust and flexible solution for working with network traffic.

Using tcpdump effectively allows you to diagnose issues, optimize network configurations, and improve security by monitoring network behavior in real-time.
