Ten Useful Tcpdump Commands

Understanding the TCP/IP stack is essential for analysing network traffic and troubleshooting connection problems. Looking at network traffic is also important for understanding how a particular network application behaves behind the scenes. For example, with tcpdump and grep you can capture only the ‘POST’ or ‘GET’ requests that the browser sends. You could also troubleshoot a connection problem when trying to connect to your SSH server. Anyway, I have put together ten tcpdump commands that I find myself using frequently.

1- listing interfaces

$ sudo tcpdump -D
[sudo] password for jorge: 
1.eth0
2.nflog (Linux netfilter log (NFLOG) interface)
3.nfqueue (Linux netfilter queue (NFQUEUE) interface)
4.any (Pseudo-device that captures on all interfaces)
5.lo

2- capture all packets without resolving IP addresses to hostnames, using ‘-n’

$ sudo tcpdump -v -n
tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
15:09:59.879626 IP (tos 0x0, ttl 4, id 9069, offset 0, flags [none], proto UDP (17), length 367)
    192.168.1.1.1900 > 239.255.255.250.1900: UDP, length 339
15:09:59.880092 IP (tos 0x0, ttl 4, id 9070, offset 0, flags [none], proto UDP (17), lengt

3- capturing packets on a specific interface

$ sudo tcpdump -i eth0
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
15:12:17.885243 IP 192.168.1.1.1900 > 239.255.255.250.1900: UDP, length 339
15:12:17.885658 IP 192.168.1.1.1900 > 239.255.255.250.1900: UDP, length 329
15:12:17.885660 IP 192.168.1.1.1900 > 239.255.255.250.1900: UDP, length 274
15:12:17.885746 IP 192.168.1.1.1900 > 239.255.255.250.1900: UDP, length 327

4- capturing the first 5 packets with -c option

$ sudo tcpdump -c 5 -i eth0
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
15:15:44.895109 IP 192.168.1.1.1900 > 239.255.255.250.1900: UDP, length 339
15:15:44.895557 IP 192.168.1.1.1900 > 239.255.255.250.1900: UDP, length 329
15:15:44.895562 IP 192.168.1.1.1900 > 239.255.255.250.1900: UDP, length 274
15:15:44.895611 IP 192.168.1.1.1900 > 239.255.255.250.1900: UDP, length 327
15:15:44.895765 IP 192.168.1.1.1900 > 239.255.255.250.1900: UDP, length 329
5 packets captured
27 packets received by filter
0 packets dropped by kernel

5- capturing only traffic on port 22

$ sudo tcpdump -i wlan0 port 22

6- capturing DNS traffic

$ sudo tcpdump -n 'udp and dst port 53'
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
15:19:32.317852 IP 192.168.1.100.52673 > 65.106.7.196.53: 49964+ A? pctechtips.org. (32)
15:19:49.768207 IP 192.168.1.100.21895 > 65.106.1.196.53: 61955+ A? pctechtips.org. (32)
15:19:49.768220 IP 192.168.1.100.21895 > 65.106.7.196.53: 61955+ A? pctechtips.org. (32)
^C
3 packets captured
3 packets received by filter
0 packets dropped by kernel
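As an added example (not part of the original post), here is a small shell pipeline that tabulates the query lines command 6 prints, in the spirit of commands 8 and 9 where tcpdump output is piped into other tools. It parses the -n text format shown above with awk; the sample input is constructed inline (the first three lines are copied from the output above, the last two are made up), so it runs without root or a live capture.

```shell
#!/bin/sh
# Added example, not from the original post: count DNS queries per client
# from tcpdump's text output. Reads "tcpdump -n" lines on stdin and prints
# "<client-ip> <queried-name> <count>", most frequent first. When feeding a
# live capture, add -l so tcpdump line-buffers its output, as command 9 does:
#   sudo tcpdump -n -l 'udp and dst port 53' | summarize_dns_queries
summarize_dns_queries() {
    awk '
        $2 == "IP" {
            # field 3 is "src-ip.src-port"; drop the trailing ".port"
            client = $3; sub(/\.[0-9]+$/, "", client)
            # the queried name follows the query-type token ("A?", "AAAA?");
            # scanning for it tolerates extra tokens such as "[1au]" (EDNS)
            name = ""
            for (i = 5; i < NF; i++) if ($i ~ /\?$/) { name = $(i + 1); break }
            if (name == "") next   # not a query (e.g. a response line)
            count[client " " name]++
        }
        END { for (k in count) print k, count[k] }
    ' | sort -k3,3nr -k1,1 -k2,2
}

# Constructed sample input: the first three lines are the output shown under
# command 6; the last two are made up to add a second client and a reply line.
SAMPLE_CAPTURE='15:19:32.317852 IP 192.168.1.100.52673 > 65.106.7.196.53: 49964+ A? pctechtips.org. (32)
15:19:49.768207 IP 192.168.1.100.21895 > 65.106.1.196.53: 61955+ A? pctechtips.org. (32)
15:19:49.768220 IP 192.168.1.100.21895 > 65.106.7.196.53: 61955+ A? pctechtips.org. (32)
15:20:01.104433 IP 192.168.1.101.40001 > 65.106.7.196.53: 12345+ AAAA? example.com. (29)
15:20:01.131977 IP 65.106.7.196.53 > 192.168.1.101.40001: 12345 1/0/0 AAAA 2001:db8::1 (57)'

# The reply line is skipped because it carries no "A?"-style query token.
printf '%s\n' "$SAMPLE_CAPTURE" | summarize_dns_queries
```

The same function works on a saved capture from command 10 via `sudo tcpdump -n -r file.pcap 'udp and dst port 53' | summarize_dns_queries`.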

7- capturing FTP traffic between two hosts

$ sudo tcpdump 'src 192.168.1.100 and dst 192.168.1.2 and port ftp'

8- Using tcpdump and grep to display ‘POST’ and ‘GET’ requests from the browser. Use -A to print the packet contents in ASCII (plain text)

$ sudo tcpdump -n -A | grep -e 'POST'
[sudo] password for enlightened: 
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
E...=.@.@......e@.H..'.P(.o%~...P.9.PN..POST /blog/wp-admin/admin-ajax.php HTTP/1.1
E...c_@.@..=...e@.H..*.PfC<....wP.9.PN..POST /blog/wp-admin/admin-ajax.php HTTP/1.1
E.....@.@......e@.H...."g;.(.-,WP.9.Nj..POST /login/?login_only=1 HTTP/1.1

9- Using tcpdump and grep to capture username and password from different protocols: http, ftp, smtp, pop3

tcpdump port http or port ftp or port smtp or port imap or port pop3 -l -A | egrep -i 'pass=|pwd=|log=|login=|user=|username=|pw=|passw=|passwd=|password=|pass:|user:|username:|password:|login:|pass |user ' --color=auto --line-buffered -B20

10- Writing to a file

$ sudo tcpdump -w file.pcap -i wlan0

and reading from a file

$ sudo tcpdump -r file.pcap

One thought on “Ten Useful Tcpdump Commands”

  1. miatech (post author)

    Good tcpdump examples. I like 8 and 9, so I can pipe tcpdump into other commands and extract specific information. Nice!
