
Cheatsheet & Examples: tcpdump


I am a developer from Malaysia. I work with PHP most of the time, recently I fell in love with Go. When I am not working, I will be ballroom dancing :-)

tcpdump is a command-line packet analyzer that captures the traffic passing through a network interface and prints a decoded summary of each packet, or writes the raw packets to a file for later analysis. It is the standard tool for diagnosing network problems and for checking what a host is actually sending and receiving. Capturing requires root privileges (or the equivalent capabilities, such as CAP_NET_RAW on Linux), so expect to run it with sudo.

Capturing all traffic on an interface

Example Usage: tcpdump -i eth0

What it does: Captures all network traffic on the specified interface (eth0 in this case) and displays it to the console.

Command-line Arguments Explained:

  • -i eth0: Specifies the network interface to listen on. eth0 is the traditional Linux Ethernet name; modern systems often use names such as enp0s3 or ens33, so run tcpdump -D to list the interfaces libpcap can see. If no interface is specified, libpcap picks one for you (typically the lowest-numbered configured, non-loopback interface). To capture on all interfaces at once on Linux, use -i any; the any pseudo-interface captures in "cooked" mode, so the link-layer headers are rewritten and promiscuous mode is not available. (-A has nothing to do with interface selection; it prints packet contents in ASCII, see the section on -A below.)

Capturing traffic and saving it to a file

Example Usage: tcpdump -i eth0 -w capture.pcap

What it does: Captures all network traffic on the specified interface and saves it to a file named capture.pcap in a format that can be later analyzed by tools like Wireshark.

Command-line Arguments Explained:

  • -i eth0: Specifies the network interface to listen on.
  • -w capture.pcap: Writes the raw packets (not the decoded text) to capture.pcap in pcap format, readable by Wireshark, by tcpdump -r capture.pcap, and by most other packet tools. Nothing is printed to the terminal while writing; add -v to get a once-per-second packet count on stderr. The file contains the full payload of whatever crossed the interface, including credentials sent over cleartext protocols, so protect it like any other sensitive data, and consider -Z user to drop root privileges once the capture socket is open.

Filtering traffic by host

Example Usage: tcpdump -i eth0 host 192.168.1.100

What it does: Captures only packets to or from the specified host IP address (192.168.1.100).

Command-line Arguments Explained:

  • -i eth0: Specifies the network interface to listen on.
  • host 192.168.1.100: Filters the traffic to packets where either the source or the destination IP address is 192.168.1.100. Use src host 192.168.1.100 or dst host 192.168.1.100 to match one direction only, and net 192.168.1.0/24 to match a whole subnet.

Filtering traffic by port

Example Usage: tcpdump -i eth0 port 80

What it does: Captures only packets that are using port 80 (HTTP).

Command-line Arguments Explained:

  • -i eth0: Specifies the network interface to listen on.
  • port 80: Filters traffic to packets whose source or destination port is 80 (TCP, UDP or SCTP). This matches on the port number only, not on the application protocol: non-HTTP traffic on port 80 is included and HTTP on another port is not. src port, dst port and portrange 8000-8080 narrow or widen the match.

Filtering traffic by protocol

Example Usage: tcpdump -i eth0 tcp

What it does: Captures only TCP traffic.

Command-line Arguments Explained:

  • -i eth0: Specifies the network interface to listen on.
  • tcp: Filters traffic to include only TCP packets. Other options are udp, icmp, arp, etc.

Combining filters

Example Usage: tcpdump -i eth0 tcp and port 80 and host 192.168.1.100

What it does: Captures only TCP traffic that is using port 80 and is to or from the host 192.168.1.100.

Command-line Arguments Explained:

  • -i eth0: Specifies the network interface to listen on.
  • tcp: Filters for TCP traffic.
  • port 80: Filters for traffic using port 80.
  • host 192.168.1.100: Filters for traffic to or from the specified host.
  • and: The boolean AND operator, used to combine multiple filter criteria. or and not are also available (&&, || and ! are synonyms), and parentheses group terms. Quote the whole expression when it contains parentheses or other shell metacharacters, for example tcpdump -i eth0 'tcp and (port 80 or port 443) and not host 192.168.1.1'.

Limiting the number of packets captured

Example Usage: tcpdump -i eth0 -c 10

What it does: Captures only the first 10 packets and then exits.

Command-line Arguments Explained:

  • -i eth0: Specifies the network interface to listen on.
  • -c 10: Stops after 10 packets have been received. The count applies after any filter expression, so tcpdump -i eth0 -c 10 port 443 waits for 10 matching packets rather than 10 packets in total. Useful for bounding a capture in scripts so it cannot run forever.

Viewing packet content in ASCII

Example Usage: tcpdump -i eth0 -A

What it does: Displays the contents of each packet in ASCII, which is useful for viewing the text-based data within HTTP requests or other text-based protocols.

Command-line Arguments Explained:

  • -i eth0: Specifies the network interface to listen on.
  • -A: Prints each packet's content (minus the link-layer header) in ASCII. Use -X instead to print hex and ASCII side by side, which is better for binary protocols, and combine either with -n to keep the output readable. Encrypted traffic such as TLS shows up as gibberish; -A only helps with cleartext protocols.

Disabling name resolution

Example Usage: tcpdump -i eth0 -n

What it does: Prevents IP addresses from being resolved to hostnames. Without -n, tcpdump issues a reverse DNS lookup for every address it prints, which slows the output, adds DNS traffic of its own to the capture, and tells your resolver (and whoever operates it) which hosts you are looking at. Use -nn to also stop port numbers from being converted to service names, so you see 443 rather than https.

Command-line Arguments Explained:

  • -i eth0: Specifies the network interface to listen on.
  • -n: Do not convert IP addresses to hostnames.
  • -nn: Do not convert port numbers to service names either.

Saving to a pcap file with a specific snaplen (capture length)

Example Usage: tcpdump -i eth0 -s 1500 -w capture.pcap

What it does: Captures packets to the file, but truncates the packets to the specified length. Useful for controlling file size.

Command-line Arguments Explained:

  • -i eth0: Specifies the network interface to listen on.
  • -s 1500: Sets the snapshot length (snaplen) to 1500 bytes, the maximum number of bytes of each packet that are captured and stored; longer packets are truncated, and the file records both the captured length and the original length so analysis tools can tell. Since tcpdump 4.0 the default is 262144 bytes, which is enough for any packet, and -s 0 is accepted as a synonym for that default (in older versions 0 meant "unlimited"). Note that 1500 is the Ethernet IP MTU, not the frame size: a full-size frame is 1514 bytes on the wire (1518 with a VLAN tag), so -s 1500 clips the last bytes of every maximum-size packet. Small values such as -s 96 or -s 128 are a deliberate choice when you only need headers, since they keep the file small and keep payloads (passwords, cookies, personal data) out of the capture.
  • -w capture.pcap: Writes the raw packet data to the specified file (capture.pcap).
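Added example, not part of the original cheatsheet: a minimal Python writer and reader for the classic pcap format that -w produces, used to show what the host, port and protocol filters above actually match against, and what the snapshot length does to each stored packet. The three packets are constructed inline (an HTTP request, a DNS query and a TLS ClientHello), not captured from a network, and the helper names (build_frame, write_pcap, read_pcap, decode, matches, count_matching, captured_lengths) are my own. It handles only classic pcap with the Ethernet link type, not pcapng.

```python
"""Shows what `tcpdump -w` puts on disk, how `-s` truncates each packet, and how
host/port/tcp filters match. Constructed sample frames, not a real capture."""
import struct

PCAP_MAGIC_USEC = 0xA1B2C3D4   # classic pcap, microsecond timestamps
LINKTYPE_ETHERNET = 1
DEFAULT_SNAPLEN = 262144       # tcpdump's default; `-s 0` now means "use this"


def ip_to_bytes(ip):
    return bytes(int(o) for o in ip.split("."))


def build_frame(src_ip, dst_ip, proto, sport, dport, payload=b""):
    """Ethernet + IPv4 + TCP/UDP. Checksums are left at 0 (constructed data;
    `tcpdump -v` would report them as bad on a real capture)."""
    if proto == "tcp":   # data offset 5 words (0x50), flags PSH|ACK (0x18)
        l4, ipproto = struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 0x50, 0x18, 65535, 0, 0), 6
    elif proto == "udp":
        l4, ipproto = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0), 17
    else:
        raise ValueError(proto)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4) + len(payload), 0x1234,
                     0x4000, 64, ipproto, 0, ip_to_bytes(src_ip), ip_to_bytes(dst_ip))
    eth = bytes.fromhex("020000000001" "020000000002" "0800")   # dst MAC, src MAC, IPv4
    return eth + ip + l4 + payload


def sample_frames():
    """Constructed: HTTP request (104 bytes on the wire), DNS query (72), TLS hello (254)."""
    http = b"GET /login?user=admin HTTP/1.1\r\nHost: 10.0.0.5\r\n\r\n"
    return [
        build_frame("192.168.1.100", "10.0.0.5", "tcp", 51000, 80, http),
        build_frame("192.168.1.100", "10.0.0.53", "udp", 41000, 53, b"\x12\x34\x01\x00" + bytes(26)),
        build_frame("10.0.0.7", "10.0.0.5", "tcp", 44444, 443, b"\x16\x03\x01" + bytes(197)),
    ]


def write_pcap(frames, snaplen=DEFAULT_SNAPLEN):
    """What `tcpdump -w` writes: a 24-byte global header carrying the snaplen,
    then a 16-byte record header (ts, captured length, original length) per packet."""
    if snaplen == 0:
        snaplen = DEFAULT_SNAPLEN
    out = struct.pack("<IHHiIII", PCAP_MAGIC_USEC, 2, 4, 0, 0, snaplen, LINKTYPE_ETHERNET)
    for i, frame in enumerate(frames):
        caplen = min(len(frame), snaplen)          # this is where -s truncates
        out += struct.pack("<IIII", 1_700_000_000 + i, 0, caplen, len(frame)) + frame[:caplen]
    return out


def read_pcap(data):
    """Returns (snaplen, [(timestamp, caplen, wirelen, frame_bytes), ...])."""
    magic = struct.unpack("<I", data[:4])[0]
    if magic == PCAP_MAGIC_USEC:
        e = "<"
    elif magic == 0xD4C3B2A1:                      # same format written on a big-endian host
        e = ">"
    else:
        raise ValueError("not a classic pcap file (pcapng needs a different reader)")
    *_, snaplen, linktype = struct.unpack(e + "IHHiIII", data[:24])
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError(f"unsupported linktype {linktype}")
    records, off = [], 24
    while off + 16 <= len(data):
        ts_sec, ts_usec, caplen, wirelen = struct.unpack(e + "IIII", data[off:off + 16])
        off += 16
        records.append((ts_sec + ts_usec / 1e6, caplen, wirelen, data[off:off + caplen]))
        off += caplen
    return snaplen, records


def decode(frame):
    """Parses what is present; fields lost to truncation come back as None,
    which is exactly what a too-small snaplen costs you."""
    pkt = dict(src=None, dst=None, proto=None, sport=None, dport=None, payload=b"")
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        return pkt
    pkt["src"] = ".".join(str(b) for b in frame[26:30])
    pkt["dst"] = ".".join(str(b) for b in frame[30:34])
    l4 = 14 + (frame[14] & 0x0F) * 4              # IHL -> start of transport header
    proto = frame[23]
    if proto == 6:
        pkt["proto"], hlen = "tcp", 20
    elif proto == 17:
        pkt["proto"], hlen = "udp", 8
    else:
        pkt["proto"] = str(proto)
        return pkt
    if len(frame) >= l4 + 4:
        pkt["sport"], pkt["dport"] = struct.unpack("!HH", frame[l4:l4 + 4])
    if proto == 6 and len(frame) >= l4 + 13:
        hlen = (frame[l4 + 12] >> 4) * 4           # TCP data offset
    pkt["payload"] = frame[l4 + hlen:]
    return pkt


def matches(pkt, host=None, port=None, proto=None):
    """tcpdump semantics: `host X` is src OR dst, `port N` is either port,
    and terms joined with `and` must all hold."""
    return ((proto is None or pkt["proto"] == proto)
            and (host is None or host in (pkt["src"], pkt["dst"]))
            and (port is None or port in (pkt["sport"], pkt["dport"])))


def count_matching(pcap_bytes, **expr):
    """Like `tcpdump -r file <expr> | wc -l`."""
    return sum(matches(decode(f), **expr) for _, _, _, f in read_pcap(pcap_bytes)[1])


def captured_lengths(pcap_bytes):
    """(caplen, wirelen) per record; caplen < wirelen means the packet was cut."""
    return [(c, w) for _, c, w, _ in read_pcap(pcap_bytes)[1]]


if __name__ == "__main__":
    full = write_pcap(sample_frames())                   # tcpdump -w capture.pcap
    headers = write_pcap(sample_frames(), snaplen=54)    # tcpdump -s 54 -w headers.pcap
    for name, cap in (("full", full), ("headers-only", headers)):
        print(name, captured_lengths(cap), "tcp and port 80 and host 192.168.1.100 ->",
              count_matching(cap, proto="tcp", port=80, host="192.168.1.100"))
    print("HTTP payload kept with -s 54:", decode(read_pcap(headers)[1][0][3])["payload"])
```

With the default snaplen every record's captured length equals its wire length; with -s 54 (exactly Ethernet + IPv4 + TCP headers) the combined filter still matches because the addresses and ports survive, but the HTTP payload is gone, and with a snaplen below 38 bytes even the port filter stops matching because the transport header is cut. The same checks against a real file are tcpdump -nn -r capture.pcap 'tcp and port 80 and host 192.168.1.100' and Wireshark's "[Packet size limited during capture]" marker.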

Hong's Tech Blog