tcpdump examples

Thank you for visiting this page; it has been updated at another link: Tcpdump examples
tcpdump - dump traffic on a network
DESCRIPTION
       Tcpdump prints out a description of the contents of packets on a network interface that match the boolean expression.  It can also be run with the -w flag, which causes it to save the packet data to a file for later analysis, and/or with the -r flag, which causes it to read from a saved packet file rather than to read packets from a network interface.  In all cases, only packets that match expression will be processed by tcpdump.

1. TCPDUMP SYNTAX
# tcpdump -h
tcpdump version 4.1-PRE-CVS_2012_03_26
libpcap version 1.0.0
Usage: tcpdump [-aAdDefIKlLnNOpqRStuUvxX] [ -B size ] [ -c count ]
        [ -C file_size ] [ -E algo:secret ] [ -F file ] [ -G seconds ]
        [ -i interface ] [ -M secret ] [ -r file ]
        [ -s snaplen ] [ -T type ] [ -w file ] [ -W filecount ]
        [ -y datalinktype ] [ -z command ] [ -Z user ]
        [ expression ]

When I first tried tcpdump, I got confused: how do I use 'expression' properly? Here is the hint:
        expression
              selects which packets will be dumped.  If no expression is given, all packets on the net will be dumped.  Otherwise, only packets for which expression is ‘true’ will be dumped.

              For the expression syntax, see pcap-filter(7).

              Expression arguments can be passed to tcpdump as either a single argument or as multiple arguments, whichever  is  more  convenient.  Generally, if the expression contains Shell metacharacters, it is easier to pass it as a single, quoted argument.  Multiple arguments are concatenated with spaces before being parsed.
Here is the man page for pcap-filter:
http://www.tcpdump.org/manpages/pcap-filter.7.txt

Well, learn another tool just to use tcpdump? Probably yes, if you want to use it in advanced mode. But to get started, let's try this simpler way:
Syntax:      Protocol  Direction  Host(s)  Value  Logical Operations  Other expression
Example:
tcp dst 10.1.1.1 80 and tcp dst 10.2.2.2 3128

Protocol:
Values: ether, fddi, ip, arp, rarp, decnet, lat, sca, moprc, mopdl, tcp and udp.
If no protocol is specified, all the protocols are used.

Direction:
Values: src, dst, src and dst, src or dst
If no source or destination is specified, the "src or dst" keywords are applied.
For example, "host 10.2.2.2" is equivalent to "src or dst host 10.2.2.2".

Host(s):
Values: net, port, host, portrange.
If no host qualifier is specified, the "host" keyword is used.
For example, "src 10.1.1.1" is equivalent to "src host 10.1.1.1".

Logical Operations:
Values: not, and, or.
Negation ("not") has highest precedence. Alternation ("or") and concatenation ("and") have equal precedence and associate left to right.
For example,
"not tcp port 3128 and tcp port 23" is equivalent to "(not tcp port 3128) and tcp port 23".
"not tcp port 3128 and tcp port 23" is NOT equivalent to "not (tcp port 3128 and tcp port 23)".

Here are some examples:

To display the standard tcpdump output (-c limits the capture to the specified number of packets):

# tcpdump -c 10
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
22:25:22.343207 IP 1.aaa.bbb.ccc.ssh > aaa.bbb.ccc.47596: Flags [P.], seq 452683986:452684178, ack 2662406039, win 21, length 192
...

To display verbose output, use -v.

Network interfaces available for the capture:
# tcpdump -v -D
1.eth0
2.usbmon1 (USB bus number 1)
3.usbmon2 (USB bus number 2)
4.usbmon3 (USB bus number 3)
5.usbmon4 (USB bus number 4)
6.usbmon5 (USB bus number 5)
7.usbmon6 (USB bus number 6)
8.usbmon7 (USB bus number 7)
9.any (Pseudo-device that captures on all interfaces)
10.lo

Three frequently used parameters:

       -i     Listen  on interface.  If unspecified, tcpdump searches the system interface list for the lowest numbered, configured up interface (excluding loopback).  Ties are broken by choosing the earliest match.
       -q     Quick (quiet?) output.  Print less protocol information so output lines are shorter.
       -n     Don't convert host addresses to names.  This can be used to avoid DNS lookups.

Capture the traffic of a particular interface:
To display all traffic coming from a host on port 8080:
# tcpdump -i eth0 src 10.0.19.9 and port 8080
or to display all traffic going to a host on port 8080:
# tcpdump -i eth0 dst 10.0.19.9 and port 8080
or to display all traffic between your host and another host (to or from it):
# tcpdump -i eth0 10.0.19.9

Network filtering:
# tcpdump -i eth1 net 192.168
# tcpdump -i eth1 src net 192.168
# tcpdump -i eth1 dst net 192.168

Protocol filtering:

# tcpdump -i eth1 arp
# tcpdump -i eth1 ip

# tcpdump -i eth1 tcp
# tcpdump -i eth1 udp
# tcpdump -i eth1 icmp

Combined expressions:
Negation    : ! or "not" (without the quotes)
Concatenate : && or "and"
Alternate   : || or "or"

- This rule will match any TCP traffic on port 80 (web) with 10.0.19.9 or 10.0.19.10 as destination host:
# tcpdump -i eth1 '((tcp) and (port 80) and ((dst host 10.0.19.9) or (dst host 10.0.19.10)))'

- Will match any ICMP traffic involving the destination with physical/MAC address 00:01:02:03:04:05
# tcpdump -i eth1 '((icmp) and ((ether dst host 00:01:02:03:04:05)))'

- Will match any TCP traffic for the destination network 192.168 except destination host 192.168.1.200:
# tcpdump -i eth1 '((tcp) and ((dst net 192.168) and (not dst host 192.168.1.200)))'
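As an added example (not part of the original page and not tcpdump's own code), the following Python toy evaluates the simplified syntax summarised above and the combined expressions just shown against a few constructed packet records, so the defaults ("src or dst", "host") and the not/and/or precedence rules can be checked offline before typing a filter on a live box. It assumes keyword operators only (not/and/or, not the !/&&/|| forms), ports kept as strings, and a "net" value written as leading dotted octets such as 192.168.

```python
# Added example, not tcpdump's own code: a toy matcher for the simplified filter syntax above.
import re

PROTOS, DIRS, KINDS = {"ip", "tcp", "udp", "icmp", "arp"}, {"src", "dst", "src_or_dst", "src_and_dst"}, {"host", "net", "port"}

def parse(expr):
    # Tree of ("prim", proto, dir, kind, value), ("not", x) or ("and"|"or", x, y); None marks end of input.
    toks = re.findall(r"\(|\)|[^\s()]+", re.sub(r"\bsrc (or|and) dst\b", r"src_\1_dst", expr)) + [None]
    def unary():
        if toks[0] == "not":                                            # negation binds tightest
            toks.pop(0)
            return ("not", unary())
        if toks[0] == "(":
            toks.pop(0)
            node, _ = binary(), toks.pop(0)                             # the group, then its ")"
            return node
        proto = toks.pop(0) if toks[0] in PROTOS else None
        if proto and toks[0] in (None, ")", "and", "or"):               # bare "arp", "tcp", ...
            return ("prim", proto, "src_or_dst", "host", None)
        direction = toks.pop(0) if toks[0] in DIRS else "src_or_dst"    # default direction
        kind = toks.pop(0) if toks[0] in KINDS else "host"              # default qualifier
        return ("prim", proto, direction, kind, toks.pop(0))
    def binary():                                                       # and/or: equal, left to right
        node = unary()
        while toks[0] in ("and", "or"):
            node = (toks.pop(0), node, unary())
        return node
    return binary()

def matches(node, pkt):
    if node[0] in ("not", "and", "or"):
        vals = [matches(n, pkt) for n in node[1:]]
        return {"not": not vals[0], "and": all(vals), "or": any(vals)}[node[0]]
    _, proto, direction, kind, value = node
    proto_ok = not proto or pkt["proto"] == proto or (proto == "ip" and pkt["proto"] != "arp")  # tcp/udp/icmp are ip too
    def hit(side):                                                      # net = address prefix, else exact
        v = pkt[side + ("_port" if kind == "port" else "_addr")]
        return value is None or (v.startswith(value + ".") if kind == "net" else v == value)
    s, d = hit("src"), hit("dst")
    return proto_ok and {"src": s, "dst": d, "src_or_dst": s or d, "src_and_dst": s and d}[direction]

def tcpdump_filter(expr, packets):                                      # ids of the records selected
    tree = parse(expr)
    return [p["id"] for p in packets if matches(tree, p)]

PACKETS = [  # constructed sample records, not captured traffic; ports kept as strings
    {"id": 1, "proto": "tcp", "src_addr": "10.0.19.50", "src_port": "51000", "dst_addr": "10.0.19.9", "dst_port": "80"},
    {"id": 2, "proto": "tcp", "src_addr": "10.0.19.50", "src_port": "51001", "dst_addr": "192.168.1.200", "dst_port": "3128"},
    {"id": 3, "proto": "tcp", "src_addr": "10.0.19.50", "src_port": "51002", "dst_addr": "192.168.1.10", "dst_port": "23"},
    {"id": 4, "proto": "icmp", "src_addr": "10.0.19.9", "src_port": "", "dst_addr": "192.168.1.10", "dst_port": ""},
]
```

Comparing `tcpdump_filter("not tcp port 3128 and tcp port 23", PACKETS)` with the parenthesised forms reproduces the precedence note above: the first two agree, the third does not.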

The -w option saves the capture to a file for later analysis or for use with other tools.

For more advanced use cases, I found this one good:
http://www.wains.be/pub/networking/tcpdump_advanced_filters.txt
