Network sniffer, inspect network traffic. Tcpdump is one of the most common command-line packet analyzers and can be found on most Unix and Linux operating systems. Tcpdump can capture files from the network, or read existing capture files.
Promiscuous Mode
Network interface will send all packets to CPU for processing and not discard packets that are not addressed to this interface.
💡 Tcpdump enables promiscuous mode by default. Capture on the any interface will not be done in promiscuous mode.
Disable promiscuous mode
tcpdump -p ...Capture/Display Filters
Capture filters and display filters have the same syntax.
tcpdump -i any [filters] [options...]| Description | Capture/Display Filter |
| Capture/display only ftp and ssh packets | port ftp or ssh |
| Capture/display traffic from or to port 53 | port 53 |
| Capture/display traffic from port 53 | src port 53 |
| Capture/display traffic to port 53 | dst port 53 |
| Filter on source IPs | src host x.x.x.x |
| Filter on destination IPs | dst host x.x.x.x |
| Specific tcpflags | ‘tcp[13] & 2 == 2’ ‘tcp[13] = 2 or tcp[13] = 16’ ‘tcp[tcpflags] & tcp-push != 0’ ‘tcp[tcpflags] & tcp-ack != 0 and tcp[tcpflags] & tcp-syn != 0’ Available flags: tcp-fin, tcp-syn, tcp-rst, tcp-push, tcp-ack, tcp-urg |
| Data packets (ACK&PSH) * | ‘tcp[13] = 24’ |
* All TCP packets sent and received after the initial 3-way handshake have the ACK flag set. PSH is used to enforce immediate delivery and is typical for application layer protocols to avoid buffering.
Capture traffic
❗ Local user permissions determine the ability to capture network traffic.
List all interfaces
tcpdump -DCapture traffic in pcap file
- -s 0 will set the capture byte to its maximum i.e. 65535, after this capture file will not truncate.
- -i eth0 is using to give Ethernet interface, which you to capture. Default is eth0, if you not use this option.
- -w mypcap.pcap will create that pcap file, which will be opened using wireshark.
sudo tcpdump -s 0 -i eth0 [filters] -w capture.pcap
[Ctrl+C]Read pcap file
💡 Format of IP address in output is x.x.x.x.port
tcpdump [filters] -r capture.pcapWithout DNS lookup (-n)
tcpdump -n [filters] -r capture.pcapExtract unique IP addresses
tcpdump -n -r capture.pcap | cut -d " " -f 3 | sort -u | headtcpdump -n -r capture.pcap | awk -F" " '{print $3}' | sort -u | headExtract & count unique IP addresses
tcpdump -n -r capture.pcap | cut -d " " -f 3 | sort | uniq -c | headtcpdump -n -r capture.pcap | awk -F" " '{print $3}' | sort | uniq -c | headPacket details, additional information, hex format
tcpdump -nX -r capture.pcapPrint each packet (minus its link level header) in ASCII
tcpdump -A -n -r capture.pcapHandy for capturing web pages, with ACK & PUSH TCP flags.
tcpdump -A -n 'tcp[13] = 24' -r capture.pcap