Using the Linux tcpdump command, you can analyze packets that have been sent within your network. Numerous filters and options allow you to optimize this analysis.
What is Linux tcpdump?
For analyzing your network traffic on Linux and troubleshooting network issues, tcpdump is a particularly valuable tool. The command-line program comes preinstalled on almost all common Linux distributions, such as Debian or Ubuntu, and displays information about the data packets that have been sent or received on your network. Despite its name, Linux tcpdump is not limited to TCP packets; it can also analyze UDP and ICMP packets. You need administrator (root) rights to use the command.
How does the tcpdump command work?
The analysis performed by tcpdump is also called sniffing. With the tcpdump command, you specify the network interface the program should listen on. In addition, numerous filters let you narrow down and optimize the capture. The command is run from the command line, and the results of the analysis are displayed there as well.
What is the syntax of the tcpdump command?
The Linux tcpdump syntax is very simple and looks like this:

```bash
$ tcpdump [options] [filter]
```

Options are not strictly required, but you should use at least one so that tcpdump captures on the right network interface. Filters are also optional; without one, however, tcpdump shows all packets from all hosts, which quickly becomes confusing.
What are the options and filters of the tcpdump command?
tcpdump has many filters and options. Here are the main options:
- -A : this option prints the contents of each packet in ASCII.
- -c [number] : tcpdump stops automatically once the given number of packets has been captured.
- -D : with this option, all available interfaces are listed.
- -i [interface] : with this option you select the interface to capture on.
- -s [number] : this option sets how many bytes of each packet are captured (the snapshot length).
These filters can be used for tcpdump:
- dst : only packets whose destination matches the given value are analyzed. The value can be a host, net, port or portrange.
- host : this filter ensures that only packets with a specific IP address or host name as source or destination are considered.
- net : this filter only considers packets whose source or destination IP address belongs to a specific network.
- port : this filter restricts the capture to a specific port between 0 and 65535.
- portrange : this filter restricts the capture to a range of ports between 0 and 65535.
- proto : this filter only considers packets of a specific network protocol. It accepts the following values: arp, decnet, ether, fddi, ip, ip6, rarp, tcp, udp or wlan.
- src : with this filter, only packets whose source matches the given value are analyzed. The value can be a host, net, port or portrange.
Examples of using the tcpdump command
Finally, we show in more detail how you can use tcpdump. Since the command needs root rights, our examples use sudo on Linux.
First, list the available network interfaces (option -D) and pick the one you want to capture on.

```bash
$ sudo tcpdump -i wlx14a3c782966b
```

Here you capture only on the interface whose name is specified.
```bash
$ sudo tcpdump -c 5 -i wlx14a3c782966b
```

With this tcpdump command, the capture stops automatically after five packets.
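As an added example (not from the original article), the following POSIX shell functions compose a tcpdump command line from the options and filters explained above and validate the port values before anything runs; the helper names check_port, port_filter, portrange_filter and build_capture are hypothetical, and the -nn flag is a real tcpdump option that the article does not cover.

```shell
#!/bin/sh
# Added example, not from the original article: compose a tcpdump command
# from the options and filters explained above, and validate the port values
# (0-65535, low end of a range not above the high end) before anything runs.
# Hypothetical helper names: check_port, port_filter, portrange_filter, build_capture.

# Succeeds only if $1 is an integer between 0 and 65535.
check_port() {
  case "$1" in
    ''|*[!0-9]*) return 1 ;;
  esac
  [ "$1" -le 65535 ]
}

# port_filter DIR PORT  -> e.g. "dst port 443"   (DIR is src or dst)
port_filter() {
  case "$1" in src|dst) ;; *) echo "direction must be src or dst" >&2; return 1 ;; esac
  check_port "$2" || { echo "port must be 0-65535: $2" >&2; return 1; }
  printf '%s port %s\n' "$1" "$2"
}

# portrange_filter DIR LOW HIGH  -> e.g. "src portrange 1024-65535"
portrange_filter() {
  case "$1" in src|dst) ;; *) echo "direction must be src or dst" >&2; return 1 ;; esac
  { check_port "$2" && check_port "$3" && [ "$2" -le "$3" ]; } ||
    { echo "bad port range: $2-$3" >&2; return 1; }
  printf '%s portrange %s-%s\n' "$1" "$2" "$3"
}

# build_capture IFACE COUNT FILTER...
# Prints the command line: -i IFACE, -c COUNT (stop after COUNT packets), -nn
# (a real tcpdump flag not covered in the article: keep hosts and ports numeric,
# so the capture itself triggers no DNS lookups), then the filter expression.
build_capture() {
  iface=$1; count=$2; shift 2
  [ -n "$iface" ] || { echo "interface name required (see tcpdump -D)" >&2; return 1; }
  case "$count" in ''|*[!0-9]*) echo "packet count must be numeric" >&2; return 1 ;; esac
  printf 'tcpdump -nn -i %s -c %s %s\n' "$iface" "$count" "$*"
}

# Demo: five packets on the article's interface, only traffic sent to port 443
# from one host (192.0.2.10 is a documentation address, constructed here).
# Prefix the printed line with sudo to run the capture for real.
build_capture wlx14a3c782966b 5 "$(port_filter dst 443) and src host 192.0.2.10"
```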