Install, Configure, and Use TCPDUMP on Ubuntu, CentOS, and Linux
In this chapter, you will learn
- How to Install TCPDUMP on Ubuntu/CentOS/Linux
- How to use TCPDUMP?
What is TCPDUMP?
TCPdump is a command-line network analyzer that captures and filters packets on a network interface. It comes pre-installed on most Linux distributions. In this article, you will learn how to use TCPdump to analyze and troubleshoot network-related issues in a Linux environment.
TCPdump is not limited to TCP/IP packets; it also captures UDP, ARP, and ICMP packets. This command-line utility is very popular among network administrators because it is used for analyzing and troubleshooting network issues.
Let's start by installing and configuring TCPdump and begin monitoring your network traffic.
Check version
Before installing this tool, check whether it is already installed on your distribution. You can check for this utility as follows:
tcpdump --version
tcpdump version 4.99.1 libpcap version 1.10.1 (with TPACKET_V3) OpenSSL 3.0.2 15 Mar 2022
If you don't get any output or it says "tcpdump: command not found", you can start installing this tool using the following method.
Installation
Debian based system (Ubuntu):
sudo apt update && sudo apt install tcpdump
RPM based system (CentOS):
sudo yum install tcpdump
Configuration
Capture all packets
To start capturing, run the following command. Stop the capture with Ctrl + C.
sudo tcpdump
09:05:54.652440 IP 112.11.196.152.52244 > 103.77.111.8.https: Flags [.], ack 2265916, win 604, options [nop,nop,TS val 945214041 ecr 1881410676], length 0
09:05:54.707419 IP 112.11.196.152.52244 > 103.77.111.8.https: Flags [.], ack 2267184, win 625, options [nop,nop,TS val 945214096 ecr 1881410676], length 0
09:05:54.732399 IP 103.77.111.8.https > 112.11.196.152.52244: Flags [.], seq 2267184:2268452, ack 1, win 243, options [nop,nop,TS val 1881410756 ecr 945214011], length 1268
09:05:54.742210 IP 103.77.111.8.https > 112.11.196.152.52244: Flags [.], seq 2268452:2269720, ack 1, win 243, options [nop,nop,TS val 1881410766 ecr 945214041], length 1268
09:05:54.742332 IP 112.11.196.152.52244 > 103.77.111.8.https: Flags [.], ack 2269720, win 625, options [nop,nop,TS val 945214130 ecr 1881410756], length 0
^C
5015 packets captured
5461 packets received by filter
441 packets dropped by kernel
Capture only 10 packets.
If you want to capture only a limited number of packets, such as 10, 15, or 20, use the -c option as follows:
sudo tcpdump -c 10
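The per-packet lines and the "packets dropped by kernel" summary shown above are what you typically feed into a script when reviewing a capture. The following Python example is added here and is not part of the original article: it parses tcpdump's default IPv4/TCP line format into per-flow packet and byte counts and computes the kernel drop ratio, which tells you how much of the traffic the capture missed. The sample lines are copied from the output above.

```python
import re
from collections import defaultdict

# Constructed sample: per-packet lines in tcpdump's default format, followed by
# the three summary lines tcpdump prints when the capture is stopped with Ctrl+C.
SAMPLE = """09:05:54.652440 IP 112.11.196.152.52244 > 103.77.111.8.https: Flags [.], ack 2265916, win 604, options [nop,nop,TS val 945214041 ecr 1881410676], length 0
09:05:54.732399 IP 103.77.111.8.https > 112.11.196.152.52244: Flags [.], seq 2267184:2268452, ack 1, win 243, options [nop,nop,TS val 1881410756 ecr 945214011], length 1268
09:05:54.742210 IP 103.77.111.8.https > 112.11.196.152.52244: Flags [.], seq 2268452:2269720, ack 1, win 243, options [nop,nop,TS val 1881410766 ecr 945214041], length 1268
5015 packets captured
5461 packets received by filter
441 packets dropped by kernel
"""

# "<time> IP <src> > <dst>: Flags [<flags>], ..., length <n>"
PKT_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) IP (?P<src>\S+) > (?P<dst>\S+): "
    r"Flags \[(?P<flags>[^\]]*)\].*?length (?P<len>\d+)$"
)
STAT_RE = re.compile(
    r"^(?P<n>\d+) packets (?P<what>captured|received by filter|dropped by kernel)$"
)

def split_endpoint(ep):
    """'103.77.111.8.https' -> ('103.77.111.8', 'https'); the last dot separates host and port."""
    host, _, port = ep.rpartition(".")
    return host, port

def summarize(text):
    """Return ({(src, dst): {packets, bytes, flags}}, {summary name: count})."""
    flows = defaultdict(lambda: {"packets": 0, "bytes": 0, "flags": set()})
    stats = {}
    for line in text.splitlines():
        m = PKT_RE.match(line)
        if m:
            flow = flows[(split_endpoint(m["src"]), split_endpoint(m["dst"]))]
            flow["packets"] += 1
            flow["bytes"] += int(m["len"])  # TCP payload length as printed by tcpdump
            flow["flags"].add(m["flags"])
            continue
        m = STAT_RE.match(line)
        if m:
            stats[m["what"]] = int(m["n"])
    return flows, stats

def drop_ratio(stats):
    """Share of matching packets the kernel dropped before tcpdump wrote them.
    Anything above zero means the capture has gaps and cannot be treated as complete."""
    received = stats.get("received by filter", 0)
    return stats.get("dropped by kernel", 0) / received if received else 0.0
```

A drop ratio well above zero on a busy interface is a sign to narrow the capture filter or write directly to a file with -w instead of printing to the terminal.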
List available network interface
If you don't specify a network interface, tcpdump captures packets on the first running interface it finds. You can list all the available network interfaces as follows:
sudo tcpdump -D
1.eth0 [Up, Running, Connected]
2.any (Pseudo-device that captures on all interfaces) [Up, Running]
3.lo [Up, Running, Loopback]
4.bluetooth-monitor (Bluetooth Linux Monitor) [Wireless]
5.nflog (Linux netfilter log (NFLOG) interface) [none]
6.nfqueue (Linux netfilter queue (NFQUEUE) interface) [none]
7.dbus-system (D-Bus system bus) [none]
8.dbus-session (D-Bus session bus) [none]
Capture packets on selected interface:
You can also restrict the capture to a single network interface with the -i option.
sudo tcpdump -i eth0
Capture packets from all the available interfaces:
sudo tcpdump -i any
Save output into a File
TCPDump allows you to capture packets and save them to a ".pcap" file for later analysis.
sudo tcpdump -w eth0.pcap -i eth0
Read the saved file back:
tcpdump -r eth0.pcap
Capture packets from a specific port
To capture only traffic to or from a given port, for example HTTP on port 80, add a port filter:
sudo tcpdump -i eth0 port 80
TCPDump is not the only solution for capturing and analyzing network packets; you can also use Wireshark for analyzing network packets.