How to capture traffic with tcpdump on Linux


Tcpdump is a command-line packet capture and analysis tool. This knowledgebase article describes how to capture all traffic for a specific interface, port, or protocol on Linux with tcpdump, which can save a lot of time when debugging network or server problems. Opening an interface needs root privileges (or the CAP_NET_RAW capability), and a capture file contains whatever the traffic carried, including cleartext credentials, so treat capture files as sensitive data.

  • How to monitor all packets on a network interface?

#tcpdump -i eth0
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
  • How to monitor all traffic for a specific port (HTTP on 8080 here)? tcpdump also accepts service names from /etc/services, so 'port http' means port 80.

#tcpdump -i eth0 'port 8080'
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
#tcpdump -ni eth0 'dst 192.168.1.5 and tcp and port http'

Capture all packets for port 8080 but print only segments that carry data (skipping empty ACKs and handshake segments). The filter reads three header fields (see the header layouts at the end of this page): ip[2:2] is the IP Total Length, (ip[0]&0xf)<<2 is the IP header length (IHL is counted in 32-bit words, so shift left by 2 to get bytes), and (tcp[12]&0xf0)>>2 is the TCP header length (Data Offset, also in 32-bit words). Total length minus both header lengths is the payload size, and a nonzero result means the segment carries data. Because only header fields are read, the test still works when the snapshot length truncates the payload itself.

#tcpdump 'tcp port 8080 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)'

Dump SMTP traffic on eth1 with a 1500-byte snapshot length, printing each packet in hex (-x) and in hex plus ASCII (-X):

#tcpdump -vv -x -X -s 1500 -i eth1 'port 25'
  • How to monitor all traffic for a specific protocol?

#tcpdump -i eth0 ip
#tcpdump -i eth0 arp
#tcpdump -i eth0 udp
#tcpdump -i eth0 tcp
#tcpdump -i eth0 icmp
Option  Details
-vv     More verbose output (-v, -vv and -vvv give increasing detail)
-x      Print each packet (minus its link-level header) in hex; -X prints hex and ASCII
-s      Snapshot length: how many bytes of each packet to capture. Old tcpdump versions default to 68 (or 96, as in the output above), which truncates payloads; tcpdump 4.0 and later capture the whole packet by default. -s 0 means "whole packet" on any version.
-i      Network interface to listen on
-w      Write the raw packets to a file (pcap format) rather than parsing and printing them
-c      Exit after receiving the specified number of packets
-n      Don't convert host addresses to names (avoids slow reverse DNS lookups that also reveal what you are looking at); -nn leaves port numbers numeric as well
  • How to set up a cron job for tcpdump?

Suppose your server has a network problem at the same time every day and you suspect an attack. A cron job can capture the traffic at that time so the root cause can be analysed afterwards.

This crontab entry captures 50000 packets at 01:00 every day and writes them to /tmp/port.80.80.pcap; append a filter such as 'port 80' if only one service is of interest, or use -G seconds -W count instead of -c to rotate files for a longer capture. Read the file back later with -r. Two caveats: tcpdump on some distributions drops privileges (see -Z in the man page) before opening the output file, so the directory must be writable by that user; and the file contains the raw traffic, so prefer a directory with restrictive permissions over a shared /tmp.

#crontab  -e
0 1 * * * /usr/sbin/tcpdump -n -c 50000 -w /tmp/port.80.80.pcap >/dev/null 2>&1
#tcpdump -X -vv -r /tmp/port.80.80.pcap
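The payload-only filter shown earlier and the -r read-back of the cron capture, as an added example that is not the article's own code and not part of tcpdump: a small standard-library Python reader for the pcap file that tcpdump -w writes, which applies the same "segment carries data" arithmetic as the BPF expression so each term can be seen against the header layouts at the end of this page. It assumes a classic pcap file with Ethernet link type (what tcpdump -w produces), decodes IPv4 over Ethernet II only, and the sample capture, addresses and payloads are constructed in memory, so it runs without root or a network interface.

```python
"""Added example (not code from the original article): a standard-library
reader for the pcap file that `tcpdump -w` writes, applying the same
"TCP segment carries data" test as the BPF filter
    (ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2) != 0
The capture below is constructed in memory (checksums left at zero).
"""
import socket
import struct

ETHERTYPE_IPV4 = b"\x08\x00"
IPPROTO_TCP = 6


def ipv4_tcp_payload_len(ip: bytes) -> int:
    """Payload bytes in a TCP segment, computed exactly like the filter.
    Only header fields are read, so it works even if -s truncated the body."""
    total_len = struct.unpack("!H", ip[2:4])[0]   # ip[2:2]: IP Total Length
    ihl_bytes = (ip[0] & 0x0F) << 2                # (ip[0]&0xf)<<2: IHL in bytes
    tcp = ip[ihl_bytes:]
    data_off = (tcp[12] & 0xF0) >> 2               # (tcp[12]&0xf0)>>2: TCP hdr bytes
    return total_len - ihl_bytes - data_off


def iter_pcap(blob: bytes):
    """Yield (ts_sec, incl_len, orig_len, frame) from a classic pcap blob."""
    magic = struct.unpack("<I", blob[:4])[0]
    if magic == 0xA1B2C3D4:
        end = "<"
    elif magic == 0xD4C3B2A1:
        end = ">"
    else:
        raise ValueError("not a classic pcap file (pcapng is not handled)")
    if struct.unpack(end + "I", blob[20:24])[0] != 1:
        raise ValueError("only LINKTYPE_ETHERNET captures are handled")
    off = 24
    while off + 16 <= len(blob):
        ts_sec, _usec, incl_len, orig_len = struct.unpack(end + "IIII", blob[off:off + 16])
        off += 16
        yield ts_sec, incl_len, orig_len, blob[off:off + incl_len]
        off += incl_len


def tcp_data_segments(blob: bytes, port: int) -> list:
    """Python equivalent of: tcpdump -r FILE 'tcp port PORT and (<payload test>)'."""
    hits = []
    for ts_sec, incl_len, _orig_len, frame in iter_pcap(blob):
        # Ethernet II header is dst(6) src(6) type(2); only IPv4 is decoded.
        if incl_len < 14 + 20 + 20 or frame[12:14] != ETHERTYPE_IPV4:
            continue
        ip = frame[14:]
        if ip[9] != IPPROTO_TCP:                   # ip[9]: Protocol field
            continue
        if struct.unpack("!H", ip[6:8])[0] & 0x1FFF:
            continue                               # later fragment: no TCP header
        tcp = ip[((ip[0] & 0x0F) << 2):]
        sport, dport = struct.unpack("!HH", tcp[:4])
        if port not in (sport, dport):
            continue
        payload_len = ipv4_tcp_payload_len(ip)
        if payload_len == 0:                       # pure ACK / handshake segment
            continue
        data_off = (tcp[12] & 0xF0) >> 2
        hits.append({"ts": ts_sec, "src": socket.inet_ntoa(ip[12:16]), "sport": sport,
                     "dst": socket.inet_ntoa(ip[16:20]), "dport": dport,
                     "payload": tcp[data_off:data_off + payload_len]})
    return hits


# ---- constructed sample capture (made-up addresses, not real traffic) ----
def build_frame(src, sport, dst, dport, flags, payload=b""):
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1000, 2000,
                      5 << 4, flags, 65535, 0, 0) + payload          # 20-byte TCP header
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0x4000,
                     64, IPPROTO_TCP, 0, socket.inet_aton(src), socket.inet_aton(dst))
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + ETHERTYPE_IPV4
    return eth + ip + tcp


def build_pcap(frames):
    hdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 262144, 1)  # linktype 1
    out = [hdr]
    for i, frame in enumerate(frames):
        out.append(struct.pack("<IIII", 1700000000 + i, 0, len(frame), len(frame)))
        out.append(frame)
    return b"".join(out)


SAMPLE_PCAP = build_pcap([
    build_frame("10.0.0.5", 40001, "10.0.0.9", 8080, 0x10),                   # empty ACK
    build_frame("10.0.0.5", 40001, "10.0.0.9", 8080, 0x18, b"GET / HTTP/1.1\r\n\r\n"),
    build_frame("10.0.0.5", 40002, "10.0.0.9", 22, 0x18, b"SSH-2.0-x\r\n"),   # other port
])

if __name__ == "__main__":
    for seg in tcp_data_segments(SAMPLE_PCAP, 8080):
        print(f"{seg['src']}.{seg['sport']} > {seg['dst']}.{seg['dport']}: "
              f"{len(seg['payload'])} bytes {seg['payload']!r}")
```

Point tcp_data_segments at the bytes of a real file written by the cron job (open(path, "rb").read()) to get the same selection that tcpdump -r with the filter would print; the empty ACK in the sample is dropped by the payload test and the SSH segment by the port test, leaving only the GET.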
  • How to display all FTP sessions to a host?

Port 21 is the control channel; port 20 is only the server side of active-mode data connections. Passive-mode data connections use a high port negotiated in the PASV reply, so this filter does not match them.

#tcpdump -i eth1 'dst host hostxx and (port 21 or port 20)'
  • How to save a capture for Wireshark?

Write whole packets (-s 0) to a file with -w; the result is pcap format, which Wireshark opens directly to show detailed per-packet decoding. Nothing is printed while capturing, so stop with Ctrl-C or limit it with -c.

#tcpdump -n -i eth0 -s 0 -w outputx.pcap 'src or dst port 8080'
  • How to capture packets exchanged with a specific host and port?

'host' matches either direction; use 'src host' or 'dst host' to keep only one.

#tcpdump -s0 -nn -i eth1 'host x.x.x.x and port 22'
  • How to find out which switch port a network interface is connected to?

Switches announce their identity and port name with Cisco Discovery Protocol (CDP) or the vendor-neutral LLDP. CDP is SNAP-encapsulated, so its protocol ID sits at ether[20:2] (0x2000); LLDP has its own EtherType 0x88cc at ether[12:2]. The announcements are periodic (CDP every 60 seconds by default, LLDP every 30), so -c 1 may block for up to a minute, and nothing is captured if the switch has the protocol disabled on that port. The explicit -s 1500 matters on old tcpdump versions, whose 96-byte default snapshot would cut the TLVs off before the Port-ID.

#tcpdump -nn -v -i eth5 -s 1500 -c 1 'ether[20:2]==0x2000'       // switch port information from Cisco Discovery Protocol (CDP)
#tcpdump -v -i eth5 -s 1500 -c 1 '(ether[12:2]=0x88cc or ether[20:2]=0x2000)' // CDP or the vendor-neutral LLDP, whichever arrives first
#tcpdump -v -i eth5 -s 1500 -c 1 'ether[20:2] == 0x2000' 2>&1 |egrep 'Device-ID|Port-ID|VLAN'
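What the two link-layer filters test, and the Device-ID / Port-ID / VLAN values the egrep pulls out of tcpdump's decode, as an added example that is not the article's own code and not part of tcpdump: a Python classifier that mirrors the ether[12:2] / ether[20:2] checks, plus minimal CDP and LLDP TLV parsers. It uses only the standard library; the switch names, MAC addresses, port names and VLAN number are made up, and the frames are constructed inline with checksums left at zero.

```python
"""Added example (not code from the original article): the link-layer
checks behind '(ether[12:2]=0x88cc or ether[20:2]=0x2000)' and the CDP/LLDP
TLVs the egrep looks for, on hand-constructed frames.
  ether[12:2]  Ethernet type/length. LLDP uses EtherType 0x88cc; CDP frames
               are 802.3 frames (field < 0x0600) followed by LLC/SNAP.
  ether[20:2]  SNAP protocol ID; 0x2000 (with Cisco OUI 00:00:0c) is CDP.
"""
import struct

LLDP_ETHERTYPE = 0x88CC
CDP_SNAP_PID = 0x2000
CDP_TLV_NAMES = {0x0001: "Device-ID", 0x0003: "Port-ID",
                 0x0005: "Software-Version", 0x0006: "Platform"}


def classify_discovery_frame(frame: bytes):
    """Mirror of the tcpdump filter: 'LLDP', 'CDP' or None."""
    if len(frame) < 22:
        return None
    type_or_len = struct.unpack("!H", frame[12:14])[0]
    if type_or_len == LLDP_ETHERTYPE:
        return "LLDP"
    if (type_or_len < 0x0600 and frame[14:17] == b"\xaa\xaa\x03"   # LLC: SNAP
            and struct.unpack("!H", frame[20:22])[0] == CDP_SNAP_PID):
        return "CDP"
    return None


def parse_cdp(frame: bytes) -> dict:
    """Device-ID, Port-ID and native VLAN from a CDP frame.
    CDP payload: version(1) ttl(1) checksum(2), then TLVs of
    type(2) length(2, counting these 4 bytes) value."""
    cdp = frame[22:]                        # 14-byte Ethernet + 8-byte LLC/SNAP
    info, off = {"version": cdp[0], "ttl": cdp[1]}, 4
    while off + 4 <= len(cdp):
        tlv_type, tlv_len = struct.unpack("!HH", cdp[off:off + 4])
        if tlv_len < 4:                     # malformed length would loop forever
            break
        value = cdp[off + 4:off + tlv_len]
        if tlv_type == 0x000A and len(value) == 2:
            info["Native-VLAN"] = struct.unpack("!H", value)[0]
        elif tlv_type in CDP_TLV_NAMES:
            info[CDP_TLV_NAMES[tlv_type]] = value.decode("ascii", "replace")
        off += tlv_len
    return info


def parse_lldp(frame: bytes) -> dict:
    """Chassis-ID, Port-ID and TTL from an LLDP frame.
    LLDP TLV header is 16 bits: 7-bit type, 9-bit length; type 0 ends the PDU."""
    info, off = {}, 14
    while off + 2 <= len(frame):
        hdr = struct.unpack("!H", frame[off:off + 2])[0]
        tlv_type, tlv_len = hdr >> 9, hdr & 0x1FF
        value = frame[off + 2:off + 2 + tlv_len]
        if tlv_type == 0:
            break
        if tlv_type == 1:                   # chassis subtype 4 = MAC address
            info["Chassis-ID"] = (value[1:].hex(":") if value[0] == 4
                                  else value[1:].decode("ascii", "replace"))
        elif tlv_type == 2:                 # port subtype 5 = interface name
            info["Port-ID"] = value[1:].decode("ascii", "replace")
        elif tlv_type == 3 and len(value) == 2:
            info["TTL"] = struct.unpack("!H", value)[0]
        off += 2 + tlv_len
    return info


# ---- constructed sample frames (made-up switch, MACs and VLAN) -----------
def build_cdp_frame(device_id: str, port_id: str, native_vlan: int) -> bytes:
    def tlv(t, v):
        return struct.pack("!HH", t, 4 + len(v)) + v
    body = (tlv(0x0001, device_id.encode()) + tlv(0x0003, port_id.encode())
            + tlv(0x000A, struct.pack("!H", native_vlan)))
    cdp = struct.pack("!BBH", 2, 180, 0) + body           # checksum left 0
    llc_snap = b"\xaa\xaa\x03" + b"\x00\x00\x0c" + struct.pack("!H", CDP_SNAP_PID)
    eth = (bytes.fromhex("01000ccccccc") + bytes.fromhex("00aabbccddee")
           + struct.pack("!H", len(llc_snap) + len(cdp)))  # 802.3 length field
    return eth + llc_snap + cdp


def build_lldp_frame(chassis_mac: bytes, port_name: str, ttl: int) -> bytes:
    def tlv(t, v):
        return struct.pack("!H", (t << 9) | len(v)) + v
    eth = bytes.fromhex("0180c200000e") + chassis_mac + struct.pack("!H", LLDP_ETHERTYPE)
    return eth + (tlv(1, b"\x04" + chassis_mac) + tlv(2, b"\x05" + port_name.encode())
                  + tlv(3, struct.pack("!H", ttl)) + tlv(0, b""))


if __name__ == "__main__":
    for f in (build_cdp_frame("sw-core-01", "GigabitEthernet1/0/7", 120),
              build_lldp_frame(bytes.fromhex("00aabbccddee"), "ge-0/0/7", 120)):
        kind = classify_discovery_frame(f)
        print(kind, parse_cdp(f) if kind == "CDP" else parse_lldp(f))
```

An ordinary IPv4 frame (EtherType 0x0800) is classified as neither, which is why the filters are quiet on a busy interface until the switch's next announcement arrives. The parsers stop on a zero-length or end TLV so a malformed frame cannot make them loop.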

Some useful information (the header layouts that the byte offsets ip[0], ip[2:2] and tcp[12] in the filters above refer to):

UDP  Header
  0      7 8     15 16    23 24    31  
 +--------+--------+--------+--------+ 
 |     Source      |   Destination   | 
 |      Port       |      Port       | 
 +--------+--------+--------+--------+ 
 |                 |                 | 
 |     Length      |    Checksum     | 
 +--------+--------+--------+--------+ 
 |                                   | 
 |              DATA ...             |
 +-----------------------------------+
TCP Header
	0                   1                   2                   3   
	0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 
	+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
	|          Source Port          |       Destination Port        |
	+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
	|                        Sequence Number                        |
	+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
	|                    Acknowledgment Number                      |
	+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
	|  Data |       |C|E|U|A|P|R|S|F|                               |
	| Offset|  Res. |W|C|R|C|S|S|Y|I|            Window             | 
	|       |       |R|E|G|K|H|T|N|N|                               |
	+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
	|           Checksum            |         Urgent Pointer        |
	+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
	|                    Options                    |    Padding    |
	+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
	|                             data                              |
	+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
IP  Header
	0                   1                   2                   3   
	0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 
	+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
	|Version|  IHL  |Type of Service|          Total Length         |
	+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
	|         Identification        |Flags|      Fragment Offset    |
	+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
	|  Time to Live |    Protocol   |         Header Checksum       |
	+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
	|                       Source Address                          |
	+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
	|                    Destination Address                        |
	+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
	|                    Options                    |    Padding    |
	+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
	|                            DATA ...                           |
	+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

I'm an IT Infrastructure and Operations Architect with extensive experience and administration skills and work for Turk Telekom. I provide hardware and software support for IT Infrastructure and Operations tasks.
