Installing and Using tcpdump on Debian 10


Install tcpdump

$ sudo apt install tcpdump -y

List Network Interfaces

$ sudo tcpdump -D

Output

1.eth0 [Up, Running]
2.eth1 [Up, Running]
3.any (Pseudo-device that captures on all interfaces) [Up, Running]
4.lo [Up, Running, Loopback]
5.nflog (Linux netfilter log (NFLOG) interface)
6.nfqueue (Linux netfilter queue (NFQUEUE) interface)

Capture packets on a particular Ethernet interface with the -i option:

$ sudo tcpdump -i eth0

You can use the -v option to increase the verbosity of the output, or -vv and -vvv to increase it even further.

$ sudo tcpdump -i eth0 -vv

If you don’t want tcpdump to output data to your terminal endlessly, you can use the -c option to specify how many packets you’d like the utility to capture. tcpdump exits once that count has been reached, rather than waiting for you to interrupt it. The following command captures only the first 15 packets.

$ sudo tcpdump -c 15

If you don’t want tcpdump to perform DNS resolution on the network addresses in the output, you can use the -n option in your command. This will display all network addresses as IP addresses, rather than resolving them to domain names.

$ sudo tcpdump -n

If you would rather save the network traffic output to file, instead of having it listed on your screen, you can always redirect the tcpdump output with the usual > and >> operators.

$ sudo tcpdump > traffic.txt

Another option is to write the network capture to a file with the -w option. These files usually have the .pcap file extension; they contain the raw packets rather than text, so they can’t be read by an ordinary text editor.

$ sudo tcpdump -n -w traffic.pcap

To read the saved file later, use the -r option followed by the name of your file.

$ sudo tcpdump -r traffic.pcap

Other tools that can read pcap files include tcpick, tcpxtract and Wireshark.

Interpret tcpdump command output

Each packet that tcpdump captures is written as an individual line. One of those lines will look something like this:

23:36:59.581280 IP 143.110.237.64.22 > 70.112.179.47.53357: Flags [P.], seq 448976:449152, ack 1761, win 501, length 176

Here’s how to interpret that line of data:

    23:36:59.581280 - Timestamp of when the packet was captured.
    IP 143.110.237.64.22 - IP address and port number of the source host (IP 143.110.237.64, port 22).
    70.112.179.47.53357 - IP address and port number of the destination host (IP 70.112.179.47, port 53357).
    Flags [P.] - TCP flags (SYN, ACK, PSH, etc.). [P.] means PSH and ACK; [.] on its own means ACK.
    seq 448976:449152 - The TCP sequence number range covered by this packet’s payload.
    ack 1761 - The acknowledgment number.
    win 501 - The window size advertised by the sender (bytes available in its receive buffer).
    length 176 - The length of the payload data in bytes.

Specific Port

$ sudo tcpdump -i eth0 port 80

Filter records with source and destination IP

To capture packets from a source IP you can use the following command:

$ sudo tcpdump -i eth0 src 192.168.1.1

You can monitor packets from a destination IP as well with the command below:

$ sudo tcpdump -i eth0 dst 192.168.1.1
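The following Python script is an added example (not part of the tutorial or of tcpdump itself) that ties together three of the steps above: it parses the text output you get from redirecting tcpdump to a file (tcpdump -n > traffic.txt), breaks each line into the fields explained in the interpretation list (timestamp, source and destination address and port, flags, seq, ack, win, length), and then applies the equivalent of the src, dst and port filters to the already-captured lines, which is useful when you only have a saved text capture and no longer have the live interface. It assumes tcpdump’s default IPv4 TCP summary line format; the sample capture embedded in it is constructed for illustration (the first line is the tutorial’s own example, the rest is a made-up handshake to port 80).

```python
import re
from collections import Counter

# Assumption: lines follow tcpdump's default IPv4 TCP summary format, i.e.
# "<time> IP <src>.<sport> > <dst>.<dport>: Flags [..], seq, ack, win, options, length".
# The fields after Flags are optional and appear in the order tcpdump prints them.
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) IP "
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3})\.(?P<sport>\d+) > "
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3})\.(?P<dport>\d+): "
    r"Flags \[(?P<flags>[^\]]*)\]"
    r"(?:, seq (?P<seq>\d+)(?::(?P<seq_end>\d+))?)?"
    r"(?:, ack (?P<ack>\d+))?"
    r"(?:, win (?P<win>\d+))?"
    r"(?:, options \[[^\]]*\])?"
    r", length (?P<length>\d+)$"
)

# tcpdump's one-letter TCP flag codes; "." stands for ACK.
FLAG_NAMES = {"S": "SYN", "F": "FIN", "P": "PSH", "R": "RST",
              ".": "ACK", "U": "URG", "E": "ECE", "W": "CWR"}

INT_FIELDS = ("sport", "dport", "seq", "seq_end", "ack", "win", "length")


def decode_flags(flags):
    """Expand a flag string such as 'P.' into ['PSH', 'ACK']."""
    return [FLAG_NAMES.get(c, c) for c in flags]


def parse_line(line):
    """Return a dict of fields for one tcpdump TCP line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    pkt = m.groupdict()
    for key in INT_FIELDS:
        pkt[key] = int(pkt[key]) if pkt[key] is not None else None
    pkt["flag_names"] = decode_flags(pkt["flags"])
    return pkt


def parse_capture(text):
    """Parse every recognisable line of a saved tcpdump text capture."""
    return [p for p in (parse_line(l) for l in text.splitlines()) if p]


def filter_packets(packets, src=None, dst=None, port=None):
    """Offline equivalent of tcpdump's 'src <ip>', 'dst <ip>' and 'port <n>' filters.
    As in tcpdump, 'port' matches either the source or the destination port."""
    out = []
    for p in packets:
        if src is not None and p["src"] != src:
            continue
        if dst is not None and p["dst"] != dst:
            continue
        if port is not None and port not in (p["sport"], p["dport"]):
            continue
        out.append(p)
    return out


def summarize(packets):
    """Count flag combinations and total payload bytes: a quick view of what a capture holds."""
    flag_counts = Counter(p["flags"] for p in packets)
    payload = sum(p["length"] for p in packets)
    return {"packets": len(packets), "payload_bytes": payload, "flags": dict(flag_counts)}


# Constructed sample: the tutorial's example line plus a made-up three-way
# handshake and request from 192.168.1.1 to port 80.
SAMPLE_CAPTURE = """\
23:36:59.581280 IP 143.110.237.64.22 > 70.112.179.47.53357: Flags [P.], seq 448976:449152, ack 1761, win 501, length 176
23:36:59.612407 IP 70.112.179.47.53357 > 143.110.237.64.22: Flags [.], ack 449152, win 63000, length 0
23:37:00.104512 IP 192.168.1.1.44120 > 143.110.237.64.80: Flags [S], seq 1000, win 64240, options [mss 1460,sackOK,TS val 1 ecr 0,nop,wscale 7], length 0
23:37:00.104900 IP 143.110.237.64.80 > 192.168.1.1.44120: Flags [S.], seq 5000, ack 1001, win 65160, options [mss 1460], length 0
23:37:00.105200 IP 192.168.1.1.44120 > 143.110.237.64.80: Flags [.], ack 5001, win 502, length 0
23:37:00.105800 IP 192.168.1.1.44120 > 143.110.237.64.80: Flags [P.], seq 1001:1078, ack 5001, win 502, length 77
"""

if __name__ == "__main__":
    pkts = parse_capture(SAMPLE_CAPTURE)
    print(summarize(pkts))
    # Same effect as "tcpdump port 80", but applied to the saved text
    for p in filter_packets(pkts, port=80):
        print(p["ts"], p["src"], "->", p["dst"], p["flag_names"], "len", p["length"])
```

To use it on a real saved capture, replace SAMPLE_CAPTURE with the contents of traffic.txt (open(...).read()). Lines the regex does not recognise, such as UDP, ARP or IPv6 output, are skipped rather than raising an error, so extend LINE_RE if you need those protocols.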