$ sudo apt install tcpdump -y
List Network Interfaces
$ sudo tcpdump -D
1.eth0 [Up, Running] 2.eth1 [Up, Running] 3.any (Pseudo-device that captures on all interfaces) [Up, Running] 4.lo [Up, Running, Loopback] 5.nflog (Linux netfilter log (NFLOG) interface) 6.nfqueue (Linux netfilter queue (NFQUEUE) interface)
Capture packets from a particular ethernet interface using
$ sudo tcpdump -i eth0
You can use the -v option to increase the verbosity of the output, or -vv and -vvv to increase it even further.
$ sudo tcpdump -i eth0 -vv
If you don’t want tcpdump to endlessly output data to your terminal, you can use the -c option to specify how many packets you’d like the utility to capture. tcpdump will quit executing the command after the threshold has been reached, rather than waiting for you to interrupt. The following command will allow us to capture only the first 15 packets.
$ sudo tcpdump -c 15
If you don’t want tcpdump to perform DNS resolution on the network addresses in the output, you can use the -n option in your command. This will display all network addresses as IP addresses, rather than resolving them to domain names.
$ sudo tcpdump -n
If you would rather save the network traffic output to file, instead of having it listed on your screen, you can always redirect the tcpdump output with the usual > and >> operators.
$ sudo tcpdump > traffic.txt
Another option is to write the network capture to file. These files usually have the .pcap file extension, and can’t be read by an ordinary text editor.
$ sudo tcpdump -n -w traffic.pcap
To open the file for later analysis, use the -r option and the name of your file.
$ sudo tcpdump -r traffic.pcap
To read pcap files, you will need tcpick or tcpxtractor wireshark
Interpret tcpdump command output
Each packet that tcpdump captures is written as an individual line. One of those lines will look something like this:
23:36:59.581280 IP 126.96.36.199.22 > 188.8.131.52.53357: Flags [P.], seq 448976:449152, ack 1761, win 501, length 176
Here’s how to interpret that line of data:
23:36:59.581280 - Timestamp of when the packet was captured. IP 184.108.40.206.22 - IP and port number of the source host. 220.127.116.11.53357 - IP and port number of the destination host. Flags [.] - TCP flags (SYN, ACK, PSH, etc). [.] means ACK. ack 2915 - The acknowledgment number. win 63000 - The window number (bytes in receiving buffer). length 0 - The length of the payload data.
$ sudo tcpdump -i eth0 port 80
Filter records with source and destination IP
To Capture packets from a source IP you can use the following command:
$ sudo tcpdump -i eth0 src 192.168.1.1
You can monitor packets from a destination IP as well with the command below:
$ tcpdump -i eth0 dst 192.168.1.1