The tcpdump command in Linux captures and analyses network traffic arriving at or departing from the system. System administrators commonly use it for network troubleshooting and security testing. Despite the name, it is not limited to TCP: it also captures UDP, ARP, ICMP and any other traffic visible on the interface.
tcpdump is a powerful tool that lets you apply filters and capture only the traffic you are interested in on a network interface. You can also save the captured packets to a .pcap file that can be read later by tcpdump itself or by Wireshark.
How to install tcpdump
If tcpdump is not installed, you can use the following commands to get tcpdump according to your Linux distribution.
Install tcpdump on CentOS, RHEL, and Fedora
$ sudo dnf install tcpdump
Install tcpdump on Ubuntu and Debian
$ sudo apt install tcpdump
Syntax to use tcpdump
The basic syntax for tcpdump command is as follows:
tcpdump [options] [expression]
The expression is a filter written in the Berkeley Packet Filter (BPF) syntax, for example a protocol, host or port, and selects which packets are captured; with no expression, tcpdump captures every packet it sees on the interface.
Capturing from an interface requires root privileges (strictly, the CAP_NET_RAW and CAP_NET_ADMIN capabilities), so run tcpdump with sudo or as root; as an unprivileged user it fails with a permission error when it tries to open the interface. Reading an existing capture file with -r needs no special privileges.
Different examples to use tcpdump command
1. Capture packets on default network interfaces
When tcpdump is run without any options or expression, it captures packets from the default network interface: tcpdump searches the system interface list for the lowest numbered, configured up interface (excluding loopback), which may turn out to be, for example, eth0. Capturing continues until you press Ctrl+C; on exit tcpdump prints how many packets were captured, how many were received by the filter and how many the kernel dropped.
$ sudo tcpdump
2. List available interfaces
The -D flag prints a list of all network interfaces on which tcpdump can capture, each with an index number. On Linux the list also includes the any pseudo-interface, which captures on all interfaces at once. Either the interface name or its index number can be passed to -i.
$ sudo tcpdump -D
3. Capture packets from a specific network interface
The -i option selects the interface to capture on, so you see only packets arriving at or departing from that interface (enp0s8 in the example below). Use the name or the index number shown by -D.
$ sudo tcpdump -i enp0s8
4. Capture a specific number of packets
By default, tcpdump captures packets until you stop it with Ctrl+C. With the -c option, tcpdump exits by itself once the given number of packets has been captured. The following command prints 10 packets going to or from the interface enp0s8 and then exits.
$ sudo tcpdump -c 10 -i enp0s8
5. Display packets in HEX and ASCII format
The -XX option prints each packet in hex and ASCII side by side, including its link-level (Ethernet) header. The related -X option does the same without the link-level header, and -x and -xx print hex only. Because this shows the raw bytes, it is the quickest way to inspect a payload that the protocol decoder does not recognise.
$ sudo tcpdump -XX
6. Print captured packets in only ASCII format
The -A option prints each captured packet (minus its link-level header) in ASCII, which is convenient for reading plaintext protocols such as HTTP: request lines, headers and any credentials sent in the clear appear directly in the output.
$ sudo tcpdump -A -i enp0s8
7. Write packets to a file (Save tcpdump output)
The -w option writes the raw captured packets to a file in pcap format instead of decoding and printing them; nothing is shown on the terminal apart from the final packet count (add -v to get a running count). The file can be analysed later with tcpdump or Wireshark. The default capture length (snaplen) of 262144 bytes keeps whole packets, so a capture file contains full payloads, including any credentials or session tokens that crossed the wire in the clear: treat it as sensitive, restrict its permissions and delete it when the analysis is done, or use -s to limit how much of each packet is saved.
$ sudo tcpdump -w output.pcap -i enp0s8
8. Read packets from a file
To read packets from a file created with the -w option, use the -r option. Reading a file requires no special privileges, and the same filter expressions work, so you can narrow down a large capture offline. Add -n when reading, otherwise tcpdump performs a reverse DNS lookup for every address in the file, which is slow and tells your DNS resolver which hosts appear in the capture. tcpdump's protocol decoders parse whatever bytes the file contains, so read capture files from untrusted sources as an unprivileged user rather than as root.
$ sudo tcpdump -r output.pcap
9. Capture packets with IP addresses (Convert hostname to IP Address)
The -n option tells tcpdump not to convert host addresses to hostnames, so IP addresses are printed as they are. This avoids the reverse DNS lookups that otherwise slow down the output and leak the addresses you are inspecting to your resolver. Doubling it as -nn also stops port numbers being converted to service names, so 443 is printed instead of https.
$ sudo tcpdump -n -i enp0s8
10. Capture only TCP packets
To print only TCP traffic, give tcp as the filter expression. This is a BPF primitive; primitives such as host, net and port can be combined with and, or and not to narrow the capture further.
$ sudo tcpdump -i enp0s8 tcp
11. Capture only UDP packets
Likewise, giving udp as the expression prints only UDP traffic. The same expression syntax applies when reading a saved file with -r.
$ sudo tcpdump -i enp0s8 udp
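The .pcap container that -w produces and -r reads is simple enough to handle by hand, which is worth seeing once. The following Python script is an added example written for this article, not part of tcpdump or the original text: it builds a constructed two-packet capture (one TCP SYN, one UDP datagram, using RFC 5737 documentation addresses) in the classic libpcap format, parses it back the way -r does, decodes the headers numerically as -nn would, and filters the records down to TCP or UDP the way the tcp and udp expressions in examples 10 and 11 do. Every address, frame and timestamp in it is made up; nothing is read from a live interface.

```python
import socket
import struct

# Classic libpcap file header fields, as written by `tcpdump -w`.
PCAP_MAGIC = 0xA1B2C3D4          # microsecond timestamps, writer's native byte order
PCAP_MAGIC_SWAPPED = 0xD4C3B2A1  # the same file written on an opposite-endian host
LINKTYPE_ETHERNET = 1
ETHERTYPE_IPV4 = 0x0800
IPPROTO_TCP, IPPROTO_UDP = 6, 17


def ipv4_checksum(header: bytes) -> int:
    """RFC 791 one's-complement sum over the IPv4 header; returns 0 for a valid header."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack(f"!{len(header) // 2}H", header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_frame(src, dst, proto, sport, dport, payload=b""):
    """Constructed Ethernet/IPv4 frame with a minimal TCP SYN or UDP header (not real traffic)."""
    if proto == IPPROTO_TCP:    # ports, seq, ack, data offset 5 words, SYN flag, window, cksum, urg
        l4 = struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, 0x02, 65535, 0, 0)
    elif proto == IPPROTO_UDP:  # ports, length, checksum (0 means none, which IPv4 permits)
        l4 = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0)
    else:
        raise ValueError("only TCP and UDP are constructed here")
    l4 += payload
    ip = bytearray(struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0x1234, 0x4000,
                               64, proto, 0, socket.inet_aton(src), socket.inet_aton(dst)))
    ip[10:12] = struct.pack("!H", ipv4_checksum(bytes(ip)))   # fill in the header checksum
    eth = bytes.fromhex("001122334455" "66778899aabb") + struct.pack("!H", ETHERTYPE_IPV4)
    return eth + bytes(ip) + l4


def write_pcap(frames, snaplen=262144):
    """Serialise frames into the pcap container (262144 is tcpdump's default snaplen)."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, snaplen, LINKTYPE_ETHERNET)
    for i, frame in enumerate(frames):
        caplen = min(len(frame), snaplen)   # tcpdump truncates to snaplen but records orig length
        out += struct.pack("<IIII", 1_700_000_000 + i, 0, caplen, len(frame)) + frame[:caplen]
    return out


def read_pcap(data: bytes):
    """Yield (ts_sec, ts_usec, frame) records; the magic tells us the writer's byte order."""
    (magic,) = struct.unpack("<I", data[:4])
    endian = {PCAP_MAGIC: "<", PCAP_MAGIC_SWAPPED: ">"}.get(magic)
    if endian is None:
        raise ValueError("not a classic pcap file (pcapng uses a different magic)")
    linktype = struct.unpack(endian + "IHHiIII", data[:24])[6]
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError(f"unsupported linktype {linktype}")
    off = 24
    while off + 16 <= len(data):
        ts_sec, ts_usec, caplen, _orig_len = struct.unpack(endian + "IIII", data[off:off + 16])
        off += 16
        if off + caplen > len(data):
            raise ValueError("truncated packet record")   # never trust a length field blindly
        yield ts_sec, ts_usec, data[off:off + caplen]
        off += caplen


def summarize(frame: bytes) -> dict:
    """Decode Ethernet/IPv4/L4 headers numerically, as `tcpdump -nn` prints them."""
    if len(frame) < 34 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV4:
        return {"proto": None}
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    sport, dport = struct.unpack("!HH", ip[ihl:ihl + 4])
    return {"proto": ip[9], "src": socket.inet_ntoa(ip[12:16]),
            "dst": socket.inet_ntoa(ip[16:20]), "sport": sport, "dport": dport}


def filter_by_proto(pcap_bytes: bytes, proto: int) -> list:
    """Pure-Python stand-in for `tcpdump -r file.pcap tcp` / `tcpdump -r file.pcap udp`."""
    return [s for _, _, f in read_pcap(pcap_bytes) if (s := summarize(f))["proto"] == proto]


# Constructed sample capture: one TCP SYN to port 443 and one UDP datagram to port 53.
SAMPLE_PCAP = write_pcap([
    build_frame("192.0.2.10", "203.0.113.7", IPPROTO_TCP, 51234, 443),
    build_frame("192.0.2.10", "192.0.2.1", IPPROTO_UDP, 40000, 53, b"\x00" * 12),
])

if __name__ == "__main__":
    for ts, us, frame in read_pcap(SAMPLE_PCAP):
        s = summarize(frame)
        name = {IPPROTO_TCP: "TCP", IPPROTO_UDP: "UDP"}.get(s["proto"], "?")
        print(f"{ts}.{us:06d} IP {s['src']}.{s['sport']} > {s['dst']}.{s['dport']}: {name}")
```

Run it with python3 and it prints the two records in a tcpdump-like one-line-per-packet form; the bytes in SAMPLE_PCAP written to disk are also readable with tcpdump -nr. The parser checks every record length against the buffer before slicing and rejects unknown magics and link types, which is the habit you want when handling capture files of unknown origin.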
Conclusion
tcpdump is a powerful command that helps capture and analyse packets on a network interface. It comes in handy for troubleshooting connectivity issues and for seeing exactly what a host sends and receives on the wire.
This article has covered the most common tcpdump options and their usage. If anything is unclear, do let us know via the comments.