Tcpdump is a powerful command-line packet analyzer. This guide covers the essentials of capturing and analyzing network traffic with tcpdump.
The commands below are grouped by task, each introduced by a comment line describing what it does:
# List available interfaces
tcpdump -D
# Capture on specific interface
tcpdump -i eth0
# Capture with verbose output
tcpdump -i eth0 -v
# Save capture to file
tcpdump -i eth0 -w capture.pcap
# Read from capture file
tcpdump -r capture.pcap
# Display packet contents
tcpdump -i eth0 -X
# Limit number of packets
tcpdump -i eth0 -c 100
# Capture only TCP traffic
tcpdump -i eth0 tcp
# Capture traffic on specific port
tcpdump -i eth0 port 80
# Capture traffic to/from host
tcpdump -i eth0 host 192.168.1.1
# Capture specific protocol
tcpdump -i eth0 icmp
# Combine filters
tcpdump -i eth0 'tcp and port 80'
# Source/destination filters
tcpdump -i eth0 src host 192.168.1.1
tcpdump -i eth0 dst port 443
# TCP flags
tcpdump -i eth0 'tcp[tcpflags] & (tcp-syn) != 0'
# Packet size filters
tcpdump -i eth0 'len > 1000'
# MAC address filters
tcpdump -i eth0 'ether host 00:11:22:33:44:55'
# VLAN filters
tcpdump -i eth0 'vlan 100'
# Complex boolean logic
tcpdump -i eth0 '(tcp and port 80) or (udp and port 53)'
# Packet content matching: HTTP GET at the start of the TCP payload.
# The payload offset depends on the TCP header length (the data offset in tcp[12]),
# so read it from the header rather than assuming a fixed offset such as tcp[32:4],
# which only matches when the header carries exactly 12 bytes of options.
tcpdump -i eth0 'tcp[((tcp[12:1] & 0xf0) >> 2):4] = 0x47455420' # GET
# HTTP traffic
tcpdump -i eth0 -A 'tcp port 80'
# DNS queries
tcpdump -i eth0 'udp port 53'
# HTTPS traffic
tcpdump -i eth0 'tcp port 443'
# ICMP traffic
tcpdump -i eth0 'icmp[icmptype] = icmp-echo'
# ARP traffic
tcpdump -i eth0 'arp'
# NTP traffic
tcpdump -i eth0 'udp port 123'
# Timestamp options
tcpdump -i eth0 -tttt # Human readable time
tcpdump -i eth0 -ttt # Delta time
# Verbose output levels
tcpdump -i eth0 -v # Verbose
tcpdump -i eth0 -vv # More verbose
tcpdump -i eth0 -vvv # Even more verbose
# ASCII output
tcpdump -i eth0 -A # ASCII
tcpdump -i eth0 -X # Hex and ASCII
# Quiet output
tcpdump -i eth0 -q # Less protocol info
# Custom format: line-buffer output (-l) and pipe it to awk; in the default IP line, field 3 is the source address and port
tcpdump -i eth0 -l | awk '{print $3}'
# Buffer size in KiB (a larger buffer reduces dropped packets under load)
tcpdump -i eth0 -B 4096
# Snapshot length: bytes captured per packet (96 keeps headers but truncates payloads; -s 0 captures whole packets)
tcpdump -i eth0 -s 96
# No name resolution
tcpdump -i eth0 -n # No DNS
tcpdump -i eth0 -nn # No DNS or port names
# Rotate capture files: start a new file every 1 MB (-C) and keep at most 5 files (-W)
tcpdump -i eth0 -W 5 -C 1 -w capture.pcap
# Monitor mode
tcpdump -i wlan0 --monitor-mode
# Detect SYN flood: isolate bare SYNs (SYN set, ACK clear); a flood shows up as a high rate of these
tcpdump -i eth0 'tcp[tcpflags] & (tcp-syn) != 0 and not tcp[tcpflags] & (tcp-ack) != 0'
# Monitor SSH attempts
tcpdump -i eth0 'tcp port 22'
# Detect port scanning: packets with only SYN set; many of them from one source to many ports suggests a scan
tcpdump -i eth0 'tcp[tcpflags] == tcp-syn'
# Spot possible DNS tunneling: unusually large DNS packets (100 bytes is a heuristic threshold, not a hard rule)
tcpdump -i eth0 'udp port 53 and length > 100'
# Track suspicious IPs
tcpdump -i eth0 'host 192.168.1.100'
# Monitor large packets
tcpdump -i eth0 'length > 1500'
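As an added example (written for this page, not code from tcpdump or the guide's author), the following Python emulates how the byte-offset filters above read the TCP header: the GET match from the packet content matching command and the SYN-flag tests from the SYN flood and port scan commands. It builds constructed TCP segments inline so it runs offline without tcpdump; the segment builder and helper names are assumptions of this example.

```python
import struct

TCP_SYN, TCP_ACK = 0x02, 0x10  # bit values tcpdump names tcp-syn and tcp-ack

def build_tcp_segment(payload: bytes, options: bytes = b"", flags: int = 0x18) -> bytes:
    """Constructed TCP segment: 20-byte base header, optional options, then payload."""
    assert len(options) % 4 == 0, "TCP options must pad to a 32-bit boundary"
    data_offset_words = (20 + len(options)) // 4
    offset_flags = (data_offset_words << 12) | flags  # 4-bit data offset, 6 flag bits
    header = struct.pack("!HHIIHHHH",
                         40000, 80,       # source port, destination port
                         1, 0,            # sequence and acknowledgement numbers
                         offset_flags,
                         65535, 0, 0)     # window, checksum (left zero), urgent pointer
    return header + options + payload

def tcp_index(segment: bytes, offset: int, size: int = 1) -> int:
    """Emulate tcpdump's tcp[offset:size]: big-endian integer read at that offset."""
    return int.from_bytes(segment[offset:offset + size], "big")

def matches_get_fixed_offset(segment: bytes) -> bool:
    """tcp[32:4] = 0x47455420: only true when the header happens to be 32 bytes."""
    return tcp_index(segment, 32, 4) == 0x47455420

def matches_get_data_offset(segment: bytes) -> bool:
    """tcp[((tcp[12:1] & 0xf0) >> 2):4] = 0x47455420: reads the header length first."""
    payload_start = (tcp_index(segment, 12) & 0xF0) >> 2  # data offset in bytes
    return tcp_index(segment, payload_start, 4) == 0x47455420

def is_bare_syn(segment: bytes) -> bool:
    """tcp[tcpflags] & (tcp-syn|tcp-ack) == tcp-syn: SYN set, ACK clear (tcpflags is byte 13).
    In pcap-filter '&' binds tighter than '=='; Python needs the explicit parentheses."""
    return (tcp_index(segment, 13) & (TCP_SYN | TCP_ACK)) == TCP_SYN

# Constructed sample traffic, not captured data.
GET_REQUEST = b"GET / HTTP/1.1\r\nHost: example.invalid\r\n\r\n"
TIMESTAMP_OPTS = b"\x01\x01\x08\x0a" + b"\x00" * 8   # NOP, NOP, timestamp: 12 bytes
PLAIN_GET = build_tcp_segment(GET_REQUEST)                 # 20-byte header
OPTS_GET = build_tcp_segment(GET_REQUEST, TIMESTAMP_OPTS)  # 32-byte header
SYN = build_tcp_segment(b"", flags=TCP_SYN)
SYN_ACK = build_tcp_segment(b"", flags=TCP_SYN | TCP_ACK)

if __name__ == "__main__":
    for name, seg in (("no options", PLAIN_GET), ("timestamp options", OPTS_GET)):
        print(f"{name}: tcp[32:4] match={matches_get_fixed_offset(seg)}, "
              f"data-offset match={matches_get_data_offset(seg)}")
    print(f"bare SYN: syn={is_bare_syn(SYN)}, syn/ack={is_bare_syn(SYN_ACK)}")
```

Running it shows the fixed-offset filter missing the GET on the segment without options while the data-offset form matches both.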
Tcpdump is an essential tool for network analysis and security monitoring. By mastering its features and following best practices, you can effectively capture and analyze network traffic.
Remember to use appropriate filters and consider security implications when capturing network traffic.