tcpdump Command: Tutorial & Examples

A tool for network diagnostics

The tcpdump command is a powerful tool for network diagnostics and data traffic analysis. This command-line utility allows you to capture and analyze network traffic going in and out of your system.

Understanding how tcpdump works is vital for diagnosing network failures and other complex network issues. It is also invaluable for security audits, as it can reveal suspicious activity on your network.

How does tcpdump work

tcpdump works by putting the network interface card (NIC) into promiscuous mode. In this mode, the NIC passes all traffic it receives to the CPU rather than just the packets intended for it. tcpdump uses a packet capture library to capture the network packets that your system is receiving or sending.

Why is tcpdump important

Network problems can be tricky to diagnose. tcpdump allows you to see the network packets in real time or from a saved capture file. This insight can be vital when troubleshooting complex network issues, such as a slow network connection or network failure.

Typical tcpdump usage

Here are some examples of how to use the tcpdump command:

tcpdump -i eth0

This command will start capturing all packets on the eth0 interface.

tcpdump -i eth0 -w /tmp/capture.pcap

The -w option allows you to write the packet data to a file for later analysis.

tcpdump -r /tmp/capture.pcap

You can read from a capture file using the -r option.

tcpdump -i eth0 port 80

To filter the traffic by port number, simply specify the port after the interface.

Typical output of tcpdump

A typical output of tcpdump might look something like this:

14:23:45.678901 IP 192.0.2.1.12345 > 203.0.113.1.80: Flags [.], seq 54321:54361, ack 1, win 512, length 40

This output shows a packet sent from IP 192.0.2.1, port 12345, to IP 203.0.113.1, port 80. The flags indicate the control bits set in the TCP header (e.g., SYN, ACK), and the sequence number, acknowledgement number, and window size are also displayed.

Conclusion

The tcpdump command is a powerful and flexible network tool that every Linux system administrator should be familiar with. Its ability to capture and analyze network traffic can be invaluable when diagnosing network issues or performing security audits.

Except where otherwise noted, content on this site is licensed under a CC BY-SA 4.0 license CC BY SA