From the Wikipedia definition of this software: tcpdump is a common packet analyzer that runs under the command line. It allows the user to display TCP/IP and other packets being transmitted or received over a network to which the computer is attached. Distributed under the BSD license, tcpdump is free software.
Tcpdump works on most Unix-like operating systems: Linux, Solaris, FreeBSD, DragonFly BSD, NetBSD, OpenBSD, OpenWrt, macOS, HP-UX 11i, and AIX. In those systems, tcpdump uses the libpcap library to capture packets. The port of tcpdump for Windows is called WinDump; it uses WinPcap, the Windows port of libpcap.
I will try to give some examples from my live Linux Mint system.
How to Install TCPDUMP in Linux
apt install tcpdump
yum install tcpdump
dnf install tcpdump
zypper in tcpdump
pacman -S tcpdump
About my server: it runs Linux Mint, with these Ethernet devices:
root@osradar-mint:~# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: enp0s3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
    link/ether 08:00:27:5c:74:04 brd ff:ff:ff:ff:ff:ff
    inet 192.168.2.19/24 brd 192.168.2.255 scope global dynamic noprefixroute enp0s3
       valid_lft 74362sec preferred_lft 74362sec
    inet6 2a02:a455:37bd:1:2ca6:1548:d1d8:80e7/64 scope global temporary dynamic
       valid_lft 175508sec preferred_lft 74243sec
    inet6 2a02:a455:37bd:1:4262:9eed:cf1c:815/64 scope global dynamic mngtmpaddr noprefixroute
       valid_lft 175508sec preferred_lft 89108sec
    inet6 fe80::fb51:c130:5a:c13e/64 scope link noprefixroute
       valid_lft forever preferred_lft forever
1-Select the interface on which the capture is to take place
The command scrolls non-stop until you interrupt it; it prints every packet going through the device given with -i (on other systems the device may be called eth0 or something else).
# tcpdump -i enp0s3
2-Find Traffic Using Ports and Port Ranges
In this way you can capture traffic on a specific port or on a range of ports. Let's give an example to find traffic on port 80, and one for a port range:
root@osradar-mint:~# tcpdump port 80
root@osradar-mint:~# tcpdump portrange 80-444
3-Find Traffic Based on Packet Size
Are you looking for packets of a particular size? Then use these filters. You can use the keywords less and greater (less N is the same as len <= N, greater N is the same as len >= N); a bare comparison must use len and be quoted, otherwise the shell treats < as a redirection.
# tcpdump less 16
# tcpdump greater 128
# tcpdump 'len <= 8'
4-Find Traffic by IP
One of the most common queries: this will show you traffic involving 18.104.22.168, whether it is the source or the destination.
4-1-Filtering by Source and Destination
# tcpdump host 22.214.171.124
Isolate traffic based on either the source or the destination using the src and dst options:
# tcpdump src 10.0.0.1
# tcpdump dst 10.0.0.254
4-2-Finding Packets by Network
To find packets going to or from a particular network, use net with the network in CIDR notation:
# tcpdump net 192.168.2.0/24
5-Capture and Save Packets to a File and Read Them Back
5-1-Capture and save packets into a file
Use Control+C to interrupt the capture and stop writing to the file.
# tcpdump -w file1.pcap -i enp0s3
5-2-Read the captured packets from the file
# tcpdump -r file1.pcap
6-Capture Only a Limited Number of Packets
This example gets only 10 packets; use the -c option to stop after that count:
tcpdump -c 10 -i enp0s3
7-How to Capture Packets in HEX and ASCII
The -XX option prints the data of each packet, including its link-level header, in hex and ASCII.
# tcpdump -XX -i enp0s3
8-Capture Cookies from Server and from Client
Capturing cookies 🙂
9-Find SSH Connections
This is a very smart method to detect an SSH connection, even from someone connecting to a non-standard SSH port: it reads the TCP data offset from byte 12 of the TCP header (the high nibble, in 32-bit words; shifting right by 2 turns it into a byte count) and compares the first four bytes of the payload with 0x5353482D, which is "SSH-" in ASCII, the start of the SSH version banner.
tcpdump 'tcp[(tcp[12]>>2):4] = 0x5353482D'
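As an added example that is not part of the original post, the same banner filter is re-implemented in Python over a pcap file of the kind written in section 5, so the offset arithmetic behind tcp[(tcp[12]>>2):4] is visible; the frames, the pcap bytes and the helper names (_pkt, build_pcap, ssh_banner_packets) are all constructed here, not taken from tcpdump.

```python
import struct

def _pkt(src_port, dst_port, tcp_opts, payload):
    """Build an Ethernet/IPv4/TCP frame (constructed, not a real capture)."""
    data_off = (20 + len(tcp_opts)) // 4          # TCP header length in 32-bit words
    tcp = struct.pack("!HHIIBBHHH", src_port, dst_port, 1, 0,
                      data_off << 4, 0x18, 65535, 0, 0) + tcp_opts + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64, 6, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2])) + tcp
    return b"\x00" * 12 + b"\x08\x00" + ip         # zeroed MACs, ethertype IPv4

def build_pcap(frames):
    """Wrap frames in a little-endian pcap file, link type 1 = Ethernet."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for f in frames:
        out += struct.pack("<IIII", 0, 0, len(f), len(f)) + f
    return out

def ssh_banner_packets(pcap):
    """Return (src, dst) port pairs whose TCP payload starts with 'SSH-'."""
    hits = []
    pos = 24                                      # skip the pcap global header
    while pos < len(pcap):
        caplen = struct.unpack("<I", pcap[pos + 8:pos + 12])[0]
        frame = pcap[pos + 16:pos + 16 + caplen]
        pos += 16 + caplen
        if frame[12:14] != b"\x08\x00":
            continue                              # not IPv4
        ihl = (frame[14] & 0x0F) * 4
        if frame[14 + 9] != 6:
            continue                              # not TCP
        tcp = frame[14 + ihl:]
        # tcp[12] keeps the data offset (in 32-bit words) in its high nibble;
        # shifting right by 2 turns that into a byte offset, the filter's trick.
        off = tcp[12] >> 2
        if tcp[off:off + 4] == b"SSH-":           # 0x5353482D as ASCII
            hits.append(struct.unpack("!HH", tcp[:4]))
    return hits

# Constructed sample capture: standard port, a non-standard port with a TCP
# option (MSS) that moves the payload, and an HTTP request that must not match.
SAMPLE_PCAP = build_pcap([
    _pkt(22, 51000, b"", b"SSH-2.0-OpenSSH_8.9\r\n"),
    _pkt(2222, 51001, b"\x02\x04\x05\xb4", b"SSH-2.0-dropbear\r\n"),
    _pkt(80, 51002, b"", b"GET / HTTP/1.1\r\n"),
])

if __name__ == "__main__":
    print(ssh_banner_packets(SAMPLE_PCAP))        # [(22, 51000), (2222, 51001)]
```

The second frame carries a TCP option, so a naive check at payload offset 20 would miss it; reading the data offset, as the tcpdump filter does, still finds the banner on port 2222.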
10-Capture Clear-Text Passwords
10-1-Extract HTTP Passwords in POST Requests
Get passwords from the POST data. The Host: header is included so we know which site the password is used for.
tcpdump -s 0 -A -n -l | egrep -i "POST /|pwd=|passwd=|password=|Host:"
10-2-Capture Clear-Text Passwords from Other Services
tcpdump -l -A port http or port ftp or port smtp or port imap or port pop3 | egrep -i 'pass=|pwd=|log=|login=|user=|username=|pw=|passw=|passwd=|password=|pass:|user:|username:|password:|login:|pass |user ' --color=auto --line-buffered -B20
11-Find Out Which Switch Port Is Connected to the Server using tcpdump
In corporate environments you need to find out which network switch and switch port is connected to which NIC of the server. The filter below matches Cisco Discovery Protocol (CDP) frames, which carry the switch name and port ID, so it only works where the switch sends CDP; -c 1 makes tcpdump wait for the first such frame and then exit. Please use this command:
tcpdump -nn -v -i <NIC_INTERFACE> -s 1500 -c 1 'ether[20:2] == 0x2000'
tcpdump is one of the top network analyzer tools and has tons of options to analyze the incoming and outgoing packets on your network.