How to use Tcpdump packet analyzer


FromWikiperdia definition of this software: tcpdump is a common packet analyzer that runs under the command line. It allows the user to display TCP/IP and other packets being transmitted or received over a network to which the computer is attached.[3] Distributed under the BSD license,[4] tcpdump is free software.

Tcpdump works on most Unix-like operating systems: Linux, Solaris, FreeBSD, DragonFly BSD, NetBSD, OpenBSD, OpenWrt, macOS, HP-UX 11i, and AIX. In those systems, tcpdump uses the libpcap library to capture packets. The port of tcpdump for Windows is called WinDump; it uses WinPcap, the Windows port of libpcap.

i will try to give some examples from my Live Mint Linux

How to Install TCPDUMP in Linux


apt install   tcpdump

Fedora/ Centos

yum  install tcpdump
dnf install  tcpdump


Zypper  in  tcpdump


pacman -S tcpdump

About My Servers  its    Linux mint: with these Ethernet  devices

root@osradar-mint:~# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: enp0s3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
link/ether 08:00:27:5c:74:04 brd ff:ff:ff:ff:ff:ff
inet brd scope global dynamic noprefixroute enp0s3
valid_lft 74362sec preferred_lft 74362sec
inet6 2a02:a455:37bd:1:2ca6:1548:d1d8:80e7/64 scope global temporary dynamic
valid_lft 175508sec preferred_lft 74243sec
inet6 2a02:a455:37bd:1:4262:9eed:cf1c:815/64 scope global dynamic mngtmpaddr noprefixroute
valid_lft 175508sec preferred_lft 89108sec
inet6 fe80::fb51:c130:5a:c13e/64 scope link noprefixroute
valid_lft forever preferred_lft forever

1-Select interface that the capture is to take place

The command scroll up non-stop until you interrupt it. its  tracking  every package  going thru the devices (-i)   ( for other devices systems can be called eth0 or something else)

#tcpdump -i enp0s3

2-Find Traffic Using Ports and Port Ranges

in this way you can capture traffic on specific ports or from ports ranges. lets give  een example to find traffic on port 80

root@osradar-mint:~# tcpdump port 80
root@osradar-mint:~# tcpdump portrange 80-444

3-Find Traffic Based on Packet Size

Are you looking for packets of a particular size themn use these options. You can use options like less, greater,

# tcpdump less 16
# tcpdump greater 128
# tcpdump <= 8

4-Find Traffic by IP

One of the most common queries, this will show you traffic from whether it’s the source or the destination.

4-1-Filtering by Source and Destination

# tcpdump host

isolate traffic based on either source or destination using src and dst options.

# tcpdump src
# tcpdump dst

4-2-Finding Packets by Network

To find packets going to or from a particular network,

# tcpdump net

5-Capture and Save Packets in a File and read from file 

5-1-capture and save packets into a file

user (Control+c) to  interrupt  saving

# tcpdump -w file1.pcap -i enp0s3

5-2-Read the packets capter from the file.

  # tcpdump -r file1.pcap

6-Capture Only limited number of Packets

This example to get only 10 packets.  use the option of (-c)

tcpdump -c 9 -i enp0s3

7-How to Capture Packets in HEX and ASCII

The option of -XX capture the data of each packet, including its link level header in HEX and ASCII format.

# tcpdump -XX -i enp0s3

8-Capture Cookies from Server and from Client

Capturing cookies 🙂

9–Find SSH Connections

This is an very smart method to detect ssh Connection even from someome trying to connect to  a non-standard ssh port

 tcpdump  'tcp[(tcp[12]>>2):4] = 0x5353482D'

10-Capture Clear text  password

10-1-Extract HTTP Passwords in POST Requests

get some passwords from the POST data. Will include Host: so we know what the password is used for.

tcpdump -s 0 -A -n -l | egrep -i "POST /|pwd=|passwd=|password=|Host:"

10-2-Capter Other clear password from other services 

 tcpdump port http or port ftp or port smtp or port imap or port pop3 -l -A | egrep -i 'pass=|pwd=|log=|login=|user=|username=|pw=|passw=|passwd=|password=|pass:|user:|username:|password:|login:|pass |user ' --color=auto --line-buffered -B20

11-Find Out Which Switch Port Connected to Server using tcpdump

In Corporate Environments,  you need to find out which Network switch and switch port are connected to which NIC of the server. to find out network switch and switch port which is connected to a NIC. please  use this  command:

tcpdump -nn -v -i  <NIC_INTERFACE>  -s 1500 -c 1 'ether[20:2] == 0x2000'

tcpdump is one of the top network analyzer tools and has tons of options to analyze your network from incoming and outgoing packets.


Please enter your comment!
Please enter your name here