The tcpdump command is a very useful tool when troubleshooting networks. In this article, we’ll go over some examples of how to use tcpdump on Linux and what they mean.
1. Capture packet for a specific port
The following command listens on the eth0 interface (the default network interface on many Linux systems) and captures only the packets whose source or destination port is 80; -i eth0 selects the interface and port 80 is the filter expression.
tcpdump -i eth0 port 80
2. Capture packet for specific interface
If you want to capture only packets on a specific interface, use the -i option followed by the interface name. For example, to capture only packets sent from or received by wlan1, pass -i wlan1 instead of -i eth0 in the commands below.
3. Capture only ICMP traffic
If you want to capture only ICMP traffic, use the icmp filter keyword (note that -c is a different option: it limits the number of packets captured and does not take a protocol name). For example:
tcpdump -i eth0 icmp
4. Capture all traffic except ICMP
To capture all traffic except ICMP:
$ sudo tcpdump -i eth0 -nnX not icmp
This command captures all packets on interface eth0 except ICMP. The -nn option disables both host-name and port-name resolution, so addresses and ports are printed numerically, and -X prints each packet's contents in hex and ASCII.
5. Capture only ARP traffic
If you want to capture only ARP packets and ignore all other traffic on the network interface, use the arp filter keyword; the "-n" switch keeps the output numeric. For example:
$ sudo tcpdump -n -i eth0 arp
This command captures only ARP packets (requests and replies) on eth0. The "-n" option tells tcpdump not to convert IP addresses into host names, which also stops the capture itself from generating DNS lookups.
6. Capture TCP traffic excluding port 22 and 80
To capture TCP traffic that does not involve port 22 or port 80, you can use the following command:
tcpdump -v -i eth0 -w /tmp/output.pcap 'tcp and not port 22 and not port 80'
Options such as -w must come before the filter expression, and the expression should be quoted as a single argument so that the shell does not interpret characters in it (tcpdump accepts ! as a synonym for not, but an unquoted ! is special to some shells).
7. Capture only UDP traffic on port 69
To capture only UDP traffic on port 69, run the following command:
tcpdump -i eth0 -n -w /tmp/udp-69.pcap udp and port 69
8. Capture packets that have port 22 or 53 or 80 (OR operation)
You can also use tcpdump to capture packets that carry a particular port number, or any one of several port numbers.
For example, to capture all packets involving port 22 (SSH), you would use this command:
tcpdump -i eth0 'port 22'
This shows all traffic sent or received on port 22. If you want all TCP traffic involving either port 80 or port 443, use this command:
tcpdump -i eth0 'tcp port 80 or 443'
The or operation matches a packet if any one of the listed ports is present, so the same form extends to three or more ports, such as the 22, 53 and 80 in this section's heading.
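The filters in sections 6 and 8 are easy to get wrong (commas, operator precedence, shell-special characters), so it helps to compile an expression before running a capture. The script below is an added example, not part of the original article: its helper names are its own, and it checks a filter by asking tcpdump to compile it (-d) against a constructed, header-only pcap file, which needs neither root nor a live interface.

```shell
#!/bin/sh
# Added example: build and syntax-check tcpdump (pcap-filter) expressions.
# Helper names are this example's own; the expressions they produce match
# the ones used in the article.

# Build "PROTO and not port A and not port B ..." (section 6 style).
exclude_ports_filter() {
    proto=$1; shift
    filter=$proto
    for p in "$@"; do
        filter="$filter and not port $p"
    done
    printf '%s\n' "$filter"
}

# Build "port A or port B or port C" (section 8 style).
any_ports_filter() {
    filter=""
    for p in "$@"; do
        if [ -z "$filter" ]; then filter="port $p"; else filter="$filter or port $p"; fi
    done
    printf '%s\n' "$filter"
}

# Compile a filter without capturing: tcpdump -d prints the compiled BPF
# program and exits. Reading an (empty) pcap file supplies the link type
# (Ethernet), so no interface is opened and no privileges are needed.
# Returns 0 if the expression compiles, non-zero otherwise.
check_filter() {
    f=$(mktemp) || return 1
    # Constructed 24-byte pcap global header: magic 0xa1b2c3d4 (little-endian),
    # version 2.4, thiszone 0, sigfigs 0, snaplen 65535, linktype 1 (EN10MB).
    printf '\324\303\262\241\002\000\004\000\000\000\000\000\000\000\000\000\377\377\000\000\001\000\000\000' > "$f"
    tcpdump -r "$f" -d "$1" >/dev/null 2>&1
    rc=$?
    rm -f "$f"
    return $rc
}

# Usage: validate each expression; pass the validated string, quoted, as the
# single filter argument of the real capture, e.g.
#   sudo tcpdump -i eth0 -nn -w /tmp/out.pcap "$(exclude_ports_filter tcp 22 80)"
for expr in "$(exclude_ports_filter tcp 22 80)" "$(any_ports_filter 22 53 80)"; do
    if command -v tcpdump >/dev/null 2>&1; then
        check_filter "$expr" && echo "OK:  $expr" || echo "BAD: $expr"
    else
        echo "tcpdump not installed; expression built: $expr"
    fi
done
```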
Tcpdump is a very handy tool that allows you to troubleshoot networks at the packet level. One of its advantages is that it doesn't require any additional software, such as Snort, to be installed on your system and therefore won't add extra load on your system. In this tutorial we looked at some tcpdump examples that can be used for network monitoring and troubleshooting purposes.