Linux tcpdump Command with Practical Examples


Introduction

In this lab, you will learn how to use the powerful tcpdump command to capture and analyze network traffic on a Linux system. The tcpdump command is a widely-used network packet analyzer tool that allows you to monitor and inspect network packets in real-time, making it a valuable tool for network troubleshooting, security analysis, and understanding network behavior. The lab will cover the basics of using tcpdump, including capturing network traffic and filtering the output to focus on specific types of network activity.




Introduction to tcpdump Command

In this step, you will learn about the tcpdump command, a powerful network packet analyzer tool used to capture and analyze network traffic on Linux systems.

The tcpdump command allows you to monitor and inspect network packets in real-time, making it a valuable tool for network troubleshooting, security analysis, and understanding network behavior.

Let's start by installing the tcpdump package on our Ubuntu 22.04 Docker container:

sudo apt-get update
sudo apt-get install -y tcpdump

Example output:

Hit:1 http://archive.ubuntu.com/ubuntu jammy InRelease
Get:2 http://security.ubuntu.com/ubuntu jammy-security InRelease [110 kB]
Get:3 http://archive.ubuntu.com/ubuntu jammy-updates InRelease [114 kB]
Get:4 http://archive.ubuntu.com/ubuntu jammy-backports InRelease [99.8 kB]
Get:5 http://security.ubuntu.com/ubuntu jammy-security/main amd64 Packages [2,276 kB]
Get:6 http://archive.ubuntu.com/ubuntu jammy-updates/main amd64 Packages [2,644 kB]
Get:7 http://archive.ubuntu.com/ubuntu jammy-backports/main amd64 Packages [11.3 kB]
Fetched 5,255 kB in 2s (2,627 kB/s)
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
The following additional packages will be installed:
  libpcap-dev libpcap0.8 tcpdump
Suggested packages:
  tcpdump-dbg
The following NEW packages will be installed:
  libpcap-dev libpcap0.8 tcpdump
0 upgraded, 3 newly installed, 0 to remove and 0 not upgraded.
Need to get 521 kB of archives.
After this operation, 1,455 kB of additional disk space will be used.
Do you want to continue? [Y/n] Y
Get:1 http://archive.ubuntu.com/ubuntu jammy/main amd64 libpcap0.8 amd64 1.10.1-5ubuntu1 [146 kB]
Get:2 http://archive.ubuntu.com/ubuntu jammy/main amd64 libpcap-dev amd64 1.10.1-5ubuntu1 [185 kB]
Get:3 http://archive.ubuntu.com/ubuntu jammy/main amd64 tcpdump amd64 4.99.1-3ubuntu1 [190 kB]
Fetched 521 kB in 0s (3,837 kB/s)
Selecting previously unselected package libpcap0.8:amd64.
(Reading database ... 14289 files and directories currently installed.)
Preparing to unpack .../libpcap0.8_1.10.1-5ubuntu1_amd64.deb ...
Unpacking libpcap0.8:amd64 (1.10.1-5ubuntu1) ...
Selecting previously unselected package libpcap-dev:amd64.
Preparing to unpack .../libpcap-dev_1.10.1-5ubuntu1_amd64.deb ...
Unpacking libpcap-dev:amd64 (1.10.1-5ubuntu1) ...
Selecting previously unselected package tcpdump.
Preparing to unpack .../tcpdump_4.99.1-3ubuntu1_amd64.deb ...
Unpacking tcpdump (4.99.1-3ubuntu1) ...
Setting up libpcap0.8:amd64 (1.10.1-5ubuntu1) ...
Setting up libpcap-dev:amd64 (1.10.1-5ubuntu1) ...
Setting up tcpdump (4.99.1-3ubuntu1) ...
Processing triggers for man-db (2.10.2-1) ...
Processing triggers for libc-bin (2.35-0ubuntu3.1) ...

Now that we have installed tcpdump, let's explore some basic usage:

sudo tcpdump -i any -n

Example output:

tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on any, link-type LINUX_SLL (Linux cooked), capture size 262144 bytes
16:25:32.792941 IP 172.17.0.2 > 172.17.0.1: ICMP echo request, id 1, seq 1, length 64
16:25:32.793005 IP 172.17.0.1 > 172.17.0.2: ICMP echo reply, id 1, seq 1, length 64
16:25:33.792998 IP 172.17.0.2 > 172.17.0.1: ICMP echo request, id 1, seq 2, length 64
16:25:33.793058 IP 172.17.0.1 > 172.17.0.2: ICMP echo reply, id 1, seq 2, length 64
^C
4 packets captured
4 packets received by filter
0 packets dropped by kernel

The -i any option tells tcpdump to capture traffic on all available network interfaces, and -n tells it not to convert addresses (host addresses and port numbers) to names; the DNS lookups that name resolution triggers can slow the capture down and generate extra traffic of their own.

This command will start capturing network traffic and display the captured packets in real-time. You can press Ctrl+C to stop the capture.

Capturing Network Traffic with tcpdump

In this step, you will learn how to use the tcpdump command to capture network traffic and analyze the captured packets.

Let's start by capturing network traffic on all interfaces, limited to the first 10 packets:

sudo tcpdump -i any -c 10

Example output:

tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on any, link-type LINUX_SLL (Linux cooked), capture size 262144 bytes
16:29:56.832591 IP 172.17.0.2 > 172.17.0.1: ICMP echo request, id 1, seq 3, length 64
16:29:56.832648 IP 172.17.0.1 > 172.17.0.2: ICMP echo reply, id 1, seq 3, length 64
16:29:57.832607 IP 172.17.0.2 > 172.17.0.1: ICMP echo request, id 1, seq 4, length 64
16:29:57.832663 IP 172.17.0.1 > 172.17.0.2: ICMP echo reply, id 1, seq 4, length 64
16:29:58.832617 IP 172.17.0.2 > 172.17.0.1: ICMP echo request, id 1, seq 5, length 64
16:29:58.832673 IP 172.17.0.1 > 172.17.0.2: ICMP echo reply, id 1, seq 5, length 64
16:29:59.832628 IP 172.17.0.2 > 172.17.0.1: ICMP echo request, id 1, seq 6, length 64
16:29:59.832684 IP 172.17.0.1 > 172.17.0.2: ICMP echo reply, id 1, seq 6, length 64
17:00:00.832638 IP 172.17.0.2 > 172.17.0.1: ICMP echo request, id 1, seq 7, length 64
17:00:00.832694 IP 172.17.0.1 > 172.17.0.2: ICMP echo reply, id 1, seq 7, length 64
10 packets captured
10 packets received by filter
0 packets dropped by kernel

The -c 10 option tells tcpdump to capture a maximum of 10 packets and then exit.

You can also capture packets and save them to a file for later analysis:

sudo tcpdump -i any -w network_capture.pcap

This command will start capturing network traffic and save it to a file named network_capture.pcap. Press Ctrl+C to stop the capture.

To view the captured packets, you can use a network protocol analyzer tool like Wireshark. Alternatively, you can use the tcpdump command to analyze the captured file:

sudo tcpdump -r network_capture.pcap

This will display the contents of the network_capture.pcap file.

Filtering Network Traffic with tcpdump

In this step, you will learn how to use tcpdump to filter network traffic based on various criteria, such as IP addresses, ports, and protocols.

Let's start by capturing only the HTTP traffic:

sudo tcpdump -i any -c 10 tcp port 80

Example output:

tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on any, link-type LINUX_SLL (Linux cooked), capture size 262144 bytes
17:04:01.832648 IP 172.17.0.2.49154 > 172.17.0.1.80: Flags [S], seq 3569349168, win 64240, options [mss 1460,sackOK,TS val 1000 ecr 0,nop,wscale 7], length 0
17:04:01.832702 IP 172.17.0.1.80 > 172.17.0.2.49154: Flags [S.], seq 2662318800, ack 3569349169, win 65160, options [mss 1460,sackOK,TS val 1000 ecr 1000,nop,wscale 7], length 0
17:04:01.832736 IP 172.17.0.2.49154 > 172.17.0.1.80: Flags [.], ack 1, win 502, length 0
17:04:01.832747 IP 172.17.0.2.49154 > 172.17.0.1.80: Flags [P.], seq 1:74, ack 1, win 502, length 73
17:04:01.832766 IP 172.17.0.1.80 > 172.17.0.2.49154: Flags [.], ack 74, win 512, length 0
17:04:01.832774 IP 172.17.0.1.80 > 172.17.0.2.49154: Flags [P.], seq 1:1449, ack 74, win 512, length 1448
17:04:01.832785 IP 172.17.0.2.49154 > 172.17.0.1.80: Flags [.], ack 1449, win 502, length 0
17:04:01.832793 IP 172.17.0.2.49154 > 172.17.0.1.80: Flags [F.], seq 74, ack 1449, win 502, length 0
17:04:01.832807 IP 172.17.0.1.80 > 172.17.0.2.49154: Flags [F.], seq 1449, ack 75, win 512, length 0
17:04:01.832815 IP 172.17.0.2.49154 > 172.17.0.1.80: Flags [.], ack 1450, win 502, length 0
10 packets captured
10 packets received by filter
0 packets dropped by kernel

The tcp port 80 filter tells tcpdump to only capture packets on TCP port 80, which is the standard port for HTTP traffic.

You can also filter by IP addresses:

sudo tcpdump -i any -c 10 host 172.17.0.2

This will capture the first 10 packets to or from the IP address 172.17.0.2.

Additionally, you can combine multiple filters:

sudo tcpdump -i any -c 10 tcp port 80 and host 172.17.0.2

This will capture the first 10 packets that are HTTP traffic to or from the IP address 172.17.0.2.
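One way to triage the text output shown in this lab, as an added example that is not part of the original lab: a POSIX sh/awk function that reads `tcpdump -n` lines (live, or via `tcpdump -n -r network_capture.pcap`) and reports packets and bytes per source/destination pair plus the number of bare SYN packets per destination port, which is the quickest way to see which host is initiating connections and where. The function name and the sample lines are constructed here; the parser assumes -n output, since resolved names change the field layout.

```shell
#!/bin/sh
# Summarise tcpdump -n text output (live or from `tcpdump -n -r file.pcap`):
# per "src > dst" pair, the packet count and summed payload length, plus a
# count of bare SYN packets per destination port, i.e. connection attempts.

summarize_tcpdump() {
    awk '
        # Packet lines begin with a timestamp (HH:MM:SS.usec) followed by "IP";
        # summary lines such as "10 packets captured" are skipped.
        $1 ~ /^[0-9][0-9]:[0-9][0-9]:[0-9][0-9]\.[0-9]+$/ && $2 == "IP" {
            src = $3
            dst = $5
            sub(/:$/, "", dst)              # drop the trailing colon
            key = src " > " dst
            pkts[key]++
            if ($(NF-1) == "length") bytes[key] += $NF
            # TCP lines carry "Flags [S]," for a SYN without ACK
            if ($6 == "Flags" && $7 == "[S],") {
                n = split(dst, part, ".")   # last dotted element is the port
                syn[part[n]]++
            }
        }
        END {
            for (k in pkts) printf "pair %s packets=%d bytes=%d\n", k, pkts[k], bytes[k]
            for (p in syn)  printf "syn_to_port %s %d\n", p, syn[p]
        }' | LC_ALL=C sort
}

# Constructed sample: three lines of the HTTP handshake and one ICMP echo
# modelled on the captures shown above (TCP options trimmed), plus a summary line.
SAMPLE='17:04:01.832648 IP 172.17.0.2.49154 > 172.17.0.1.80: Flags [S], seq 3569349168, win 64240, length 0
17:04:01.832702 IP 172.17.0.1.80 > 172.17.0.2.49154: Flags [S.], seq 2662318800, ack 3569349169, win 65160, length 0
17:04:01.832736 IP 172.17.0.2.49154 > 172.17.0.1.80: Flags [.], ack 1, win 502, length 0
16:25:32.792941 IP 172.17.0.2 > 172.17.0.1: ICMP echo request, id 1, seq 1, length 64
4 packets captured'

printf '%s\n' "$SAMPLE" | summarize_tcpdump
```

On a real capture, pipe `sudo tcpdump -i any -n -c 1000 | summarize_tcpdump` or feed it the output of `tcpdump -n -r network_capture.pcap`.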

Summary

In this lab, you learned how to use the tcpdump command, a powerful network packet analyzer tool, to capture and analyze network traffic on a Linux system. You started by installing the tcpdump package on an Ubuntu 22.04 Docker container. Then you captured network traffic with tcpdump, saved it to a pcap file, and filtered the captured data by criteria such as IP address, port number, and protocol. With these basics you can use tcpdump for network troubleshooting, security analysis, and understanding network behavior.
