Copyright © 2026 LinuxLab. All rights reserved.

tcpdump: packet capture

tcpdump captures packets from a network interface using a BPF filter. It supports writing pcap files for later analysis in Wireshark.

aka: pcap, packet-capture

Basic syntax

tcpdump [-OPTIONS] [BPF-FILTER]

Minimal working commands:

bash
sudo tcpdump -i eth0                # capture everything on eth0
sudo tcpdump -i any                 # all interfaces
sudo tcpdump -i lo -nn -c 10        # 10 packets on loopback, no DNS resolution

Main flags

  • -i IFACE - interface (any for all)
  • -n - do not resolve addresses to names
  • -nn - do not resolve addresses or port numbers to service names (80 instead of http)
  • -c N - capture N packets and exit
  • -w FILE.pcap - write to file (readable by Wireshark)
  • -r FILE.pcap - read from file
  • -s SNAP - snaplen (how many bytes of each packet to save; 0 = full packet)
  • -e - show the L2 header (MAC addresses)
  • -X - hex dump of the payload
  • -A - ASCII payload (HTTP requests appear in plain text)
  • -vvv - maximum verbosity

BPF filters

The most powerful feature of tcpdump is its native BPF filter expression:

bash
tcpdump -i any 'host 8.8.8.8'
tcpdump -i eth0 'port 443'
tcpdump -i any 'tcp port 80 and host example.com'
tcpdump -i any 'icmp'
tcpdump -i any 'tcp[tcpflags] & (tcp-syn|tcp-ack) == tcp-syn'   # SYN only
tcpdump -i any 'net 10.0.0.0/8'
tcpdump -i any 'not arp'

Main keywords:

  • host, src, dst - IP address
  • port, src port, dst port - port
  • tcp, udp, icmp, arp - protocol
  • net - subnet
  • and, or, not - logical operators

Parentheses must be escaped or wrapped in single quotes:

bash
tcpdump -i any '(port 80 or port 443) and host google.com'

Writing to pcap

bash
sudo tcpdump -i any -w capture.pcap 'tcp port 443'
# ... do something ...
Ctrl+C
ls -lh capture.pcap                 # check pcap file size
tcpdump -r capture.pcap -nn | head  # read it back

A pcap file opens in Wireshark, which provides a graphical parser for all protocols with color-coded field highlighting.

Watching a TCP handshake

To observe a TCP three-way handshake on loopback (start a listener on port 8080 first, then connect to it):

bash
sudo tcpdump -i lo -nn 'tcp port 8080' -c 6
# Flags [S],     seq 1000              <- SYN
# Flags [S.],    seq 5000, ack 1001    <- SYN-ACK
# Flags [.],     ack 5001              <- ACK
# Flags [P.],    seq 1001:1041, ack 5001  <- data with PUSH
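As an added example (not part of the linuxlab page), a small shell/awk checker that reads saved tcpdump -nn output and confirms the SYN, SYN-ACK, ACK sequence shown above, including that each ack number is the previous seq plus one. The sample lines are constructed to match tcpdump's default line format; the function and variable names are this example's own.

```bash
#!/usr/bin/env bash
# Validate a TCP three-way handshake in tcpdump -nn output.
# Typical source of input:  sudo tcpdump -i lo -nn 'tcp port 8080' -c 6 > handshake.txt
# Reads the file(s) given as arguments, or stdin when none are given.
# Exit status 0 = SYN / SYN-ACK / ACK seen with consistent seq/ack numbers.
check_handshake() {
    awk '
        # Return the number following the keyword "seq" or "ack" (digits only,
        # so "1001," and "1001:1041," both yield 1001).
        function field(name,    i) {
            for (i = 1; i <= NF; i++)
                if ($i == name) { v = $(i + 1); gsub(/[^0-9].*/, "", v); return v }
            return ""
        }
        # state 0: waiting for SYN; 1: waiting for SYN-ACK; 2: waiting for ACK; 3: done
        /Flags \[S\],/   && state == 0 { isn = field("seq"); state = 1; next }
        /Flags \[S\.\],/ && state == 1 { if (field("ack") == isn + 1) { srv = field("seq"); state = 2 }; next }
        /Flags \[\.\],/  && state == 2 { if (field("ack") == srv + 1) { state = 3; exit } }
        END {
            if (state == 3) { print "handshake OK"; exit 0 }
            print "incomplete handshake (state " state ")"; exit 1
        }
    ' "$@"
}

# Constructed sample: a complete handshake plus the first data segment.
HANDSHAKE_SAMPLE='12:00:00.000100 IP 127.0.0.1.51234 > 127.0.0.1.8080: Flags [S], seq 1000, win 65495, length 0
12:00:00.000200 IP 127.0.0.1.8080 > 127.0.0.1.51234: Flags [S.], seq 5000, ack 1001, win 65483, length 0
12:00:00.000300 IP 127.0.0.1.51234 > 127.0.0.1.8080: Flags [.], ack 5001, win 512, length 0
12:00:00.000400 IP 127.0.0.1.51234 > 127.0.0.1.8080: Flags [P.], seq 1001:1041, ack 5001, win 512, length 40'

# Constructed sample: the server answered the SYN with a RST (port closed), so no handshake.
HALF_OPEN_SAMPLE='12:00:01.000100 IP 127.0.0.1.51235 > 127.0.0.1.8080: Flags [S], seq 2000, win 65495, length 0
12:00:01.000200 IP 127.0.0.1.8080 > 127.0.0.1.51235: Flags [R.], seq 0, ack 2001, win 0, length 0'

printf '%s\n' "$HANDSHAKE_SAMPLE" | check_handshake   # prints "handshake OK"
```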

Useful optimizations

  • -s 96 - capture headers only (when you care about flow, not payload). This cuts pcap file size significantly.
  • -G 60 -W 24 -w cap_%H%M.pcap - rotation: 60 seconds x 24 files = one hour of continuous capture without overflow.

§ Commands

bash
sudo tcpdump -i any -nn 'tcp port 80' -c 20

First 20 HTTP packets on any interface

bash
sudo tcpdump -i any -w trace.pcap 'host 1.2.3.4'

Write all traffic to/from host 1.2.3.4 to a pcap file (Ctrl+C to stop)

bash
sudo tcpdump -i any -nn 'icmp'

ICMP traffic only. Useful for watching pings (see [[icmp]])

bash
sudo tcpdump -nei eth0 -c 5 'arp'

ARP packets with the L2 header (-e), showing who is looking for whom

bash
sudo tcpdump -i any -A 'tcp port 80' -c 5

ASCII payload. On HTTP traffic you see the GET request and Host header directly in the output.

§ See also

  • ethernet-frame: Ethernet frame. An Ethernet frame is the L2 transmission unit: dst-MAC, src-MAC, EtherType, payload (usually an IP packet), FCS checksum. Standard MTU is 1500 bytes.
  • tcp-handshake: TCP three-way handshake. A TCP connection opens with three packets: SYN from the client, SYN-ACK from the server, ACK from the client. After that the connection is Established and data transfer can begin.
  • icmp: ICMP (Internet Control Message Protocol). ICMP is the control protocol on top of IP for control messages: echo (ping), destination-unreachable, time-exceeded (used by traceroute), MTU discovery. Not for data.

§ Mentioned in lessons

  • advanced-03-tc-netem
  • advanced-05-bandwidth-iperf
  • intermediate-02-tcp-handshake
  • intermediate-07-debugging-with-proc