How to run a packet capture using tcpdump Linux CLI

This is a quick reference on how to run a packet capture using tcpdump on Linux-based operating systems.

1. tcpdump -D

This will list the available interfaces.

root@test:~# tcpdump -D
1.eth0 [Up, Running]
2.eth1 [Up, Running]
3.eth2 [Up, Running]

2. tcpdump -i

This will capture all traffic on the specified interface.

root@test:~# tcpdump -i eth2
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth2, link-type EN10MB (Ethernet), capture size 262144 bytes

3. tcpdump port

You can filter the traffic by specifying the port number.

The following example filters by both interface and port number. If you run the command without specifying the interface, tcpdump selects the first interface (eth0 in this case).

root@test:~# tcpdump -i eth2 port 80
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth2, link-type EN10MB (Ethernet), capture size 262144 bytes
13:00:21.501011 IP 10.0.125.10.44516 > google-public-dns-a.google.com.http: Flags [S], seq 4102846987, win 29200, options [mss 1460,sackOK,TS val 26158995 ecr 0,nop,wscale 7], length 0
13:00:22.500454 IP 10.0.125.10.44516 > google-public-dns-a.google.com.http: Flags [S], seq 4102846987, win 29200, options [mss 1460,sackOK,TS val 26159245 ecr 0,nop,wscale 7], length 0

4. tcpdump src

Filter based on source IP address.

root@test:~# tcpdump src 10.0.125.10 -i eth2
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth2, link-type EN10MB (Ethernet), capture size 262144 bytes
13:03:52.900872 IP 10.0.125.10.44520 > google-public-dns-a.google.com.http: Flags [S], seq 1863096986, win 29200, options [mss 1460,sackOK,TS val 26211845 ecr 0,nop,wscale 7], length 0

5. tcpdump dst

Filter based on destination IP address.

root@test:~# tcpdump dst 8.8.8.8 -i eth2
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth2, link-type EN10MB (Ethernet), capture size 262144 bytes
13:07:49.548608 IP 10.0.125.10.44522 > google-public-dns-a.google.com.http: Flags [S], seq 2687856649, win 29200, options [mss 1460,sackOK,TS val 26271007 ecr 0,nop,wscale 7], length 0

6. tcpdump host

Filter based on host IP address.

root@test:~# tcpdump host 10.0.125.10 -i eth2
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth2, link-type EN10MB (Ethernet), capture size 262144 bytes
13:12:39.924415 IP 10.0.125.10.44524 > google-public-dns-a.google.com.http: Flags [S], seq 2438985162, win 29200, options [mss 1460,sackOK,TS val 26343601 ecr 0,nop,wscale 7], length 0

7. tcpdump net

Filter based on subnet.

root@test:~# tcpdump net 10.0.125.0/24 -i eth2
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth2, link-type EN10MB (Ethernet), capture size 262144 bytes
13:15:27.052086 IP 10.0.125.10.44526 > google-public-dns-a.google.com.http: Flags [S], seq 2268200896, win 29200, options [mss 1460,sackOK,TS val 26385383 ecr 0,nop,wscale 7], length 0
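Once the capture is running, the summary lines tcpdump prints are worth reading, not just collecting: in the port 80 capture above the same SYN (seq 4102846987 from port 44516) appears twice a second apart with no reply, which is a client retrying a handshake nobody answers. The Python below is an added example, not part of this post: it parses tcpdump's summary format and reports SYNs retransmitted with the same sequence number that never received a SYN-ACK. The sample input is constructed from the capture lines shown above plus one made-up SYN-ACK reply so the answered-flow path is exercised.

```python
import re
from collections import Counter

# Constructed sample: the three SYN lines from the captures above plus one
# constructed SYN-ACK reply (not on the page) so the "answered" path is exercised.
SAMPLE = """\
13:00:21.501011 IP 10.0.125.10.44516 > google-public-dns-a.google.com.http: Flags [S], seq 4102846987, win 29200, options [mss 1460,sackOK,TS val 26158995 ecr 0,nop,wscale 7], length 0
13:00:22.500454 IP 10.0.125.10.44516 > google-public-dns-a.google.com.http: Flags [S], seq 4102846987, win 29200, options [mss 1460,sackOK,TS val 26159245 ecr 0,nop,wscale 7], length 0
13:03:52.900872 IP 10.0.125.10.44520 > google-public-dns-a.google.com.http: Flags [S], seq 1863096986, win 29200, options [mss 1460,sackOK,TS val 26211845 ecr 0,nop,wscale 7], length 0
13:03:52.901200 IP google-public-dns-a.google.com.http > 10.0.125.10.44520: Flags [S.], seq 1, ack 1863096987, win 65535, length 0
"""

# One tcpdump summary line: timestamp, src.port > dst.port, flags, seq.
# Hostnames contain dots, so the greedy \S+ stops at the last dot before the port.
LINE_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) IP (?P<src>\S+)\.(?P<sport>[^.\s]+) > "
    r"(?P<dst>\S+)\.(?P<dport>[^.:\s]+): Flags \[(?P<flags>[^\]]*)\], seq (?P<seq>\d+)"
)


def parse_line(line):
    """Return the parsed fields of one summary line, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    fields = m.groupdict()
    fields["seq"] = int(fields["seq"])
    return fields


def unanswered_syn_retransmits(text):
    """Map (src, sport, dst, dport, seq) -> count for SYNs seen more than once
    with no SYN-ACK back to that flow. Repeated SYNs with the same seq mean
    the client is retrying a handshake that nobody answers."""
    syns = Counter()
    answered = set()
    for line in text.splitlines():
        pkt = parse_line(line)
        if pkt is None:
            continue
        if pkt["flags"] == "S":
            syns[(pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"], pkt["seq"])] += 1
        elif pkt["flags"] == "S.":
            # A SYN-ACK from server to client answers the (client -> server) flow.
            answered.add((pkt["dst"], pkt["dport"], pkt["src"], pkt["sport"]))
    return {k: n for k, n in syns.items() if n > 1 and k[:4] not in answered}


if __name__ == "__main__":
    for flow, n in unanswered_syn_retransmits(SAMPLE).items():
        print(f"{flow[0]}:{flow[1]} -> {flow[2]}:{flow[3]} SYN seq {flow[4]} sent {n}x, no SYN-ACK")
```

Feed it real output with `tcpdump -i eth2 -n -l port 80 | python3 script.py` style piping (reading stdin instead of SAMPLE); without `-n` tcpdump resolves names as above, which the parser also accepts.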


Thank you for reading and please feel free to leave any feedback.
