How to Capture Network Traffic in Linux With tcpdump

Linux comes equipped with a plethora of networking utilities to choose from. tcpdump is one such powerful networking tool that can capture and analyze network traffic should you need to troubleshoot network errors on Linux.

Let’s get hands-on with the tcpdump command and explore how to use it to capture network traffic.


Installing tcpdump in Linux

tcpdump usually comes pre-installed with all mainstream Linux distributions and security-based alternatives. So you should be able to use it right away by typing in tcpdump with a sudo prefix.

In case you are unable to run the tcpdump command and are stuck at the “tcpdump: command not found” error, let’s learn how to install tcpdump on your Linux machine.


To install tcpdump, fire up the terminal and run the command corresponding to the Linux distro that you’re currently using:

On Debian/Ubuntu derivatives, run:


On Arch-based systems, run:

To install the tcpdump utility on Fedora, CentOS, and RHEL, issue the following command:


Note that if you’re asked to install libpcap, type in Yes or Y, as it is a core dependency without which tcpdump will refuse to start up. This should install the tcpdump utility and solve the “command not found” error.

Now that tcpdump has been installed on your system, let’s explore the different options and functionalities it offers.


Capturing Network Traffic With tcpdump

tcpdump offers a lot of flags to modify its execution but it can be run as a standalone command as well. However, running tcpdump without any flags or arguments would be neglecting its full potential. It’s always better to use a few flags to tweak the execution and output as necessary.

Type in this command to monitor network transmissions with tcpdump:

Now tcpdump will start to automatically capture network packets until an interrupt signal is sent with Ctrl + Z to break the process manually. To limit the total number of packets captured, use the -c flag and type in the desired limit of packets next to it:

If you can’t make sense of the output right now, you need to get familiar with the tcpdump output format first.

Check Available Network Interfaces With tcpdump

By default, tcpdump captures traffic from any of the available network interfaces. If you have multiple active network interfaces in use, you might want to define the network interface from which tcpdump should capture packets. To start tcpdump on a specific interface, you will have to first learn about the interface name.

Here’s how to list all available network interfaces with tcpdump:

Or, it’s possible to add the --list-interfaces flag to the command:

The output returned contains a list of all the active network interfaces that tcpdump can listen to. To configure tcpdump to capture transmissions from a particular network interface, type in this command:

Or, you can add the --interface flag to the command:

Now that we have captured a few packets, let’s study them closely and learn how you can tweak the output to be more readable.

Exploring tcpdump Filters

tcpdump is capable of capturing an overwhelming amount of traffic in a single run. Such information overload can throw you off track when investigating or troubleshooting issues with a specific host or network protocol.

Here’s where the tcpdump filters come into play. You can append certain filter expressions to the tcpdump command to narrow the network traffic and capture only specific packets. You can then store those packets and later analyze them to get to the root of any network-related problems. Let’s learn how to use filters in tcpdump.

Filter Packets Based on the Network Protocol in Use

To filter packets transmitted via a specific protocol, type in the protocol name with the tcpdump command, and it will only capture packets traveling via the defined network protocol.

For example, to capture ICMP-based packets, you would simply attach icmp at the end of the tcpdump command. The process is the same if you wish to capture only UDP or TCP packets.

This command will only return output if there is an exchange of data through the ICMP protocol.

Filter Packets Based on the Host

You can configure tcpdump to capture packets related to a single host with the host parameter. This is especially useful when all the systems of your network are functioning except for one. This filter lets you perform targeted investigation and speeds up the overall troubleshooting workflow since you aren’t distracted by unnecessary data.

To capture packets related to a specific host, define the host’s network address with the host parameter:

Similar to the network protocol filter, this command will only return output if any ongoing transmission is related to the defined host.

Filter Packets Based on the Active Port

tcpdump is equipped with a parameter that lets you filter network traffic and capture only packets that are transmitted to or from a specific port.

To capture packets coming from a specific port, append the port flag to the tcpdump command and define the port number next to it. For instance, to capture any incoming or outgoing HTTP traffic, define port 80:

tcpdump will filter for traffic on port 80, waiting for HTTP transmissions. Once it detects HTTP packets on the network, it will capture them.

Combine Filters Together for Advanced Sorting

Previous sections discussed how you can filter traffic based on port, protocol, or host, but what if you wanted to capture traffic from a single port of a specific host using a particular network protocol? Well, you’re in luck, because this is possible thanks to the ability to combine filters with logical operators in the tcpdump command.

To capture packets from an individual host using port 443, use this command:
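As an added example that is not from the original article: the same host, port and protocol conditions applied offline, in Python, to the one-line text output tcpdump prints by default (without -v or -x), so you can check what a combined filter would have kept. The sample lines are constructed and use RFC 5737 documentation addresses; the parser handles only IPv4 summary lines, which is an assumption of this example, and the `Packet`, `matches` and `top_destinations` names are its own.

```python
"""Parse tcpdump's default one-line-per-packet text output and apply the
same host / port / protocol conditions offline.

Added example, not from the original article: it mirrors what the `host`,
`port` and protocol primitives do on the tcpdump command line, but runs
over text you already have (for example saved with `tcpdump ... > out.txt`).
Assumptions: IPv4 summary lines only (no -v, -x or IPv6), and the sample
below is constructed with RFC 5737 documentation addresses.
"""
import re
from collections import Counter
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample: a TCP handshake to port 443, an ICMP echo request,
# an mDNS datagram and an SSH segment arriving from another LAN host.
SAMPLE_OUTPUT = """\
12:00:01.000123 IP 192.168.1.10.51234 > 203.0.113.5.443: Flags [S], seq 100, win 64240, length 0
12:00:01.000456 IP 203.0.113.5.443 > 192.168.1.10.51234: Flags [S.], seq 200, ack 101, win 65535, length 0
12:00:02.100000 IP 192.168.1.10 > 198.51.100.7: ICMP echo request, id 1, seq 1, length 64
12:00:02.200000 IP 192.168.1.10.5353 > 224.0.0.251.5353: UDP, length 45
12:00:03.000000 IP 192.168.1.11.40000 > 192.168.1.10.22: Flags [P.], seq 1:33, ack 1, win 501, length 32
"""

# "<time> IP <src> > <dst>: <rest>"; for TCP/UDP, src and dst end in ".<port>".
LINE_RE = re.compile(r"^(?P<ts>\S+) IP (?P<src>\S+) > (?P<dst>\S+): (?P<rest>.*)$")
LENGTH_RE = re.compile(r"length (\d+)")


@dataclass
class Packet:
    ts: str
    proto: str
    src_host: str
    src_port: Optional[int]
    dst_host: str
    dst_port: Optional[int]
    length: int


def _protocol(rest: str) -> str:
    """tcpdump names ICMP and UDP explicitly; TCP lines start with 'Flags ['."""
    if rest.startswith("ICMP"):
        return "icmp"
    if rest.startswith("UDP"):
        return "udp"
    if rest.startswith("Flags ["):
        return "tcp"
    return "other"


def _endpoint(token: str, has_port: bool) -> Tuple[str, Optional[int]]:
    if not has_port:
        return token, None
    host, port = token.rsplit(".", 1)   # the last dotted component is the port
    return host, int(port)


def parse_line(line: str) -> Optional[Packet]:
    m = LINE_RE.match(line.strip())
    if not m:
        return None   # ARP, IPv6, or a continuation line from -v/-x output
    proto = _protocol(m["rest"])
    has_port = proto in ("tcp", "udp")
    src_host, src_port = _endpoint(m["src"], has_port)
    dst_host, dst_port = _endpoint(m["dst"], has_port)
    lm = LENGTH_RE.search(m["rest"])
    return Packet(m["ts"], proto, src_host, src_port, dst_host, dst_port,
                  int(lm.group(1)) if lm else 0)


def parse_capture(text: str) -> List[Packet]:
    return [p for p in (parse_line(line) for line in text.splitlines()) if p]


def matches(p: Packet, host: Optional[str] = None, port: Optional[int] = None,
            proto: Optional[str] = None) -> bool:
    """Semantics of `host X and port Y and <proto>`: host and port match in
    either direction, and every condition given must hold."""
    if host is not None and host not in (p.src_host, p.dst_host):
        return False
    if port is not None and port not in (p.src_port, p.dst_port):
        return False
    if proto is not None and p.proto != proto:
        return False
    return True


def apply_filter(packets: List[Packet], **conds) -> List[Packet]:
    return [p for p in packets if matches(p, **conds)]


def top_destinations(packets: List[Packet], n: int = 3):
    """Packets per (destination host, port): a quick view of which services
    a capture is talking to, useful before narrowing the filter."""
    return Counter((p.dst_host, p.dst_port) for p in packets).most_common(n)


if __name__ == "__main__":
    pkts = parse_capture(SAMPLE_OUTPUT)
    for p in apply_filter(pkts, host="203.0.113.5", port=443, proto="tcp"):
        print(p.ts, p.proto, f"{p.src_host}:{p.src_port} -> {p.dst_host}:{p.dst_port}")
    print(top_destinations(pkts))
```

Running the script prints only the two handshake packets for the combined host-and-port-and-tcp condition, which is exactly the subset the equivalent tcpdump filter would have captured; the ICMP line passes a host-only filter but has no port, so any port condition rejects it.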

Inspect the Contents of Captured Packets

By default, tcpdump displays the headers of a packet in the output. While that is more than enough in most cases, sometimes you might want or need to look deeper into the captured data. You can pass certain parameters with the tcpdump command to inspect the content of the captured packet.

Here’s how to view the content of the packets:

This command returns the hex version of the content in a captured packet. If you wish to view the ASCII form of the data, you’re able to pass the -A parameter:

Save tcpdump Output to a File

Like almost any other Linux command-line tool, you can store the output produced by tcpdump into a file to be referenced later.

This can be done by adding the -w flag to the command. Upon execution, tcpdump will store the captured data into a .pcap file that can be later analyzed with tcpdump or other network monitoring tools like Wireshark.

Type in this command to store your tcpdump command’s output into a file:

To read a .pcap file, you’re able to use tcpdump with the -r parameter:
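An added example, not from the article or from tcpdump itself: a minimal writer and reader for the classic libpcap file format that -w produces and -r reads, plus hex and ASCII renderings of a packet in the spirit of -x and -A. The file layout is the documented pcap format (a 24-byte global header, then a 16-byte record header before each packet). The Ethernet/IPv4/TCP frame is constructed by hand with zero checksums, and the `sample_frame`, `roundtrip`, `as_hex` and `as_ascii` names are this example's own.

```python
"""Round-trip packets through the classic libpcap file format (what
`tcpdump -w` writes and `tcpdump -r` reads) and render them as hex/ASCII.

Added example, not from the original article or from tcpdump itself. The
layout used is the documented pcap format: a 24-byte global header, then
a 16-byte record header in front of every packet. The frame built below is
constructed test data with zero checksums.
"""
import os
import struct
import tempfile
from typing import Dict, List, Tuple

PCAP_MAGIC = 0xA1B2C3D4      # microsecond-timestamp pcap
LINKTYPE_ETHERNET = 1
DEFAULT_SNAPLEN = 262144     # tcpdump's default capture length

Packet = Tuple[int, int, bytes]          # (ts_sec, ts_usec, frame bytes)
Record = Tuple[int, int, int, bytes]     # (ts_sec, ts_usec, orig_len, captured bytes)


def sample_frame() -> bytes:
    """Constructed Ethernet/IPv4/TCP frame carrying an HTTP request line."""
    eth = bytes.fromhex("001122334455" "66778899aabb" "0800")  # dst MAC, src MAC, EtherType IPv4
    payload = b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0x1234, 0x4000,
                     64, 6, 0, bytes([192, 168, 1, 10]), bytes([203, 0, 113, 5]))
    tcp = struct.pack("!HHIIBBHHH", 51234, 80, 1, 1, 5 << 4, 0x18, 64240, 0, 0)
    return eth + ip + tcp + payload


def write_pcap(path: str, packets: List[Packet], snaplen: int = DEFAULT_SNAPLEN) -> None:
    """Write packets little-endian; like tcpdump, store at most snaplen bytes of each."""
    with open(path, "wb") as f:
        f.write(struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, snaplen, LINKTYPE_ETHERNET))
        for ts_sec, ts_usec, data in packets:
            captured = data[:snaplen]
            f.write(struct.pack("<IIII", ts_sec, ts_usec, len(captured), len(data)))
            f.write(captured)


def read_pcap(path: str) -> Tuple[Dict[str, object], List[Record]]:
    """Parse a classic pcap file in either byte order; reject anything else."""
    with open(path, "rb") as f:
        blob = f.read()
    if len(blob) < 24:
        raise ValueError("file too short for a pcap global header")
    (magic,) = struct.unpack("<I", blob[:4])
    if magic == PCAP_MAGIC:
        end = "<"
    elif magic == 0xD4C3B2A1:            # same magic, file written big-endian
        end = ">"
    else:
        raise ValueError(f"not a classic pcap file (magic {magic:#x})")
    _, vmaj, vmin, _, _, snaplen, linktype = struct.unpack(end + "IHHiIII", blob[:24])
    header = {"version": (vmaj, vmin), "snaplen": snaplen, "linktype": linktype}
    records: List[Record] = []
    off = 24
    while off + 16 <= len(blob):
        ts_sec, ts_usec, incl_len, orig_len = struct.unpack(end + "IIII", blob[off:off + 16])
        off += 16
        data = blob[off:off + incl_len]
        if len(data) != incl_len or incl_len > snaplen:
            raise ValueError(f"corrupt record at offset {off - 16}")
        off += incl_len
        records.append((ts_sec, ts_usec, orig_len, data))
    return header, records


def roundtrip(packets: List[Packet], snaplen: int = DEFAULT_SNAPLEN):
    """Write packets to a temporary .pcap and read them back."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "capture.pcap")
        write_pcap(path, packets, snaplen)
        return read_pcap(path)


def as_hex(data: bytes, width: int = 16) -> List[str]:
    """Hex view in the style of `tcpdump -x`: offset, then 16-bit groups."""
    return [f"0x{off:04x}:  " + " ".join(data[i:i + 2].hex()
                                         for i in range(off, min(off + width, len(data)), 2))
            for off in range(0, len(data), width)]


def as_ascii(data: bytes) -> str:
    """ASCII view in the spirit of `tcpdump -A`: printable bytes kept, the rest shown as '.'."""
    return "".join(chr(b) if 32 <= b < 127 else "." for b in data)


if __name__ == "__main__":
    header, records = roundtrip([(1700000000, 123456, sample_frame())])
    print(header)
    for ts_sec, ts_usec, orig_len, data in records:
        print(f"{ts_sec}.{ts_usec:06d} captured {len(data)} of {orig_len} bytes")
        print("\n".join(as_hex(data)))
        print(as_ascii(data))
```

The record header stores both the captured and the original length, which is why a capture taken with a small snaplen still reports the true packet size even though the payload bytes are cut off; the reader checks that every record's captured length fits inside the file and the header's snaplen, which is the kind of sanity check worth having before feeding an untrusted .pcap to other tooling.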

The Best Networking Tools for Linux

Linux ships with a plethora of networking tools that can solve every network issue as long as it’s on the software side of things. Knowing how to use a few of the best networking tools in Linux will definitely come in handy, whether you’re a sysadmin managing networks for a living or just an everyday Linux user.

Since the actual list of available networking commands can be too much to fathom, here’s a list of some of the most important Linux networking tools that you should know.
