Introduction to Tcpdump packets
Using Tcpdump to analyze network traffic
Tcpdump is a command-line packet analysis tool. Much like Wireshark, you can use Tcpdump to capture and analyze packets, troubleshoot connection issues, and look for potential security issues on a network. Tcpdump is a portable command-line utility that can be used even when a GUI is not available, and when Wireshark is not installed.
Today, let’s take a look at how to use Tcpdump to analyze packets! Open up your terminal and follow along.
First, before we go on, remember that Tcpdump needs the ability to capture raw packets and manipulate network interfaces in order to operate. This means that you need to run Tcpdump as a superuser, so all of the commands introduced today should be prefixed with “sudo”.
First, you can use the “-D” flag to list the interfaces available for capture.
$ sudo tcpdump -D
1.en0 [Up, Running]
2.bridge0 [Up, Running]
3.p2p0 [Up, Running]
4.awdl0 [Up, Running]
5.utun0 [Up, Running]
6.en1 [Up, Running]
7.en2 [Up, Running]
8.lo0 [Up, Running, Loopback]
Let’s start capturing some packets. You can use the “-i” flag to specify the interface that you want to capture from. Specifying “any” as the interface will capture from all active interfaces; naming a specific interface captures from that one only.
$ sudo tcpdump -i any
$ sudo tcpdump -i eth1
Now, you should start seeing packet details in your terminal! Tcpdump will continue to capture packets until you interrupt it by pressing “Ctrl+C”. You can also use the “-v” flag to adjust the level of verbosity in Tcpdump’s output.
$ sudo tcpdump -i any -v (Verbose output)
$ sudo tcpdump -i any -vv (Even more verbose output)
$ sudo tcpdump -i any -vvv (The most verbose output)
Tcpdump has a variety of filters that allow you to capture only the packets that fit your criteria. First, you can filter captured traffic by protocol. For example, this command will capture only TCP packets.
$ sudo tcpdump tcp
If you are only interested in traffic for a specific port, you can use the “port” filter to target your analysis.
$ sudo tcpdump port 80
This command will capture all traffic with port 80 as either the source or the destination port. If you want to be more specific and capture only traffic whose source port, or only traffic whose destination port, is 80, you can use the following commands.
$ sudo tcpdump src port 80 (Source port is 80)
$ sudo tcpdump dst port 80 (Destination port is 80)
On the other hand, if you are only interested in traffic for a specific host, you can use the “host” filter. The “host” filter can also be combined with the “src” or “dst” qualifier.
$ sudo tcpdump host 18.104.22.168
$ sudo tcpdump src host 22.214.171.124 (Source host is 22.214.171.124)
$ sudo tcpdump dst host 188.8.131.52 (Destination host is 188.8.131.52)
Finally, you can even combine multiple filters in Tcpdump! You can combine filters with the boolean operators “and” and “or”. Quoting the whole expression keeps the shell from interpreting any of it.
$ sudo tcpdump 'src port 80 and dst host 220.127.116.11'
$ sudo tcpdump 'src port 80 or src port 443'
Saving the output
You can save the captured packets into a file rather than printing them out by using the “-w” flag.
$ sudo tcpdump tcp -w PATH_TO_FILE
If you want Tcpdump both to save and print the packets, you can use the “--print” flag in conjunction with the “-w” flag.
$ sudo tcpdump tcp -w PATH_TO_FILE --print
This saved file can later be read using the “-r” flag.
$ sudo tcpdump -r PATH_TO_FILE
Decoding the output
The format of Tcpdump’s output depends on the protocol. A typical output line for TCP looks like this.
17:42:53.490718 IP 192.168.0.1.443 > 192.168.0.114.59509: Flags [.], ack 1, win 67, length 0
The first field, “17:42:53.490718” is the timestamp of the captured packet. Next, “IP” represents the network layer protocol, which in this case was IPv4.
The next field is the source IP and port. “192.168.0.1.443” means that the source IP was “192.168.0.1” and the source port was 443 (the port is the last dot-separated component). Similarly, “192.168.0.114.59509” represents the destination IP and port.
“Flags [.]” represents the TCP flags. The “.” means that only the ACK flag was set (other letters are “S” for SYN, “F” for FIN, “P” for PSH and “R” for RST). This is followed by the acknowledgment number, “ack 1”, which Tcpdump prints relative to the start of the connection by default. The next field is the window size, “win 67”, and finally the payload length, “length 0”.
There are more fields in the output for other protocol types; please check Tcpdump’s documentation for more information.
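To make the field layout above concrete, here is an added example (not code from the original article or from the tcpdump project) that parses TCP summary lines into structured records and then uses them for a simple defender-side check: counting, per source host, packets that carry SYN without ACK, which is a common triage signal for scanning or half-open floods. It assumes numeric addresses and ports in the output (as produced with tcpdump’s -n flag); the sample lines other than the first are constructed.

```python
"""Parse tcpdump's one-line TCP summaries into structured records.

Added example: the regular expression follows the field order shown in the
article (timestamp, protocol, src.port > dst.port, Flags, ack/win/length) and
assumes numeric addresses and ports, i.e. output produced with `tcpdump -n`.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, Iterable, List, Optional, Set

# Meaning of the letters tcpdump prints inside "Flags [...]".
FLAG_NAMES = {
    "S": "SYN", ".": "ACK", "F": "FIN", "P": "PSH",
    "R": "RST", "U": "URG", "W": "CWR", "E": "ECE",
}

TCP_LINE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) "      # 17:42:53.490718
    r"(?P<proto>IP6?) "                      # IP or IP6
    r"(?P<src>\S+?)\.(?P<sport>\d+) > "      # 192.168.0.1.443 >
    r"(?P<dst>\S+?)\.(?P<dport>\d+): "       # 192.168.0.114.59509:
    r"Flags \[(?P<flags>[^\]]*)\]"           # Flags [.]
    r"(?P<rest>.*)$"                         # , ack 1, win 67, length 0
)


@dataclass
class TcpSummary:
    timestamp: str
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    flags: Set[str] = field(default_factory=set)
    seq: Optional[str] = None      # "1:88" or "100"; relative unless -S was used
    ack: Optional[int] = None
    win: Optional[int] = None
    length: Optional[int] = None   # TCP payload bytes


def parse_line(line: str) -> Optional[TcpSummary]:
    """Return a TcpSummary, or None for lines that are not TCP summaries
    (UDP/ARP lines, or payload text printed by -A)."""
    m = TCP_LINE.match(line.strip())
    if not m:
        return None
    rest = m.group("rest")

    def num(key: str) -> Optional[int]:
        k = re.search(rf"\b{key} (\d+)", rest)
        return int(k.group(1)) if k else None

    seq = re.search(r"\bseq ([\d:]+)", rest)
    return TcpSummary(
        timestamp=m.group("ts"), proto=m.group("proto"),
        src=m.group("src"), sport=int(m.group("sport")),
        dst=m.group("dst"), dport=int(m.group("dport")),
        flags={FLAG_NAMES.get(c, c) for c in m.group("flags")},
        seq=seq.group(1) if seq else None,
        ack=num("ack"), win=num("win"), length=num("length"),
    )


def syn_only_by_source(lines: Iterable[str]) -> Dict[str, int]:
    """Count packets per source host that carry SYN but not ACK.
    One host emitting many of these toward many ports in a short window is a
    classic sign of a port scan or SYN flood; this is a triage aid, not proof."""
    counts: Dict[str, int] = {}
    for line in lines:
        pkt = parse_line(line)
        if pkt and "SYN" in pkt.flags and "ACK" not in pkt.flags:
            counts[pkt.src] = counts.get(pkt.src, 0) + 1
    return counts


# Constructed sample: the first line is the one from the article, the rest are
# made up to exercise SYN, PSH/ACK, RST and a non-TCP (UDP) line.
SAMPLE_LINES: List[str] = [
    "17:42:53.490718 IP 192.168.0.1.443 > 192.168.0.114.59509: Flags [.], ack 1, win 67, length 0",
    "17:42:53.491002 IP 192.168.0.114.59509 > 192.168.0.1.443: Flags [P.], seq 1:88, ack 1, win 2048, length 87",
    "17:42:54.000100 IP 10.0.0.7.40001 > 192.168.0.114.22: Flags [S], seq 100, win 1024, options [mss 1460], length 0",
    "17:42:54.000200 IP 10.0.0.7.40002 > 192.168.0.114.23: Flags [S], seq 101, win 1024, options [mss 1460], length 0",
    "17:42:54.000300 IP 192.168.0.114.22 > 10.0.0.7.40001: Flags [R.], seq 0, ack 101, win 0, length 0",
    "17:42:54.100000 IP 192.168.0.114.55000 > 192.168.0.1.53: UDP, length 45",
]

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(parse_line(line))
    print("SYN-only packets by source:", syn_only_by_source(SAMPLE_LINES))
```

Because tcpdump prints sequence and acknowledgment numbers relative to the first packet it saw on the connection, a capture started mid-stream shows absolute values for that connection; pass -S if you need absolute numbers consistently.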
Reading packet contents
Finally, how do you read the contents of the captured packets? In Tcpdump, you can print out the packet contents by using the “-A” flag. For example, let’s say that we are trying to capture packets of some HTTP traffic.
$ sudo tcpdump port 80 -A
You can run this command and then access a page over HTTP. You will see the packet contents printed out in plain text, including the HTTP headers, for example:
Accept-Encoding: gzip, deflate
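The same “-A” output is useful from the defensive side: anything readable here was readable to anyone else on the path, so a quick scan of a capture for credentials and session identifiers travelling over cleartext HTTP is a common audit step. The following is an added example (not code from the original article or from tcpdump) that walks -A output, tracks which packet each payload line belongs to, and reports sensitive HTTP headers with their values redacted. The sample capture text is constructed: the hosts use documentation address space and the token and cookie values are fake.

```python
"""Triage tcpdump -A output for credentials sent over cleartext HTTP.

Added example, not part of tcpdump. The sample dump below is constructed.
"""
import re
from typing import Dict, List

# A packet summary line starts with a timestamp; everything that follows it,
# up to the next summary line, is that packet's ASCII payload printed by -A.
SUMMARY_LINE = re.compile(r"^\d{2}:\d{2}:\d{2}\.\d+ IP6? (\S+) > (\S+):")

# HTTP headers whose values are credentials or session identifiers.
SENSITIVE_HEADERS = {
    "authorization", "proxy-authorization", "cookie", "set-cookie", "x-api-key",
}


def redact(value: str, keep: int = 4) -> str:
    """Keep only a short prefix so a finding can be reported without
    copying the secret itself into a ticket or log."""
    return value if len(value) <= keep else value[:keep] + "..."


def port_of(endpoint: str) -> int:
    """tcpdump prints endpoints as addr.port; the port is the last component."""
    return int(endpoint.rsplit(".", 1)[-1])


def find_cleartext_secrets(dump: str) -> List[Dict[str, object]]:
    findings: List[Dict[str, object]] = []
    src = dst = "?"
    for raw in dump.splitlines():
        m = SUMMARY_LINE.match(raw)
        if m:
            src, dst = m.group(1), m.group(2)
            continue
        # Header lines have the form "Name: value". Binary payload lines and
        # request/status lines normally contain no colon and are skipped.
        if ":" not in raw:
            continue
        name, _, value = raw.partition(":")
        name, value = name.strip().lower(), value.strip()
        if name not in SENSITIVE_HEADERS or not value:
            continue
        # For Authorization-style headers keep the scheme (Basic, Bearer, ...)
        # visible, since "Basic" means the credentials are effectively plaintext.
        scheme, _, token = value.partition(" ")
        shown = f"{scheme} {redact(token)}" if name.endswith("authorization") and token else redact(value)
        findings.append({
            "src": src, "dst": dst, "dport": port_of(dst) if dst != "?" else None,
            "header": name, "value": shown,
        })
    return findings


# Constructed sample of `tcpdump -A port 80` output: one request and one
# response. The Basic token decodes to "user:password"; the cookie is fake.
SAMPLE_DUMP = """\
17:50:01.123456 IP 192.168.0.114.59600 > 203.0.113.10.80: Flags [P.], seq 1:213, ack 1, win 2048, length 212
E...5.@.@.....
GET /login HTTP/1.1
Host: intranet.example
User-Agent: curl/8.4.0
Accept-Encoding: gzip, deflate
Authorization: Basic dXNlcjpwYXNzd29yZA==
Cookie: session=c0ffee1234

17:50:01.250000 IP 203.0.113.10.80 > 192.168.0.114.59600: Flags [P.], seq 1:96, ack 213, win 512, length 95
E..s..@.?.....
HTTP/1.1 200 OK
Content-Type: text/html
Set-Cookie: session=c0ffee1234; Path=/
"""

if __name__ == "__main__":
    for f in find_cleartext_secrets(SAMPLE_DUMP):
        print(f"{f['src']} -> {f['dst']}: {f['header']}: {f['value']}")
```

The scan only sees what fits in one captured packet; a header split across TCP segments will not line up, which is why a full reassembly tool (or Wireshark’s “Follow TCP Stream”) is the better choice once a capture file is in hand. Remember too that a -w capture file containing this traffic holds the same secrets, so store it with the same care as the credentials themselves.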
Tcpdump is a powerful packet analysis tool. Today, we looked at the basic usage of Tcpdump. For more information about the tool, and more functionality to explore, visit Tcpdump’s manual page here: https://www.tcpdump.org/manpages/tcpdump.1.html.