Introduction to Tcpdump packets

Using Tcpdump to analyze network traffic

$ sudo tcpdump -D
1.en0 [Up, Running]
2.bridge0 [Up, Running]
3.p2p0 [Up, Running]
4.awdl0 [Up, Running]
5.utun0 [Up, Running]
6.en1 [Up, Running]
7.en2 [Up, Running]
8.lo0 [Up, Running, Loopback]
9.vboxnet0 [Running]
10.gif0
11.stf0
$ sudo tcpdump -i any
$ sudo tcpdump -i eth1
$ sudo tcpdump -i any -v (Verbose output)
$ sudo tcpdump -i any -vv (Even more verbose output)
$ sudo tcpdump -i any -vvv (The most verbose output)

Protocol filters

Tcpdump has a variety of filters that allow you to capture only the packets that match your criteria. First, you can filter captured traffic by protocol. For example, this command captures only TCP packets.

$ sudo tcpdump tcp

Port filters

If you are only interested in traffic for a specific port, you can use the “port” filter to target your analysis.

$ sudo tcpdump port 80
$ sudo tcpdump src port 80 (Source port is 80)
$ sudo tcpdump dst port 80 (Destination port is 80)

Host filters

On the other hand, if you are only interested in traffic for a specific host, you can use the “host” filter. The “host” filter can also be combined with the “src” or “dst” qualifier.

$ sudo tcpdump host 1.2.3.4
$ sudo tcpdump src host 1.2.3.4 (Source host is 1.2.3.4)
$ sudo tcpdump dst host 1.2.3.4 (Destination host is 1.2.3.4)

Combining filters

Finally, you can even combine multiple filters in Tcpdump! You can combine filters with the boolean operators “and” and “or”. Quoting the whole expression keeps the shell from interpreting any special characters in it.

$ sudo tcpdump 'src port 80 and dst host 1.2.3.4'
$ sudo tcpdump 'src port 80 or src port 443'

Saving the output

You can save the captured packets to a file instead of printing them by using the “-w” flag, and read a saved file back with the “-r” flag.

$ sudo tcpdump tcp -w PATH_TO_FILE
$ sudo tcpdump tcp -w PATH_TO_FILE --print
$ sudo tcpdump -r PATH_TO_FILE

Decoding the output

The output format of Tcpdump depends on the protocol. A typical output line for TCP looks like this, showing the timestamp, the protocol, the source address and port, the destination address and port, the TCP flags, the acknowledgement number, the window size, and the payload length.

17:42:53.490718 IP 192.168.0.1.443 > 192.168.0.114.59509: Flags [.], ack 1, win 67, length 0
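To make that line format concrete, here is an added example (not from the original post) that parses tcpdump's default TCP output lines with awk and then counts pure SYN segments per source address, a quick triage of who is opening connections in a capture. The sample lines are constructed, not real capture data.

```shell
#!/bin/sh
# Constructed sample of tcpdump TCP output lines (not a real capture).
SAMPLE_LINES='17:42:53.490718 IP 192.168.0.1.443 > 192.168.0.114.59509: Flags [.], ack 1, win 67, length 0
17:42:53.491002 IP 192.168.0.114.59509 > 192.168.0.1.443: Flags [P.], seq 1:518, ack 1, win 2052, length 517
17:42:54.000100 IP 10.0.0.7.40001 > 192.168.0.1.22: Flags [S], seq 100, win 64240, length 0'

# Parse one tcpdump TCP line into:
#   timestamp src_ip src_port dst_ip dst_port flags length
parse_tcp_line() {
    printf '%s\n' "$1" | awk '
    {
        # Fields: $1 timestamp, $2 "IP", $3 src, $4 ">", $5 dst (trailing ":")
        ts = $1
        src = $3
        dst = $5; sub(/:$/, "", dst)
        # tcpdump appends the port as one more dotted component,
        # so the port is everything after the last dot.
        n = split(src, a, "."); sport = a[n]
        sip = substr(src, 1, length(src) - length(sport) - 1)
        n = split(dst, b, "."); dport = b[n]
        dip = substr(dst, 1, length(dst) - length(dport) - 1)
        # Extract the text inside "Flags [...]" and the value after "length".
        match($0, /Flags \[[^]]*\]/); flags = substr($0, RSTART + 7, RLENGTH - 8)
        match($0, /length [0-9]+/);   len   = substr($0, RSTART + 7, RLENGTH - 7)
        print ts, sip, sport, dip, dport, flags, len
    }'
}

# Count segments whose only flag is S (new connection attempts) per source IP.
syn_count_by_src() {
    printf '%s\n' "$1" | while IFS= read -r line; do
        parse_tcp_line "$line"
    done | awk '$6 == "S" { c[$2]++ } END { for (ip in c) print ip, c[ip] }'
}

# Demonstration on the constructed sample.
printf '%s\n' "$SAMPLE_LINES" | while IFS= read -r line; do
    parse_tcp_line "$line"
done
syn_count_by_src "$SAMPLE_LINES"
```

The same functions work on a live capture piped in, e.g. `sudo tcpdump -l tcp | while IFS= read -r line; do parse_tcp_line "$line"; done`, since `-l` makes tcpdump line-buffer its output.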

Reading packet contents

Finally, how do you read the contents of the captured packets? In Tcpdump, you can print the packet contents in ASCII by using the “-A” flag. For example, let’s say that we are trying to capture some HTTP traffic.

$ sudo tcpdump port 80 -A
Host: www.example.com
Connection: keep-alive
User-Agent: Mozilla/5.0
Accept: image/webp,image/apng,image/*,*/*;q=0.8
Referer: http://www.example.com
Accept-Encoding: gzip, deflate
Accept-Language: en-US;q=0.8,en;q=0.7
Cookie: PHPSESSID=71mapjkikro59donut84n0cfms0

Conclusion

Tcpdump is a powerful packet analysis tool. Today, we looked at the basic usages of Tcpdump. For more information about the tool, and more functionalities to explore, visit Tcpdump’s manual page here: https://www.tcpdump.org/manpages/tcpdump.1.html.
