Using tcpdump to analyze traffic
Linux comes with a wide variety of network utilities to choose from. Tcpdump is a powerful network tool that can capture and analyze network traffic if you need to troubleshoot network problems on Linux.
Let's practice with the tcpdump command and explore how to use it to capture network traffic.
Install tcpdump in Linux
Tcpdump comes pre-installed with all mainstream Linux distributions and security-based alternatives, so you should be able to use it right away by typing tcpdump with the sudo prefix.
In case you are unable to run the tcpdump command and stuck at the error "tcpdump: command not found" , let's learn how to install tcpdump on Linux machine.
To install tcpdump, fire up a terminal and run the command corresponding to the Linux distribution you are currently using:
On Debian/Ubuntu derivatives, run:
sudo pacman -S tcpdump
On Arch-based systems, run:
sudo pacman -S tcpdump
To install the tcpdump utility on Fedora, CentOS, and RHEL, issue the following command:
sudo dnf install tcpdump
Note that if you are asked to install libcap, enter Yes or Y as this is a core dependency, otherwise tcpdump will refuse to start. This will install the tcpdump utility and resolve the "command not found" error .
Now that tcpdump is installed on your system, let's explore the different options and functionalities it offers.
Capture network traffic with tcpdump
Tcpdump provides a lot of flags to modify its execution but it can also be run as a standalone command. However, running tcpdump without any flags or arguments will miss its full potential. It is better to use some flags to tweak the execution and output as needed.
Enter this command to monitor network transmissions using tcpdump:
sudo tcpdump
Now, tcpdump will start automatically capturing network packets until a interrupt signal is sent with the Ctrl + Z shortcut , interrupting the process manually. To limit the total number of packets captured, use the -c flag and enter the desired packet limit next to it:
sudo tcpdump -c 5
If you can't understand the output right now, you first need to get familiar with the tcpdump output format.
Check available network interfaces with tcpdump
By default, tcpdump captures traffic from any available network interface. If there are multiple network interfaces active, you may want to specify the network interface from which tcpdump will capture packets. To start tcpdump on a specific interface, you will first have to find out the interface name.
Here's how to list all available network interfaces with tcpdump:
sudo tcpdump -D
Alternatively, you can add the --list-interface flag to the command:
sudo tcpdump --list-interfaces
The returned output contains a list of all active network interfaces that tcpdump can listen on. To configure tcpdump to capture transmissions from a specific network interface, enter the following command:
sudo tcpdump -i interface_id
Alternatively, you can add the --interface flag to the command:
sudo tcpdump --interface interface_id
Now that you have captured a few packets, let's take a closer look at them and see how you can tweak the output to make it more readable.
Explore tcpdump filters
Tcpdump has the potential to capture a large amount of traffic in a single run. Such an information overload can throw you off track when investigating or troubleshooting a problem with a particular host or network protocol.
This is where tcpdump filters come in handy. You can chain the tcpdump command with certain flags to filter out network traffic and capture specific packets. You can then store these packets and analyze them later to find the root of any network-related issues. Let's take a look at how to use filters in tcpdump.
Packet filtering based on the network protocol being used
To filter packets transmitted over a specific protocol, enter the protocol name using the tcpdump command and it will capture only packets transmitted over the specified network protocol.
For example, to capture ICMP-based packets, you simply append icmp to the end of the tcpdump command. The process is the same if you only want to capture UDP or TCP packets.
sudo tcpdump -c 5 icmp
This command will only return output if there is data exchange via the ICMP protocol.
Host-based packet filtering
You can configure tcpdump to capture packets related to a single host with the host parameter. This is especially useful when all systems on your network are up and running except for one. This filter allows you to perform targeted investigations and speeds up the overall troubleshooting process because you are not distracted by unnecessary data.
To capture packets related to a specific host, specify the host's network address with the host parameter:
sudo tcpdump -c 5 host 192.168.2.1
Similar to the network protocol filter, this command will only return output if any ongoing transmissions are related to the specified host.
Active Port Based Packet Filtering
Tcpdump comes equipped with a parameter that allows you to filter network traffic and capture only packets transmitted to or from a specific port.
To capture packets coming from a specific port, append the port flag to the tcpdump command and specify the port number next to it. For example, to capture all incoming or outgoing HTTP traffic, specify port 80:
sudo tcpdump -c 5 port 80
Tcpdump will listen on port 80, waiting for HTTP transmissions. When it detects HTTP packets in the network, it will capture them.
Combine filters together for advanced sorting
The previous sections discussed how you can filter traffic based on port, protocol, or host, but what if you want to capture traffic from a specific host's port using a specific network protocol? Well, you're in luck because this is possible, thanks to the ability to use logical operators with the tcpdump command.
To capture packets from an individual host using port 443, use the following command:
sudo tcpdump -c 5 host 192.168.2.1 and port 443
Check the contents of captured packets
By default, tcpdump displays the headers of a packet in its output. While this is more than enough in most cases, sometimes you may want or need to take a deeper look at the captured data. You can pass certain parameters to the tcpdump command to examine the contents of the captured packet.
Here's how to view the contents of the packages:
sudo tcpdump -c 5 -x
This command returns the hex version of the contents of a captured packet. If you want to see the ASCII form of the data, you can pass the -A parameter with:
sudo tcpdump -A
Save tcpdump output to a file
Like most other Linux command line tools, you can save the output generated by tcpdump to a file for later reference.
This can be done by adding the -w flag to the command. Once executed, tcpdump will store the captured data in a .pcap file for later analysis using tcpdump or other network monitoring tools like Wireshark.
Enter this command to save your tcpdump command output to a file:
sudo tcpdump -w capture.pcap
To read the .pcap file, you can use tcpdump with the -r parameter :
sudo tcpdump -r capture.pcap
Linux offers a plethora of networking tools that can solve any networking problem as long as it is on the software side. Knowing how to use some of the best networking tools in Linux will definitely come in handy, whether you are a sysadmin who manages networks for a living or just a daily Linux user.
Since the actual list of available network commands can be overwhelming, here is a list of some of the most important Linux networking tools you should know.
You should read it
- Solve the real problem with the Network Diagnostic function
- Learn AZ from Direct Traffic on Google Analytics
- 20 tips and tricks for mastering Google Analytics data (Part 2)
- The best real-time NetFlow analysis and collection tool
- Data analysis with Network Monitor
- What is data analysis?
- What is malware analysis? How are the steps taken?
- What is Deep Packet Inspection (DPI)? How does it work and how does it work in network security?
- Network testing with Network Monitor 3.4 - Part 1
- Summary of penalties for violations of traffic errors of motorcycles and cars
- How to prioritize specific network traffic on a Wi-Fi router
- The best Event log software and analysis tools