TCPDump is an extremely useful command-line packet analyzer tool that comes pre-installed on most Linux distributions. It allows you to capture and analyze network traffic going through your system. In this comprehensive tcpdump tutorial, we will explore some common tcpdump examples to demonstrate its powerful capabilities.

Confirming TCPDump is Installed

Before using tcpdump, verify it is installed on your system by running:

tcpdump --version

This should print out the version information if tcpdump is present:

tcpdump version 4.9.3
libpcap version 1.9.1
OpenSSL 1.1.1k  25 Mar 2021

Viewing the TCPDump Help Page

It's always a good idea to consult the help page to understand all available options:

tcpdump --help

This prints out a detailed help section explaining the various flags and formats supported by tcpdump. Going through this helps you construct more focused captures later on.

Listing Available Capture Interfaces

The first step is to determine which interfaces are available for packet capture.

Execute the following to list interfaces:

tcpdump -D

This should print the interface list, for example:

1.enp0s3 [Up, Running]
2.lo [Up, Running, Loopback]
3.bluetooth0 [Up]
4.any (Pseudo-device that captures on all interfaces) [Up, Running]

Here we see that enp0s3 is the primary Ethernet interface.

Capturing Packets on an Interface

Let's start capturing packets on the enp0s3 interface using:

sudo tcpdump -i enp0s3

This will start printing network activity to stdout. The output contains metadata about the traffic including:

  • Timestamp
  • Source & Destination IP addresses
  • Protocol (TCP, UDP etc.)
  • Source & destination port numbers

To stop the capture, press Ctrl+C.

Here's a snapshot of tcpdump collecting packet data:

[Screenshot: tcpdump capturing packets]

By default tcpdump will keep capturing packets until told to stop.

Limiting Packet Capture Count

Use the -c flag to restrict capture count. For example, to capture only 5 packets:

sudo tcpdump -c 5 -i enp0s3

Once 5 packets are collected, the capture stops automatically.

[Screenshot: limiting tcpdump packets]

This mode is very useful when you wish to sample a small subset of traffic.

Capturing Packets in ASCII

To view capture output in ASCII rather than hex, use -A:

sudo tcpdump -c 5 -i enp0s3 -A

Now the output contains the packet payload data in ASCII form:

[Screenshot: tcpdump ASCII output]

This allows you to quickly inspect text-based protocols like HTTP, DNS etc.

Capturing Packets in HEX and ASCII

To capture both hex and ASCII, use the -XX flag instead of -A. This prints both hex on the left and ASCII on the right:

sudo tcpdump -c 5 -i enp0s3 -XX

Here's how a packet looks with -XX:

[Screenshot: tcpdump hex and ASCII output]

This format shows the most detail about each captured packet.
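The hex+ASCII layout above is easy to read on screen but awkward to work with once it has been pasted into a ticket or a log. The following Python, added here as an example and not part of the original tutorial, renders bytes in that layout and, more usefully, parses a saved -X/-XX text dump back into raw bytes; SAMPLE_DUMP is a constructed two-line dump, not a real capture.

```python
import re

# Matches one line of tcpdump's hex+ASCII output: an offset, the hex groups,
# then the ASCII column, which tcpdump separates from the hex by two spaces.
HEX_LINE = re.compile(r"^\s*0x[0-9a-fA-F]+:\s+((?:[0-9a-fA-F]{2,4}\s?)+?)(?:\s{2}|$)")

def hex_ascii_dump(data, width=16):
    """Render bytes in the -X/-XX layout: 0xNNNN offset, 2-byte hex groups,
    then printable ASCII with '.' standing in for non-printable bytes."""
    lines = []
    for off in range(0, len(data), width):
        chunk = data[off:off + width]
        groups = [chunk[i:i + 2].hex() for i in range(0, len(chunk), 2)]
        hexpart = " ".join(groups).ljust(width * 2 + width // 2 - 1)
        text = "".join(chr(b) if 32 <= b < 127 else "." for b in chunk)
        lines.append(f"\t0x{off:04x}:  {hexpart}  {text}")
    return "\n".join(lines)

def parse_hex_dump(text):
    """Recover the raw bytes from a saved -X/-XX text dump (e.g. a pasted log);
    the ASCII column is ignored so hex-looking characters in it are not reparsed."""
    out = bytearray()
    for line in text.splitlines():
        m = HEX_LINE.match(line)
        if m:
            out += bytes.fromhex(m.group(1).replace(" ", ""))
    return bytes(out)

# Constructed sample: the first 24 bytes of an IPv4/TCP header as tcpdump -X
# would print them (not taken from a real capture).
SAMPLE_DUMP = """\
\t0x0000:  4500 003c 1c46 4000 4006 b1e6 c0a8 0105  E..<.F@.@.......
\t0x0010:  cb00 7123 9c40 0cea                      ..q#.@..
"""
```

Feeding the recovered bytes to a protocol decoder (or the pcap reader further down this page) is then straightforward, which is the usual reason to want them back.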

Saving Capture to a File

To save capture output to a file instead of printing to stdout, specify a filename with -w:

sudo tcpdump -w capture.pcap -i enp0s3

Now tcpdump will write to the file capture.pcap instead of showing on-screen.

Use -c to stop after a specific count:

sudo tcpdump -w capture.pcap -c 5 -i enp0s3

This command writes 5 packets to the file and then stops.

Reading Capture Files

To read from capture files saved previously with -w, provide the filename to -r:

sudo tcpdump -r capture.pcap

This will print the contents to stdout so you can analyze what's inside.

Capturing IP Layer Packets Only

The tips so far capture entire packets across layers 2, 3 and 4.

To restrict to IP (layer 3) packets only, use -n:

sudo tcpdump -nn -c 5 -i enp0s3

This strips off layer 2 header info, leaving only IP packet details:

[Screenshot: tcpdump capturing IP packets only]

The resulting data contains IP addresses, protocol numbers, length etc. but no MAC addresses.

Using -n simplifies captures by focusing on the IP layer, which is the most relevant layer for inspection in many cases. The -nn option additionally prevents protocol and port number resolution, displaying the raw numeric values instead for extra precision.

Capturing TCP Packets Only

To capture TCP packet types only:

sudo tcpdump -nn -c 5 -i enp0s3 tcp

This extracts 5 TCP packets exclusively, discarding any other packet types.

To capture UDP only, substitute udp instead of tcp.

Capturing Packets on a Specific Port

To grab packets communicating over a particular TCP or UDP port:

sudo tcpdump -nn -i enp0s3 port 3306

This captures traffic on port 3306 alone.

[Screenshot: capturing a specific port with tcpdump]

Modify the port parameter to any value you wish, for example port 80 to watch HTTP traffic only.

Filtering by IP Address

We can also filter by source or destination IP using additional expressions.

To grab packets from a specific source IP:

sudo tcpdump -nn -c 5 -i enp0s3 src 192.168.1.5

To restrict by destination IP instead:

sudo tcpdump -nn -c 5 -i enp0s3 dst 203.0.113.35

You can customize these source/destination values to home in on the subnets and machines you want to analyze.

[Screenshot: filtering by IP address with tcpdump]

Putting It All Together

Let's combine multiple filters to create an advanced packet capturing statement:

sudo tcpdump -nn -c 10 -i enp0s3 src 192.168.1.1 and tcp port 3306

This:

  1. Captures 10 packets only (-c 10)
  2. Monitors enp0s3 interface (-i enp0s3)
  3. Filters by source IP (src 192.168.1.1)
  4. Grabs TCP protocol packets (tcp)
  5. Listens on destination port 3306 only (port 3306)

Applying filters like this provides fine-grained control over each capture session. Construct the filters based on exactly what traffic you wish to inspect.
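To make the file format and the filter logic concrete, here is a Python example added to this page (it is not part of the tutorial or of tcpdump itself). It reads the classic pcap layout that -w writes and -r reads back, pulls out the per-packet fields listed earlier (timestamp, source and destination IP, protocol, ports) and applies the combined filter above together with a -c style count; as with tcpdump's port primitive, port 3306 matches either end of the connection. The sample capture is built in memory from made-up addresses, ports and timestamps.

```python
import socket
import struct

PCAP_MAGIC = 0xA1B2C3D4           # classic pcap, microsecond timestamps
ETHERTYPE_IPV4, IPPROTO_TCP = 0x0800, 6

def build_pcap(flows):
    """Constructed sample: one Ethernet/IPv4/TCP SYN per (src, dst, sport, dport)."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, 1)  # linktype 1 = Ethernet
    for i, (src, dst, sport, dport) in enumerate(flows):
        tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, 0x02, 65535, 0, 0)
        ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), i, 0x4000, 64,
                         IPPROTO_TCP, 0, socket.inet_aton(src), socket.inet_aton(dst))
        eth = bytes(range(6)) + bytes(range(6, 12)) + struct.pack("!H", ETHERTYPE_IPV4)
        frame = eth + ip + tcp                      # checksums left zero: sample data only
        out += struct.pack("<IIII", 1700000000 + i, 250000, len(frame), len(frame)) + frame
    return out

def read_pcap(data):
    """Yield (timestamp, src, dst, proto, sport, dport), the fields tcpdump prints per packet."""
    if struct.unpack_from("<I", data)[0] != PCAP_MAGIC:
        raise ValueError("not a little-endian microsecond pcap file")
    off = 24                                        # skip the 24-byte global header
    while off + 16 <= len(data):
        ts_sec, ts_usec, caplen, _ = struct.unpack_from("<IIII", data, off)
        frame = data[off + 16:off + 16 + caplen]
        off += 16 + caplen
        if struct.unpack_from("!H", frame, 12)[0] != ETHERTYPE_IPV4:
            continue                                # skip ARP, IPv6 and other link frames
        ip = frame[14:]
        ihl, proto = (ip[0] & 0x0F) * 4, ip[9]
        src, dst = socket.inet_ntoa(ip[12:16]), socket.inet_ntoa(ip[16:20])
        ports = struct.unpack_from("!HH", ip, ihl) if proto in (6, 17) else (None, None)
        yield (ts_sec + ts_usec / 1e6, src, dst, proto) + tuple(ports)

def capture(data, count=None, src=None, proto=None, port=None):
    """Apply the page's combined filter (src X and tcp port N) with a -c style count."""
    hits = []
    for pkt in read_pcap(data):
        _, s, _, p, sp, dp = pkt
        if (src is None or s == src) and (proto is None or p == proto) \
                and (port is None or port in (sp, dp)):   # port matches either end
            hits.append(pkt)
            if count and len(hits) == count:
                break
    return hits

SAMPLE = build_pcap([("192.168.1.1", "192.168.1.5", 40001, 3306),
                     ("192.168.1.7", "192.168.1.5", 40002, 3306),
                     ("192.168.1.1", "203.0.113.35", 40003, 443)])
```

Calling capture(SAMPLE, count=10, src="192.168.1.1", proto=IPPROTO_TCP, port=3306) returns only the first constructed flow, which is what the combined tcpdump expression above would keep.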

Conclusion

This guide provided a tcpdump tutorial to help you get started analyzing network packets right from your Linux terminal. We went over several practical examples including reading/saving capture files, filtering by protocols, IP addresses etc.

Tcpdump is highly flexible – review the official man pages to discover additional options. Advanced features like conditional capturing, logical operators, regex matching etc. further extend its power and scope. With practice, you can target the precise packet streams you want to unpack.
