Never Ending Security

It starts all here

TCPdump Commands Cheatsheet


tcpdump is a most powerful and widely used command-line packets sniffer or package analyzer tool which is used to capture or filter TCP/IP packets that received or transferred over a network on a specific interface. tcpdump also gives us an option to save captured packets in a file for future analysis. It saves the data in a pcap format, that can be viewed by tcpdump command or a open source GUI based tool called Wireshark (Network Protocol Analyzier).

How to Install tcpdump in Linux

Many of Linux distributions already shipped with tcpdump tool, if in case you don’t have it on systems, you can install it using following Yum command.

# yum install tcpdump

Once tcpdump tool is installed on systems, you can continue to browse following commands with their examples.

Capture Packets from Specific Interface

tcpdump command it will captures from all the interfaces by default, with -i switch it will only capture from a specific interface.

# tcpdump -i eth0

Capture Only N Number of Packets

Using -c switch, you can capture specified number of packets. The below example will only capture 4 packets.

# tcpdump -c 5 -i eth0

Print Captured Packets in ASCII

The below tcpdump command with option -A displays the package in ASCII format. It is a character-encoding scheme format.

# tcpdump -A -i eth0

Display Available Interfaces

To list number of available interfaces on the system, run the following command with -D option.

# tcpdump -D

Display Captured Packets in HEX and ASCII

The following command with option -XX capture the data of each packet, including its link level header in HEX and ASCII format.

# tcpdump -XX -i eth0

Capture and Save Packets in a File

As we said, that tcpdump has a feature to capture and save the file in a .pcap format, to do this just execute command with -w option.

# tcpdump -w 0001.pcap -i eth0

Read Captured Packets File

To read and analyze captured packet 0001.pcap file use the command with -r option, as shown below.

# tcpdump -r 0001.pcap

Capture IP address Packets

To capture packets for a specific interface, run the following command with option -n.

# tcpdump -n -i eth0

Capture only TCP Packets.

To capture packets based on TCP port, run the following command with option tcp.

# tcpdump -i eth0 tcp

Capture Packet from Specific Port

Let’s say you want to capture packets for specific port 22, execute the below command by specifying port number 22 as shown below.

# tcpdump -i eth0 port 22

Capture Packets from source IP

To capture packets from source IP, say you want to capture packets for, use the command as follows.

# tcpdump -i eth0 src

Capture Packets from destination IP

To capture packets from destination IP, say you want to capture packets for, use the command as follows.

# tcpdump -i eth0 dst

Leave a Reply

Please log in using one of these methods to post your comment: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s