tcpdump – Traffic Capture & Analysis Tutorial

What is tcpdump?

tcpdump is a common packet analyzer that allows the user to display TCP/IP and other packets being transmitted or received over a network. tcpdump works on most Unix-like operating systems: Linux, Solaris, FreeBSD, DragonFly BSD, NetBSD, OpenBSD, Openwrt, macOS, HP-UX 11i, and AIX. tcpdump utilizes the libpcap library to capture packets.

tcpdump is also available on Windows in the form of a port called WinDump; it uses WinPcap, the ported version of libpcap.

How to use tcpdump

To get an overview of the options that are available, you can run the following command to display the help menu:

tcpdump -h

To get started, specify the interface to capture on and the host whose traffic you want to analyze:

tcpdump -i <interfacename> -v host <ipaddressofhost>

You can also filter on the destination IP address to see only the traffic ending at that host:

tcpdump -i eth0 -v dst <ipaddress>

Using Filters

Filters let you capture only specific traffic based on source and destination. For example, you can combine the source and destination IP addresses to narrow down your analysis:

tcpdump -i eth0 -v dst <ipaddress> and src <ipaddress>

Additionally, you can capture the traffic of an entire subnet with the net primitive, giving the network address and prefix length (a prefix length must be between 0 and 32, and libpcap rejects an address with host bits set):

tcpdump -i eth0 -v net 192.168.0.0/24

You can also restrict the capture to one protocol by naming it in the filter, for example TCP traffic within a given network:

tcpdump -i eth0 -v tcp and net <network>/<prefixlength>

Exporting captured traffic

A great feature of tcpdump is the ability to write the captured traffic directly to a .pcap file for later analysis or for use in Wireshark. You can easily do this with the -w option:

tcpdump -w /root/Desktop/name.pcap -i eth0 -v 'src port 443 and dst <ipaddress>'
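The file written by tcpdump -w can be checked without Wireshark. The following is an added example, not code from the original post: a small Python reader for the classic libpcap format (assumed little-endian and Ethernet link type, which is what tcpdump -w writes by default unless pcapng is requested) that applies an offline version of the page's net / tcp / dst port filter to a capture constructed in memory.

```python
import struct
import ipaddress

PCAP_MAGIC, LINKTYPE_ETHERNET = 0xA1B2C3D4, 1      # magic as tcpdump -w writes it on a little-endian host
PROTO_NAMES = {1: "icmp", 6: "tcp", 17: "udp"}

def build_pcap(frames):
    # Constructed sample: libpcap global header (v2.4, snaplen 262144, Ethernet) plus per-packet records.
    header = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 262144, LINKTYPE_ETHERNET)
    records = b"".join(struct.pack("<IIII", 0, 0, len(f), len(f)) + f for f in frames)
    return header + records

def tcp_frame(src, dst, sport, dport):
    # Constructed Ethernet/IPv4/TCP SYN; checksums are left zero, which is enough for header parsing.
    eth = b"\x00" * 12 + b"\x08\x00"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0,
                     ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 0x50, 0x02, 8192, 0, 0)
    return eth + ip + tcp

def read_pcap(data):
    # Yield (src, dst, proto, sport, dport) for every IPv4 packet; non-IPv4 frames are skipped.
    magic, _, _, _, _, _, linktype = struct.unpack("<IHHiIII", data[:24])
    if magic != PCAP_MAGIC or linktype != LINKTYPE_ETHERNET:
        raise ValueError("expected a little-endian Ethernet pcap")
    off = 24
    while off + 16 <= len(data):
        caplen = struct.unpack("<IIII", data[off:off + 16])[2]
        frame = data[off + 16:off + 16 + caplen]
        off += 16 + caplen
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":
            continue
        ihl = (frame[14] & 0x0F) * 4
        l4 = frame[14 + ihl:]
        ports = struct.unpack("!HH", l4[:4]) if frame[23] in (6, 17) and len(l4) >= 4 else (None, None)
        yield (str(ipaddress.IPv4Address(frame[26:30])), str(ipaddress.IPv4Address(frame[30:34])),
               PROTO_NAMES.get(frame[23], str(frame[23])), ports[0], ports[1])

def select(data, net=None, proto=None, dport=None):
    # Offline equivalent of the page's `net N and tcp and dst port P` filter over a saved capture.
    network = ipaddress.ip_network(net) if net else None
    def ok(src, dst, prot, _sport, dp):
        in_net = network is None or ipaddress.ip_address(src) in network or ipaddress.ip_address(dst) in network
        return in_net and (proto is None or prot == proto) and (dport is None or dp == dport)
    return [p for p in read_pcap(data) if ok(*p)]

SAMPLE = build_pcap([tcp_frame("192.168.0.10", "203.0.113.5", 51000, 443),
                     tcp_frame("198.51.100.7", "192.168.0.20", 40000, 22),
                     tcp_frame("198.51.100.7", "203.0.113.9", 40001, 443)])
```

Replace SAMPLE with the bytes of a real capture (open(path, "rb").read()) to confirm that a filtered capture actually contains only the traffic the filter was meant to keep.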
