What is tcpdump?
tcpdump is a common packet analyzer that allows the user to display TCP/IP and other packets being transmitted or received over a network. tcpdump works on most Unix-like operating systems: Linux, Solaris, FreeBSD, DragonFly BSD, NetBSD, OpenBSD, Openwrt, macOS, HP-UX 11i, and AIX. tcpdump utilizes the libpcap library to capture packets.
tcpdump is also available on Windows in the form of a port called WinDump; it uses WinPcap, the ported version of libpcap.
How to use tcpdump
To get an overview of the options that are available, you can run the following command to display the help menu:
To get started, specify the interface to capture on and the host whose traffic you want to analyze:
tcpdump -i <interfacename> -v host <ipaddressofhost>
You can also specify the IP address of the destination and capture only the traffic going to that host:
tcpdump -i eth0 -v dst <ipaddress>
You can combine filters to capture specific traffic based on source and destination; for example, giving both the destination and source IP addresses narrows the capture to a single flow:
tcpdump -i eth0 -v dst <ipaddress> and src <ipaddress>
Additionally, you can capture the traffic of an entire subnet with the net primitive, giving the network address and a valid prefix length (tcpdump rejects prefix lengths above 32 and addresses that have host bits set):
tcpdump -i eth0 -v net 192.168.0.0/24
You can also capture protocol-specific traffic by naming the protocol whose traffic you want to analyze and combining it with a network:
tcpdump -i eth0 -v tcp and net <network>/<prefixlen>
Exporting captured traffic
A great feature of tcpdump is the ability to write captured traffic directly to a .pcap file for later analysis or for use in Wireshark. You can do this by running the following command (quoting the filter so the shell does not interpret it):
tcpdump -w /root/Desktop/name.pcap -i eth0 -v 'src port 443 and dst <ipaddress>'
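As an added example (not part of the original page and not tcpdump or libpcap code), the Python script below builds a tiny classic pcap file in memory in the same layout tcpdump -w produces, reads it back, and applies Python equivalents of the filter primitives used above (host, src, dst, net with a prefix length, src port, tcp, and). All frames and addresses are constructed test data; the net() helper uses the standard library's strict network parsing so that a prefix like 192.168.0.1/254 or an address with host bits set is rejected, which is the same class of input libpcap refuses.

```python
"""Build a small pcap, parse it, and apply tcpdump-style filter predicates.
Constructed example; all packets and addresses below are made up."""
import ipaddress
import struct

PCAP_MAGIC = 0xA1B2C3D4      # microsecond-resolution classic pcap magic
LINKTYPE_ETHERNET = 1
ETHERTYPE_IPV4 = 0x0800
IPPROTO_TCP, IPPROTO_UDP = 6, 17


def build_packet(src_ip, dst_ip, src_port, dst_port):
    """Construct an Ethernet/IPv4/TCP SYN frame with no payload (test data)."""
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") \
        + struct.pack("!H", ETHERTYPE_IPV4)
    tcp = struct.pack("!HHIIBBHHH", src_port, dst_port, 0, 0, 5 << 4, 0x02, 65535, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, IPPROTO_TCP, 0,
                     ipaddress.IPv4Address(src_ip).packed, ipaddress.IPv4Address(dst_ip).packed)
    return eth + ip + tcp


def write_pcap(frames):
    """Serialize frames as a classic little-endian pcap byte string."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for i, frame in enumerate(frames):
        # record header: ts_sec, ts_usec, captured length, original length
        out += struct.pack("<IIII", 1_700_000_000 + i, 0, len(frame), len(frame))
        out += frame
    return out


def decode_frame(frame):
    """Extract addresses, protocol and ports from an Ethernet/IPv4 frame."""
    if struct.unpack_from("!H", frame, 12)[0] != ETHERTYPE_IPV4:
        return None                                   # not IPv4: nothing to match on
    ihl = (frame[14] & 0x0F) * 4                      # IPv4 header length in bytes
    proto = frame[14 + 9]
    src = str(ipaddress.IPv4Address(frame[26:30]))
    dst = str(ipaddress.IPv4Address(frame[30:34]))
    sport = dport = None
    if proto in (IPPROTO_TCP, IPPROTO_UDP):           # both headers start with the ports
        sport, dport = struct.unpack_from("!HH", frame, 14 + ihl)
    return {"src": src, "dst": dst, "proto": proto, "sport": sport, "dport": dport}


def read_pcap(data):
    """Walk the pcap records and return the decoded packets."""
    magic, = struct.unpack_from("<I", data, 0)
    if magic != PCAP_MAGIC:
        raise ValueError("unsupported pcap magic %#x" % magic)
    linktype, = struct.unpack_from("<I", data, 20)
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError("only Ethernet link type handled here")
    off, packets = 24, []
    while off + 16 <= len(data):
        _sec, _usec, incl_len, _orig_len = struct.unpack_from("<IIII", data, off)
        off += 16
        packets.append(decode_frame(data[off:off + incl_len]))
        off += incl_len
    return packets


# Filter primitives mirroring the tcpdump expressions used in the text.
def host(ip):       return lambda p: ip in (p["src"], p["dst"])   # 'host X'
def src(ip):        return lambda p: p["src"] == ip               # 'src X'
def dst(ip):        return lambda p: p["dst"] == ip               # 'dst X'
def src_port(port): return lambda p: p["sport"] == port           # 'src port N'
def tcp():          return lambda p: p["proto"] == IPPROTO_TCP    # 'tcp'
def both(*preds):   return lambda p: all(f(p) for f in preds)     # 'A and B'


def net(cidr):
    """'net A.B.C.D/len': strict parsing rejects a bad prefix length or host bits set."""
    network = ipaddress.ip_network(cidr)   # raises ValueError for e.g. 192.168.0.1/254
    return lambda p: (ipaddress.ip_address(p["src"]) in network
                      or ipaddress.ip_address(p["dst"]) in network)


def is_valid_net(cidr):
    """True if cidr would be accepted by net(), False otherwise."""
    try:
        net(cidr)
        return True
    except ValueError:
        return False


def apply_filter(pred, packets):
    """Return the packets the predicate accepts, skipping non-IPv4 frames."""
    return [p for p in packets if p is not None and pred(p)]


def demo():
    """Write three constructed packets to a pcap and count matches per filter."""
    frames = [
        build_packet("192.168.0.10", "10.0.0.5", 443, 51234),   # server reply on 443
        build_packet("10.0.0.5", "192.168.0.10", 51234, 443),   # client request
        build_packet("172.16.4.2", "8.8.8.8", 40000, 53),       # unrelated flow
    ]
    packets = read_pcap(write_pcap(frames))
    return {
        "host": len(apply_filter(host("192.168.0.10"), packets)),
        "dst_and_src": len(apply_filter(both(dst("10.0.0.5"), src("192.168.0.10")), packets)),
        "net": len(apply_filter(net("192.168.0.0/24"), packets)),
        "tcp_net": len(apply_filter(both(tcp(), net("10.0.0.0/8")), packets)),
        "export_filter": len(apply_filter(both(src_port(443), dst("10.0.0.5")), packets)),
    }


if __name__ == "__main__":
    print(demo())
```

Running the script prints the match counts for each filter; the same predicates can be pointed at a real capture by replacing write_pcap() with the bytes of a file produced by tcpdump -w, as long as it is a classic pcap on an Ethernet interface.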