How to install and use TCPdump (capture packets)
Introduction
In this tutorial, we’re going to introduce a popular network tool you should know about in order to manage your networks properly.
We are assuming that you have root permission; otherwise, prefix the commands with “sudo”.
Install TCPdump
TCPdump is a powerful command-line packet analyzer used to capture or filter TCP/IP packets received or transmitted over a network on a specific interface. It is available on every Linux distribution, free of charge.
Install TCPdump on CentOS:
yum install tcpdump
Install TCPdump on Debian and Ubuntu:
apt-get install tcpdump
Once TCPdump is installed, you can continue with the following commands.
Capture packets from a specific interface
If you run tcpdump with the “-i” flag you can name an interface, and TCPdump will start capturing packets on that interface:
tcpdump -i eth0
Capture only specific number of packets
The “-c” flag captures a specific number of packets and then exits; for example, the command below captures 20 packets on the eth0 interface:
tcpdump -i eth0 -c 20
Print captured packets in ASCII
The TCPdump command below, with the “-A” flag, prints the captured packets in ASCII (a character-encoding scheme), which makes text-based payloads readable.
tcpdump -i eth0 -A
Display available interfaces
To list the interfaces available on the system, run the following command:
tcpdump -D
Capture and save packets in a file
TCPdump can save the packets it captures to a “.pcap” file; to do this, run:
tcpdump -w eth0.pcap -i eth0
If you don’t use the “-c” flag, it keeps capturing on eth0 and writing to the output file until you stop it with “Ctrl+C”.
To read and analyze the file you just created, run:
tcpdump -r eth0.pcap
Capture IP address packets
If you want to capture on your network interface and analyze the IP addresses, use the “-n” flag: it stops TCPdump from translating IP addresses into hostnames, which avoids DNS lookups and shows the raw addresses.
tcpdump -n -i eth0
Capture only TCP packets
To capture only TCP packets, add the “tcp” filter to your command:
tcpdump -i eth0 -c 20 -w tcpanalyze.pcap tcp
Capture packets from a specific port
Suppose you want to monitor a specific port such as 80; you can do that with the following TCPdump command:
tcpdump -i eth0 port 80
Filter records with source and destination IP
To capture packets from a source IP, use the following command:
tcpdump -i eth0 src 192.168.1.1
You can monitor packets to a destination IP as well, with the command below:
tcpdump -i eth0 dst 192.168.1.1
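The filters above can be combined with “and” into one expression. The script below is an added example, not part of the original tutorial: it builds a compound filter from the tcp, port, src and dst primitives shown above (checking that the port and IP addresses are well-formed first), runs a bounded capture into a .pcap file with “-n”, and reads the file back. It assumes tcpdump is installed, that it runs as root, and uses the hypothetical file name web.pcap.

```shell
#!/bin/sh
# Added example (not from the original tutorial). Assumes tcpdump is installed
# and the script runs as root (or via sudo).

# Succeeds if $1 looks like a dotted-quad IPv4 address.
is_ipv4() {
    echo "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'
}

# build_filter PROTO PORT SRC DST
# Prints e.g. "tcp and port 80 and src host 192.168.1.1".
# Empty arguments are skipped, so any subset of the primitives can be combined.
build_filter() {
    proto=$1; port=$2; src=$3; dst=$4
    f=""
    [ -n "$proto" ] && f="$proto"
    if [ -n "$port" ]; then
        case $port in
            *[!0-9]*) echo "bad port: $port" >&2; return 1 ;;
        esac
        [ "$port" -le 65535 ] || { echo "bad port: $port" >&2; return 1; }
        f="${f:+$f and }port $port"
    fi
    if [ -n "$src" ]; then
        is_ipv4 "$src" || { echo "bad src: $src" >&2; return 1; }
        f="${f:+$f and }src host $src"
    fi
    if [ -n "$dst" ]; then
        is_ipv4 "$dst" || { echo "bad dst: $dst" >&2; return 1; }
        f="${f:+$f and }dst host $dst"
    fi
    printf '%s\n' "$f"
}

# capture IFACE COUNT OUTFILE FILTER
# Captures COUNT packets matching FILTER into OUTFILE, then reads the file back
# with -n so no DNS lookups are generated while analyzing.
capture() {
    iface=$1; count=$2; out=$3; filter=$4
    tcpdump -i "$iface" -c "$count" -n -w "$out" "$filter" && tcpdump -n -r "$out"
}

# Usage (hypothetical values): 20 TCP packets to port 80 from 192.168.1.1 on eth0.
# capture eth0 20 web.pcap "$(build_filter tcp 80 192.168.1.1 "")"
```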
You can find more information about TCPdump on its official website!