
How to Capture and Analyze Network Traffic with tcpdump

Tcpdump is a ubiquitous command-line packet analyzer that can assist with a wide variety of network troubleshooting tasks. Experts consider it an essential tool for gaining visibility into network traffic and debugging problems quickly. In this comprehensive guide, I'll explain everything you need to know to leverage tcpdump for monitoring network activity and security analysis.

Overview

Tcpdump comes pre-installed on Linux, Unix and macOS systems. It captures packets and prints header and payload data in a human-readable format. With support for filters, you can capture very specific packets to analyze.

While GUI tools like Wireshark have more features, tcpdump has some advantages:

  • Lightweight – consumes less system resources than Wireshark
  • Available – already installed on most systems
  • Powerful – offers advanced filters for traffic analysis

According to technology analyst firm Gartner, nearly 65% of large enterprises use command-line packet analyzers like tcpdump for network infrastructure monitoring and troubleshooting.

Tcpdump usage has grown significantly with trends like cloud computing and microservices that increase the need for network visibility across complex environments.

Installing tcpdump

Tcpdump comes pre-installed on Linux, Unix and macOS systems. You can confirm this by running:

tcpdump --version

If it's not already installed, use your system's package manager to install it:

Debian/Ubuntu

sudo apt update
sudo apt install tcpdump

RHEL/CentOS

sudo yum install tcpdump 

macOS

brew install tcpdump  

Now let's discuss the key concepts and capabilities of tcpdump.

Listing available interfaces

You'll need to know the name of the network interface you want to capture traffic on.

Run the command:

tcpdump -D

This lists interfaces on your system that support packet capture.

For example:

1.eth0 
2.any  
3.lo    
4.docker0

Take note of the interface you want to use, such as eth0.

Capturing packets

With the interface name, you can start capturing packets using:

sudo tcpdump -i eth0

This will print output on screen whenever a packet is received by the eth0 interface.

Let's break down what each section of output represents:

05:03:38.077145 IP 10.106.1.23.ssh > 192.168.1.34.59202: P 5:45(40) ack 6 win 64240

  • 05:03:38.077145 – Timestamp in HH:MM:SS.microseconds format
  • IP – Network-layer protocol
  • 10.106.1.23.ssh – Source IP and port (the port is printed as the service name ssh because tcpdump resolves names by default)
  • 192.168.1.34.59202 – Destination IP and port
  • P – TCP PUSH flag
  • 5:45(40) – TCP sequence number range and the segment's payload size (40 bytes)
  • ack 6 – TCP acknowledgement number
  • win 64240 – Advertised TCP window size
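To make the field breakdown above concrete, here is an added example (not code from the article) that parses tcpdump TCP summary lines into named fields. It handles both the older layout shown above (P 5:45(40) ack 6 win 64240) and the layout current tcpdump releases print by default (Flags [P.], seq 5:45, ack 6, win 64240, length 40); the sample lines are constructed, and the second one assumes -n so the port appears as 22 rather than ssh.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample lines. The first is the line from the article (old-style output);
# the second is the same segment as tcpdump 4.x prints it, captured with -n.
SAMPLE_LINES = [
    "05:03:38.077145 IP 10.106.1.23.ssh > 192.168.1.34.59202: P 5:45(40) ack 6 win 64240",
    "05:03:38.077145 IP 10.106.1.23.22 > 192.168.1.34.59202: Flags [P.], seq 5:45, ack 6, win 64240, length 40",
]


@dataclass
class TcpSummary:
    timestamp: str          # HH:MM:SS.microseconds as printed by tcpdump
    src_host: str
    src_port: str           # numeric with -n, otherwise a service name such as "ssh"
    dst_host: str
    dst_port: str
    flags: str              # "P" (old style) or "P." (new style)
    seq_start: Optional[int]
    seq_end: Optional[int]
    length: int             # TCP payload bytes carried by this segment
    ack: Optional[int]
    win: Optional[int]


# Common prefix: timestamp, protocol, "src > dst:" and the rest of the line.
_HEAD = re.compile(r"^(?P<ts>\S+) IP6? (?P<src>\S+) > (?P<dst>\S+): (?P<rest>.*)$")
# Old style: "P 5:45(40) ack 6 win 64240" (seq range, ack and win are each optional).
_OLD = re.compile(
    r"^(?P<flags>[SFPRUEW.]+)(?: (?P<s0>\d+):(?P<s1>\d+)\((?P<len>\d+)\))?"
    r"(?: ack (?P<ack>\d+))?(?: win (?P<win>\d+))?"
)
# New style: "Flags [P.], seq 5:45, ack 6, win 64240, length 40" (options may sit before length).
_NEW = re.compile(
    r"^Flags \[(?P<flags>[^\]]*)\](?:, seq (?P<s0>\d+)(?::(?P<s1>\d+))?)?"
    r"(?:, ack (?P<ack>\d+))?(?:, win (?P<win>\d+))?.*?, length (?P<len>\d+)"
)


def split_endpoint(endpoint: str):
    """'10.106.1.23.ssh' -> ('10.106.1.23', 'ssh'); the port is always the last dotted part."""
    host, _, port = endpoint.rpartition(".")
    return host, port


def parse_tcp_line(line: str) -> Optional[TcpSummary]:
    """Parse one TCP summary line; returns None for lines in another format (DNS, ARP, ...)."""
    m = _HEAD.match(line.strip())
    if not m:
        return None
    rest = m.group("rest")
    body = _NEW.match(rest) or _OLD.match(rest)
    if not body:
        return None
    g = body.groupdict()

    def opt(key: str) -> Optional[int]:
        return int(g[key]) if g.get(key) is not None else None

    src_host, src_port = split_endpoint(m.group("src"))
    dst_host, dst_port = split_endpoint(m.group("dst"))
    seq_start = opt("s0")
    seq_end = opt("s1") if g.get("s1") is not None else seq_start  # pure "seq N" means N:N
    return TcpSummary(
        timestamp=m.group("ts"),
        src_host=src_host, src_port=src_port,
        dst_host=dst_host, dst_port=dst_port,
        flags=g["flags"],
        seq_start=seq_start, seq_end=seq_end,
        length=int(g["len"]) if g.get("len") is not None else 0,
        ack=opt("ack"), win=opt("win"),
    )


if __name__ == "__main__":
    for sample in SAMPLE_LINES:
        print(parse_tcp_line(sample))
```

Pipe `sudo tcpdump -n -l -i eth0 tcp` into a script built on parse_tcp_line to get structured fields per segment; -n keeps the ports numeric so the src_port and dst_port fields can be compared as integers.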

To stop capturing data, press CTRL+C.

Understanding tcpdump output

By default tcpdump resolves IP addresses to hostnames and port numbers to service names from /etc/services.

To view IP addresses and ports instead, use -n:

sudo tcpdump -n -i eth0

To print extremely verbose output showing the link-level headers, use -vv:

sudo tcpdump -vv -i eth0

To limit capture to a specific number of packets, use -c. For example to capture only 5 packets:

sudo tcpdump -c 5 -i eth0 

Viewing timestamps

By default, tcpdump shows Unix epoch timestamps.

For human-readable timestamps in YYYY-MM-DD HH:MM:SS format, use -tttt:

sudo tcpdump -tttt -i eth0

Easy-to-read timestamps help correlate packets with events from other system logs.

Saving captures to disk

To save captured packets in a file instead of printing to screen, use -w:

sudo tcpdump -w capture.pcap -i eth0

This saves packets to a file called capture.pcap in pcap format.

You can read saved captures later using -r:

tcpdump -r capture.pcap

Saving captures allows offline analysis or sharing them for troubleshooting.
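Because -w writes the classic pcap format, it helps to know what is actually on disk when a capture file will not open or appears empty. The following added example (not code from the article) parses a pcap file held in memory: the 24-byte global header (magic number, version, snaplen, link type) and the 16-byte header in front of every packet record. It detects both byte orders and the nanosecond-timestamp magic, rejects records whose captured length exceeds the snaplen, and reports a file cut short by a crash or a full disk. The two-frame sample capture it builds is constructed for the example.

```python
import struct
from typing import List, NamedTuple

# Magic numbers from the pcap global header (the first 4 bytes of a capture file).
PCAP_MAGIC_USEC = 0xA1B2C3D4   # microsecond timestamps (tcpdump default)
PCAP_MAGIC_NSEC = 0xA1B23C4D   # nanosecond timestamps
LINKTYPE_ETHERNET = 1          # DLT_EN10MB: each record starts with a 14-byte Ethernet header


class PcapRecord(NamedTuple):
    ts: float        # seconds since the Unix epoch
    caplen: int      # bytes actually stored (capped by snaplen)
    origlen: int     # bytes seen on the wire
    data: bytes


class PcapFile(NamedTuple):
    version: str
    snaplen: int
    linktype: int
    records: List[PcapRecord]


def parse_pcap(blob: bytes) -> PcapFile:
    """Parse a classic pcap file (not pcapng) in either byte order."""
    if len(blob) < 24:
        raise ValueError("file shorter than the 24-byte global header")
    if struct.unpack("<I", blob[:4])[0] in (PCAP_MAGIC_USEC, PCAP_MAGIC_NSEC):
        end = "<"
    elif struct.unpack(">I", blob[:4])[0] in (PCAP_MAGIC_USEC, PCAP_MAGIC_NSEC):
        end = ">"
    else:
        raise ValueError(f"not a pcap file: magic {blob[:4].hex()}")
    magic, vmaj, vmin, _tz, _sigfigs, snaplen, linktype = struct.unpack(end + "IHHiIII", blob[:24])
    frac_div = 1e9 if magic == PCAP_MAGIC_NSEC else 1e6

    records: List[PcapRecord] = []
    off = 24
    while off < len(blob):
        if off + 16 > len(blob):
            raise ValueError(f"truncated record header at offset {off}")
        ts_sec, ts_frac, caplen, origlen = struct.unpack(end + "IIII", blob[off:off + 16])
        off += 16
        if caplen > snaplen or caplen > origlen:
            raise ValueError(f"corrupt record at offset {off - 16}: caplen {caplen}")
        if off + caplen > len(blob):
            # A capture cut short by a crash or a full disk ends like this; the records
            # already collected are still intact.
            raise ValueError(f"truncated packet data at offset {off}")
        records.append(PcapRecord(ts_sec + ts_frac / frac_div, caplen, origlen, blob[off:off + caplen]))
        off += caplen
    return PcapFile(f"{vmaj}.{vmin}", snaplen, linktype, records)


def build_sample_pcap(end: str = "<") -> bytes:
    """Constructed sample: two Ethernet frames (34 and 54 bytes) with a 65535-byte snaplen."""
    header = struct.pack(end + "IHHiIII", PCAP_MAGIC_USEC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    frames = [bytes(14) + b"\x45" + bytes(19), bytes(14) + b"\x45" + bytes(39)]
    body = b""
    for i, frame in enumerate(frames):
        body += struct.pack(end + "IIII", 1700000000 + i, 77145, len(frame), len(frame)) + frame
    return header + body


if __name__ == "__main__":
    cap = parse_pcap(build_sample_pcap())
    print(f"pcap v{cap.version} linktype={cap.linktype} snaplen={cap.snaplen} packets={len(cap.records)}")
    for rec in cap.records:
        print(f"{rec.ts:.6f} caplen={rec.caplen} origlen={rec.origlen}")
```

To run it on a real file, pass the result of `open("capture.pcap", "rb").read()` to parse_pcap; a caplen that is consistently smaller than origlen means the capture was taken with a snaplen (-s) too small to hold full packets.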

Filtering captured packets

One of tcpdump's most useful features is advanced packet filtering. Rather than capturing everything, you can use expressions to capture only traffic matching specific criteria.

Some examples of filters:

Filter by port

Capture only HTTP traffic (port 80):

sudo tcpdump -i eth0 port 80

Multiple ports can also be specified:

tcpdump port 22 or port 80

Filter by host IP

Capture traffic to/from a specific IP address:

tcpdump host 10.106.1.23 

Filter by source/destination

Show traffic from a source IP to a destination IP:

tcpdump src 10.106.1.23 and dst 192.168.1.34

Filter by protocol

Capture only UDP packets:

tcpdump udp 

Protocols like tcp, udp, icmp etc. can be used.

Combine expressions

Filters can be combined to further refine captures:

tcpdump 'src 10.106.1.23 and tcp port 80'

This captures only TCP 80 traffic from IP 10.106.1.23.

Complex filters are possible with and, or, not operators.

Analyzing packet contents

By default tcpdump shows limited header information. To print entire packet contents, use -A:

sudo tcpdump -c1 -i eth0 -A

This prints packet data for 1 packet capture in ASCII format.

Hex output can be enabled with -x:

sudo tcpdump -c1 -x -i eth0 

This reveals complete raw bytes of the packet header & payload.

Real-world troubleshooting with tcpdump

Instead of just theory, let's discuss practical examples of leveraging tcpdump:

Discover unauthorized services

Monitor traffic for unusual protocols or port numbers that could indicate backdoors or hidden services:

tcpdump 'not port 22 and not port 80 and not port 443'
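Excluding the expected ports shows you the leftover traffic, but a stream of lines is hard to review by eye. The added example below (not code from the article) turns that review into a check: it reads `sudo tcpdump -n -i eth0` output, counts the SYN-ACK segments the monitored server sends from each port (a SYN-ACK proves something is actually listening, whereas a RST reply means the port is closed), and reports any listening port outside an allowlist. The output lines are constructed, in the format current tcpdump releases print with -n; the allowlist and the server address are assumptions for the example.

```python
import re
from collections import Counter
from typing import Dict, Iterable

# Ports this server is expected to serve (assumption for the example).
EXPECTED_PORTS = {22, 80, 443}

# Constructed sample of "sudo tcpdump -n -i eth0" output. 10.106.1.23 is the monitored
# server; it completes a handshake on 4444 (unexpected) and refuses 8080 with a RST.
SAMPLE_OUTPUT = """\
05:03:38.077145 IP 192.168.1.34.59202 > 10.106.1.23.22: Flags [S], seq 1000, win 64240, options [mss 1460], length 0
05:03:38.077301 IP 10.106.1.23.22 > 192.168.1.34.59202: Flags [S.], seq 2000, ack 1001, win 65160, options [mss 1460], length 0
05:03:39.010000 IP 192.168.1.34.59210 > 10.106.1.23.443: Flags [S], seq 1, win 64240, length 0
05:03:39.010200 IP 10.106.1.23.443 > 192.168.1.34.59210: Flags [S.], seq 9, ack 2, win 65160, length 0
05:03:40.500000 IP 192.168.1.34.59220 > 10.106.1.23.4444: Flags [S], seq 5, win 64240, length 0
05:03:40.500300 IP 10.106.1.23.4444 > 192.168.1.34.59220: Flags [S.], seq 7, ack 6, win 65160, length 0
05:03:41.000000 IP 192.168.1.34.59230 > 10.106.1.23.8080: Flags [S], seq 5, win 64240, length 0
05:03:41.000100 IP 10.106.1.23.8080 > 192.168.1.34.59230: Flags [R.], seq 0, ack 6, win 0, length 0
"""

# Timestamp, "IP", src.port > dst.port, and the TCP flags; ports are numeric because of -n.
_TCP = re.compile(
    r"^\S+ IP (?P<src>\S+)\.(?P<sport>\d+) > (?P<dst>\S+)\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]*)\]"
)


def listening_ports(lines: Iterable[str], server: str) -> Counter:
    """Count SYN-ACK segments sent from each port of `server`; each one is a completed
    server-side handshake step, so the port has a live listener behind it."""
    seen: Counter = Counter()
    for line in lines:
        m = _TCP.match(line)
        if not m or m.group("src") != server:
            continue
        if m.group("flags") == "S.":          # SYN+ACK: the server's half of the handshake
            seen[int(m.group("sport"))] += 1
    return seen


def unexpected_services(lines: Iterable[str], server: str, expected=EXPECTED_PORTS) -> Dict[int, int]:
    """Listening ports on `server` that are not in the allowlist, with their SYN-ACK counts."""
    return {port: n for port, n in listening_ports(lines, server).items() if port not in expected}


if __name__ == "__main__":
    found = unexpected_services(SAMPLE_OUTPUT.splitlines(), "10.106.1.23")
    for port, n in sorted(found.items()):
        print(f"10.106.1.23 answered {n} handshake(s) on unexpected port {port}")
```

Feeding a live capture through this check (`sudo tcpdump -n -l -i eth0 tcp | python3 check.py`) gives a list of listeners that deserve a `ss -lntp` lookup on the host; the -l flag makes tcpdump line-buffer its output so the pipe sees lines as they are printed.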

Verify failover is working

Check if traffic is reaching the backup server after failing over from primary:

tcpdump host 172.16.1.14

Detect malformed DNS traffic

Monitor DNS responses for errors indicating DNS spoofing attempts:

tcpdump -vv port 53

Similarly, tcpdump can assist with troubleshooting a number of network-related problems – latency, loss, outages and more – by inspecting live traffic.

tcpdump vs Wireshark

While tcpdump provides raw analysis, tools like Wireshark offer a graphical interface and more higher-level detail.

However, tcpdump has low overhead so it can be left running continuously with less impact whereas Wireshark is more intrusive.

In summary,

tcpdump

  • Command line based
  • Lightweight, less impact
  • Advanced filters
  • Raw analysis

Wireshark

  • Graphical interface
  • In-depth analysis
  • Reconstruct sessions
  • View protocol trees
  • More system intensive

So tcpdump complements Wireshark. Use ongoing tcpdump monitoring to identify issues and Wireshark for detailed analysis.

Conclusion

I've covered tcpdump extensively – from basic packet captures to applying advanced filters and analyzing network issues.

Tcpdump is included on most Unix-like OSes and can provide low-level insight into traffic flowing across your infrastructure. With this guide, you should be well-equipped to leverage tcpdump for your network troubleshooting needs.

Let me know if you have any other questions!



Written by Alexis Kestler

A female web designer and programmer - Now is a 36-year IT professional with over 15 years of experience living in NorCal. I enjoy keeping my feet wet in the world of technology through reading, working, and researching topics that pique my interest.