Capture Packets with Tcpdump
Tcpdump is a powerful network debugging tool that can be used for intercepting and displaying packets on a network interface. An important feature of tcpdump is a filter that allows you to display only the packets you want to see.
In this example, we are using Ubuntu 8.10, but the installation steps are similar for other Linux distributions. The following command installs tcpdump under Ubuntu:
sudo apt-get install tcpdump
sudo tcpdump [options] [filter expression]
By default, tcpdump captures packets on eth0. We can specify a
different interface using the
-i command line flag. This command
captures all packets on the eth1 interface:
sudo tcpdump -i eth1
In the following example, we will listen to all UDP connections:
sudo tcpdump udp
Use this command to capture packets for a specific port:
sudo tcpdump port 80
Our command is returning all packets which have port 80 as their destination or source port.
Now let’s be more specific and capture only packets with destination port 80. If you have a web server on your cloud, you can use the command below to see incoming packets.
sudo tcpdump dst port 80
You can also capture packets for a specific host. This command catches packets coming only from IP 126.96.36.199:
sudo tcpdump src host 188.8.131.52
Tcpdump can take logical arguments such as
and, as well as
can use logical statements in a tcpdump command. For example, this command catches
all the SSH packets going from an SSH server to a client with IP
sudo tcpdump "src port 22" and "dst host 184.108.40.206"
Raw packets can be conveniently saved to a file using the ‘-w’ option:
tcpdump host 220.127.116.11 -w /home/users/demo/demo.dump
Let’s read the saved file:
tcpdump -r /home/users/demo/demo.dump
Tcpdump is a powerful packet sniffer and a common tool used by system administrators to solve network problems and investigate traffic. It can be used with Boolean expressions to capture only those packets you’re interested.
©2019 Rackspace US, Inc.
Except where otherwise noted, content on this site is licensed under a Creative Commons Attribution-NonCommercial-NoDerivs 3.0 Unported License