How to Capture Network Traffic using Tcpdump

Need Hosting? Try ours, it's fast, reliable and feature loaded with support you can depend on. View Plans

Introduction

Tcpdump is one of the most widely used and powerful command line utilities out there that can be used to capture TCP/IP packets transferred over a network. Tcpdump provides various options to save the packet in data file. Tcpdump runs on all Unix-based operating systems and uses libpcap library to capture network traffic.

In this tutorial, we will explain some practical examples on how to use the Tcpdump command to capture network traffic.

Requirements

Ubuntu-16.04 desktop or server installed on your system.

#Install Tcpdump

Installing tcpdump on an Ubuntu based system is very easy. You can install it by just running the following command:

sudo apt-get install tcpdump

Display Available Interfaces

You can list out the number of available network interface on the system by running the following command:

sudo tcpdump -D

Output:

1.wlan0 2.lxcbr0 3.vethFY0XH3 4.docker0 5.bluetooth0 (Bluetooth adapter number 0) 6.br-7b9ff245c3a0 7.any (Pseudo-device that captures on all interfaces) 8.lo

Capture Packets from Specific Specific Interface

You can use tcpdump with -i switch to capture packets from specific network interface.

`sudo tcpdump -i wlan0

Output:

15:40:50.747090 IP Vyom-PC.43342 > bom07s01-in-f134.1e100.net.https: Flags [.], ack 1282899678, win 258, options [nop,nop,TS val 332247 ecr 1987068517], length 0 15:40:50.993764 IP bom07s01-in-f134.1e100.net.https > Vyom-PC.43342: Flags [.], ack 1, win 392, options [nop,nop,TS val 1987113703 ecr 320979], length 0 15:40:51.198114 IP Vyom-PC.20061 > 192.168.43.1.domain: 46347+ PTR? 134.199.58.216.in-addr.arpa. (45) 15:40:51.201031 IP 192.168.43.1.domain > Vyom-PC.20061: 46347 2/0/0 PTR bom07s01-in-f134.1e100.net., PTR bom07s01-in-f6.1e100.net. (123) 15:40:51.202267 IP Vyom-PC.2167 > 192.168.43.1.domain: 61665+ PTR? 4.43.168.192.in-addr.arpa. (43) 15:40:51.204859 IP 192.168.43.1.domain > Vyom-PC.2167: 61665* 1/0/0 PTR Vyom-PC. (64) 15:40:52.207794 IP Vyom-PC.20690 > 192.168.43.1.domain: 64790+ PTR? 1.43.168.192.in-addr.arpa. (43) 15:40:55.759056 ARP, Request who-has 192.168.43.1 tell Vyom-PC, length 28 15:40:55.764676 ARP, Reply 192.168.43.1 is-at 24:da:9b:80:51:7d (oui Unknown), length 28 15:40:57.211338 IP Vyom-PC.20690 > 192.168.43.1.domain: 64790+ PTR? 1.43.168.192.in-addr.arpa. (43) 15:41:00.959067 IP Vyom-PC.43343 > bom07s01-in-f134.1e100.net.https: Flags [.], ack 1089874911, win 229, options [nop,nop,TS val 334800 ecr 1988976757], length 0 15:41:01.223447 IP bom07s01-in-f134.1e100.net.https > Vyom-PC.43343: Flags [R], seq 1089874911, win 0, length 0 15:41:01.780206 IP Vyom-PC.28561 > 192.168.43.1.domain: 24419+ A? staticxx.facebook.com. (39) 15:41:01.794109 IP Vyom-PC.4228 > 192.168.43.1.domain: 63237+ A? platform.twitter.com. (38) 15:41:02.370899 IP 192.168.43.1.domain > Vyom-PC.28561: 24419 2/0/0 CNAME scontent.xx.fbcdn.net., A 31.13.93.7 (90) 15:41:02.431873 IP 192.168.43.1.domain > Vyom-PC.4228: 63237 2/0/0 CNAME platform-eb.twitter.com., A 199.96.57.6 (80) 15:41:03.831458 IP Vyom-PC.63206 > 192.168.43.1.domain: 40927+ A? www.facebook.com. (34) 15:41:03.882898 IP 192.168.43.1.domain > Vyom-PC.63206: 40927 2/0/0 CNAME star-mini.c10r.facebook.com., A 31.13.93.36 (79)

Capture a Specific Number of Packets

When you run tcpdump command it will capture packets continuously, until you press the cancel button. But you can also capture specific number of packets using -c option.

For example, to capture 10 packets on interface wlan0, run the following command:

sudo tcpdump -c 10 -i wlan0

Output:

tcpdump: verbose output suppressed, use -v or -vv for full protocol decode listening on wlan0, link-type EN10MB (Ethernet), capture size 65535 bytes 15:45:40.540228 IP bom07s01-in-f14.1e100.net.https > Vyom-PC.36458: Flags [.], ack 2464475252, win 341, options [nop,nop,TS val 909043884 ecr 404556], length 0 15:45:40.540426 IP bom07s01-in-f14.1e100.net.https > Vyom-PC.36458: Flags [P.], seq 0:148, ack 1, win 341, options [nop,nop,TS val 909043884 ecr 404556], length 148 15:45:40.540471 IP Vyom-PC.36458 > bom07s01-in-f14.1e100.net.https: Flags [.], ack 148, win 237, options [nop,nop,TS val 404695 ecr 909043884], length 0 15:45:40.540805 IP Vyom-PC.36458 > bom07s01-in-f14.1e100.net.https: Flags [P.], seq 1:44, ack 148, win 237, options [nop,nop,TS val 404695 ecr 909043884], length 43 15:45:40.557496 IP Vyom-PC.36458 > bom07s01-in-f14.1e100.net.https: Flags [P.], seq 44:89, ack 148, win 237, options [nop,nop,TS val 404699 ecr 909043884], length 45 15:45:40.557570 IP Vyom-PC.36458 > bom07s01-in-f14.1e100.net.https: Flags [P.], seq 89:131, ack 148, win 237, options [nop,nop,TS val 404699 ecr 909043884], length 42 15:45:40.557610 IP Vyom-PC.36458 > bom07s01-in-f14.1e100.net.https: Flags [P.], seq 131:165, ack 148, win 237, options [nop,nop,TS val 404699 ecr 909043884], length 34 15:45:40.557862 IP Vyom-PC.36458 > bom07s01-in-f14.1e100.net.https: Flags [P.], seq 165:393, ack 148, win 237, options [nop,nop,TS val 404699 ecr 909043884], length 228 15:45:40.625978 IP bom07s01-in-f14.1e100.net.https > Vyom-PC.36458: Flags [P.], seq 148:202, ack 44, win 341, options [nop,nop,TS val 909043958 ecr 404695], length 54 15:45:40.626154 IP bom07s01-in-f14.1e100.net.https > Vyom-PC.36458: Flags [P.], seq 202:236, ack 44, win 341, options [nop,nop,TS val 909043958 ecr 404695], length 34 10 packets captured 28 packets received by filter 0 packets dropped by kernel

Display Captured Packets in ASCII

You can print captured packets using -A switch by running the following command:

sudo tcpdump -A

Output:

tcpdump: verbose output suppressed, use -v or -vv for full protocol decode listening on wlan0, link-type EN10MB (Ethernet), capture size 65535 bytes 15:49:48.639241 IP Vyom-PC.36468 > bom07s01-in-f142.1e100.net.https: Flags [.], ack 1337692423, win 262, options [nop,nop,TS val 466720 ecr 1996389772], length 0 E..4J.@.@.d...+..:...t..T ..O.............. ... v.}. 15:49:48.696915 IP bom07s01-in-f142.1e100.net.https > Vyom-PC.36468: Flags [.], ack 1, win 373, options [nop,nop,TS val 1996434895 ecr 410184], length 0 E..4.y..8....:....+....tO...T .....u*...... v.-...BH 15:49:49.123878 IP Vyom-PC.52756 > 192.168.43.1.domain: 51923+ PTR? 142.199.58.216.in-addr.arpa. (45) E..I. @.@.HD..+...+....5.5+..............142.199.58.216.in-addr.arpa..... 15:49:49.126967 IP 192.168.43.1.domain > Vyom-PC.52756: 51923 2/0/0 PTR bom07s01-in-f142.1e100.net., PTR bom07s01-in-f14.1e100.net. (124) E.....@.@.b...+...+..5....pM.............142.199.58.216.in-addr.arpa.............z>...bom07s01-in-f142.1e100.net.........z>...bom07s01-in-f14.1e100.net.

Save Captured Packets in a File

Tcpdump provides a feature to capture and save packet in .pcap file format.

You can do this by using tcpdump command with -w option:

sudo tcpdump -w packet.pcap -i wlan0

Output:

tcpdump: listening on wlan0, link-type EN10MB (Ethernet), capture size 65535 bytes 47 packets captured 47 packets received by filter 0 packets dropped by kernel

Read Captured Packets File

You can also read captured packets from the file packet.pcap using -r option.

sudo tcpdump -r packet.pcap

Output:

reading from file packet.pcap, link-type EN10MB (Ethernet) 15:55:41.711228 IP Vyom-PC.54480 > unknown.telstraglobal.net.https: Flags [.], ack 1499061941, win 35252, length 0 15:55:42.352855 IP unknown.telstraglobal.net.https > Vyom-PC.54480: Flags [.], ack 1, win 13168, length 0 15:55:46.719096 ARP, Request who-has 192.168.43.1 tell Vyom-PC, length 28 15:55:46.724723 ARP, Reply 192.168.43.1 is-at 24:da:9b:80:51:7d (oui Unknown), length 28 15:55:46.828946 IP Vyom-PC.61667 > 192.168.43.1.domain: 2377+ A? stats-public.grammarly.io. (43) 15:55:47.343824 IP 192.168.43.1.domain > Vyom-PC.61667: 2377 2/0/0 CNAME ec2-54-198-236-163.compute-1.amazonaws.com., A 54.198.236.163 (115) 15:55:47.344520 IP Vyom-PC.51246 > ec2-54-198-236-163.compute-1.amazonaws.com.https: Flags [S], seq 139582281, win 29200, options [mss 1460,sackOK,TS val 556396 ecr 0,nop,wscale 7], length 0 15:55:47.581630 IP Vyom-PC.51247 > ec2-54-198-236-163.compute-1.amazonaws.com.https: Flags [S], seq 4019141426, win 29200, options [mss 1460,sackOK,TS val 556455 ecr 0,nop,wscale 7], length 0

Capture Packet from Specific Port

To capture packets from specific port, run the following command:

sudo tcpdump -i wlan0 port 22

Output:

tcpdump: listening on wlan0, link-type EN10MB (Ethernet), capture size 65535 bytes 16:12:14.271113 IP (tos 0x0, ttl 64, id 4416, offset 0, flags [DF], proto TCP (6), length 52) Vyom-PC.45256 > bom07s01-in-f2.1e100.net.https: Flags [.], cksum 0x66ee (correct), ack 704958143, win 262, options [nop,nop,TS val 803128 ecr 1996234086], length 0 16:12:14.468463 IP (tos 0x0, ttl 64, id 7031, offset 0, flags [DF], proto UDP (17), length 73) Vyom-PC.64023 > 192.168.43.1.domain: 12519+ PTR? 130.199.58.216.in-addr.arpa. (45) 16:12:14.494358 IP (tos 0x0, ttl 56, id 42504, offset 0, flags [none], proto TCP (6), length 52) bom07s01-in-f2.1e100.net.https > Vyom-PC.45256: Flags [.], cksum 0x3920 (correct), ack 1, win 635, options [nop,nop,TS val 1996279324 ecr 769242], length 0 16:12:14.621544 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto UDP (17), length 151) 192.168.43.1.domain > Vyom-PC.64023: 12519 2/0/0 130.199.58.216.in-addr.arpa. PTR bom07s01-in-f2.1e100.net., 130.199.58.216.in-addr.arpa. PTR bom07s01-in-f130.1e100.net. (123) 16:12:14.622072 IP (tos 0x0, ttl 64, id 7032, offset 0, flags [DF], proto UDP (17), length 71) Vyom-PC.40692 > 192.168.43.1.domain: 36419+ PTR? 4.43.168.192.in-addr.arpa. (43) 16:12:14.622698 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto UDP (17), length 92) 192.168.43.1.domain > Vyom-PC.40692: 36419* 1/0/0 4.43.168.192.in-addr.arpa. PTR Vyom-PC. (64) 16:12:15.624388 IP (tos 0x0, ttl 64, id 7033, offset 0, flags [DF], proto UDP (17), length 71) Vyom-PC.6105 > 192.168.43.1.domain: 56925+ PTR? 1.43.168.192.in-addr.arpa. (43)

Capture only TCP Packets

To capture only TCp packets, run the following command:

sudo tcpdump -i wlan0 tcp

Output:

tcpdump: verbose output suppressed, use -v or -vv for full protocol decode listening on wlan0, link-type EN10MB (Ethernet), capture size 65535 bytes 16:16:33.119464 IP Vyom-PC.38928 > ec2-54-90-148-22.compute-1.amazonaws.com.https: Flags [.], ack 4095000419, win 229, options [nop,nop,TS val 867840 ecr 2784413801], length 0 16:16:34.245441 IP ec2-54-90-148-22.compute-1.amazonaws.com.https > Vyom-PC.38928: Flags [.], ack 1, win 210, options [nop,nop,TS val 2784425261 ecr 856589], length 0 16:16:35.359096 IP Vyom-PC.36521 > bom07s01-in-f142.1e100.net.https: Flags [.], ack 1329362084, win 229, options [nop,nop,TS val 868400 ecr 1995067644], length 0 16:16:35.634033 IP bom07s01-in-f142.1e100.net.https > Vyom-PC.36521: Flags [R], seq 1329362084, win 0, length 0 16:16:42.810310 IP Vyom-PC.46586 > bom05s08-in-f162.1e100.net.https: Flags [.], seq 191577511:191578869, ack 3383719639, win 254, options [nop,nop,TS val 870262 ecr 1609825056], length 1358 16:16:42.810465 IP Vyom-PC.46586 > bom05s08-in-f162.1e100.net.https: Flags [P.], seq 1358:1367, ack 1, win 254, options [nop,nop,TS val 870262 ecr 1609825056], length 9 16:16:42.810623 IP Vyom-PC.46586 > bom05s08-in-f162.1e100.net.https: Flags [P.], seq 1367:1405, ack 1, win 254, options [nop,nop,TS val 870262 ecr 1609825056], length 38 16:16:42.811603 IP Vyom-PC.46586 > bom05s08-in-f162.1e100.net.https: Flags [P.], seq 1405:2213, ack 1, win 254, options [nop,nop,TS val 870263 ecr 1609825056], length 808 16:16:42.820642 IP Vyom-PC.46586 > bom05s08-in-f162.1e100.net.https: Flags [.], seq 2213:3571, ack 1, win 254, options [nop,nop,TS val 870265 ecr 1609825056], length 1358 16:16:42.820700 IP Vyom-PC.46586 > bom05s08-in-f162.1e100.net.https: Flags [P.], seq 3571:3602, ack 1, win 254, options [nop,nop,TS val 870265 ecr 1609825056], length 31 16:16:42.820858 IP Vyom-PC.46586 > bom05s08-in-f162.1e100.net.https: Flags [P.], seq 3602:4247, ack 1, win 254, options [nop,nop,TS val 870265 ecr 1609825056], length 645

Capture packets with IP Address

To capture packets with IP address use tcpdump command with -n option:

sudo tcpdump -n -i wlan0

Output:

tcpdump: verbose output suppressed, use -v or -vv for full protocol decode listening on wlan0, link-type EN10MB (Ethernet), capture size 65535 bytes 16:19:39.778704 IP 192.168.43.4.64105 > 192.168.43.1.53: 28956+ A? staticxx.facebook.com. (39) 16:19:40.127052 IP 192.168.43.4.55027 > 104.65.140.27.80: Flags [.], ack 2417585591, win 244, options [nop,nop,TS val 914592 ecr 3700427000], length 0 16:19:40.138398 IP 192.168.43.1.53 > 192.168.43.4.64105: 28956 2/0/0 CNAME scontent.xx.fbcdn.net., A 31.13.93.7 (90) 16:19:40.437891 IP 104.65.140.27.80 > 192.168.43.4.55027: Flags [.], ack 1, win 1053, options [nop,nop,TS val 3700472510 ecr 903304], length 0 16:19:41.247845 IP 216.58.199.142.443 > 192.168.43.4.36520: Flags [P.], seq 2060299420:2060299475, ack 556233794, win 350, options [nop,nop,TS val 1995298115 ecr 854767], length 55 16:19:41.248173 IP 192.168.43.4.36520 > 216.58.199.142.443: Flags [F.], seq 1, ack 55, win 339, options [nop,nop,TS val 914872 ecr 1995298115], length 0 16:19:41.257875 IP 216.58.199.142.443 > 192.168.43.4.36520: Flags [F.], seq 55, ack 1, win 350, options [nop,nop,TS val 1995298115 ecr 854767], length 0 16:19:41.257942 IP 192.168.43.4.36520 > 216.58.199.142.443: Flags [.], ack 56, win 339, options [nop,nop,TS val 914874 ecr 1995298115], length 0 16:19:41.707916 IP 216.58.199.142.443 > 192.168.43.4.36520: Flags [F.], seq 55, ack 1, win 350, options [nop,nop,TS val 1995298671 ecr 854767], length 0 16:19:41.707976 IP 192.168.43.4.36520 > 216.58.199.142.443: Flags [.], ack 56, win 339, options [nop,nop,TS val 914987 ecr 1995298671,nop,nop,sack 1 {55:56}], length 0 10 packets captured 10 packets received by filter 0 packets dropped by kernel

Conclusion

I hope now you can easily explore tcpdump command in depth. There are lots of options available with tcpdump, you can use any of those option as per your requirement.