Thursday, August 1, 2013

Capture and read packets in Linux CLI using TCPDUMP

tcpdump is a common packet analyzer that runs under the command line. It allows the user to intercept and display TCP/IP and other packets being transmitted or received over a network to which the computer is attached. Distributed under the BSD license, tcpdump is free software.

In this post, I will try to show you how to use the tcpdump command and capture the packets you need.
  • 'tcpdump' - capture the traffic passing through 'eth0' or the management interface.
  • 'tcpdump -i eth1' - use the -i option to capture packets passing through eth1.
  • 'tcpdump -e -i eth1' - use the -e option to capture packets passing through eth1 with Ethernet header details.
  • 'tcpdump -i eth1 tcp' - capture only TCP packets passing through eth1.
  • 'tcpdump -i eth1 tcp and src host 2.2.2.2' - capture TCP packets which are sent from 2.2.2.2.
  • 'tcpdump -i eth1 tcp or src host 2.2.2.2' - capture packets that are TCP, or whose source IP is 2.2.2.2.
  • 'tcpdump -i eth1 tcp and greater 1000' - capture TCP packets whose length is greater than 1000 bytes.
  • 'tcpdump -n -i eth1 tcp' - the -n option avoids DNS lookups: host addresses are not converted to names.
Save tcpdump output to a file - use the -w option; the resulting file can be read with Wireshark.
  • 'tcpdump -i eth1 -w /dir/file.pcap tcp and host 10.102.174.42'
Read a .pcap file using tcpdump
  • 'tcpdump -e -r src9.pcap | grep http'
All available filters that you can apply to capture the required packets -
  • dst host 2.2.2.2 or dst host 9901::123 - destination host
  • host 2.2.2.2 or host 9901::123 - has this IP
  • ether src fa:38:3c:50:63:72
  • ether dst, ether host
  • src port 21
  • dst port 80
  • src portrange 10-90
  • less 100
  • vlan 5
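To see what `tcpdump -r file.pcap` and the filter keywords above are actually matching on, here is an added example (not code from the original post): a small pure-Python reader for the classic pcap format that `tcpdump -w` writes, with a filter that mirrors `tcp`, `src host`, `host`, `dst port` and `greater`. The sample capture, the MAC and IP addresses in it and all function names are constructed for this example; the `greater N` keyword is implemented the way tcpdump defines it, as a packet length of at least N bytes.

```python
# Added example, not from the original post: a pure-Python reader for the classic
# pcap format written by `tcpdump -w`, with a filter mirroring the keywords above.
import socket
import struct

PCAP_MAGIC = 0xA1B2C3D4      # microsecond-resolution pcap, in the writer's byte order
LINKTYPE_ETHERNET = 1        # DLT_EN10MB: what `tcpdump -i eth1 -w` produces
ETHERTYPE_IPV4, IPPROTO_TCP, IPPROTO_UDP = 0x0800, 6, 17

def build_frame(src_ip, dst_ip, sport, dport, proto=IPPROTO_TCP, payload=b""):
    """Construct an Ethernet/IPv4/(TCP|UDP) frame; sample data, checksums left zero."""
    eth = bytes.fromhex("001122334455" "66778899aabb") + struct.pack("!H", ETHERTYPE_IPV4)
    l4_len = 20 if proto == IPPROTO_TCP else 8
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + l4_len + len(payload), 0, 0,
                     64, proto, 0, socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    if proto == IPPROTO_TCP:   # seq, ack, data offset 5 words, flags PSH|ACK, window
        l4 = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 8192, 0, 0)
    else:
        l4 = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0)
    return eth + ip + l4 + payload

def build_pcap(frames, base_ts=1375315200):
    """Serialize frames as a pcap blob: 24-byte global header, 16-byte record headers."""
    out = [struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)]
    for i, frame in enumerate(frames):
        out.append(struct.pack("<IIII", base_ts + i, 0, len(frame), len(frame)))
        out.append(frame)
    return b"".join(out)

def read_pcap(data):
    """Yield (timestamp_seconds, frame_bytes) per record, honouring the file's byte order."""
    magic = struct.unpack_from("<I", data, 0)[0]
    if magic == PCAP_MAGIC:
        endian = "<"
    elif magic == 0xD4C3B2A1:   # the same magic as written by a big-endian host
        endian = ">"
    else:
        raise ValueError("not a classic pcap file (pcapng is a different format)")
    if struct.unpack_from(endian + "IHHiIII", data, 0)[6] != LINKTYPE_ETHERNET:
        raise ValueError("this example only decodes Ethernet captures")
    off = 24
    while off + 16 <= len(data):
        ts_sec, _usec, incl_len, _orig_len = struct.unpack_from(endian + "IIII", data, off)
        off += 16
        yield ts_sec, data[off:off + incl_len]
        off += incl_len

def parse_frame(frame):
    """Extract the fields tcpdump's filter keywords match on (IPv4 + TCP/UDP only)."""
    mac = lambda b: ":".join(f"{x:02x}" for x in b)
    info = {"len": len(frame), "ether_dst": mac(frame[0:6]),
            "ether_src": mac(frame[6:12]), "proto": None}
    if struct.unpack_from("!H", frame, 12)[0] != ETHERTYPE_IPV4:
        return info              # ARP, IPv6, VLAN-tagged frames are left undecoded
    ihl = (frame[14] & 0x0F) * 4  # IPv4 header length in bytes
    proto = frame[14 + 9]
    info["src"] = socket.inet_ntoa(frame[26:30])
    info["dst"] = socket.inet_ntoa(frame[30:34])
    if proto in (IPPROTO_TCP, IPPROTO_UDP):
        info["proto"] = "tcp" if proto == IPPROTO_TCP else "udp"
        info["sport"], info["dport"] = struct.unpack_from("!HH", frame, 14 + ihl)
    return info

def matches(info, proto=None, src_host=None, host=None, dport=None, greater=None):
    """AND of the given conditions, each with tcpdump's meaning for that keyword."""
    if proto is not None and info["proto"] != proto:
        return False
    if src_host is not None and info.get("src") != src_host:
        return False
    if host is not None and host not in (info.get("src"), info.get("dst")):
        return False
    if dport is not None and info.get("dport") != dport:
        return False
    if greater is not None and info["len"] < greater:   # tcpdump: 'greater N' is len >= N
        return False
    return True

def summarize(pcap_bytes, **filt):
    """tcpdump-like one-liners for the records that pass the filter."""
    lines = []
    for ts, frame in read_pcap(pcap_bytes):
        info = parse_frame(frame)
        if matches(info, **filt):
            lines.append(f"{ts} {info['proto'] or 'other'} {info.get('src')}:{info.get('sport')}"
                         f" > {info.get('dst')}:{info.get('dport')} length {info['len']}")
    return lines

# Constructed capture: three frames of the kind `tcpdump -w file.pcap` records.
SAMPLE_PCAP = build_pcap([
    build_frame("2.2.2.2", "10.102.174.42", 40001, 80, payload=b"GET / HTTP/1.1\r\n"),
    build_frame("10.102.174.42", "2.2.2.2", 80, 40001, payload=b"X" * 1400),
    build_frame("2.2.2.2", "10.102.174.42", 5353, 53, proto=IPPROTO_UDP, payload=b"dns?"),
])

if __name__ == "__main__":
    for line in summarize(SAMPLE_PCAP, proto="tcp", src_host="2.2.2.2"):
        print(line)
```

Run directly, the script prints the records matching `tcp and src host 2.2.2.2`; `summarize(SAMPLE_PCAP, ...)` accepts any combination of the keyword filters, and `read_pcap` can be pointed at the bytes of a real `-w` file as long as it was captured on an Ethernet interface. Only the classic pcap container, IPv4 and TCP/UDP are decoded; other frames keep their length and MAC addresses so you can see why a `greater` or `ether src` style filter would still apply to them.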

Tuesday, July 30, 2013

Vi Editor basic user guide

vi is a screen-oriented text editor originally created for the Unix operating system.
Here are a few basic and necessary shortcuts to use the vi editor effectively -
  • '0' (zero) - move the cursor to the start of the current line
  • ':n' - move the cursor to line n
  • ':$' - move the cursor to the last line in the file
  • 'x' - delete the single character under the cursor
  • 'dd' - delete the entire current line
  • 'dw' - delete the single word beginning with the character under the cursor
  • 'yy' - copy (yank, cut) the current line into the buffer
  • 'Nyy' - copy (yank, cut) the next N lines, including the current line, into the buffer
  • 'p' - put (paste) the line(s) in the buffer into the text after the current line
  • '/string' - search forward for an occurrence of string in the text
  • '?string' - search backward
  • 'n' - move to the next occurrence of the search string
  • 'N' - search for the previous occurrence
  • 'u' - undo the last change
  • 'ctrl + r' - redo
  • ':s/OLD/NEW/g' - replace OLD with NEW globally (all occurrences) on the current line
  • ':%s/OLD/NEW/g' - replace OLD with NEW for every occurrence in the file

Sunday, July 28, 2013

Some Linux cli tips that you should know

In this post I'm giving a few Linux CLI tips/shortcuts which I found very helpful and which increase your speed while you are working on Linux using the CLI. These tricks are very useful for those who are new to Linux.

  1. 'CTL+L' - Clear the screen (you can use 'clear' as well).
  2. 'CTL+R' - Search recent commands from the history.
  3. 'CTL+A' - Move the cursor to the start of the current command.
  4. 'CTL+E' - Move the cursor to the end of the current command.
  5. 'CTL+W' - Erase one word in the current command.
  6. 'CTL+U' - Erase the whole command.
  7. 'CTL+Y' - Re-type the command that was erased by 'CTL+U'.
  8. 'CTL+D' - Exit or log out of the current session.
  9. 'screen' - run multiple sessions inside a single session. 'CTL+A' then 'N' to go to the next session and 'CTL+A' then 'P' to go to the previous session.
  10. 'CTL+C' - Halt the current command.
  11. 'CTL+Z' - Stop the current command.
  12. '!!' - Repeat the previous command.