Capture and read packets in Linux CLI using TCPDUMP

tcpdump is a common packet analyzer that runs under the command line. It allows the user to intercept and display TCP/IP and other packets being transmitted or received over a network to which the computer is attached. Distributed under the BSD license, tcpdump is free software.

In this post, i will try to show you how to use tcpdump command and capture required package.

• 'tcpdump' - capture the traffic passing through 'eth0' or management interface.
• 'tcpdump -i eth1' -  use minus (-) i option to capture packet passing through eth1
• 'tcpdump -e -i eth1' -  use minus (-) e option to capture packets passing through eth1 with ethernet header details.
• 'tcpdump -i eth1 tcp' - capture tcp packets only which are passing through eth1
• 'tcpdump -i eth1 tcp and src host 2.2.2.2' - capture tcp packets which is sent from 2.2.2.2
• 'tcpdump -i eth1 tcp or src host 2.2.2.2' - capture tcp packets or packets whose src ip is 2.2.2.2
• 'tcpdump -i eth1 tcp and greater 1000' - capture tcp packets whose length is greater then 1000B.
• tcpdump -n -i eth1 tcp : minus (-) n used to avoid DNS lookups. Don't convert host addresses to names.

Save tcpdump in a file- use minus (-) w option which can be read using WhireShark.

• 'tcpdump -i eth1 -w /dir/file.pcap tcp and host 10.102.174.42'

Read .pcap file using tcpdump

• 'tcpdump -e -r src9.pcap | grep http'

All available filters that you can apply to capture required packets -

• dst host 2.2.2.2  or dst host 9901::123 - destination host
• host 2.2.2.2  or host 9901::123 - has this IP
• ether src fa:38:3c:50:63:72
• ether dst, ether host
• src port 21
• dst port 80
• src portrange 10-90
• less 100
• vlan 5