Linux tcpdump
tcpdump is a command-line utility for capturing and analyzing network traffic on a Linux system. It captures packets transmitted and received on an interface, prints a one-line summary of each, and can save the raw packets for later analysis. Administrators and security professionals commonly use tcpdump to debug network problems and to examine network activity in detail.
Run tcpdump without options and it captures all packets on the first configured, non-loopback interface it finds; tcpdump -D lists the interfaces it can open. Capturing requires root privileges (or the CAP_NET_RAW and CAP_NET_ADMIN capabilities), so the commands below are run with sudo. Capturing everything on a busy interface produces an overwhelming amount of output, so it is common to name the interface explicitly with the -i option. For example, sudo tcpdump -i eth0 starts capturing all packets on the eth0 interface.
tcpdump supports extensive filtering, using BPF filter expressions, so that only the traffic of interest is captured. For instance, to capture only TCP traffic to or from port 80, use sudo tcpdump -i eth0 tcp port 80.
Captured packets can be saved to a file for later analysis. The command sudo tcpdump -i eth0 -w captured_packets.pcap writes the raw packets, in libpcap format, to a file named captured_packets.pcap instead of printing them; a filter expression can be added to keep the file small. Note that the file contains full packet payloads, including any unencrypted credentials or session data that crossed the interface, so treat it as sensitive. To read the packets back, use tcpdump -r captured_packets.pcap; reading a file you own needs no root privileges, and the same filter expressions apply when reading.
tcpdump can also filter on source and destination IP addresses and ports. Without a direction qualifier a filter matches either direction: sudo tcpdump host 192.168.1.1 captures all packets sent to or from that host. The src and dst qualifiers restrict the direction, so sudo tcpdump src host 192.168.1.1 and dst port 443 captures only traffic from that host to port 443.
Additionally, tcpdump can filter on TCP flags such as SYN, ACK, RST, and PSH. The flags live in the 13th byte of the TCP header, which the filter language exposes as tcp[13] (offsets are relative to the start of the TCP header, not the frame). The bit values are FIN=0x01, SYN=0x02, RST=0x04, PSH=0x08, ACK=0x10, and URG=0x20. Thus tcpdump 'tcp[13] & 4 != 0' selects packets with the RST flag set. To isolate packets with both SYN and ACK set, test both bits: tcpdump 'tcp[13] & 0x12 == 0x12', or equivalently tcpdump 'tcp[tcpflags] & (tcp-syn|tcp-ack) == (tcp-syn|tcp-ack)'. Be careful with the != 0 form: 'tcp[13] & 0x12 != 0' matches packets with either flag, which on a typical network is nearly everything. The expression must be quoted so the shell does not interpret the brackets and the ampersand.
tcpdump is available on most Linux distributions and on macOS, and it is often pre-installed. If it is not present on your system, install it with your distribution's package manager: sudo dnf install tcpdump on Red Hat-based distributions, or sudo apt install tcpdump on Debian-based distributions.
tcpdump prints one line per captured packet. For TCP this includes a timestamp, the source and destination addresses and ports, the flags, sequence and acknowledgment numbers, window size, TCP options, and the data length. By default addresses and ports are resolved to host and service names; use -n to disable reverse DNS lookups, which slow the capture and reveal to the resolver which hosts you are examining, and -nn to also print raw port numbers. The -v option adds detail such as TTL and checksum status, and -X prints each packet's payload in hex and ASCII.