Recommended Read: Examples on how to use PS COMMAND in Linux
Also Read: Top Linux commands to monitor NETWORK
Tcpdump command uses libpcap library to capture the Network Packets. We can check the network packets in real-time or we can also save it to a file, which we can check later. To use the tcpdump command, we should use it with root user or with a user with sudo privileges.
Here, we will be discussing how we can install & use TCPDUMP with examples. So let’s start,
Install TCPDUMP command in Linux
In most cases, we already should have tcpdump installed on most of the Linux distributions, but if it’s not then you can use one of the following commands to install it your system.
CentOS/RHEL 6 & 7
$ sudo yum install tcpdump
$ dnf install tcpdump
$ apt-get install tcpdump
Now let’s learn how we can use it to monitor our network traffic.
TCPDUMP command examples
Check network traffic from all network interface
To get the network packets from all network interfaces, run the following command,
$ tcpdump -i any
Check network traffic from only a single network interface
To get the network packets from a single interface, use
$ tcpdump -i enp0s3
Getting captured network packets to a file
To write all the captured packets to a file, use the ‘-w’ option,
$ tcpdump -i eth1 -w packets_file
Reading a network packets file
To read an already created, old tcpdump file, use the following command,
$ tcpdump -r packets_file
Check packets for a protocol or port number
To check all the packets used based on the protocol, run the following command
$ tcpdump ssh
To get packets for a single port ot for a range of ports, use
$ tcpdump port 80
$ tcpdump portrange 20-200
We can also use ‘src’ & ‘dst’ options to get packets for ports based on source & destination.
We can also combine two conditions (example mentioned below) with AND (and , && ), OR ( or. || ) & EXCEPT (not , ! ). This helps when we have analyzed network packets based on some conditions.
Getting more packets information with readable timestamps
To get more information regarding the packets along with the readable timestamp, use
$ tcpdump -ttttnnvvS
Capture network packets of a network range
To get the packets for a network, execute the following command from the terminal
$ tcpdump net 10.10.1.0/24
Check network packets for a single IP address
To capture network packets for a single IP address, whether source or destination or both, use the following command,
$ tcpdump host 10.10.1.12
To get packets based on source or destination of an IP address, use
$ tcpdump src 10.10.1.12
$ tcpdump dst 10.10.1.12
We can use ‘and’ or symbol ‘&&’ to combine two conditions or mote with tcpdump. An example would be,
$ tcpdump src 10.10.1.12 && port 22 -w ssh_packets
OR will check the command tcpdump -i eth0 src port not 22ainst one the mentioned conditions in the command, like
$ tcpdump src 10.10.1.12 or dst 10.10.1.30 && port 22 -w ssh_packets
$ tcpdump port 443 or 80 -w http_packets
EXCEPT will be used when we want to leave out something to fulfill a condition, like
$ tcpdump -i enp0s3 src port not 22
This will monitor all the traffic on eth0 but will not capture port 22.
These were only some examples that we can use with tcpdump command. There are plenty of other options that we can use with tcpdump command, & like with other Linux commands, we can refer to help to check all the options,
$ tcpdump –help
Please feel free to send in any queries or suggestions using the comment box below.
The post Install & learn to use TCPDUMP with examples appeared first on The Linux GURUS.