TCP DUMP – tcpdump

Wikipedia: “tcpdump is a common packet analyzer that runs under the command line. It allows the user to intercept and display TCP/IP and other packets being transmitted or received over a network to which the computer is attached.”

Common uses: “Tcpdump analyzes network behavior, performance and applications that generate or receive network traffic. It can also be used for analyzing the network infrastructure itself by determining whether all necessary routing is occurring properly, allowing the user to further isolate the source of a problem.”

A few of the mostly used options:

  • -i any : Listen on all interfaces just to see if you’re seeing any traffic.
  • -n : Don’t resolve hostnames.
  • -nn : Don’t resolve hostnames or port names.
  • -X : Show the packet’s contents in both hex and ASCII.
  • -XX : Same as -X, but also shows the ethernet header.
  • -v, -vv, -vvv : Increase the amount of packet information you get back.
  • -c : Only get x number of packets and then stop.
  • -S : Print absolute sequence numbers.
  • -e : Get the ethernet header as well.
  • -q : Show less protocol information.
  • -E : Decrypt IPSEC traffic by providing an encryption key.
  • -s : Set the snaplength, i.e. the amount of data that is being captured in bytes
  • -c : Only capture x number of packets, e.g. ‘tcpdump -c 3

I’m using my MAC to learn this command, so depending if you are connected wirelessly or by ethernet (direct connect), you will need to put in the correct interface.

View your interfaces.

$ ifconfig

Wireless Interface (depending on your interface number – look for the IP address):

# tcpdump -i en1
# tcpdump -i en2

Ethernet Interface:

# tcpdump -i en0

Basic usage.

# tcpdump -i interface
# tcpdump -nS
# tcpdump -nnvvS

Now lets port this information into a file called DumpFile01.pcap on the Desktop.

# tcpdump -i en0 -w ~/Desktop/DumpFile01.pcap

Reading the file. What’s the difference between .cap and .cap?

# -r ~/Desktop/DumpFile01.pcap

The -nn tells tcpdump not to resolve DNS on IP and Ports, where r is read.

# tcpdump -nnr ~/Desktop/DumpFile01.pcap

Adding -tttt to makes the timestamp appears more readable format.

# tcpdump -ttttnnr ~/Desktop/DumpFile01.pcap

Lets get a tcpdump on port 80.

# tcpdump -w /Users/Tommy/Desktop/dump01.pcap -i en0 port 80
# tcpdump -w /Users/Tommy/Desktop/dump01.pcap -i en0 tcp port 80
# tcpdump -w /Users/Tommy/Desktop/dump01.pcap -i en0 udp port 80

Capture packets based off of the Source and Destination.

# tcpdump src XXX.XXX.XXX.XXX
# tcpdump dst XXX.XXX.XXX.XXX
# tcpdump dst XXX.XXX.XXX.XXX and port XX

Specify a Port range.

# tcpdump tcp portrange XX-XX

By Tommy Elmesewdy

DevOps Engineer