tcpdump is a command-line tool for capturing and analyzing network traffic. It lets you inspect packets in real time as they pass through a network interface and filter them by criteria such as source or destination IP address, protocol, port number, and packet content. With tcpdump you can troubleshoot network problems, detect network attacks, and monitor network performance.
Basic Syntax
tcpdump [options] [expression]
Here, options controls how packets are captured and displayed, and expression is the filter that decides which packets are captured. If no expression is given, tcpdump captures every packet on the selected network interface.
Commonly Used Options
- -i interface: Capture packets from the given network interface.
- -n: Display numeric IP addresses instead of resolving them to domain names.
- -c count: Stop after capturing the given number of packets.
- -s size: Capture at most this many bytes from each packet.
- -v: Print more detailed information about each captured packet.
- -X: Print the full packet data in both hexadecimal and ASCII.
- -w file: Write the captured packets to a file instead of displaying them on the screen.
- -r file: Read packets from a file instead of capturing them from a network interface.
Commonly Used Expressions
- host address: Capture packets whose source or destination is the given IP address.
- src address: Capture packets with the given source IP address.
- dst address: Capture packets with the given destination IP address.
- port number: Capture packets whose source or destination port is the given number.
- tcp: Capture only TCP packets.
- udp: Capture only UDP packets.
- icmp: Capture only ICMP packets.
- icmp6: Capture only ICMPv6 packets.
- arp: Capture only ARP packets.
- not expression: Capture packets that do not match the given expression.
Useful Examples
- tcpdump: Capture and display all packets on the default network interface.
- tcpdump -i eth0: Capture and display all packets on the eth0 network interface.
- tcpdump -n host 192.168.1.100: Capture and display all packets to or from the IP address 192.168.1.100.
- tcpdump -n src 192.168.1.100: Capture and display all packets with the source IP address 192.168.1.100.
- tcpdump -n dst 192.168.1.100: Capture and display all packets with the destination IP address 192.168.1.100.
- tcpdump -n port 80: Capture and display all packets with source or destination port 80.
- tcpdump -n tcp: Capture and display all TCP packets.
- tcpdump -n udp: Capture and display all UDP packets.
- tcpdump -n icmp: Capture and display all ICMP packets.
- tcpdump -n arp: Capture and display all ARP packets.
- tcpdump -n not port 22: Capture and display all packets except those with source or destination port 22.
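The commands above print one line per packet; when you save that output (or replay a capture with -r) it helps to post-process it. The following script is an added example, not part of the original page or of tcpdump itself: it parses the IPv4 lines that tcpdump -n prints for TCP, UDP and ICMP, counts packets per protocol, and lists the destination ports each source host touched with a bare SYN, which is the usual first indicator of a port scan. The sample lines are constructed to match tcpdump's output format.

```python
import re
from collections import Counter, defaultdict

# Header of an IPv4 line from "tcpdump -n": timestamp, "IP", src[.port] > dst[.port]:
# ICMP lines carry no port suffix, so both port groups are optional.
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) IP "
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3})(?:\.(?P<sport>\d+))? > "
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3})(?:\.(?P<dport>\d+))?: (?P<rest>.*)$"
)
FLAGS_RE = re.compile(r"Flags \[([^\]]*)\]")

def parse_line(line):
    """Return a dict for one tcpdump -n IPv4 line, or None for ARP/IPv6/other lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    rest = d["rest"]
    if rest.startswith("ICMP"):
        proto = "icmp"
    elif rest.startswith("Flags ["):
        proto = "tcp"          # tcpdump prints TCP segments with a Flags [...] field
    else:
        proto = "udp"          # assumption: port-bearing IPv4 lines without Flags are UDP
    fm = FLAGS_RE.match(rest)
    return {"ts": d["ts"], "src": d["src"], "dst": d["dst"], "proto": proto,
            "sport": int(d["sport"]) if d["sport"] else None,
            "dport": int(d["dport"]) if d["dport"] else None,
            "flags": fm.group(1) if fm else None}

def summarize(text):
    """Count packets per protocol and collect ports probed with a bare SYN per source."""
    by_proto, syn_ports, skipped = Counter(), defaultdict(set), 0
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec is None:
            skipped += 1       # non-IPv4 line (e.g. ARP), not parsed here
            continue
        by_proto[rec["proto"]] += 1
        if rec["flags"] == "S":   # SYN without ACK: a new connection attempt
            syn_ports[rec["src"]].add(rec["dport"])
    return {"by_proto": by_proto, "skipped": skipped,
            "syn_ports": {src: sorted(p) for src, p in syn_ports.items()}}

# Constructed sample in tcpdump -n format: a completed handshake to port 80, two more
# bare SYNs to ports 22 and 443, a DNS query, an ICMP echo request and an ARP request.
SAMPLE = """\
13:05:12.000001 IP 192.168.1.100.51234 > 10.0.0.5.80: Flags [S], seq 100, win 64240, length 0
13:05:12.000200 IP 10.0.0.5.80 > 192.168.1.100.51234: Flags [S.], seq 200, ack 101, win 65160, length 0
13:05:12.000300 IP 192.168.1.100.51234 > 10.0.0.5.80: Flags [.], ack 1, win 502, length 0
13:05:12.500000 IP 192.168.1.100.51235 > 10.0.0.5.22: Flags [S], seq 300, win 64240, length 0
13:05:12.600000 IP 192.168.1.100.51236 > 10.0.0.5.443: Flags [S], seq 400, win 64240, length 0
13:05:13.000000 IP 192.168.1.100.40000 > 192.168.1.1.53: 1234+ A? example.com. (29)
13:05:14.000000 IP 192.168.1.100 > 10.0.0.5: ICMP echo request, id 7, seq 1, length 64
13:05:15.000000 ARP, Request who-has 192.168.1.1 tell 192.168.1.100, length 28
"""

if __name__ == "__main__":
    print(summarize(SAMPLE))
```

To run it on a real capture, feed it the text of `tcpdump -n -r file.pcap` instead of SAMPLE.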