tcpdump is a powerful and widely used command-line packet sniffer (packet analyzer) used to capture or filter the TCP/IP packets received or transmitted on a specific network interface. It is available on most Linux/Unix based operating systems. tcpdump also gives us an option to save the captured packets to a file for later analysis. It saves the file in pcap format, which can be read back with the tcpdump command.
Installing tcpdump on CentOS-based machines:
yum install tcpdump
Usage:
1. Capture Packets from network Interface:
tcpdump -i eth0
-i Listen on interface. If unspecified, tcpdump searches the system interface list for the lowest numbered, configured up interface (excluding loopback). Ties are broken by choosing the earliest match.
eth0 is the Ethernet 0 network interface.
2. Capture packets by count:
tcpdump -c 5 -i eth0
-c Exit after receiving count packets.
3. tcpdump with ASCII format:
tcpdump -A -i eth0
-A Print each packet (minus its link level header) in ASCII. Handy for capturing web pages.
4. Display All Network Interfaces:
tcpdump -D
-D Print the list of the network interfaces available on the system and on which tcpdump can capture packets. For each network interface, a number and an interface name, possibly followed by a text description of the interface, is printed. The interface name or the number can be supplied to the -i flag to specify an interface on which to capture.
5. Capture and Save Packets in a File [then manually open file to investigate packets]:
tcpdump -w 0001.pcap -i eth0
-w Write the raw packets to file rather than parsing and printing them out. They can later be printed with the -r option. Standard output is used if file is ‘‘-’’. See pcap-savefile(5) for a description of the file format.
- 0001.pcap is the file name; .pcap is the supported file format.
6. Reading a saved dump file:
tcpdump -r 0001.pcap
7. Capture packets with numeric IP addresses (no name resolution):
tcpdump -n -i eth0
-n Don't convert host addresses to names. This can be used to avoid DNS lookups. Use -c together with the above command to grab a small number of packets and their IPs.
8. Capture only TCP Packets:
tcpdump -i eth0 tcp
9. Capture Packet from Specific Port:
tcpdump -i eth0 port 22
10. Capture Packets from source IP:
tcpdump -i eth0 src 192.168.0.2
- change IP address ava
11. Capture Packets from Destination IP:
tcpdump -i eth0 dst 50.116.66.139
- change IP address
More details: Use: man tcpdump or https://www.tcpdump.org/tcpdump_man.html
Once you understand each flag and its command, you can combine them into one-liners to capture network packets on a server.
Example 1: Capture 10k packets on port 80 and find the IP that sent the most packets.
tcpdump -n -c 10000 -i eth0 port 80 | awk '{print $3}' | awk -F ':' '{print $1}' | cut -d "." -f1-4 | sort | uniq -c | sort -rn | head
-n print addresses numerically (no DNS lookups)
-c number of packets to record before exiting
-i network interface
port 80 - BPF filter: only traffic to or from port 80
awk '{print $3}' picks the 3rd whitespace-separated field of each tcpdump line, which is the source address and port (the field after the ">" is the destination)
awk -F ':' and cut -d "." -f1-4 strip the trailing colon and the port number, leaving the bare IPv4 address; sort | uniq -c | sort -rn | head counts packets per address and lists the busiest senders first
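The same counting pipeline, as an added example that is not part of the original page, run over a few constructed tcpdump -n output lines so you can check which field holds the source address without needing a live capture. The function names (top_senders, top_sender_ip) and the sample lines are assumptions made for this illustration.

```shell
#!/bin/sh
# Added example (not from the original page): count packets per source address
# from the output of "tcpdump -n". The lines below are constructed, not a real capture.
SAMPLE_CAPTURE='12:00:01.000001 IP 192.168.0.2.51000 > 10.0.0.5.80: Flags [S], seq 1, win 64240, length 0
12:00:01.000002 IP 10.0.0.5.80 > 192.168.0.2.51000: Flags [S.], seq 2, ack 2, win 65535, length 0
12:00:01.000003 IP 192.168.0.2.51000 > 10.0.0.5.80: Flags [.], ack 1, win 64240, length 0
12:00:01.000004 IP 192.168.0.7.40000 > 10.0.0.5.80: Flags [S], seq 3, win 64240, length 0
12:00:01.000005 IP 192.168.0.2.51000 > 10.0.0.5.80: Flags [P.], seq 1:100, ack 1, win 64240, length 99'

# top_senders: read tcpdump -n lines on stdin and print "count address", busiest first.
# Field 2 is the protocol tag ("IP" for IPv4); field 3 is the source "addr.port".
# Stripping the last dotted component removes the port and leaves the IPv4 address.
top_senders() {
    awk '$2 == "IP" {print $3}' | sed 's/\.[0-9]*$//' | sort | uniq -c | sort -rn
}

# top_sender_ip: only the address that sent the most packets.
top_sender_ip() {
    top_senders | head -n 1 | awk '{print $2}'
}

# Stand-alone run on the constructed sample (in practice: tcpdump -n -c 10000 -i eth0 port 80 | top_senders)
printf '%s\n' "$SAMPLE_CAPTURE" | top_senders
```

Note that IPv6 packets are tagged "IP6" by tcpdump and are skipped by the awk test, which keeps the dotted-port stripping correct; extend the filter if you capture IPv6 traffic.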
Using tcpdump to collect Apache header packets (capturing up to 10 KB of each packet), which helps you see live GET/POST request data:
tcpdump -l -A -s 10240 'tcp port 80 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)' | egrep --line-buffered "^........(GET |HTTP\/|POST |HEAD )|^[A-Za-z0-9-]+: " | sed -r 's/^........(GET |HTTP\/|POST |HEAD )/\n\1/g'
Here -s 10240 sets the snapshot length to 10240 bytes per packet so that HTTP headers are not truncated, and -l makes tcpdump line-buffer its output so it flows through the pipe live. The BPF expression keeps TCP port 80 packets whose IP total length (ip[2:2]) minus the IP header length ((ip[0]&0xf)<<2) minus the TCP header length ((tcp[12]&0xf0)>>2) is non-zero, i.e. packets that actually carry payload, so bare SYN/ACK packets are dropped. Because tcpdump runs in ASCII mode (-A), the HTTP request lines and headers are printed, and the egrep/sed pair extracts and separates them. Read more at: https://www.wains.be/pub/networking/tcpdump_advanced_filters.txt
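To make the header arithmetic in that filter concrete, here is an added example (not from the original page or the linked source) that evaluates the same expression in shell on two hand-built packets: a bare SYN with no payload and a small GET request. The packet hex strings are constructed for this illustration (checksums zeroed), and the function names byte, tcp_payload_len and matches_filter are assumptions.

```shell
#!/bin/sh
# Added example (not from the original page): compute
#   (ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)
# on constructed IPv4+TCP packets given as hex strings, to show why the
# filter keeps packets with payload and drops header-only packets.

# byte HEX OFFSET: decimal value of the byte at 0-based OFFSET in hex string HEX
byte() {
    echo $(( 0x$(printf '%s' "$1" | cut -c "$((2 * $2 + 1))-$((2 * $2 + 2))") ))
}

# tcp_payload_len HEX: TCP payload size in bytes, computed like the BPF filter.
#   ip[2:2]            IPv4 total length (two bytes, big-endian)
#   (ip[0]&0xf)<<2     IPv4 header length (IHL in 32-bit words * 4)
#   (tcp[12]&0xf0)>>2  TCP header length (data offset in 32-bit words * 4)
# In BPF, tcp[] is relative to the TCP header, so we add the IP header length here.
tcp_payload_len() {
    hex=$1
    ip_total=$(( $(byte "$hex" 2) * 256 + $(byte "$hex" 3) ))
    ip_hlen=$(( ($(byte "$hex" 0) & 0xf) << 2 ))
    tcp_hlen=$(( ($(byte "$hex" $((ip_hlen + 12))) & 0xf0) >> 2 ))
    echo $(( ip_total - ip_hlen - tcp_hlen ))
}

# matches_filter HEX: "match" when the filter's "!= 0" test would accept the packet
matches_filter() {
    if [ "$(tcp_payload_len "$1")" -ne 0 ]; then echo match; else echo no-match; fi
}

# Constructed SYN: IP total length 40 = 20-byte IP header + 20-byte TCP header, no data.
SYN_PKT='450000280001000040060000c0a800020a000005c738005000000001000000005002faf000000000'
# Constructed request: same header sizes plus the 18-byte payload "GET / HTTP/1.0\r\n\r\n"
# (IP total length 58 = 0x003a, TCP flags PSH|ACK).
GET_PKT='4500003a0001000040060000c0a800020a000005c738005000000001000000015018faf000000000474554202f20485454502f312e300d0a0d0a'

echo "SYN payload bytes: $(tcp_payload_len "$SYN_PKT") -> $(matches_filter "$SYN_PKT")"
echo "GET payload bytes: $(tcp_payload_len "$GET_PKT") -> $(matches_filter "$GET_PKT")"
```

The SYN evaluates to 0 and is excluded, while the GET evaluates to 18 and passes; this is exactly the difference that keeps the live header view free of empty ACK segments.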