12 Tcpdump Commands - A Network Sniffer Tool

CENTOS / FEDORA / LINUX COMMANDS /
I TecMint :
LINUX DISTROS / REDHAT

21
BEGINNER'S GUIDE FOR LINUX

Start learning Linux in minutes
12 Tcpdump
Commands A
Network Sniffer Tool
by Narad Shrestha | Published: August 20, 2012 |
Last Updated: September 13, 2012
Adsby Google
WIFISNIFFER
PACKETSNIFFER
Download Your Free eBooks NOW - 10 Free

Linux eBooks for Administrators | 4 Free Shell
Scripting eBooks
In our previous article, we
Vi/Vim Editor BEGINNER'S GUIDE

Learn vi/vim as a Full Text Editor
Advertise Here
have seen 20 Netstat

Commands to monitor or
mange Linux network. This
is our another ongoing
series of packet sniffer tool
called tcpdump. Here, we
are going to show you how
to install tcpdump and then
we discuss and cover some
useful commands with their
practical examples.
Linux Foundation Certication

Exam Study Guide to LFCS and LFCE
Linux tcpdump command examples
tcpdump is a most powerful

and widely used command-
line packets sniffer or

package analyzer tool which
is used to capture or lter
TCP/IP packets that
received or transferred over
a network on a specic
interface. It is available
under most of the
Linux/Unix based operating
systems. tcpdump also
CAN logger
with SD card
gives us a option to save

captured packets in a le for
future analysis. It saves the
le in a pcap format, that
can be viewed by tcpdump
command or a open source
GUI based tool called
Wireshark (Network
OEM cards with serial

and USB
Data logger for bus CAN
with USB, serial RS232
interface and microSD
card
Protocol Analyzier) that

reads tcpdump pcap format
les.
ipses.com/eng/Products
How to Install
tcpdump in Linux
Many of Linux distributions

already shipped with
tcpdump tool, if in case you
dont have it on systems,
you can install it using
following Yum command.
How to Add Linux Host to Nagios Monitoring

Server Using NRPE Plugin
Nagios 4.2.0 Released Install on RHEL/CentOS
7.x/6.x/5.x and Fedora 24-19
Install Cacti (Network Monitoring) on
RHEL/CentOS 7.x/6.x/5.x and Fedora 24-12
#yuminstalltcpdump
Google Chrome 55 Released Install on

RHEL/CentOS 7/6 and Fedora 25-20
Once tcpdump tool is

installed on systems, you
can continue to browse
following commands with
their examples.
Ebook: Introducing the RHCSA and RHCE Exam

Preparation Guide
Install Latest Apache 2.4, MySQL 5.5/MariaDB
10.1 and PHP 5.5/5.6 on RHEL/CentOS 7/6 &
Fedora 24-18
1. Capture Packets
from Specic
Interface
Software ERP Gratis
Aplicacin para Administracin de su Empresa. 100% Libre!

bitrix24.es/Software-ERP
The command screen will

scroll up until you interrupt
and when we execute
tcpdump command it will
captures from all the
interfaces, however with -i
switch only capture from
desire interface.
Linux System Administrator Bundle
with 7-Courses (96% off)
#tcpdumpieth0
tcpdump:verboseoutputsuppressed,usevorvvforfullprotocoldecode
listeningoneth0,linktypeEN10MB(Ethernet),capturesize65535bytes
11:33:31.976358IP172.16.25.126.ssh>172.16.25.125.apwirxspooler:Flags[P.],seq3500
11:33:31.976603IP172.16.25.125.apwirxspooler>172.16.25.126.ssh:Flags[.],ack196,
Ending In: 3 days
11:33:31.977243ARP,Requestwhohastecmint.comtell172.16.25.126,length28
11:33:31.977359ARP,Replytecmint.comisat00:14:5e:67:26:1d(ouiUnknown),length46
11:33:31.977367IP172.16.25.126.54807>tecmint.com:4240+PTR?125.25.16.172.inaddr.ar
CentOS & Red Hat Certied System
11:33:31.977599IPtecmint.com>172.16.25.126.54807:4240NXDomain0/1/0(121)
Administrator Course (90% off)
11:33:31.977742IP172.16.25.126.44519>tecmint.com:40988+PTR?126.25.16.172.inaddr.a
11:33:32.028747IP172.16.20.33.netbiosns>172.16.31.255.netbiosns:NBTUDPPACKET(137
11:33:32.156576ARP,Requestwhohas172.16.16.37telloldoraclehp1.midcorp.midday.com,
Ending In: 4 days
11:33:32.348738IPtecmint.com>172.16.25.126.44519:40988NXDomain0/1/0(121)
Add to Cart - $69
Add to Cart - $19
2. Capture Only N
Number of Packets
When you run tcpdump
command it will capture all
DOWNLOAD FREE LINUX EBOOKS

Complete Linux Command Line Cheat Sheet
The GNU/Linux Advanced Administration Guide
Securing & Optimizing Linux Servers
the packets for specied
Linux Patch Management: Keeping Linux Up To
interface, until you Hit
Date
cancel button. But using -c
Introduction to Linux A Hands on Guide
option, you can capture

specied number of
packets. The below example
will only capture 6 packets.
Understanding the Linux Virtual Memory

Manager
Getting Started with Ubuntu 16.04
A Newbies Getting Started Guide to Linux
Linux from Scratch Create Your Own Linux OS
Linux Shell Scripting Cookbook, Second Edition
Securing & Optimizing Linux: The Hacking
#tcpdumpc5ieth0
Solution
User Mode Linux Understanding and
Administration
11:40:20.282244ARP,Requestwhohastecmint.comtell172.16.25.126,length28
11:40:20.282360ARP,Replytecmint.comisat00:14:5e:67:26:1d(ouiUnknown),length46

11:40:20.282369IP172.16.25.126.53216>tecmint.com.domain:49504+PTR?125.25.16.172.in
11:40:20.332494IPtecmint.com.netbiosssn>172.16.26.17.nimaux:Flags[P.],seq3058424
6packetscaptured
Never Miss Any Linux Tutorials,
23packetsreceivedbyfilter
Guides, Tips and Free eBooks
0packetsdroppedbykernel
Join Our Community Of 150,000+ Linux Lovers

and get a weekly newsletter in your inbox
3. Print Captured
Packets in ASCII
The below tcpdump
command with option -A
displays the package in
ASCII format. It is a
character-encoding scheme
format.
YES! SIGN ME UP
#tcpdumpAieth0
09:31:31.347508IP192.168.0.2.ssh>192.168.0.1.nokiaannch1:Flags[P.],seq332937234
M.r0...vUP.E.X.......~.%..>N..oFk.........KQ..)Eq.d.,....r^l......m\.oyE........g~m..Xy.
09:31:31.347760IP192.168.0.1.nokiaannch1>192.168.0.2.ssh:Flags[.],ack196,win6
M....vU.r1~P.._..........
^C09:31:31.349560IP192.168.0.2.46393>b.resolvers.Level3.net.domain:11148+PTR?1.0.1
E..F..@.@............9.5.2.f+............1.0.168.192.inaddr.arpa.....
3packetscaptured
4. Display Available
Interfaces
To list number of available
interfaces on the system,
run the following command
with -D option.
#tcpdumpD
1.eth0
2.eth1
3.usbmon1(USBbusnumber1)
8.any(Pseudodevicethatcapturesonallinterfaces)
9.lo
5. Display Captured
Packets in HEX and
ASCII
The following command
with option -XX capture the
data of each packet,
including its link level

header in HEX and ASCII
format.
#tcpdumpXXieth0
0x0000:b8ac6f2e57b300016c99146808004510..o.W...l..h..E.
0x0010:00ec878340004006275dac10197eac10....@.@.']...~..
0x0020:197d00161129d12aaf51d9b6d5ee5018.}...).*.Q....P.
0x0030:49488bfa00000e12ea4d22d167c0f123IH.......M".g..#
0x0040:90138f68aa7029f32efcc51256604fe8...h.p).....V`O.
0x0050:590ad631f939dd06e36a69edcac295b6Y..1.9...ji.....
0x0060:f8bab42a344b8e56a5c4b3a2ed82c3a1...*4K.V........
0x0070:80c8798011ac9bd75b0118d581804536..y.....[.....E6
0x0080:30fd4f6d4190f66f2e24e877ed238eb00.OmA..o.$.w.#..
0x0090:5a1df3ec4be4e0fb85537c8517d9866fZ...K....S|....o
0x00a0:c2790d9c8f9d445b7b0181eb1b637f12.y....D[{....c..
JoinOver300K+LinuxUsers
0x00b0:71b3135752c7cf0095c6c9f663b1ca51q..WR.......c..Q
0x00c0:0ac6456e062038e610cb6139fb2aa756..En..8...a9.*.V
0x00d0:37d6c5f3f5f3d8e83316d14fd7abfd937.......3..O....
0x00e0:113761c16a5cb4d1ddda380af782d983.7a.j\....8.....
0x00f0:62ffa5a9bb394f80668ab....9O.f.
SHARE
11:51:18.974759IP172.16.25.126.60952>mddc01.midcorp.midday.com.domain:14620+PTR?
202,035
9,267
38,621
0x0000:00145e67261d00016c99146808004500..^g&...l..h..E.
0x0010:00485a83400040115e25ac10197eac10.HZ.@.@.^%...~..
+
Are you subscribed?
0x0020:105eee18003500348242391c01000001.^...5.4.B9.....
0x0030:00000000000003313235023235023136.......125.25.16
20 Command Line Tools to Monitor Linux Performance
0x0040:0331373207696e2d6164647204617270.172.inaddr.arp
0x0050:6100000c0001a.....
6. Capture and Save

Packets in a File
As we said, that tcpdump
has a feature to capture and
save the le in a .pcap
format, to do this just
execute command with -w
option.
150
23
#tcpdumpw0001.pcapieth0
tcpdump:listeningoneth0,linktypeEN10MB(Ethernet),capturesize65535bytes
4packetscaptured
7. Read Captured
Packets File
To read and analyze
captured packet 0001.pcap
le use the command with -r
option, as shown below.
#tcpdumpr0001.pcap
readingfromfile0001.pcap,linktypeEN10MB(Ethernet)
09:59:36.935309IP192.168.0.1.netbiosdgm>192.168.0.255.netbiosdgm:NBTUDPPACKET(13
202,035
9,267
38,621
09:59:37.528731IP192.168.0.1.nokiaannch1>192.168.0.2.ssh:Flags[P.],seq1:53,ack
Are you subscribed?
8. Capture IP
address Packets
To capture packets for a
specic interface, run the
following command with
option -n.
#tcpdumpnieth0
12:07:03.953311IP172.16.25.126.ssh>172.16.25.125.apwirxspooler:Flags[P.],seq196:
9. Capture only TCP

Packets.
To capture packets based
on TCP port, run the
following command with
option tcp.
#tcpdumpieth0tcp
202,035
9,267
38,621
Are you subscribed?
^C12:10:36.223461IPmidpay.midcorp.midday.com.netbiosssn>172.16.22.183.recipe:Flag
10. Capture Packet

from Specic Port
Lets say you want to
capture packets for specic
port 22, execute the below
command by specifying port
number 22 as shown below.
#tcpdumpieth0port22
10:37:49.379298IP192.168.0.2.ssh>192.168.0.1.nokiaannch1:Flags[P.],seq196:616,
10:37:49.381080IP192.168.0.2.ssh>192.168.0.1.nokiaannch1:Flags[P.],seq616:780,
11. Capture
Packets from
source IP
To capture packets from
source IP, say you want to
capture packets for
192.168.0.2, use the
command as follows.
#tcpdumpieth0src192.168.0.2
202,035
9,267
38,621
Are you subscribed?
10:49:15.748554IP192.168.0.2.56200>b.resolvers.Level3.net.domain:11289+PTR?1.0.168
10:49:15.912165IP192.168.0.2.56234>b.resolvers.Level3.net.domain:53106+PTR?2.0.168
10:49:16.074720IP192.168.0.2.33961>b.resolvers.Level3.net.domain:38447+PTR?2.2.2.4
12. Capture
Packets from
destination IP
To capture packets from
destination IP, say you want
to capture packets for
50.116.66.139, use the
command as follows.
#tcpdumpieth0dst50.116.66.139
10:55:01.798591IP192.168.0.2.59896>50.116.66.139.http:Flags[.],ack2480401451,win
10:55:05.527476IP192.168.0.2.59894>50.116.66.139.http:Flags[F.],seq2521556029,ac
10:55:05.626027IP192.168.0.2.59894>50.116.66.139.http:Flags[.],ack2,win245,opt
This article may help you to

explore tcpdump command
in depth and also to capture
and analysis packets in
future. There are number of
options available, you can
use the options as per your
requirement. Please share if
you nd this article useful
through our comment box.
202,035
9,267
38,621
Are you subscribed?
If You Appreciate
What We Do
Here On
TecMint, You Should
Consider:
1. Stay Connected to: Twitter |
Facebook | Google Plus
2. Subscribe to our email
updates: Sign Up Now
3. Use our Linode referral link
if you plan to buy VPS (it
starts at only $10/month).
4. Support us via PayPal

donate - Make a Donation
5. Support us by purchasing
our premium books in PDF
format.
6. Support us by taking our
online Linux courses
We are thankful for your never
ending support.
Narad
View all Posts
Shrestha
He has over 10 years of rich IT

202,035
9,267
38,621
experience which includes
Are you subscribed?
various Linux Distros, FOSS and
Networking.
Narad always
20 Command
Line Tools to Monitor Linux Performance
believes sharing IT knowledge
with others and adopts new
technology with ease.
Your name can also be

listed here. Got a tip?
Submit it here to
become an TecMint
author.
PREVIOUS
NEXT STORY
STORY
Setup Samba
How to Open,
Server Using
Extract and
tdbsam
Create RAR
Backend on
Files in Linux
RHEL/CentOS
6.3/5.8 and
Fedora 17-12
YOU MAY ALSO LIKE...

53
How to
Reset
Forgotten
Root
Password
in
RHEL/Cent
OS and
Fedora
What is
Ext2, Ext3 & fswatch
202,035
9,267
38,621
Ext4 and
Monitors
Are you subscribed?
How to
Files and
Create and
20 Command
Directory
Convert
Changes or
Linux File
Modicatio
Systems
ns in Linux
12 NOV, 2012
12 JUL, 2012
7 OCT, 2016
21 RESPONSES
Comments 10
Admin
Pingbacks 0
September 18, 2016 at 9:37 pm
Having a hard time here, hopefully you

can help. This server in question
(Centos 6.8) has bandwidth sky
rocketing to about 100MBps. Its
running cPanel control panel and none
of the accounts are using much

bandwidth. I cannot gure out how to
trace where the spike is coming from. I
tried this tcpdump but confused. I need
to trace the source of the bandwidth
spike and really could use some help.
IPTRAF is a bit confusing too to me.
Reply
Ravi Saive
September 19, 2016 at 11:18 am
@Admin,
I think you should use these two
tools to nd out the network
bandwidth source..
http://www.tecmint.com/installiftop-bandwidth-monitoring-toolin-rhel-centos-fedora/
http://www.tecmint.com/installvnstat-and-vnstati-to-monitorlinux-network-trafc/
Reply
Gene
October 9, 2015 at 1:45 pm
202,035
abhi
How can I take the tcpdump of a

destination port.
Reply
Ravi Saive
September 24, 2015 at 11:54 am
@Abhi,
Here is the following command
that will help you out.
# tcpdump -i eth0 port 22
Dont forget to replace the port

22 with your desired port.
Reply
38,621
Are you subscribed?
This has been very informative and

helpful. Had to use some of the
commands for some deep debugging.
thanks
Reply
9,267
Nilesh
Very Good artical

Reply
sara kiran
April 14, 2015 at 10:05 am
Hope you must be ne by grace of God.

I am facing a problem in my thesis
which is about to change the link data
rate depending upon the buffer
occupancy i-e if the buffer space is lled
above threshold then increase the link
data rate and if the buffer is occupied
below threshold then reduce the link
data rate. Now the problem exists in
determining the buffer space occupied.
For this I am using ifcong and
netstat.
For ifcong the output for switch AS-1
eth1 is as follows (by using netstat I
was getting the same output):
AS-1-eth1 Link encap:Ethernet HWaddr
7a:81:df:f1:29:74
202,035
9,267
38,621
inet6 addr: fe80::7881:dfff:fef1:2974/64
Scope: Link
Are you subscribed?
UP BROADCAST RUNNING MULTICAST
MTU: 1500 Metric:
1
20 Command
RX packets: 88 errors: 0 dropped: 0
overruns: 0 frame: 0
TX packets: 57 errors: 0 dropped: 0
overruns: 0 carrier: 0
Collisions: 0 txqueuelen: 1000
RX bytes: 12266 (12.2 KB) TX bytes:
9052 (9.0 KB)
Now I am thinking, packets in queue=
RX packets-TX packets=8857=31packets (31 packets are in the
buffer). Am I thinking in the right
direction?
For ifcong kindly check the following
link
http://www.computerhope.com/unix/uifcon.htm
Kindly just go through the overview, I
know your time is really precious and
sorry to bother you, kindly reply me as

soon as possible. Thanks in advance.
Reply
Pankhuri Jaiswal
November 20, 2014 at 3:29 pm
hello!!
M in a deep troublei need to do this
tcp steganography in linux
environmentcan you please tell me
the required steps and commandsi
need it urgentplease help
Reply
Mohinder
November 3, 2015 at 6:35 am
Pankhuri,
Please let us know how the
steganography went. What
commands did you nd useful
and what was the end result.
Thank you and very good day to
you.
Reply
techie
202,035
Reply
Older Comments
GOT SOMETHING TO SAY? JOIN THE

DISCUSSION.
Comment
Email *
9,267
38,621
Are you subscribed?
October 13, 2014 at 9:25 pm
Thanx, very informative
Name *
Website
Notify me of followup comments via email. You can also subscribe without
commenting.
Post Comment
LINUX MONITORING TOOLS
20 Useful Commands of
Sysstat Utilities (mpstat,
pidstat, iostat and sar) for
Linux Performance
Monitoring
LINUX INTERVIEW QUESTIONS

OPEN SOURCE TOOLS
10 Useful ls Command
Interview Questions Part 2
7 MAR, 2015
Setup and Run Your Own

Online SMS Portal With
PointSMS9,267
on
202,035
38,621
RHEL/CentOS/Fedora
Are
you subscribed?
15 Interview Questions on
4 APR, 2013
Linux
Command
Part Performance
20 Command
Linels
Tools
to MonitorLinux
4 SEP, 2014
1
30 Big Companies and
30 SEP, 2014
How to Congure Zabbix
Devices Running on
Monitoring to Send Email
GNU/Linux
10 Useful Interview
25 FEB, 2014
Alerts to Gmail Account
Questions and Answers on
Part 2
Linux Commands
How to Create Your Own
18 AUG, 2015
21 JUL, 2014
Facebook Clone Networking
NetHogs Monitor Per
Site Using PHPFOX Script
16 AUG, 2013
Process Network Bandwidth Basic Linux Interview
Questions and Answers
Usage in Real Time
Part II
Install Scalpel (A Filesystem
11 MAR, 2013
23 NOV, 2013
Recovery Tool) to Recover
Psensor A Graphical
Deleted Files/Folders in
Hardware Temperature
Linux
7 JUN, 2013
Monitoring Tool for Linux
2 JUL, 2015

Tecmint: Linux Howtos, Tutorials & Guides 2017.
All Rights Reserved.
This work is licensed under a (cc) BY-NC
The material in this site cannot be republished
either online or ofine, without our permission.
202,035
9,267
38,621
Are you subscribed?


12 Tcpdump Commands - A Network Sniffer Tool

Enviado por

Dados do documento

Direitos autorais

Formatos disponíveis

Compartilhar este documento

Compartilhar ou incorporar documento

Opções de compartilhamento

Você considera este documento útil?

Este conteúdo é inapropriado?

Direitos autorais:

Formatos disponíveis

12 Tcpdump Commands - A Network Sniffer Tool

Enviado por

Direitos autorais:

Formatos disponíveis

CENTOS / FEDORA / LINUX COMMANDS /

LINUX DISTROS / REDHAT

BEGINNER'S GUIDE FOR LINUX

Download Your Free eBooks NOW - 10 Free

In our previous article, we

Vi/Vim Editor BEGINNER'S GUIDE

have seen 20 Netstat

Linux Foundation Certication

Linux tcpdump command examples

tcpdump is a most powerful

line packets sniffer or

gives us a option to save

OEM cards with serial

Protocol Analyzier) that

Many of Linux distributions

How to Add Linux Host to Nagios Monitoring

Google Chrome 55 Released Install on

Once tcpdump tool is

Ebook: Introducing the RHCSA and RHCE Exam

Software ERP Gratis

Aplicacin para Administracin de su Empresa. 100% Libre!

The command screen will

Add to Cart - $69

Add to Cart - $19

DOWNLOAD FREE LINUX EBOOKS

the packets for specied

Linux Patch Management: Keeping Linux Up To

interface, until you Hit

cancel button. But using -c

Introduction to Linux A Hands on Guide

option, you can capture

Understanding the Linux Virtual Memory

Join Our Community Of 150,000+ Linux Lovers

including its link level

6. Capture and Save

Are you subscribed?

20 Command Line Tools to Monitor Linux Performance

9. Capture only TCP

10. Capture Packet

This article may help you to

through our comment box.

Are you subscribed?

4. Support us via PayPal

View all Posts

He has over 10 years of rich IT

Your name can also be

YOU MAY ALSO LIKE...

September 18, 2016 at 9:37 pm

Having a hard time here, hopefully you

of the accounts are using much

September 19, 2016 at 11:18 am

October 9, 2015 at 1:45 pm

September 23, 2015 at 9:16 pm

How can I take the tcpdump of a

September 24, 2015 at 11:54 am

Dont forget to replace the port

Are you subscribed?

This has been very informative and

September 20, 2015 at 3:20 pm

Very Good artical

April 14, 2015 at 10:05 am

Hope you must be ne by grace of God.

sorry to bother you, kindly reply me as

November 20, 2014 at 3:29 pm