tcpdump is a useful packet analyzer distributed under the BSD license. It is included with most Linux and Unix distros, and it’s available for Windows using the Winpcap library.
As you might imagine, tcpdump is excellent at troubleshooting problematic connections to remote systems where the cause is otherwise unclear. This is particularly useful for getting around, say, database administrators who won’t admit that their database even exists, much less that you can connect to it.
As always, man tcpdump gives you all options, as well as a good overview of network packets. An overview of network and transport layer protocols may also be of value here.
Useful Command Line Switches
Usage is tcpdump -switch
Switch | Purpose |
---|---|
-A | Print every packet in ASCII |
-c x | Only get x number of packets and then stop |
-D | Show the list of available capture interfaces; synonymous with --list-interfaces |
-e | Get the ethernet header as well |
-E | Decrypt IPSEC traffic by providing an encryption key |
-i any | Listen on all interfaces, useful just to see whether any traffic is arriving at all; synonymous with --interface=any |
-i eth0 | Listen on the eth0 interface |
-n | Don’t resolve host names |
-nn | Don’t resolve host names or port numbers |
-q | Print less protocol information with your output; usually easier reading |
-r file | Read capture data from file into tcpdump |
-s | Define the snapshot length (snaplen) of the capture in bytes. Use -s 1514 to get everything, unless you are intentionally capturing less |
-S | Print absolute sequence numbers |
-t | Omit the timestamp from each dump line |
-v, -vv, -vvv | Increase the amount of packet information you get back |
-w file | Write the raw packets to file rather than printing them out |
-X | Show the packet’s contents in both hex and ASCII |
-XX | Same as -X, but also shows the ethernet header |
Arguments
Usage is tcpdump -switch argument; the arguments below are filter primitives and can be combined with and, or and not, as in the examples further down.
Argument | Purpose |
---|---|
dst | Only capture packets with specified destination |
greater | Set minimum packet size |
host | Specify a host by IP address or hostname (if not using -n); to match only the origin or only the destination host, use src or dst instead. E.g., host 192.0.0.1 captures all traffic to and from 192.0.0.1, while src 192.0.0.1 captures only traffic departing from that address. |
icmp/udp/tcp | Only capture ICMP, UDP or TCP packets, respectively |
less | Set maximum packet size |
net | Capture an entire network |
port | Capture traffic to or from the specified port; use src port or dst port to specify origin port or destination port |
portrange | Capture traffic to or from the specified port range; use src portrange or dst portrange to specify origin or destination |
src | Only capture packets originating from src |
Examples
Note: ‘and’ and ‘not’ can be abbreviated as ‘&’ and ‘!=’.
Capture all packets arriving at or departing from thiscomp:
$ tcpdump host thiscomp
Capture packets departing from 10.0.0.2 destined for port 5432 (i.e., PostgreSQL):
$ tcpdump src 10.0.0.2 and dst port 5432
Capture TCP packets departing from thiscomp destined for port 1433 on database (i.e., MSSQL):
$ tcpdump tcp and src thiscomp and dst port 1433 and dst database
Capture traffic between thiscomp and either google or microsoft:
$ tcpdump 'host thiscomp and ( google or microsoft )'
Capture traffic departing from network 216.58 to the SSH port, write to file:
$ tcpdump -w capture_file src net 216.58.0.0/16 and dst port 22
Capture traffic departing from network 216.58 and not to the SSH or MySQL ports:
$ tcpdump 'src net 216.58.0.0/16 and not (dst port 22 or 3306)'
Capture packets with the SYN or FIN flag set (connection start/end packets) departing from network 216.58, not to the SSH or MySQL ports:
$ tcpdump 'tcp[tcpflags] & (tcp-syn|tcp-fin) != 0 and src net 216.58.0.0/16 and not (dst port 22 or 3306)'
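As an added example that is not part of the original page, the Python below rebuilds the flag test from the last command on constructed 20-byte TCP headers: tcp[tcpflags] is byte 13 of the TCP header, the & is the filter language's bitwise AND, and != 0 compares the masked result, so the filter passes any segment with SYN or FIN set. It goes slightly beyond the page by adding two related tests (a pure SYN and a SYN+ACK); the header builder, the filter functions and the sample set are my own names.

```python
import struct

# Flag bit values under the names pcap-filter(7) gives them; the flags byte is
# byte 13 of the TCP header, which the filter language addresses as tcp[tcpflags].
TCP_FIN, TCP_SYN, TCP_RST, TCP_PUSH, TCP_ACK, TCP_URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
TCPFLAGS_OFFSET = 13

def build_tcp_header(src_port, dst_port, flags, seq=0, ack=0):
    """Constructed 20-byte TCP header without options (test data, not a real capture)."""
    data_offset = 5 << 4  # header length in 32-bit words, upper nibble
    return struct.pack("!HHIIBBHHH", src_port, dst_port, seq, ack,
                       data_offset, flags, 65535, 0, 0)

def tcpflags(tcp_header):
    """The byte tcpdump evaluates for tcp[tcpflags] (same as tcp[13])."""
    return tcp_header[TCPFLAGS_OFFSET]

def syn_or_fin(tcp_header):
    """tcp[tcpflags] & (tcp-syn|tcp-fin) != 0 : any packet with SYN or FIN set."""
    return tcpflags(tcp_header) & (TCP_SYN | TCP_FIN) != 0

def pure_syn(tcp_header):
    """tcp[tcpflags] == tcp-syn : only the first packet of a handshake."""
    return tcpflags(tcp_header) == TCP_SYN

def syn_and_ack(tcp_header):
    """tcp[tcpflags] & (tcp-syn|tcp-ack) == (tcp-syn|tcp-ack) : the handshake reply."""
    return tcpflags(tcp_header) & (TCP_SYN | TCP_ACK) == (TCP_SYN | TCP_ACK)

# Constructed samples: one header per handshake/teardown stage plus a data segment.
SAMPLES = {
    "syn":     build_tcp_header(51000, 22, TCP_SYN),
    "syn-ack": build_tcp_header(22, 51000, TCP_SYN | TCP_ACK),
    "ack":     build_tcp_header(51000, 22, TCP_ACK),
    "data":    build_tcp_header(51000, 22, TCP_PUSH | TCP_ACK),
    "fin-ack": build_tcp_header(51000, 22, TCP_FIN | TCP_ACK),
    "rst":     build_tcp_header(22, 51000, TCP_RST),
}

def matching(filter_fn, samples=SAMPLES):
    """Names of the sample headers that the given filter test passes."""
    return [name for name, hdr in samples.items() if filter_fn(hdr)]

if __name__ == "__main__":
    for fn in (syn_or_fin, pure_syn, syn_and_ack):
        print(f"{fn.__name__:12s} -> {matching(fn)}")
```

Note that the SYN|FIN mask also passes the SYN-ACK and FIN-ACK segments, which is why the page's filter sees both ends of a connection rather than only the first SYN.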