tcpdump is a command-line tool for capturing and inspecting the network packets that enter and leave your machine. It is one of the most common networking utilities for troubleshooting network problems and security issues.
Despite its name, tcpdump is not limited to TCP: it can also inspect non-TCP traffic such as UDP, ARP, or ICMP.
In this tutorial we look at ways to use the tcpdump command on a Linux system.
How to Install tcpdump on Linux?
By default, tcpdump is installed on most Linux distributions. To verify whether tcpdump is installed, run the following command:
$ tcpdump --version
If it is not installed yet, run these commands (on Debian/Ubuntu-based systems, which use apt):
$ sudo apt update
$ sudo apt install tcpdump
How to Capture packets on network interfaces?
When you run tcpdump without any options, it will capture all the packets on all of the network interfaces on your computer:
$ sudo tcpdump
Press Ctrl + C to stop the capture.
To list all of the network interfaces whose packets tcpdump can capture, run:
$ sudo tcpdump -D
If you want to capture packets on a specific network interface and stop after 6 packets, run the following command:
$ sudo tcpdump -i eth0 -c 6
How to Capture network packets on a specific host?
To capture the packets sent to or from a specific host, run the following command:
$ sudo tcpdump -n host 172.19.11.101 -c 5
How to Capture network packets on a specific port?
If you want to filter only the packets on a specific port, run tcpdump with a port filter (-n disables name resolution, so addresses and ports are printed numerically):
$ sudo tcpdump -n port 22
How to Capture network packets by source and destination?
If you want to filter only the packets that come from a specific source, run tcpdump with the src filter:
$ sudo tcpdump src 172.19.11.200
To capture only the packets going to a specific destination, run tcpdump with the dst filter:
$ sudo tcpdump dst 172.19.11.200
How to Capture network packets with many combined filters?
To combine several filters in one tcpdump command, use the operators and (&&), or (||), and not (!). For example, the following command captures 5 packets that come from the source 172.19.11.200 via port 22:
$ sudo tcpdump -n -c 5 src 172.19.11.200 and port 22
Note that an unquoted && on the command line is the shell's own command separator and never reaches tcpdump; if you prefer the symbolic form, quote the whole expression: 'src 172.19.11.200 && port 22'.
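The combined filter must reach tcpdump as a single expression. The following added example (not from the original tutorial) builds such an expression from optional source, destination, port and protocol parts and passes it to tcpdump as one argument; the function names and the sample addresses are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not part of the original tutorial: build ONE filter expression
# from optional parts and pass it to tcpdump as a single argument. tcpdump's
# and/&&, or/||, not/! operators live inside that expression; an unquoted &&
# on the command line is the shell's own operator and never reaches tcpdump.
# Function names and sample addresses below are this example's own choices.

# build_filter SRC DST PORT PROTO
# Prints the clauses joined with "and"; empty parts are skipped, so
# build_filter '' '' 22 '' prints just "port 22".
build_filter() {
    expr=""
    for clause in \
        "${1:+src host $1}" \
        "${2:+dst host $2}" \
        "${3:+port $3}" \
        "$4"
    do
        [ -n "$clause" ] || continue
        if [ -z "$expr" ]; then
            expr="$clause"
        else
            expr="$expr and $clause"
        fi
    done
    printf '%s\n' "$expr"
}

# capture IFACE COUNT FILTER
# Runs tcpdump with numeric output (-n), bounded to COUNT packets (-c), on
# IFACE. The filter is quoted so it arrives as one argument. It needs root
# and a real interface, so it is only shown in the comment at the end.
capture() {
    sudo tcpdump -n -i "$1" -c "$2" "$3"
}

# Example (constructed values): 5 packets from 172.19.11.200 on TCP port 22.
# capture eth0 5 "$(build_filter 172.19.11.200 '' 22 tcp)"
# runs: sudo tcpdump -n -i eth0 -c 5 'src host 172.19.11.200 and port 22 and tcp'
```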
How to Filter network packets by protocol?
To capture the packets of a particular protocol, specify the protocol name as the filter expression. For example:
$ sudo tcpdump -n udp