TCPDump Commands – TCPDump Cheat Sheet

TCPDump Commands
2019-03_TCPDump-Commands_ThriftyAdmin-Blog-Feature

TCPDump commands are probably the most useful networking tools on a server or networking device today.  It is a network sniffer that can capture the communications between multiple devices where you can collect data about how devices or applications are talking. Having a tool to troubleshoot those connections is critical in a modern system admins toolbox.

DevOps Guide to TCPDump Commands

Troubleshooting Software Defined Network (SDN) is very difficult since understanding the traces will require knowledge of networking protocols but I will try and provide information to get you started in this area too.

Before you can start using TCPDump, you need to install it. By just typing ‘tcpdump’ at a Linux command prompt, you can start capturing packets on all interfaces. If you are not root, you will need to run the program with ‘sudo tcpdump’. 

If information starts displaying on the screen, congratulations, you have it installed and you can move to the second section on different ways to collect information. I will also update this article to also include a TCPDump Cheat Sheet to download and keep.

(To make reading this post easier, I will often be typing tcpdump in partial upper case (TCPDump).  Just note that this command is case sensitive and should always be types in a command window in all lower case.  I am just mixing case in the post to make it easier to read.)

Install TCPDump in Linux

Many of Linux distributions already shipped with tcpdump tool, if in case you don’t have it on systems, you can install it using following Yum command.

# yum install tcpdump

Install TCPDump or WireShark for Windows

To install TCPDump on windows, you have several choices.  You can use the very popular WireShark tool from www.WireShark.org.  On this page, you will have a choice to install either the installation copy or the portable copy. 

The portable copy can be installed on a USB stick and moved from place to place but it cannot collect traffic unless you have a copy of pCap also installed.  pCap (www.winpcap.org) allows you to capture data off your network cards and is included in the regular Windows Installer (32 or 64 bit) download.  A reboot is not often required but in some cases it may so be careful when installing it on a production server.

The Basics of TCPDump Commands

As more and more networking gear moved over to a Linux based kernel, TCPDump commands will be available on more and more devices natively.  It is critical all system, network, security, and DevOps admins become familiar with this tool.

Simply put, this is a command line tool with extra options added to the command that will allow you to either capture the data into a .pcap file to be analyzed later or read directly off the screen for quick diagnostics.  It is often used to filter source, destination, and ports to easily narrow your collection.

Here is a list of just a few common options.

Common Options

  • -i any : Listen on all interfaces just to see if you’re seeing any traffic.
  • -i eth0 : Listen on the eth0 interface.
  • -D : Show the list of available interfaces
  • -n : Don’t resolve hostnames.
  • -nn : Don’t resolve hostnames or port names.
  • -q : Be less verbose (more quiet) with your output.
  • -t : Give human-readable timestamp output.
  • -tttt : Give maximally human-readable timestamp output.
  • -X : Show the packet’s contents in both hex and ASCII.
  • -XX : Same as -X, but also shows the Ethernet header.
  • -v, -vv, -vvv : Increase the amount of packet information you get back.
  • -c : Only get x number of packets and then stop.
  • -s : Define the size of the capture in bytes. Use -s0 to get everything
  • -S : Print absolute sequence numbers.
  • -e : Get the Ethernet header as well.
  • -q : Show less protocol information.
  • -E : Decrypt IPSEC traffic by providing an encryption key.

The command has way too many options to list in this article so I have included a link to the online manual below for a full reference to the command and options.

Tcpdump man page

Linux TCPDump Commands Examples

To show you an available list of options and some real world possibilities, I have included a small list of commands that are very often used in the real world.  Study this list and practice reading the results so you will be able to quickly collect this data in any production outage or troubleshooting session.

Command Notes
tcpdump -i eth0 Capture Packets from just a single Interface
tcpdump -c 5 -i eth0 Capture N Number of Packets
tcpdump -A -i eth0 Captured Packets in ASCII
tcpdump -D Display Available Interfaces on the system
tcpdump -XX -i eth0 Captures the data of each packets in HEX and ASCII
tcpdump -w 0001.pcap -i eth0 Capture and Save Packets in a File
tcpdump -r Description.pcap Read Captured Packets File
tcpdump -n -i eth0 Capture IP address Packets
tcpdump -i eth0 tcp Capture only TCP Packets
tcpdump -i eth0 port 22 Capture Packet from Specific Port
tcpdump -i eth0 src 192.168.0.2 tcpdump -nni eth0 src host 8.8.8.8.8 Capture Packets from source IP
tcpdump -i eth0 dst 192.168.0.2 tcpdump -nni eth0 src host 8.8.8.8.8 Capture Packets from destination IP Use the -nni
tcpdump -nni eth0 icmp Capture filter for only icmp traffic
tcpdump -vi eth0 Turn on “verbose” key in TCPDUMP to see IP and TCP header information
tcpdump -vnni eth0 Turn off hostname and port lookup in TCPDUMP

Reading Captured Data

The data is displayed in this format:

[Timestamp] [Protocol] [Source] > [Destination], [Flag], [CkSum], [Seq], [ACK], [WIN], [LEN]

Timestamp Simple Timestamp of the packet so you can get an understanding of what happened and when.
Protocol This is the protocol being used (TCP/UDP)
Source The Source IP address or DNS Name
Destination The Destination IP address or DNS Name
Flag The Flag is key to understanding the communication between 2 devices and this will depend a lot on the protocol being used.  A  period ‘.‘ indicates an ACK [S] – SYN (Start Connection) [.] – No Flag Set, ACK [P] – PSH (Push Data) [F] – FIN (Finish Connection) [R] – RST (Reset Connection) [S.] – SYN ACK There are others but this article needs to keep things simple for now.
CkSum This is the check Sum of the packed to make sure the data was not changed in transport.
Seq This is the sequence number of the packet.
ACK TCP packet’s acknowledgement number
WIN The source host’s TCP window size
LEN The TCP packet length (in Bytes) not including the headers – in other words, the payload or data’s length. This means the IP and TCP headers combined were 40Bytes long.

Connection Handshakes walk-through

A connection handshake is simply a series of packets that go between 2 computers.  There are 2 basic handshakes.  A SYN handshake(establishes a connection) and a FIN handshake (Breaks down a connection).

When troubleshooting, this is where I spend most of my time.  I am analyzing where a communication channel breaks down between 2 devices.  Knowing what is expected (below) and what you are getting (above) will be the key in learning about the problem.

SYN Handshake
Host A – SYN -> – Host B
Host A – <- SYN ACK – Host B
Host A – ACK -> – Host B
Host A – Connect -> – Host B

FIN Handshake
Host A <- FIN ACT -> – Host B
Host A – ACK  -> Host B
Host A – FIN ACK  -> Host B
Host A <- ACK – Host B

Conclusion

That’s it.  If you can understand and practice these TCPDump commands you will become a master at troubleshooting connections between devices.  Please feel free to download the handy TCPDump Cheat Sheet for reference later too.

If you found this information useful, lease consider signing up for my email list to get notified about future articles and downloads.  If you have any questions, please add a comment below and I will do my best to answer them.  Take care and happy learning.

1 Shares

TJ Totland

Todd "TJ" Totland is a computer and network engineer working for IBM. He is certified as a MCSE, MCT, CNE, and CNA with vast experience in many technologies used in businesses today. TJ has designed, built, and managed hundreds of different types of computer and network systems for large and small customers since 1990. He is a subject Matter Expert in Cloud Technologies and has vast knowledge in VMware products.

1 Response

  1. Ashley says:

    A cheat sheat is a quick reference. Tcpdump cheat sheet contains easy to use many commands. Each tcpdum command have detail example. All commands are on linux.