TCPDump Commands – TCPDump Cheat Sheet
TCPDump commands are probably the most useful networking tools on a server or networking device today. It is a network sniffer that can capture the communications between multiple devices where you can collect data about how devices or applications are talking. Having a tool to troubleshoot those connections is critical in a modern system admins toolbox.
Troubleshooting Software Defined Network (SDN) is very difficult since understanding the traces will require knowledge of networking protocols but I will try and provide information to get you started in this area too.
Before you can start using TCPDump, you need to install it. By just typing ‘tcpdump’ at a Linux command prompt, you can start capturing packets on all interfaces. If you are not root, you will need to run the program with ‘sudo tcpdump’.
If information starts displaying on the screen, congratulations, you have it installed and you can move to the second section on different ways to collect information. I will also update this article to also include a TCPDump Cheat Sheet to download and keep.
(To make reading this post easier, I will often be typing tcpdump in partial upper case (TCPDump). Just note that this command is case sensitive and should always be types in a command window in all lower case. I am just mixing case in the post to make it easier to read.)
Install TCPDump in Linux
Many of Linux distributions already shipped with tcpdump tool, if in case you don’t have it on systems, you can install it using following Yum command.
# yum install tcpdump
Install TCPDump or WireShark for Windows
To install TCPDump on windows, you have several choices. You can use the very popular WireShark tool from www.WireShark.org. On this page, you will have a choice to install either the installation copy or the portable copy.
The portable copy can be installed on a USB stick and moved from place to place but it cannot collect traffic unless you have a copy of pCap also installed. pCap (www.winpcap.org) allows you to capture data off your network cards and is included in the regular Windows Installer (32 or 64 bit) download. A reboot is not often required but in some cases it may so be careful when installing it on a production server.
The Basics of TCPDump Commands
As more and more networking gear moved over to a Linux based kernel, TCPDump commands will be available on more and more devices natively. It is critical all system, network, security, and DevOps admins become familiar with this tool.
Simply put, this is a command line tool with extra options added to the command that will allow you to either capture the data into a .pcap file to be analyzed later or read directly off the screen for quick diagnostics. It is often used to filter source, destination, and ports to easily narrow your collection.
Here is a list of just a few common options.
- -i any : Listen on all interfaces just to see if you’re seeing any traffic.
- -i eth0 : Listen on the eth0 interface.
- -D : Show the list of available interfaces
- -n : Don’t resolve hostnames.
- -nn : Don’t resolve hostnames or port names.
- -q : Be less verbose (more quiet) with your output.
- -t : Give human-readable timestamp output.
- -tttt : Give maximally human-readable timestamp output.
- -X : Show the packet’s contents in both hex and ASCII.
- -XX : Same as -X, but also shows the Ethernet header.
- -v, -vv, -vvv : Increase the amount of packet information you get back.
- -c : Only get x number of packets and then stop.
- -s : Define the size of the capture in bytes. Use -s0 to get everything
- -S : Print absolute sequence numbers.
- -e : Get the Ethernet header as well.
- -q : Show less protocol information.
- -E : Decrypt IPSEC traffic by providing an encryption key.
The command has way too many options to list in this article so I have included a link to the online manual below for a full reference to the command and options.
Linux TCPDump Commands Examples
To show you an available list of options and some real world possibilities, I have included a small list of commands that are very often used in the real world. Study this list and practice reading the results so you will be able to quickly collect this data in any production outage or troubleshooting session.
|tcpdump -i eth0
|Capture Packets from just a single Interface
|tcpdump -c 5 -i eth0
|Capture N Number of Packets
|tcpdump -A -i eth0
|Captured Packets in ASCII
|Display Available Interfaces on the system
|tcpdump -XX -i eth0
|Captures the data of each packets in HEX and ASCII
|tcpdump -w 0001.pcap -i eth0
|Capture and Save Packets in a File
|tcpdump -r Description.pcap
|Read Captured Packets File
|tcpdump -n -i eth0
|Capture IP address Packets
|tcpdump -i eth0 tcp
|Capture only TCP Packets
|tcpdump -i eth0 port 22
|Capture Packet from Specific Port
|tcpdump -i eth0 src 192.168.0.2 tcpdump -nni eth0 src host 188.8.131.52.8
|Capture Packets from source IP
|tcpdump -i eth0 dst 192.168.0.2 tcpdump -nni eth0 src host 184.108.40.206.8
|Capture Packets from destination IP Use the -nni
|tcpdump -nni eth0 icmp
|Capture filter for only icmp traffic
|tcpdump -vi eth0
|Turn on “verbose” key in TCPDUMP to see IP and TCP header information
|tcpdump -vnni eth0
|Turn off hostname and port lookup in TCPDUMP
Reading Captured Data
The data is displayed in this format:
[Timestamp] [Protocol] [Source] > [Destination], [Flag], [CkSum], [Seq], [ACK], [WIN], [LEN]
|Simple Timestamp of the packet so you can get an understanding of what happened and when.
|This is the protocol being used (TCP/UDP)
|The Source IP address or DNS Name
|The Destination IP address or DNS Name
|The Flag is key to understanding the communication between 2 devices and this will depend a lot on the protocol being used. A period ‘.‘ indicates an ACK [S] – SYN (Start Connection) [.] – No Flag Set, ACK [P] – PSH (Push Data) [F] – FIN (Finish Connection) [R] – RST (Reset Connection) [S.] – SYN ACK There are others but this article needs to keep things simple for now.
|This is the check Sum of the packed to make sure the data was not changed in transport.
|This is the sequence number of the packet.
|TCP packet’s acknowledgement number
|The source host’s TCP window size
|The TCP packet length (in Bytes) not including the headers – in other words, the payload or data’s length. This means the IP and TCP headers combined were 40Bytes long.
Connection Handshakes walk-through
A connection handshake is simply a series of packets that go between 2 computers. There are 2 basic handshakes. A SYN handshake(establishes a connection) and a FIN handshake (Breaks down a connection).
When troubleshooting, this is where I spend most of my time. I am analyzing where a communication channel breaks down between 2 devices. Knowing what is expected (below) and what you are getting (above) will be the key in learning about the problem.
Host A – SYN -> – Host B
Host A – <- SYN ACK – Host B
Host A – ACK -> – Host B
Host A – Connect -> – Host B
Host A <- FIN ACT -> – Host B
Host A – ACK -> Host B
Host A – FIN ACK -> Host B
Host A <- ACK – Host B
That’s it. If you can understand and practice these TCPDump commands you will become a master at troubleshooting connections between devices. Please feel free to download the handy TCPDump Cheat Sheet for reference later too.
If you found this information useful, lease consider signing up for my email list to get notified about future articles and downloads. If you have any questions, please add a comment below and I will do my best to answer them. Take care and happy learning.