September 25, 2016

How to Capture Network Traffic using Tcpdump


Introduction

Tcpdump is one of the most widely used and powerful command line utilities for capturing TCP/IP packets transferred over a network. It also provides options to save the captured packets to a data file. Tcpdump runs on all Unix-based operating systems and uses the libpcap library to capture network traffic.

In this tutorial, we walk through some practical examples of how to use the tcpdump command to capture network traffic.

Requirements

  • Ubuntu 16.04 desktop or server installed on your system.

Install Tcpdump

Installing tcpdump on an Ubuntu-based system is very easy. You can install it by running the following command:

sudo apt-get install tcpdump

Display Available Interfaces

You can list the available network interfaces on the system by running the following command:

sudo tcpdump -D

Output:

    1.wlan0
    2.lxcbr0
    3.vethFY0XH3
    4.docker0
    5.bluetooth0 (Bluetooth adapter number 0)
    6.br-7b9ff245c3a0
    7.any (Pseudo-device that captures on all interfaces)
    8.lo

Capture Packets from a Specific Interface

You can use tcpdump with the -i switch to capture packets from a specific network interface.

sudo tcpdump -i wlan0

Output:

    15:40:50.747090 IP Vyom-PC.43342 > bom07s01-in-f134.1e100.net.https: Flags [.], ack 1282899678, win 258, options [nop,nop,TS val 332247 ecr 1987068517], length 0
    15:40:50.993764 IP bom07s01-in-f134.1e100.net.https > Vyom-PC.43342: Flags [.], ack 1, win 392, options [nop,nop,TS val 1987113703 ecr 320979], length 0
    15:40:51.198114 IP Vyom-PC.20061 > 192.168.43.1.domain: 46347+ PTR? 134.199.58.216.in-addr.arpa. (45)
    15:40:51.201031 IP 192.168.43.1.domain > Vyom-PC.20061: 46347 2/0/0 PTR bom07s01-in-f134.1e100.net., PTR bom07s01-in-f6.1e100.net. (123)
    15:40:51.202267 IP Vyom-PC.2167 > 192.168.43.1.domain: 61665+ PTR? 4.43.168.192.in-addr.arpa. (43)
    15:40:51.204859 IP 192.168.43.1.domain > Vyom-PC.2167: 61665* 1/0/0 PTR Vyom-PC. (64)
    15:40:52.207794 IP Vyom-PC.20690 > 192.168.43.1.domain: 64790+ PTR? 1.43.168.192.in-addr.arpa. (43)
    15:40:55.759056 ARP, Request who-has 192.168.43.1 tell Vyom-PC, length 28
    15:40:55.764676 ARP, Reply 192.168.43.1 is-at 24:da:9b:80:51:7d (oui Unknown), length 28
    15:40:57.211338 IP Vyom-PC.20690 > 192.168.43.1.domain: 64790+ PTR? 1.43.168.192.in-addr.arpa. (43)
    15:41:00.959067 IP Vyom-PC.43343 > bom07s01-in-f134.1e100.net.https: Flags [.], ack 1089874911, win 229, options [nop,nop,TS val 334800 ecr 1988976757], length 0
    15:41:01.223447 IP bom07s01-in-f134.1e100.net.https > Vyom-PC.43343: Flags [R], seq 1089874911, win 0, length 0
    15:41:01.780206 IP Vyom-PC.28561 > 192.168.43.1.domain: 24419+ A? staticxx.facebook.com. (39)
    15:41:01.794109 IP Vyom-PC.4228 > 192.168.43.1.domain: 63237+ A? platform.twitter.com. (38)
    15:41:02.370899 IP 192.168.43.1.domain > Vyom-PC.28561: 24419 2/0/0 CNAME scontent.xx.fbcdn.net., A 31.13.93.7 (90)
    15:41:02.431873 IP 192.168.43.1.domain > Vyom-PC.4228: 63237 2/0/0 CNAME platform-eb.twitter.com., A 199.96.57.6 (80)
    15:41:03.831458 IP Vyom-PC.63206 > 192.168.43.1.domain: 40927+ A? www.facebook.com. (34)
    15:41:03.882898 IP 192.168.43.1.domain > Vyom-PC.63206: 40927 2/0/0 CNAME star-mini.c10r.facebook.com., A 31.13.93.36 (79)

Capture a Specific Number of Packets

When you run the tcpdump command it captures packets continuously until you interrupt it. You can also capture a specific number of packets using the -c option.

For example, to capture 10 packets on interface wlan0, run the following command:

sudo tcpdump -c 10 -i wlan0

Output:

    tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
    listening on wlan0, link-type EN10MB (Ethernet), capture size 65535 bytes
    15:45:40.540228 IP bom07s01-in-f14.1e100.net.https > Vyom-PC.36458: Flags [.], ack 2464475252, win 341, options [nop,nop,TS val 909043884 ecr 404556], length 0
    15:45:40.540426 IP bom07s01-in-f14.1e100.net.https > Vyom-PC.36458: Flags [P.], seq 0:148, ack 1, win 341, options [nop,nop,TS val 909043884 ecr 404556], length 148
    15:45:40.540471 IP Vyom-PC.36458 > bom07s01-in-f14.1e100.net.https: Flags [.], ack 148, win 237, options [nop,nop,TS val 404695 ecr 909043884], length 0
    15:45:40.540805 IP Vyom-PC.36458 > bom07s01-in-f14.1e100.net.https: Flags [P.], seq 1:44, ack 148, win 237, options [nop,nop,TS val 404695 ecr 909043884], length 43
    15:45:40.557496 IP Vyom-PC.36458 > bom07s01-in-f14.1e100.net.https: Flags [P.], seq 44:89, ack 148, win 237, options [nop,nop,TS val 404699 ecr 909043884], length 45
    15:45:40.557570 IP Vyom-PC.36458 > bom07s01-in-f14.1e100.net.https: Flags [P.], seq 89:131, ack 148, win 237, options [nop,nop,TS val 404699 ecr 909043884], length 42
    15:45:40.557610 IP Vyom-PC.36458 > bom07s01-in-f14.1e100.net.https: Flags [P.], seq 131:165, ack 148, win 237, options [nop,nop,TS val 404699 ecr 909043884], length 34
    15:45:40.557862 IP Vyom-PC.36458 > bom07s01-in-f14.1e100.net.https: Flags [P.], seq 165:393, ack 148, win 237, options [nop,nop,TS val 404699 ecr 909043884], length 228
    15:45:40.625978 IP bom07s01-in-f14.1e100.net.https > Vyom-PC.36458: Flags [P.], seq 148:202, ack 44, win 341, options [nop,nop,TS val 909043958 ecr 404695], length 54
    15:45:40.626154 IP bom07s01-in-f14.1e100.net.https > Vyom-PC.36458: Flags [P.], seq 202:236, ack 44, win 341, options [nop,nop,TS val 909043958 ecr 404695], length 34
    10 packets captured
    28 packets received by filter
    0 packets dropped by kernel

Display Captured Packets in ASCII

You can print the captured packets in ASCII using the -A switch by running the following command:

sudo tcpdump -A

Output:

    tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
    listening on wlan0, link-type EN10MB (Ethernet), capture size 65535 bytes
    15:49:48.639241 IP Vyom-PC.36468 > bom07s01-in-f142.1e100.net.https: Flags [.], ack 1337692423, win 262, options [nop,nop,TS val 466720 ecr 1996389772], length 0
    E..4J.@.@.d...+..:...t..T    ..O..............
    ... v.}.
    15:49:48.696915 IP bom07s01-in-f142.1e100.net.https > Vyom-PC.36468: Flags [.], ack 1, win 373, options [nop,nop,TS val 1996434895 ecr 410184], length 0
    E..4.y..8....:....+....tO...T    .....u*......
    v.-...BH
    15:49:49.123878 IP Vyom-PC.52756 > 192.168.43.1.domain: 51923+ PTR? 142.199.58.216.in-addr.arpa. (45)
    E..I.
    @.@.HD..+...+....5.5+..............142.199.58.216.in-addr.arpa.....
    15:49:49.126967 IP 192.168.43.1.domain > Vyom-PC.52756: 51923 2/0/0 PTR bom07s01-in-f142.1e100.net., PTR bom07s01-in-f14.1e100.net. (124)
    E.....@.@.b...+...+..5....pM.............142.199.58.216.in-addr.arpa.............z>...bom07s01-in-f142.1e100.net.........z>...bom07s01-in-f14.1e100.net.

Save Captured Packets in a File

Tcpdump can capture packets and save them to a file in .pcap format.

You can do this by using the tcpdump command with the -w option:

sudo tcpdump -w packet.pcap -i wlan0

Output:

    tcpdump: listening on wlan0, link-type EN10MB (Ethernet), capture size 65535 bytes

    47 packets captured
    47 packets received by filter
    0 packets dropped by kernel

Read Captured Packets File

You can read the captured packets back from the file packet.pcap using the -r option.

sudo tcpdump -r packet.pcap

Output:

    reading from file packet.pcap, link-type EN10MB (Ethernet)
    15:55:41.711228 IP Vyom-PC.54480 > unknown.telstraglobal.net.https: Flags [.], ack 1499061941, win 35252, length 0
    15:55:42.352855 IP unknown.telstraglobal.net.https > Vyom-PC.54480: Flags [.], ack 1, win 13168, length 0

    15:55:46.719096 ARP, Request who-has 192.168.43.1 tell Vyom-PC, length 28
    15:55:46.724723 ARP, Reply 192.168.43.1 is-at 24:da:9b:80:51:7d (oui Unknown), length 28
    15:55:46.828946 IP Vyom-PC.61667 > 192.168.43.1.domain: 2377+ A? stats-public.grammarly.io. (43)
    15:55:47.343824 IP 192.168.43.1.domain > Vyom-PC.61667: 2377 2/0/0 CNAME ec2-54-198-236-163.compute-1.amazonaws.com., A 54.198.236.163 (115)
    15:55:47.344520 IP Vyom-PC.51246 > ec2-54-198-236-163.compute-1.amazonaws.com.https: Flags [S], seq 139582281, win 29200, options [mss 1460,sackOK,TS val 556396 ecr 0,nop,wscale 7], length 0
    15:55:47.581630 IP Vyom-PC.51247 > ec2-54-198-236-163.compute-1.amazonaws.com.https: Flags [S], seq 4019141426, win 29200, options [mss 1460,sackOK,TS val 556455 ecr 0,nop,wscale 7], length 0
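Added example, not from the original post: a small parser for the classic libpcap .pcap layout that -w writes and -r reads (24-byte global header, then a 16-byte record header per packet). The capture it parses is constructed in memory here, with zero-filled placeholder frames, so it runs offline; it also refuses truncated or non-pcap input, which is what you want before trusting a file handed to you for analysis.

```python
import struct

LINKTYPE_ETHERNET = 1        # what tcpdump reports as "link-type EN10MB (Ethernet)"
PCAP_MAGIC = 0xA1B2C3D4      # microsecond-resolution pcap magic

def build_sample_pcap():
    """Constructed in-memory pcap, laid out as tcpdump -w writes it (not a real capture)."""
    # Global header: magic, version 2.4, thiszone, sigfigs, snaplen, linktype
    header = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    frames = [(1474795541, 711228, b"\x00" * 60),   # placeholder 60-byte frame
              (1474795546, 719096, b"\x00" * 42)]   # placeholder 42-byte frame
    # Per-packet record header: ts_sec, ts_usec, incl_len (captured), orig_len (on wire)
    records = b"".join(struct.pack("<IIII", s, u, len(f), len(f)) + f for s, u, f in frames)
    return header + records

def parse_pcap(data):
    """Return (linktype, snaplen, [(ts_sec, ts_usec, frame_bytes), ...]); raise on damage."""
    if len(data) < 24:
        raise ValueError("truncated global header")
    magic = struct.unpack("<I", data[:4])[0]
    if magic == PCAP_MAGIC:
        end = "<"                       # written on a little-endian host
    elif magic == 0xD4C3B2A1:
        end = ">"                       # same magic seen byte-swapped: big-endian writer
    else:
        raise ValueError("not a pcap file: magic 0x%08x" % magic)
    _, vmaj, vmin, _, _, snaplen, linktype = struct.unpack(end + "IHHiIII", data[:24])
    if (vmaj, vmin) != (2, 4):
        raise ValueError("unsupported pcap version %d.%d" % (vmaj, vmin))
    packets, off = [], 24
    while off < len(data):
        if off + 16 > len(data):
            raise ValueError("truncated record header at offset %d" % off)
        sec, usec, incl, orig = struct.unpack(end + "IIII", data[off:off + 16])
        off += 16
        if incl > snaplen or incl > orig or off + incl > len(data):
            raise ValueError("bad or truncated record at offset %d" % off)
        packets.append((sec, usec, data[off:off + incl]))
        off += incl
    return linktype, snaplen, packets
```

To run it on a real file, pass open("packet.pcap", "rb").read() to parse_pcap; the packet count it returns should match the "packets captured" line tcpdump printed.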

Capture Packet from Specific Port

To capture only packets to or from a specific port, run the following command:

sudo tcpdump -i wlan0 port 22

Output:

    tcpdump: listening on wlan0, link-type EN10MB (Ethernet), capture size 65535 bytes
    16:12:14.271113 IP (tos 0x0, ttl 64, id 4416, offset 0, flags [DF], proto TCP (6), length 52)
        Vyom-PC.45256 > bom07s01-in-f2.1e100.net.https: Flags [.], cksum 0x66ee (correct), ack 704958143, win 262, options [nop,nop,TS val 803128 ecr 1996234086], length 0
    16:12:14.468463 IP (tos 0x0, ttl 64, id 7031, offset 0, flags [DF], proto UDP (17), length 73)
        Vyom-PC.64023 > 192.168.43.1.domain: 12519+ PTR? 130.199.58.216.in-addr.arpa. (45)
    16:12:14.494358 IP (tos 0x0, ttl 56, id 42504, offset 0, flags [none], proto TCP (6), length 52)
        bom07s01-in-f2.1e100.net.https > Vyom-PC.45256: Flags [.], cksum 0x3920 (correct), ack 1, win 635, options [nop,nop,TS val 1996279324 ecr 769242], length 0
    16:12:14.621544 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto UDP (17), length 151)
        192.168.43.1.domain > Vyom-PC.64023: 12519 2/0/0 130.199.58.216.in-addr.arpa. PTR bom07s01-in-f2.1e100.net., 130.199.58.216.in-addr.arpa. PTR bom07s01-in-f130.1e100.net. (123)
    16:12:14.622072 IP (tos 0x0, ttl 64, id 7032, offset 0, flags [DF], proto UDP (17), length 71)
        Vyom-PC.40692 > 192.168.43.1.domain: 36419+ PTR? 4.43.168.192.in-addr.arpa. (43)
    16:12:14.622698 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto UDP (17), length 92)
        192.168.43.1.domain > Vyom-PC.40692: 36419* 1/0/0 4.43.168.192.in-addr.arpa. PTR Vyom-PC. (64)
    16:12:15.624388 IP (tos 0x0, ttl 64, id 7033, offset 0, flags [DF], proto UDP (17), length 71)
        Vyom-PC.6105 > 192.168.43.1.domain: 56925+ PTR? 1.43.168.192.in-addr.arpa. (43)

Capture only TCP Packets

To capture only TCP packets, run the following command:

sudo tcpdump -i wlan0 tcp

Output:

    tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
    listening on wlan0, link-type EN10MB (Ethernet), capture size 65535 bytes
    16:16:33.119464 IP Vyom-PC.38928 > ec2-54-90-148-22.compute-1.amazonaws.com.https: Flags [.], ack 4095000419, win 229, options [nop,nop,TS val 867840 ecr 2784413801], length 0
    16:16:34.245441 IP ec2-54-90-148-22.compute-1.amazonaws.com.https > Vyom-PC.38928: Flags [.], ack 1, win 210, options [nop,nop,TS val 2784425261 ecr 856589], length 0
    16:16:35.359096 IP Vyom-PC.36521 > bom07s01-in-f142.1e100.net.https: Flags [.], ack 1329362084, win 229, options [nop,nop,TS val 868400 ecr 1995067644], length 0
    16:16:35.634033 IP bom07s01-in-f142.1e100.net.https > Vyom-PC.36521: Flags [R], seq 1329362084, win 0, length 0
    16:16:42.810310 IP Vyom-PC.46586 > bom05s08-in-f162.1e100.net.https: Flags [.], seq 191577511:191578869, ack 3383719639, win 254, options [nop,nop,TS val 870262 ecr 1609825056], length 1358
    16:16:42.810465 IP Vyom-PC.46586 > bom05s08-in-f162.1e100.net.https: Flags [P.], seq 1358:1367, ack 1, win 254, options [nop,nop,TS val 870262 ecr 1609825056], length 9
    16:16:42.810623 IP Vyom-PC.46586 > bom05s08-in-f162.1e100.net.https: Flags [P.], seq 1367:1405, ack 1, win 254, options [nop,nop,TS val 870262 ecr 1609825056], length 38
    16:16:42.811603 IP Vyom-PC.46586 > bom05s08-in-f162.1e100.net.https: Flags [P.], seq 1405:2213, ack 1, win 254, options [nop,nop,TS val 870263 ecr 1609825056], length 808
    16:16:42.820642 IP Vyom-PC.46586 > bom05s08-in-f162.1e100.net.https: Flags [.], seq 2213:3571, ack 1, win 254, options [nop,nop,TS val 870265 ecr 1609825056], length 1358
    16:16:42.820700 IP Vyom-PC.46586 > bom05s08-in-f162.1e100.net.https: Flags [P.], seq 3571:3602, ack 1, win 254, options [nop,nop,TS val 870265 ecr 1609825056], length 31
    16:16:42.820858 IP Vyom-PC.46586 > bom05s08-in-f162.1e100.net.https: Flags [P.], seq 3602:4247, ack 1, win 254, options [nop,nop,TS val 870265 ecr 1609825056], length 645

Capture Packets Showing IP Addresses

To display packets with numeric IP addresses and port numbers instead of resolved host and service names, use the tcpdump command with the -n option:

sudo tcpdump -n -i wlan0

Output:

    tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
    listening on wlan0, link-type EN10MB (Ethernet), capture size 65535 bytes
    16:19:39.778704 IP 192.168.43.4.64105 > 192.168.43.1.53: 28956+ A? staticxx.facebook.com. (39)
    16:19:40.127052 IP 192.168.43.4.55027 > 104.65.140.27.80: Flags [.], ack 2417585591, win 244, options [nop,nop,TS val 914592 ecr 3700427000], length 0
    16:19:40.138398 IP 192.168.43.1.53 > 192.168.43.4.64105: 28956 2/0/0 CNAME scontent.xx.fbcdn.net., A 31.13.93.7 (90)
    16:19:40.437891 IP 104.65.140.27.80 > 192.168.43.4.55027: Flags [.], ack 1, win 1053, options [nop,nop,TS val 3700472510 ecr 903304], length 0
    16:19:41.247845 IP 216.58.199.142.443 > 192.168.43.4.36520: Flags [P.], seq 2060299420:2060299475, ack 556233794, win 350, options [nop,nop,TS val 1995298115 ecr 854767], length 55
    16:19:41.248173 IP 192.168.43.4.36520 > 216.58.199.142.443: Flags [F.], seq 1, ack 55, win 339, options [nop,nop,TS val 914872 ecr 1995298115], length 0
    16:19:41.257875 IP 216.58.199.142.443 > 192.168.43.4.36520: Flags [F.], seq 55, ack 1, win 350, options [nop,nop,TS val 1995298115 ecr 854767], length 0
    16:19:41.257942 IP 192.168.43.4.36520 > 216.58.199.142.443: Flags [.], ack 56, win 339, options [nop,nop,TS val 914874 ecr 1995298115], length 0
    16:19:41.707916 IP 216.58.199.142.443 > 192.168.43.4.36520: Flags [F.], seq 55, ack 1, win 350, options [nop,nop,TS val 1995298671 ecr 854767], length 0
    16:19:41.707976 IP 192.168.43.4.36520 > 216.58.199.142.443: Flags [.], ack 56, win 339, options [nop,nop,TS val 914987 ecr 1995298671,nop,nop,sack 1 {55:56}], length 0
    10 packets captured
    10 packets received by filter
    0 packets dropped by kernel
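Added example, not from the original post: a parser for the one-line output format shown throughout this tutorial (TCP lines with Flags [...], DNS queries and answers, ARP), which works the same whether endpoints are printed as names or, with -n, as addresses, and summarises what was queried and which new TCP connections (pure SYN) appeared. The sample lines are constructed in that format, so the script runs offline; to use it on a live run, pipe tcpdump output into summarize.

```python
import re
from collections import Counter

# Constructed sample lines in the one-line format tcpdump prints on this page.
SAMPLE = """\
16:19:39.778704 IP 192.168.43.4.64105 > 192.168.43.1.53: 28956+ A? staticxx.facebook.com. (39)
16:19:40.138398 IP 192.168.43.1.53 > 192.168.43.4.64105: 28956 2/0/0 CNAME scontent.xx.fbcdn.net., A 31.13.93.7 (90)
15:55:46.719096 ARP, Request who-has 192.168.43.1 tell Vyom-PC, length 28
15:55:47.344520 IP Vyom-PC.51246 > ec2-54-198-236-163.compute-1.amazonaws.com.https: Flags [S], seq 139582281, win 29200, length 0
16:19:41.248173 IP 192.168.43.4.36520 > 216.58.199.142.443: Flags [F.], seq 1, ack 55, win 339, length 0
"""
LINE_RE = re.compile(r"^(?P<ts>\d\d:\d\d:\d\d\.\d{6}) (?P<proto>IP6?|ARP),? (?P<rest>.*)$")
EP_RE = re.compile(r"^(?P<src>\S+) > (?P<dst>\S+): (?P<body>.*)$")
FLAGS_RE = re.compile(r"^Flags \[([^\]]*)\]")                                # TCP: Flags [S], [P.], ...
DNSQ_RE = re.compile(r"^\d+\+? (?P<qtype>[A-Z]+)\? (?P<qname>\S+) \(\d+\)$")  # 2377+ A? name. (43)
DNSR_RE = re.compile(r"^\d+\*? \d+/\d+/\d+ ")                                # 2377 2/0/0 ... (answer)

def parse_line(line):
    """Parse one tcpdump output line into a dict; None if it is not a packet line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = {"ts": m.group("ts"), "proto": m.group("proto"), "kind": "other"}
    if rec["proto"] == "ARP":
        rec["kind"] = "arp"
        return rec
    ep = EP_RE.match(m.group("rest"))
    if not ep:
        return rec
    # The last dot separates host (name or, with -n, address) from port or service name.
    rec["src"], _, rec["sport"] = ep.group("src").rpartition(".")
    rec["dst"], _, rec["dport"] = ep.group("dst").rpartition(".")
    body = ep.group("body")
    if FLAGS_RE.match(body):
        rec["kind"], rec["flags"] = "tcp", FLAGS_RE.match(body).group(1)
    elif DNSQ_RE.match(body):
        q = DNSQ_RE.match(body)
        rec["kind"], rec["qtype"], rec["qname"] = "dns_query", q.group("qtype"), q.group("qname")
    elif DNSR_RE.match(body):
        rec["kind"] = "dns_response"
    return rec

def summarize(text):
    """Count record kinds, collect queried names and new TCP connections (pure SYN)."""
    recs = [r for r in map(parse_line, text.splitlines()) if r]
    return {"kinds": Counter(r["kind"] for r in recs),
            "queries": [r["qname"] for r in recs if r["kind"] == "dns_query"],
            "syns": [(r["src"], r["dst"], r["dport"]) for r in recs if r.get("flags") == "S"]}
```

The header and "packets captured" summary lines tcpdump prints are skipped by parse_line, so the whole terminal output can be fed in unchanged.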

Conclusion

I hope you can now explore the tcpdump command in more depth. Tcpdump has many more options; use whichever suit your requirements.
