tcpdump – A utility that allows you to intercept and analyze network traffic.
You must run it with root rights. In Ubuntu, you can use “sudo” before each command, or you can immediately switch to root user:
Below are examples of running tcpdump.
Running with the indication of the network interface:
tcpdump -i eth0 /usr/sbin/tcpdump -i eth0
Display statistics only for specified addresses or exclude addresses:
tcpdump host ADDRESS tcpdump host ADDRESS and ADDRESS tcpdump host ADDRESS or ADDRESS tcpdump not host ADDRESS tcpdump ether host e0:cb:4e:c3:7c:44
Specifying the port:
tcpdump port 80
With the type arp/rarp/ip/tcp/udp/icmp/wlan/multicast/broadcast, eg:
tcpdump arp tcpdump arp and broadcast tcpdump -i eth0 icmp
tcpdump -n -i eth0 -e arp
Write the result to a file:
tcpdump -w "/home/user/tcpdump/"`date "+%Y-%m-%d-%H-%M"`-http.pcap
Specifying the VLAN:
tcpdump vlan 100
tcpdump port 67 or port 68 -e -n tcpdump -i eth0 '((port 67 or port 68) and (udp[8:1] = 0x1))' -vvv -s 1500 | grep 00:00:12:00:12:45
tcpdump -s 1500 -c 30000 'tcp port 80 and (((ip[2:2] - ((ip&0xf)<<2)) - ((tcp&0xf0)>>2)) != 0)'
I’ll describe the possible startup options:
-a Convert network and broadcast addresses to domain names.
-i The interface that will obey.
-c Shutdown after the specified number of packets.
-v, -vv, -vvv Output of more detailed information.
-q Quiet mode, a summary is displayed.
-t Does not display a timestamp in each line.
-tttt Time display with date.
-n Do not allow domain names of hosts.
-nn Displays the port number instead of the protocol it uses.
-N Allow domain names of hosts.
-e Display link-layer data (MAC address, protocol, packet length).
-w Record information in binary format to a file. The file can then be opened through analysis programs, for example Wireshark.
-r The parameter allows you to read traffic from a file.
-s The number of bytes of the packet that tcpdump will handle.
-x Displays packets in a hexadecimal system.