A must-have for advanced network engineers! A complete guide to using Tcpdump for packet capture, from beginners to practical use

To analyze network behaviour, a Windows client can install packet capture software such as Wireshark and capture the data streams for analysis. So how do Linux and the other operating systems commonly used on servers capture packets on an interface for network analysis?
This issue introduces Tcpdump, an essential tool for advanced network engineers!
1. Introduction to Tcpdump
In network operations and maintenance, Windows users often use Wireshark to capture packets. But how can Linux servers analyze network traffic? Today, we'll unveil the secrets of Tcpdump, the "Swiss Army Knife" of advanced network engineers. We'll break down the entire process from installation to practical application, and include a guide to avoiding pitfalls!
Tool positioning: why must network engineers master Tcpdump?
Tcpdump is a popular packet capture tool for Unix-like systems. Its name is a combination of "TCP protocol" and "data export." It captures network packets in real time based on the libpcap library and supports:
- Sniff and save traffic data
- Precise filtering by protocol/port/IP
- Generate pcap file for subsequent analysis
Applicable scenarios: Linux, Solaris, BSD and other systems. The Windows version is WinDump (WinPcap driver required).
2. Tcpdump installation introduction
To install tcpdump in Linux, you can follow these steps:
- Open the terminal: In Linux, you can open the terminal by clicking the terminal icon or using the shortcut key (usually Ctrl+Alt+T).
- Install tcpdump using the package manager: Depending on your Linux distribution, choose the corresponding package manager to install tcpdump.
Here are some common distributions and their corresponding package managers:
- Ubuntu/Debian: Use the apt-get command to install. Enter the following command in the terminal and press Enter:
sudo apt-get update
sudo apt-get install tcpdump
- CentOS/Fedora: Use the yum command to install. Enter the following command in the terminal and press Enter:
sudo yum update
sudo yum install tcpdump
- Arch Linux: Use the pacman command to install. Enter the following command in the terminal and press Enter:
sudo pacman -Sy tcpdump
Please note that you may need to enter the administrator password for confirmation during the installation process.
- Wait for the installation to complete: The installation process may take some time. The system will automatically download and install tcpdump and its dependent packages.
- Verify the installation: Once the installation is complete, you can verify that the installation was successful by entering the following command in the terminal:
tcpdump --version
If the tcpdump version information is output, it means that the installation is successful.
Now you have successfully installed tcpdump in your Linux operating system. Next, you can use the tcpdump command to capture and analyze network packets. Remember that when using tcpdump, you may need to use sudo or run it as the root user to obtain sufficient permissions to capture packets.
3. Basic usage of Tcpdump
Use the command tcpdump --help (or tcpdump -h) to view the command options of the tcpdump tool:
The basic command format of tcpdump is: tcpdump [option] [expression]
- -a: Convert network addresses and broadcast addresses into names
- -A: Print all packets in ASCII format and minimize the link layer header
- -B: used to set the operating system capture buffer size
- -c: specifies the number of captured data packets
- -C: This option is used with the -w option. If the saved file size exceeds the threshold, the current file is closed and a new file is started to continue saving data (storing the captured packet data in multiple fixed-size files is beneficial for long-term packet capture scenarios)
- -d: Dump the compiled packet-matching code in a human-readable (assembler-like) form and exit
- -dd: Dump the packet-matching code as a C program fragment
- -ddd: Print the packet matching code in decimal form
- -D: Print all network interfaces in the system that support packet capture
- -e: Print the data link layer header information on the output line
- -E: Decrypt IPsec ESP packets. The key is given in the form spi@ipaddr algo:secret: ESP packets addressed to ipaddr that carry the security parameter index spi are decrypted with algorithm algo and key secret, so tcpdump can capture and display the contents of IPsec-encrypted packets. This option is meant for debugging only, since a secret passed on the command line is visible to other users of the system.
- -f : Print external Internet addresses as numbers
- -F: Use file as input for filter expression
- -i: Specify the monitoring network interface
- -l: line buffer standard output
- -L: List the types of data link layers supported by the specified network interface and exit
- -m: Load the SMI MIB module through the file specified by module
- -n: Do not convert the network address into a name, that is, directly display the IP address instead of the host name
- -N: Do not print the domain name part of the host
- -nn: Do not convert port names
- -O: Do not enable the optimized code used for packet matching
- -p: Do not put the network interface into promiscuous mode
- -q: Quick and short printout
- -R: Set tcpdump to parse ESP/AH packets according to RFC1825 instead of RFC1829
- -r: Read packet data from file file
- -s: Packet capture length, if not set, the default will be 68 bytes
- -S: When printing the sequence number of TCP packets, use absolute sequence numbers instead of relative sequence numbers
- -t: Do not print timestamps on each line of output
- -tt: Do not format the time output on each line
- -ttt: When tcpdump outputs, there will be a delay (in milliseconds) between each two lines of printing
- -tttt: Add the date before the timestamp printed on each line
- -u: Print out unencrypted NFS handles
- -U: Synchronizes file writing and packet saving when tcpdump is used with the -w option
- -v: Analyze and print verbose output
- -vv: Produce more verbose output than -v
- -vvv: Produce more detailed output than -vv
- -w: Write packet data directly to the file without analyzing or printing it
- -W: Set the maximum number of output files
- -x: Print the header data of each packet in hexadecimal form, but do not include the data link layer header
- -xx: Print the header data of each packet in hexadecimal form, including the data link layer header
- -X: Display output in ASCII format, but does not include the data link layer header
- -XX: Display output in ASCII format and include the data link layer header
- -y: Only capture packets whose data link layer protocol type is datalinktype
4. Common capture methods of Tcpdump
(1) Default startup
tcpdump monitors all packets flowing through the system's first network interface.
tcpdump
(2) Capture network card eth0
Capture all packets on the network card eth0
tcpdump -i eth0
(3) Capture the specified MAC
Capture the data packet on the ath10 interface containing the MAC address 11:22:33:44:55:66 and save it as ath10.pcap in the current directory:
tcpdump -i ath10 -w ath10.pcap ether host 11:22:33:44:55:66
Capture the data packet with source MAC address 11:22:33:44:55:66 on the ath10 interface and save it as ath10.pcap in the current directory:
tcpdump -i ath10 -w ath10.pcap ether src 11:22:33:44:55:66
Capture the data packet with the destination MAC address 11:22:33:44:55:66 on the ath10 interface and save it as ath10.pcap in the current directory:
tcpdump -i ath10 -w ath10.pcap ether dst 11:22:33:44:55:66
(4) Capture the specified host
Capture all packets with IP 192.168.1.2 on the eth0 network card:
tcpdump -i eth0 -nn 'host 192.168.1.2'
Capture all packets with source IP 192.168.1.2 on the eth0 network card:
tcpdump -i eth0 -nn 'src host 192.168.1.2'
Capture all packets with destination IP 192.168.1.2 on the eth0 network card:
tcpdump -i eth0 -nn 'dst host 192.168.1.2'
(5) Capture the specified port
Capture all packets with port number 80 on the eth0 network card:
tcpdump -i eth0 -nnA 'port 80'
(6) Capture the specified host and port
Capture all packets with source IP 192.168.1.2 and port 80 on the eth0 network card:
tcpdump -i eth0 -nnA 'port 80 and src host 192.168.1.2'
(7) Capture all ports except a certain port
To exclude a port or host, use the "!" symbol (equivalent to the keyword not). The following example monitors data packets on all ports other than port 22:
tcpdump -i eth0 -nnA '!port 22'
(8) Protocol filtering
Can filter ip6, arp, icmp, tcp, udp, igmp and other protocols:
tcpdump -i ath10 -w ath10.pcap tcp and ether host 88:bf:e4:fc:26:19
This command captures the TCP data packets on the ath10 interface that contain the MAC address 88:bf:e4:fc:26:19 and saves them in the ath10.pcap file.
(9) Combined filtering
Filtering rules can be combined with the logical operators and, or and not. Note that the protocol qualifier (such as tcp) should be placed first.
tcpdump -i eth0 -w eth0.pcap 'tcp and src (192.168.96.54 or 192.168.96.7)'
This command captures TCP packets whose source address is 192.168.96.54 or 192.168.96.7 on the eth0 interface and saves them in the eth0.pcap file. Note: the parentheses must be protected from the shell by wrapping the whole expression in single quotes.
(10) Rolling storage of sub-files (suitable for long-term monitoring)
tcpdump -i eth0 -C 100 -W 10 -G 86400 -w daily_%Y%m%d.pcap
Note: each file is 100 MB, at most 10 files are kept, and the files are named by date automatically (the %Y%m%d pattern in the file name is only expanded when -G is also given; -G 86400 additionally rotates the file once a day, and -C appends a sequence number to each file name).
(11) Capture data packets of specified length (save space)
tcpdump -i eth0 -s 200 # capture only the first 200 bytes of each packet
(12) Filtering on packet header bytes (offset expressions)
tcpdump -i eth0 -A 'tcp[14:2] > 1000' # capture TCP packets whose window size is greater than 1000 (the window field is bytes 14-15 of the TCP header)
5. Notes
1. Data decoding optimization
The data packets directly output by tcpdump are mostly in hexadecimal format, which is not conducive to analysis. Best practice: Use the -w parameter to save the captured packets as a pcap file:
tcpdump -i eth0 -w traffic.pcap
- Use a tool like Wireshark to open the file for decoding and analysis, rather than viewing the raw output directly.
2. Process Residual Processing
After stopping a capture with Ctrl+C (or suspending it with Ctrl+Z, which does not terminate it), tcpdump processes may be left behind and cause abnormal memory usage. Solution:
- Check for leftover processes:
ps aux | grep tcpdump
- Forcefully terminate all processes:
killall tcpdump
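A capture wrapper that ties together the rotating storage of section (10) and the process clean-up of section 5.2, added here as an example and not part of the original article; the CAP_DIR directory, the CAP_USER variable and the function names are assumptions of this example:

```shell
#!/bin/sh
# Long-running rotating capture tracked by a PID file, so it can be stopped
# cleanly instead of with "killall tcpdump" (which would also kill any other
# capture on the host). CAP_DIR, CAP_USER and the function names are this
# example's own assumptions, not part of tcpdump.

CAP_DIR=${CAP_DIR:-/var/tmp/captures}   # assumed directory for pcap files
CAP_USER=${CAP_USER:-}                  # if set, tcpdump drops root with -Z

# build_capture_cmd IFACE FILE_MB FILES SNAPLEN [FILTER...]
# Prints the command line: -C rotates by size (MB), -G 86400 rotates daily,
# -W keeps a ring of FILES files, -U flushes every packet to disk, and with
# -G the %Y%m%d in the file name is expanded (without -G it stays literal).
build_capture_cmd() {
    iface=$1; file_mb=$2; files=$3; snaplen=$4; shift 4
    case $iface in
        ''|*[!A-Za-z0-9_.:-]*) echo "bad interface name: '$iface'" >&2; return 1 ;;
    esac
    case "$file_mb$files$snaplen" in
        *[!0-9]*|'') echo "size, file count and snaplen must be integers" >&2; return 1 ;;
    esac
    cmd="tcpdump -i $iface -nn -U -s $snaplen -C $file_mb -W $files -G 86400"
    # -Z drops privileges before the first savefile is opened, so CAP_DIR
    # must be writable by that user
    [ -n "$CAP_USER" ] && cmd="$cmd -Z $CAP_USER"
    cmd="$cmd -w $CAP_DIR/${iface}_%Y%m%d.pcap"
    [ $# -gt 0 ] && cmd="$cmd '$*'"
    printf '%s\n' "$cmd"
}

# start_capture IFACE [FILTER...]: 100 MB files, ring of 10, snaplen 0
# (tcpdump's default, whole packets); the PID is written to CAP_DIR/IFACE.pid
start_capture() {
    iface=$1; shift
    mkdir -p "$CAP_DIR"
    cmd=$(build_capture_cmd "$iface" 100 10 0 "$@") || return 1
    # run through sh -c so the single-quoted filter is parsed as one argument
    sh -c "exec $cmd" >"$CAP_DIR/$iface.log" 2>&1 &
    echo $! >"$CAP_DIR/$iface.pid"
}

# stop_capture IFACE: SIGINT lets tcpdump finish writing the current pcap
# and print its packet statistics, which SIGKILL would not allow
stop_capture() {
    pidfile=$CAP_DIR/$1.pid
    [ -r "$pidfile" ] || { echo "no capture recorded for $1" >&2; return 1; }
    kill -INT "$(cat "$pidfile")" && rm -f "$pidfile"
}
```

Typical use is start_capture eth0 port 80 and not host 10.0.0.1 from a root shell, followed later by stop_capture eth0; the pcap files in CAP_DIR are then opened in Wireshark as described in section 5.1.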
3. File Management Strategy
Storing pcap files for a long time will take up disk space. Cleaning method:
- View file list and size:
ls -la | grep pcap
- Delete the specified file (replace xxx with the file name):
rm xxx.pcap