What is tcpdump and what is it used for
tcpdump is a completely free tool that will allow us to capture all the network traffic from one or more interfaces, whether they are Ethernet, WiFi, PPPoE interfaces that we have built, and even virtual interfaces like the ones we create when using virtual private networks. This program is not only responsible for capturing all the traffic, but we can also analyze it in real time as it is captured, all through the command line.
tcpdump is supported on all Unix-based operating systems, including Linux, BSD, macOS, and many others. Of course, this program makes use of the libpcap library to capture all the packets that flow through an interface in question, be it physical or virtual. In order to run this program on the system, it is necessary to have superuser permissions, since we are capturing and viewing network traffic that could be “sensitive”, therefore, it is necessary to have administrator privileges.
The best thing that tcpdump has are the filters, we will be able to filter all the traffic to see only what interests us. Filters are expressions that go behind the capture options, and allow us to show only what we are looking for and not everything. If we do not put any filter, we will see all the network traffic of the selected network adapter.
The main uses that we can give to a tool like tcpdump are the following:
- Capture all the information and store it for later study.
- Debug real-time applications that use the network to communicate.
- Check that the network traffic is as expected taking into account its use.
- Capture and read the data from other computers on the network, although in this case we would have to use techniques such as ARP Spoofing or similar if we are in a switched environment and we are not using tcpdump on the router.
Once we have seen what tcpdump is and what it can be used for, we are going to install it on our Linux operating system to show you how it works.
Installation in Debian and main options
This program is widely used in all Linux-based operating systems, therefore, we will be able to install it directly from the official repositories of each distribution. In the case of Debian, we have to put the following command in the terminal:
sudo apt install tcpdump
We will get something like this:
Once we have it installed, we can execute the following command in the terminal to show us the help:
In the event that you need much more information about the tool, see examples of use and all the documentation, then you can access the man pages as follows:
In these man pages you will be able to see an extensive description of the tool, what syntax we must use, what options we have available to capture all the data and also to filter the information that we want.
This program has a large number of options to capture the data and also to display it, in addition, we have the possibility of adding a large number of advanced filters so that it shows us only what we want. Next, we are going to explain some basic commands so that you capture only what interests you.
The following command allows us to start the program, if we do not specify any network interface, the tool itself will choose one of those available in the operating system.
If we want to specify a network interface, you must put the following command:
tcpdump -i NOMBRE_INTERFAZ
If we want to specify all the network interfaces, to capture all the traffic from all of them at once, then you have to put the following command:
tcpdump -i any
When capturing network traffic with tcpdump, we may not be interested in resolving hostnames, but rather directly show us IP addresses. To do this, we can put:
If you want to capture only a certain number of packets, then you should put the following command:
tcpdump -c NUMERO_PAQUETES
If we want to increase the information that it shows us through the command line, we must increase the “verbose” in the following way:
tcpdump -i NOMBRE_INTERFAZ -v
If we want to increase it more, we will add more “v” after it, as follows:
tcpdump -i NOMBRE_INTERFAZ -vvv
This last command allows us to see as much verbose as possible.
If we want to save the capture in a file, to later open it with a packet analyzer such as WireShark, or for later analysis, we must put the following command:
tcpdump -i NOMBRE_INTERFAZ -w NOMBRE_ARCHIVO
Of course, if we want to save everything with the maximum verbose, we will put:
tcpdump -i NOMBRE_INTERFAZ -w NOMBRE_ARCHIVO
Capturing traffic by IP or subnet
tcpdump allows us to filter by IP addresses and even subnets, for this, we can put the following command:
tcpdump -i NOMBRE_INTERFAZ host IP
For example, we could see the traffic from the IP of localhost:
tcpdump -i NOMBRE_INTERFAZ host 127.0.0.1
We can also filter by subnets as follows:
tcpdump -i NOMBRE_INTERFAZ net SUBRED/X
Below you can see an example subnet:
tcpdump -i NOMBRE_INTERFAZ net 192.168.1.0/24
We could also filter by origin and destination, below, you can see two examples:
tcpdump -i NOMBRE_INTERFAZ src IP
tcpdump -i NOMBRE_INTERFAZ dst IP
With these options, we can easily filter the traffic that we only want to capture and display.
Capturing traffic by port and ranges
In case you want to filter by ports, either a single port or a range of ports, you can do it in the following way:
tcpdump -i NOMBRE_INTERFAZ port NUMERO_PUERTO
tcpdump -i NOMBRE_INTERFAZ portrange PUERTOINICIO PUERTOFIN
All of these commands can also be added to tcpdump to filter by IP and ports, and even save the entire traffic capture to a pcap file. In this way, we can concatenate the different options available with the filters that we have defined.
tcpdump is the quintessential tool for capturing packets from the local network with the interfaces that we want, thanks to this program, we will be able to view all network traffic at a low level through the console, and we can also save the captures of traffic on our hard drive or SSD whenever we want. Thanks to the large number of configuration options and filters, we will be able to capture only what interests us, for later analysis with programs like Wireshark or directly at a low level with tshark or similar.
If you have problems at the network level in your local network or server, tcpdump will help you to know what traffic is going through the entire network or the server in question, and later study in detail what is happening and how we can solve it. Capturing network traffic is the first step in order to fix a problem at the network level, and in this case, tcpdump will be your best ally to solve all problems.