tcpdump is an advanced command-line based packet sniffer. It is another one of those standard Unix utilities that really comes in handy when troubleshooting (it has greatly helped me many times) network issues and can teach you a good bit on how networking works.
tcpdump is installed on most Unix machines. If not, you can easily get it using the system’s package manager (i.e. up2date tcpdump, yum install tcpdump, or apt-get install tcpdump).
Also, you’ll probably need to be the root user when running tcpdump.
From the man page: “Tcpdump prints out a description of the contents of packets on a network interface that match the boolean expression.”
Here, we’ll go over some basic operations and brifly explain them.
The most simple operation is probably:
Where the i argument specifies the interface to listen on, which is in this case, eth0. This type of scan is very broad and basically says, “report all traffic passing though eth0.” So using tcpdump like this we can see everything on all ports going to or from our local machine on eth0.
That’s pretty nice but to make tcpdump really useful, we need more:
tcpdump -i eth0 host hostname.domain.com
With the above line, we can see the same traffic but filtered by host. In this case we’d be seeing traffic to and from hostname.domain.com on all ports of eth0. You can use IP addresses instead of host names as well.
But what if we’re only interested in one port? Then:
tcpdump -i eth0 host hostname.domain.com and port 21
tcpdump eth0 host hostname.domain.com and port ftp
But what if we’re interested in all ports except one port?! Then:
tcpdump -i eth0 host hostname.domain.com not port 22
The above line might be useful if you are ssh’d into a machine you want to see traffic on — the ssh traffic would really muddy the output unless you filtered it out.
You can also get even more fine-grained and fancy by doing something like
tcpdump -i eth0 host src hostname.domain.com and dst host2.domain.com and port 21
As you probably guessed, src means observe data sent from the specified node and dst means observe data recieved by the specified node.
In troubleshooting, it’s often helpful to see the link-level headers, which includes MAC addresses of those in on the conversation (-e argument). I usually also put the verbosity at -v or -vv (even more verbosity for the -vv option). So a line with those options might look like this:
tcpdump -vv -e -i eth0 host hostname.domain.com
Sometimes, you will need to save the output of tcpdump to a file. This is easy since you can do all the usual Unix operations with tcpdump:
tcpdump -i eth0 host hostname.domain.com > filename
You can use grep as well:
tcpdump -i eth0 host hostname.domain.com | grep expression > filename
Using the -w argument is another way of writing output to a file.
Hopefully that is a good start. There are many more options and uses for this outstanding networking staple. Experiment and check the man page to see lots of other really cool stuff.
The tcpdump man page and http://www.hep.ucl.ac.uk/~ytl/monitoring/tcpdump_01.html were used as reference for writing this article.
Note: tcpdump only displays information about packets and traffic and packet headers. To see packet payloads, try tcpflow or wireshark.