What is tcpdump?
The man page sums it up well in the first sentence of its description: “… Tcpdump prints out a description of the contents of packets on a network interface…”
It captures every incoming and outgoing packet on an interface and either displays it directly on your command line or saves it to a file for further analysis with Wireshark.
The tcpdump command lets you set a “capture filter” so that only the packets you are interested in are saved.
If you want a first feeling for capture filters, refer to Introduction to Wireshark – Part 2.
How can I capture network traffic with tcpdump?
First of all you need tcpdump installed on your Linux instance, if it is not already available.
You can install tcpdump with the following command (root permissions required): yum install tcpdump
After the installation you should find tcpdump at the following location: /usr/sbin/tcpdump
There are now two ways to capture network traffic:
- Capture network traffic and show it directly on the command line
Use the following command to show your network traffic for interface eth0: /usr/sbin/tcpdump -i eth0 -vvv
- Capture network traffic and save it to a file
Use the following command to save your network traffic for interface eth0 to a file called tcpdump.pcap in the folder /tmp/: /usr/sbin/tcpdump -i eth0 -w /tmp/tcpdump.pcap
There is an additional option that is important to know: “-s” sets the snapshot length, i.e. how many bytes of data are captured from each packet.
If you don’t specify the -s option, tcpdump captures the default size (262144 bytes). To save file space you can choose to capture only the first bytes of each packet.
Other examples to capture network traffic:
- Use the following command to save your network traffic for interface eth0 to a file called tcpdump.pcap in the folder /tmp/, capturing only packets related to the IP address 10.1.2.3: /usr/sbin/tcpdump -i eth0 -w /tmp/tcpdump.pcap host 10.1.2.3
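The following shell script is an added example and not the script from the author's GitHub repository. It puts the options covered above (-i, -s, -w and a capture filter such as host 10.1.2.3) into a small wrapper that first prints the exact tcpdump command line for review and then runs it. It assumes tcpdump is installed at /usr/sbin/tcpdump as stated above, that the output directory already exists, and it adds -n (no name resolution during capture), which is my choice and not mentioned in the post; the interface, file names, snaplen values and filter are example values.

```shell
#!/bin/sh
# Added example (not the post's own script): build and run a tcpdump
# capture to a file with -i, -s, -w and an optional capture filter.
# Assumption: tcpdump is installed at /usr/sbin/tcpdump (as stated above).
TCPDUMP=/usr/sbin/tcpdump

# build_tcpdump_cmd IFACE OUTFILE SNAPLEN [FILTER...]
# Prints the full command line without executing it, so the capture
# can be reviewed (or tested) before it is started with root privileges.
# -n is added so tcpdump does not resolve addresses while capturing.
build_tcpdump_cmd() {
    if [ $# -lt 3 ]; then
        echo "usage: build_tcpdump_cmd IFACE OUTFILE SNAPLEN [FILTER...]" >&2
        return 1
    fi
    iface=$1; outfile=$2; snaplen=$3
    shift 3
    # snaplen must be a plain number of bytes (e.g. 96 or the default 262144)
    case $snaplen in
        ''|*[!0-9]*) echo "snaplen must be a number of bytes: '$snaplen'" >&2; return 1 ;;
    esac
    printf '%s -n -i %s -s %s -w %s' "$TCPDUMP" "$iface" "$snaplen" "$outfile"
    # Everything after the options is the capture filter, e.g. "host 10.1.2.3"
    if [ $# -gt 0 ]; then
        printf ' %s' "$*"
    fi
    printf '\n'
}

# run_capture IFACE OUTFILE SNAPLEN [FILTER...]
# Checks the preconditions a capture usually fails on (root, output
# directory) and then runs the command built above.
run_capture() {
    cmd=$(build_tcpdump_cmd "$@") || return 1
    if [ "$(id -u)" -ne 0 ]; then
        echo "tcpdump needs root permissions to capture on $1" >&2
        return 1
    fi
    if [ ! -d "$(dirname "$2")" ]; then
        echo "output directory $(dirname "$2") does not exist" >&2
        return 1
    fi
    echo "Running: $cmd"
    # Intentional word splitting: the filter words are separate arguments.
    $cmd
}

# Only start a capture when arguments are given, e.g.:
#   sh capture.sh eth0 /tmp/tcpdump.pcap 96 host 10.1.2.3
if [ $# -gt 0 ]; then
    run_capture "$@"
fi
```

Printing the command line before running it is deliberate: a typo in the filter (or a forgotten -w) is cheap to catch in the review step and expensive to catch after a capture has been running for an hour.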
Script
You can also use the tcpdump command within a script. I created a script to help you capturing network traffic:
https://github.com/DanielSchwartz1/tcpdump
Summary
I already mentioned it on my other pages:
Daily (even hourly) I use sentences like “let’s take a tcpdump…” or “I think the best way to start attacking that problem is with a tcpdump…“.
It has been very helpful in my career and usually it always leads to the right path of the problem.
Check also my article “Schedule TCPDUMP with CRON”.
If you want to know more about it, join my Slack Workspace or send me an email.
Stay up-to-date and subscribe to my Newsletter!