How to Capture Network Traffic in Linux With tcpdump

tcpdump is a command-line networking tool that records both incoming and outgoing traffic. Here is what you need to know to use tcpdump on Linux.

Linux offers many networking tools. If you need to diagnose network issues on Linux, tcpdump is one of the most capable: it can capture and analyze network traffic.

Let’s see how to use the tcpdump command in practice to capture network traffic.

Installing tcpdump on Linux

Most popular Linux distributions, and security-focused ones in particular, ship with tcpdump pre-installed, so running tcpdump with a sudo prefix should work immediately.

If running tcpdump instead fails with the “tcpdump: command not found” error, here is how to install it on your Linux computer.

Open a terminal and enter the command appropriate to your current Linux distribution to install tcpdump:

On Debian/Ubuntu derivatives, run:

sudo apt-get install tcpdump

On Arch-based systems, run:

sudo pacman -S tcpdump

Issue the following command to install the tcpdump program on Fedora, CentOS, and RHEL:

sudo dnf install tcpdump

If you are prompted to install libpcap, answer Yes or Y: tcpdump depends on it and will not start without it. tcpdump should now be installed, and the “command not found” error should be gone.

Now that tcpdump is installed on your computer, let’s look at the features and options it provides.

Capturing Network Traffic With tcpdump

tcpdump provides a variety of options to customize its operation, but it can also be run on its own. Running tcpdump without any flags or arguments, however, leaves most of its capability unused; a few flags let you adjust how it runs and what it prints.

To use tcpdump to track network traffic, use the following command:

sudo tcpdump

tcpdump will now capture network packets until you interrupt it manually by pressing Ctrl + Z. To limit the total number of packets captured, use the -c option followed by the desired packet count:

sudo tcpdump -c 5

If you’re having trouble understanding the output right now, you should first become familiar with the tcpdump output format.
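
The following is an added example, not code from the original article: a small parser for tcpdump’s default one-line output that turns each line into a record (timestamp, endpoints, ports, protocol, TCP flags) and then summarizes the capture. The lines in SAMPLE_OUTPUT are constructed to look like tcpdump’s default (non -v) output; the protocol guess for lines that carry neither Flags nor ICMP assumes UDP, which is a heuristic rather than something tcpdump states.

```python
"""Parse tcpdump's default one-line output into structured records.

Added example, not code from the original article. SAMPLE_OUTPUT is constructed
to resemble tcpdump's default (non -v) output; protocol detection assumes that
a line with 'Flags [...]' is TCP, a line starting with 'ICMP' is ICMP, and any
other line with ports is UDP (true for the DNS line here, but only a heuristic).
"""
from __future__ import annotations

import re
from collections import Counter
from dataclasses import dataclass
from typing import Optional

SAMPLE_OUTPUT = """\
12:00:01.000100 IP 192.168.1.10.51234 > 93.184.216.34.443: Flags [S], seq 1000, win 64240, length 0
12:00:01.020300 IP 93.184.216.34.443 > 192.168.1.10.51234: Flags [S.], seq 2000, ack 1001, win 65160, length 0
12:00:01.020900 IP 192.168.1.10.51234 > 93.184.216.34.443: Flags [.], ack 1, win 502, length 0
12:00:02.000000 IP 192.168.1.10 > 8.8.8.8: ICMP echo request, id 4321, seq 1, length 64
12:00:02.010000 IP 8.8.8.8 > 192.168.1.10: ICMP echo reply, id 4321, seq 1, length 64
12:00:03.000000 IP 192.168.1.10.40000 > 192.168.1.1.53: 31337+ A? example.com. (29)
12:00:04.000000 IP 10.0.0.7.60001 > 192.168.1.10.22: Flags [S], seq 1, win 1024, length 0
12:00:04.000500 IP 10.0.0.7.60002 > 192.168.1.10.23: Flags [S], seq 1, win 1024, length 0
"""

# timestamp, 'IP' or 'IP6', source endpoint, '>', destination endpoint, ':', rest
LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<ip>IP6?) (?P<src>\S+) > (?P<dst>\S+): (?P<rest>.*)$")
FLAGS_RE = re.compile(r"Flags \[([^\]]*)\]")


@dataclass
class Record:
    ts: str
    src: str
    sport: Optional[int]
    dst: str
    dport: Optional[int]
    proto: str
    flags: str   # TCP flag letters as tcpdump prints them, e.g. 'S', 'S.', 'P.'
    detail: str  # everything after the endpoints, kept verbatim


def split_endpoint(endpoint: str) -> tuple[str, Optional[int]]:
    """tcpdump appends '.port' to an address. An IPv4 address alone has three
    dots, so a fourth dot (or any dot after an IPv6 colon) introduces the port."""
    addr, sep, last = endpoint.rpartition(".")
    if sep and last.isdigit() and (":" in addr or addr.count(".") == 3):
        return addr, int(last)
    return endpoint, None


def parse_line(line: str) -> Optional[Record]:
    """Return a Record for one tcpdump line, or None for lines that do not match
    (tcpdump's own status messages such as 'listening on eth0 ...')."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    src, sport = split_endpoint(m["src"])
    dst, dport = split_endpoint(m["dst"])
    rest = m["rest"]
    flags = FLAGS_RE.search(rest)
    if flags:
        proto = "tcp"
    elif rest.startswith("ICMP"):
        proto = "icmp"
    else:
        proto = "udp"  # assumption: see module docstring
    return Record(m["ts"], src, sport, dst, dport, proto, flags.group(1) if flags else "", rest)


def parse_output(text: str) -> list[Record]:
    return [r for r in (parse_line(line) for line in text.splitlines()) if r]


def protocol_counts(records: list[Record]) -> Counter:
    """How much of the capture each protocol accounts for."""
    return Counter(r.proto for r in records)


def syn_only_sources(records: list[Record]) -> dict[str, list[tuple[str, int]]]:
    """Sources that sent bare SYNs (flag 'S', no ACK) to more than one distinct
    destination port: a quick triage view before narrowing down with 'host X'."""
    targets: dict[str, set[tuple[str, int]]] = {}
    for r in records:
        if r.proto == "tcp" and r.flags == "S":
            targets.setdefault(r.src, set()).add((r.dst, r.dport))
    return {src: sorted(t) for src, t in targets.items() if len(t) > 1}


if __name__ == "__main__":
    records = parse_output(SAMPLE_OUTPUT)
    print(protocol_counts(records))
    for src, ports in syn_only_sources(records).items():
        print(f"{src} opened connections to {len(ports)} ports: {ports}")
```

When collecting real output for a parser like this, end the capture with -c or with Ctrl + C (SIGINT), which makes tcpdump flush its buffers and print its packet counts before exiting; the parser skips those count lines because they do not match LINE_RE.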

Listing the Available Network Interfaces With tcpdump

By default, tcpdump records traffic from all accessible network interfaces. If you have several active interfaces, you may want to specify the one tcpdump should capture from, and to do that you first need the interface’s name.

Here’s how to use tcpdump to list every network interface that is accessible:

sudo tcpdump -D

Or use the equivalent long option, --list-interfaces:

sudo tcpdump --list-interfaces

The output lists every active network interface that tcpdump can listen on. To capture traffic from a specific interface, run:

sudo tcpdump -i interface_id

Or use the equivalent long option, --interface:

sudo tcpdump --interface interface_id

Now that we have captured a few packets, let’s look at ways to narrow the capture so that the output is easier to understand.

Looking at tcpdump Filters

tcpdump can record a staggering amount of traffic in a single run. When you are examining or troubleshooting a particular host or network protocol, that volume of data is a distraction.

This is where tcpdump filters come in. Append a filter expression to the tcpdump command to capture only the packets you care about; you can then save those packets and examine them later to find the source of a network problem. Let’s explore tcpdump’s filtering capabilities.

Filter Packets Depending on the Active Network Protocol

If you give a protocol name, tcpdump records only packets of that protocol, which lets you isolate the traffic sent via a particular protocol.

For instance, add icmp to the end of the tcpdump command to capture only ICMP packets. The same works if you want to collect only UDP or TCP packets.

sudo tcpdump -c 5 icmp

This command prints output only when ICMP traffic is actually exchanged.


Filtering Packets by Host

With the host argument, tcpdump collects only packets to or from a single host. This is especially helpful when every system on your network is working except one: because you are not distracted by irrelevant traffic, the filter lets you investigate that host directly and speeds up the whole troubleshooting process.

To capture packets associated with a host, pass its network address after the host keyword (host_address below is a placeholder for the IP address or hostname):

sudo tcpdump -c 5 host host_address

Like the protocol filter, this command prints output only when there is ongoing communication involving the specified host.


Filtering Packets by Active Port

tcpdump can also filter by port, recording only packets that are sent to or from a certain port.

Add the port keyword and a port number to the tcpdump command to collect packets to or from that port. For example, port 80 records all incoming and outgoing HTTP traffic:

sudo tcpdump -c 5 port 80

tcpdump now listens for HTTP communication on port 80 and captures HTTP packets as soon as it sees them on the network.


Combining Multiple Filters

The earlier sections filtered traffic by port, protocol, or host individually. What if you want to record only traffic on a single port of a certain host, using a particular network protocol? Logical operators on the tcpdump command line make this possible.

To capture packets involving a specific host on port 443 (host_address is again a placeholder for the address), combine the two filters with and:

sudo tcpdump -c 5 host host_address and port 443

Examine the Information in Captured Packets

By default, tcpdump shows only a packet’s headers. That usually suffices, but sometimes you want or need to look further into the captured data, and tcpdump has options for printing a captured packet’s contents.

To inspect the packets’ contents in hexadecimal:

sudo tcpdump -c 5 -x

This command prints each captured packet’s contents in hexadecimal. To print the data in ASCII form instead, use the -A option:

sudo tcpdump -A

Saving tcpdump Output to a File

Like practically every other Linux command-line tool, tcpdump lets you save its output to a file that can be read later.

Add the -w option to the command to do this. The packets tcpdump captures are written to a .pcap file that can later be examined with tcpdump itself or with other network analysis software such as Wireshark.

To save the output of your tcpdump command into a file, enter the following command:

sudo tcpdump -w capture.pcap

To read a .pcap file back, run tcpdump with the -r option:

sudo tcpdump -r capture.pcap
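
To make the two previous ideas concrete, here is an added example (not code from the original article or from tcpdump) that builds a small classic-format .pcap file offline, reads it back the way tcpdump -r would, and then applies host, port and protocol predicates that mirror the semantics of tcpdump’s host, port and protocol-name filters and its and/or operators, as used in the combined-filter section above. The packets, their 10.0.0.0/8 addresses and the dummy MAC addresses are all constructed; the function names (ipv4_frame, write_pcap, read_pcap, build_sample_capture, both, either) are this example’s own, and the output path defaults to a temporary file.

```python
"""Write a small .pcap offline, read it back, and apply tcpdump-style filters.
Added example, not code from the original article or from tcpdump. The packets
and MAC addresses are constructed; the default output path is a temporary file."""
import ipaddress
import os
import struct
import tempfile

PCAP_MAGIC = 0xA1B2C3D4                     # classic pcap, microsecond timestamps
PROTO = {"icmp": 1, "tcp": 6, "udp": 17}    # IPv4 protocol numbers
ETH_IPV4 = b"\x02" * 6 + b"\x04" * 6 + b"\x08\x00"   # dummy dst MAC, src MAC, EtherType

def checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum, used for the IPv4 and ICMP headers."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def ipv4_frame(src: str, dst: str, proto: int, payload: bytes) -> bytes:
    """Ethernet frame carrying a 20-byte IPv4 header with a valid checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 1, 0, 64, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return ETH_IPV4 + hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:] + payload

def tcp_segment(sport: int, dport: int, flags: int) -> bytes:
    """Minimal TCP header; transport checksum left zero since nothing is sent."""
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 65535, 0, 0)

def udp_datagram(sport: int, dport: int, payload: bytes) -> bytes:
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload

def icmp_echo_request(seq: int) -> bytes:
    body = struct.pack("!BBHHH", 8, 0, 0, 1, seq) + b"ping"
    return body[:2] + struct.pack("!H", checksum(body)) + body[4:]

def write_pcap(path: str, frames: list) -> None:
    """24-byte global header (link type 1 = Ethernet), then a 16-byte record header per frame."""
    with open(path, "wb") as fh:
        fh.write(struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, 1))
        for i, frame in enumerate(frames):
            fh.write(struct.pack("<IIII", 1_700_000_000 + i, 0, len(frame), len(frame)) + frame)

def read_pcap(path: str) -> list:
    """Decode each Ethernet/IPv4 frame into {src, dst, proto, sport, dport}."""
    with open(path, "rb") as fh:
        data = fh.read()
    endian = "<" if struct.unpack("<I", data[:4])[0] == PCAP_MAGIC else ">"
    if struct.unpack(endian + "I", data[:4])[0] != PCAP_MAGIC:
        raise ValueError("not a classic pcap file (pcapng is not handled here)")
    packets, off = [], 24
    while off + 16 <= len(data):
        incl_len = struct.unpack(endian + "IIII", data[off:off + 16])[2]
        frame = data[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        if frame[12:14] != b"\x08\x00":
            continue  # only IPv4 is decoded in this example
        ip = frame[14:]
        ihl = (ip[0] & 0x0F) * 4
        pkt = {"src": str(ipaddress.IPv4Address(ip[12:16])),
               "dst": str(ipaddress.IPv4Address(ip[16:20])),
               "proto": ip[9], "sport": None, "dport": None}
        if pkt["proto"] in (PROTO["tcp"], PROTO["udp"]):
            pkt["sport"], pkt["dport"] = struct.unpack("!HH", ip[ihl:ihl + 4])
        packets.append(pkt)
    return packets

# Filter primitives with the meaning of tcpdump's host / port / <protocol>, plus 'and' / 'or'.
def host(addr):     return lambda p: addr in (p["src"], p["dst"])
def port(n):        return lambda p: n in (p["sport"], p["dport"])
def proto(name):    return lambda p: p["proto"] == PROTO[name]
def both(*preds):   return lambda p: all(f(p) for f in preds)
def either(*preds): return lambda p: any(f(p) for f in preds)

def apply_filter(packets: list, pred) -> list:
    return [p for p in packets if pred(p)]

def build_sample_capture(path: str = "") -> str:
    """Write five constructed frames to path (default: a temp file) and return the path."""
    path = path or os.path.join(tempfile.mkdtemp(), "capture.pcap")
    frames = [
        ipv4_frame("10.0.0.5", "10.0.0.1", 6, tcp_segment(51234, 443, 0x02)),   # SYN
        ipv4_frame("10.0.0.1", "10.0.0.5", 6, tcp_segment(443, 51234, 0x12)),   # SYN-ACK
        ipv4_frame("10.0.0.5", "10.0.0.2", 17, udp_datagram(40000, 53, b"dns?")),
        ipv4_frame("10.0.0.9", "10.0.0.1", 1, icmp_echo_request(1)),
        ipv4_frame("10.0.0.9", "10.0.0.1", 6, tcp_segment(40001, 80, 0x02)),    # SYN
    ]
    write_pcap(path, frames)
    return path

if __name__ == "__main__":
    pkts = read_pcap(build_sample_capture())
    hits = apply_filter(pkts, both(host("10.0.0.5"), port(443)))
    print(f"{len(pkts)} packets read; {len(hits)} match 'host 10.0.0.5 and port 443'")
```

The file this writes is a valid classic pcap, so it can be opened with tcpdump -r or Wireshark to compare their decoding with the dictionary view above; the reader deliberately rejects pcapng, which newer tcpdump builds may write, rather than misparse it.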

The Best Linux Networking Tools

Linux ships with a wide range of networking tools that can address almost any software-related network issue. Whether you are a sysadmin managing networks for a living or simply an everyday Linux user, knowing how to use a handful of the best Linux networking tools comes in handy.

Here is a list of some of the most important Linux networking tools to be familiar with, since the full set of available networking commands can be overwhelming.

Frequently Asked Questions

1. How is network traffic captured by tcpdump?

If you give a protocol name, tcpdump records only packets of that protocol, which lets you isolate the traffic sent via a particular protocol. For instance, add icmp to the end of the tcpdump command to capture only ICMP packets.

2. How do I view all network activity?

Enter your router’s IP address into a web browser to access it. After logging in, look for a Status section on the router (depending on the model, there may also be a Bandwidth or Network Monitor section). From there you should be able to view the IP addresses of the devices connected to your network.

3. Does tcpdump record traffic before a firewall?

When you suspect that network communication is not getting from one server to another, tcpdump offers a simple way to identify where the traffic is and isn’t. tcpdump runs at the highest level of networking, allowing it to see traffic before it reaches firewalls and other security measures.
