Mastering Tcpdump: From Installation to Advanced Packet Capture Commands
Tcpdump is a powerful command‑line packet sniffer for Unix‑like systems; this guide introduces its purpose, installation steps, essential command‑line options, filter expression syntax, and practical examples, enabling users to capture, analyze, and troubleshoot network traffic efficiently.
0x01 Introduction to Tcpdump
Tcpdump is a command‑line packet sniffer that intercepts and displays TCP/IP and other packets transmitted to or from the host. It is free software released under the BSD license.
It is a powerful network security analysis tool that can save captured packets to a file for later analysis and lets users define filter rules so that only the packets of interest are captured, reducing output size and processing time.
Tcpdump runs on most Unix‑like operating systems, including Linux, Solaris, BSD, macOS, HP‑UX, AIX, etc., and relies on the libpcap library; the Windows version is WinDump, which requires the WinPcap driver.
0x02 Uses of Tcpdump
Tcpdump can analyze network behavior, performance, and application traffic. It supports filtering by layer, protocol, host, network, or port, and provides logical operators (and, or, not) to eliminate irrelevant information, helping users pinpoint the root cause of problems.
It can also be used for specific purposes, such as intercepting and displaying communications between routers and gateways, analyzing unencrypted traffic (e.g., Telnet or HTTP) to view usernames, passwords, URLs, and page contents, thereby exposing security risks on the network.
Many users employ the Berkeley Packet Filter (BPF) to limit the number of packets generated by tcpdump, reducing CPU load and buffer usage, and decreasing packet loss.
Note: This article only covers basic usage; tcpdump is far more powerful than described here.
0x03 Installing Tcpdump
Prepare the environment before compiling the source.
Download libpcap and tcpdump from http://www.tcpdump.org/.
Install the C compilation packages: apt-get install build-essential
Install the libpcap prerequisites: apt-get install flex bison
Install libpcap: tar xvfz libpcap-1.7.3.tar.gz, then run the build and install steps in the unpacked directory.
Install tcpdump: tar xvfz tcpdump-4.7.4.tar.gz, then run the build and install steps in the unpacked directory.
Test the installation by running tcpdump and verifying that network information is displayed.
Usage: tcpdump [-aAbdDefhHIJKlLnNOpqRStuUvxX#] [ -B size ] [ -c count ]
[ -C file_size ] [ -E algo:secret ] [ -F file ] [ -G seconds ]
[ -i interface ] [ -j tstamptype ] [ -M secret ] [ --number ]
[ -Q in|out|inout ]
[ -r file ] [ -s snaplen ] [ --time-stamp-precision precision ]
[ -T type ] [ --version ] [ -V file ]
[ -w file ] [ -W filecount ] [ -y datalinktype ] [ -z command ]
[ -Z user ] [ expression ]
0x04 Detailed Tcpdump Options
-A Display each packet in ASCII (no link‑layer header). Useful for web page data.
-c Stop after receiving count packets.
-C Rotate output files when they exceed file‑size.
-d Print the compiled packet‑matching code in a human‑readable form.
-dd Print the matching code in C.
-ddd Print the matching code in decimal.
-D List all interfaces tcpdump can capture on.
-e Include link‑layer header in each line of output.
-E Decrypt IPsec ESP packets (spi@ipaddr algo:secret).
-f Show foreign IPv4 addresses numerically.
-F Read filter expression from a file.
-i Specify the interface to listen on (default: first non‑loopback).
-l Line‑buffered output.
-L List supported data‑link types for an interface and exit.
-m Load an SMI MIB module.
-M Specify a secret for MD5 authentication.
-n Do not resolve addresses to names.
-N Do not print domain part of host names.
-O Disable optimization of the packet‑matching code.
-p Put the interface in non‑promiscuous mode.
-q Quiet output (minimal protocol info).
-R Parse ESP/AH packets according to RFC1825.
-r Read packets from a file.
-S Print absolute TCP sequence numbers.
-s Set snaplen (default 68 bytes).
-T Force interpretation of packets as a specific protocol type.
-t Omit timestamps.
-tt Print timestamps as raw seconds since epoch.
-ttt Print a millisecond delay between lines.
-tttt Print date and time before each timestamp.
-u Print unencrypted NFS file handles.
-U Write captured packets to file synchronously.
-v Verbose output.
-vv Very verbose.
-vvv Extremely verbose.
-w Write raw packets to a file.
-W Set the number of files to use with -C.
-x Print packet headers and data in hex.
-xx Print packet headers and data in hex, including link‑layer header.
-X Print packet headers and data in hex and ASCII.
-XX Print packet headers and data in hex, ASCII, and link‑layer header.
-y Set datalink type to capture.
-Z Drop privileges to the specified user.
0x05 Tcpdump Expression Details
The expression determines which packets are printed.
If no expression is given, all captured packets are printed; otherwise only packets matching the expression are shown.
An expression consists of one or more primitives, each optionally preceded by qualifiers (type, dir, proto).
type qualifiers: host, net, port, portrange.
dir qualifiers: src, dst, src or dst, src and dst.
proto qualifiers: ether, fddi, tr, wlan, ip, ip6, arp, rarp, decnet, tcp, udp.
Primitives can be combined with and, or, not to form complex filters, e.g., "host foo and not port ftp".
0x06 Common Tcpdump Command Examples
Default start
tcpdump
Runs tcpdump on the first network interface, displaying all packets.
Capture on eth0
tcpdump -i eth0
Captures packets on interface eth0; output can be redirected to a file for easier analysis.
Capture a specific host
tcpdump -i eth0 -nn 'host 192.168.168.2'
Shows both incoming and outgoing packets for the host.
tcpdump -i eth0 -nn 'src host 192.168.168.2'
Captures only packets sent by the host.
tcpdump -i eth0 -nn 'dst host 192.168.168.2'
Captures only packets received by the host.
Capture a specific port
tcpdump -i eth0 -nnA 'port 80'
Monitors all traffic on port 80, useful for web development.
Capture a host and port
tcpdump -i eth0 -nnA 'port 80 and src host 192.168.168.2'
Filters packets sent from the host through port 80.
Exclude a port
tcpdump -i eth0 -nnA '!port 22'
Captures all traffic except that on port 22.
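To see exactly which packets the host, port and src/dst expressions in the commands above select, here is an added Python example (not from the article, and not tcpdump's own code) that implements the subset of the section 0x05 grammar those commands use: host, net and port primitives, src/dst qualifiers, tcp/udp/icmp protocol qualifiers, and and/or/not with parentheses. The Packet tuple and the six sample packets are constructed for the illustration; real tcpdump compiles the expression to BPF bytecode that the kernel runs on every frame.

```python
"""Added example (not tcpdump's code): a toy evaluator for the subset of the
filter grammar described in section 0x05, run against constructed packets."""
import ipaddress
from collections import namedtuple

# Constructed packet summary; ports default to 0 for protocols without ports.
Packet = namedtuple("Packet", "src dst proto sport dport", defaults=(0, 0))
PROTOS = ("ip", "tcp", "udp", "icmp")


class Filter:
    """Recursive descent: or-expr > and-expr > not / ( ) > primitive."""
    def __init__(self, expression):
        spaced = expression.replace("(", " ( ").replace(")", " ) ").replace("!", " ! ")
        self.tokens = spaced.split()
        self.tree = self._or()
        if self.tokens:
            raise ValueError("unexpected token: " + self.tokens[0])
    def _peek(self):
        return self.tokens[0] if self.tokens else None
    def _next(self):
        if not self.tokens:
            raise ValueError("unexpected end of expression")
        return self.tokens.pop(0)
    def _or(self):
        return self._chain("or", self._and)
    def _and(self):
        return self._chain("and", self._not)
    def _chain(self, op, sub):
        """Left-associative 'sub (op sub)*'; 'and' binds tighter than 'or'."""
        node = sub()
        while self._peek() == op:
            self._next()
            node = (op, node, sub())
        return node
    def _not(self):
        if self._peek() in ("not", "!"):
            self._next()
            return ("not", self._not())
        if self._peek() == "(":
            self._next()
            node = self._or()
            if self._next() != ")":
                raise ValueError("missing ')'")
            return node
        return self._primitive()
    def _primitive(self):
        tok = self._next()
        if tok in PROTOS:
            # "tcp port 8000": a protocol qualifier applied to the next primitive
            if self._peek() in ("src", "dst", "host", "net", "port"):
                return ("and", ("proto", tok), self._primitive())
            return ("proto", tok)
        direction = "either"  # plain host/net/port matches either src or dst
        if tok in ("src", "dst"):
            direction, tok = tok, self._next()
        if tok == "host":
            return ("host", direction, self._next())
        if tok == "net":
            return ("net", direction, ipaddress.ip_network(self._next(), strict=False))
        if tok == "port":
            return ("port", direction, int(self._next()))
        raise ValueError("unsupported primitive: " + tok)
    def matches(self, pkt):
        return self._eval(self.tree, pkt)
    def _eval(self, node, pkt):
        kind = node[0]
        if kind in ("and", "or", "not"):
            vals = [self._eval(n, pkt) for n in node[1:]]
            return all(vals) if kind == "and" else any(vals) if kind == "or" else not vals[0]
        if kind == "proto":
            return node[1] == "ip" or pkt.proto == node[1]
        # (address, port) pairs the src/dst qualifier lets the primitive inspect
        sides = {"src": [(pkt.src, pkt.sport)], "dst": [(pkt.dst, pkt.dport)],
                 "either": [(pkt.src, pkt.sport), (pkt.dst, pkt.dport)]}[node[1]]
        if kind == "host":
            return any(addr == node[2] for addr, _ in sides)
        if kind == "net":
            return any(ipaddress.ip_address(addr) in node[2] for addr, _ in sides)
        # port: only TCP and UDP carry ports, so ICMP never matches a port test
        return pkt.proto in ("tcp", "udp") and any(p == node[2] for _, p in sides)


# Constructed sample traffic, not a real capture.
PACKETS = [
    Packet("192.168.168.2", "10.0.0.5", "tcp", 51000, 8000),  # 0: host -> app server
    Packet("10.0.0.5", "192.168.168.2", "tcp", 8000, 51000),  # 1: the reply
    Packet("192.168.168.2", "10.0.0.5", "tcp", 51001, 80),    # 2: host -> web
    Packet("10.0.0.9", "192.168.168.2", "tcp", 40000, 22),    # 3: ssh into the host
    Packet("192.168.1.7", "10.0.0.5", "udp", 5353, 53),       # 4: dns query
    Packet("192.168.1.7", "10.0.0.5", "icmp"),                # 5: ping
]


def select(expression, packets=PACKETS):
    """Indices of the packets tcpdump would print for this expression."""
    flt = Filter(expression)
    return [i for i, p in enumerate(packets) if flt.matches(p)]
```

select("!port 22") returns every packet except the SSH one, including the ICMP packet: a port test simply fails on a protocol that has no ports, and not inverts that failure. Real tcpdump behaves the same way, which is worth remembering when an exclusion filter appears to let unexpected traffic through.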
Capture specific IP and port
tcpdump host 192.168.168.2 and tcp port 8000
Write captured data to a file
tcpdump -X -s 0 -w A.cap host 192.168.168.2 and tcp port 8000
Saves the captured packets to A.cap.
Read from a capture file
tcpdump -X -s 0 -r test.cap host 192.168.168.2 and tcp port 8000
Capture HTTP packets
tcpdump -XvvennSs 0 -i eth0 'tcp[20:2]=0x4745 or tcp[20:2]=0x4854'
0x4745 corresponds to "GE" and 0x4854 to "HT".
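The filter above compares the two bytes at offset 20 of the TCP header with "GE" and "HT". Offset 20 is the start of the payload only when the TCP header carries no options; a Linux stack with TCP timestamps enabled (the default) puts 12 option bytes on data segments, so the fixed-offset test silently misses them. The added Python example below (not from the article, and not tcpdump's code; the segments are constructed inline) builds IPv4/TCP segments with and without options and compares the article's test with the data-offset-aware form tcp[((tcp[12:1] & 0xf0) >> 2):2], which reads the header length from the segment itself.

```python
"""Added example (not tcpdump's code): what tcp[20:2]=0x4745 really reads,
checked against constructed IPv4/TCP segments with and without TCP options."""
import struct

GET, HT = 0x4745, 0x4854  # first two payload bytes of "GET ..." and "HTTP/..."


def build_ipv4_tcp(payload, options=b""):
    """Constructed IPv4 + TCP segment; checksums stay zero, they do not matter here."""
    assert len(options) % 4 == 0, "TCP options must pad to 32-bit words"
    data_offset = 5 + len(options) // 4  # TCP header length in 32-bit words
    tcp = struct.pack("!HHIIBBHHH", 51000, 80, 1, 0,
                      data_offset << 4, 0x18, 65535, 0, 0) + options
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp) + len(payload), 0,
                     0x4000, 64, 6, 0, bytes([192, 168, 168, 2]), bytes([10, 0, 0, 5]))
    return ip + tcp + payload


def tcp_field(pkt, offset, size):
    """Mirror of the BPF index tcp[offset:size]: offset counts from the start of
    the TCP header, and a read past the captured bytes fails the match (None)."""
    start = (pkt[0] & 0x0F) * 4 + offset  # skip the IP header (IHL * 4 bytes)
    if start + size > len(pkt):
        return None
    return int.from_bytes(pkt[start:start + size], "big")


def fixed_offset_match(pkt):
    """The article's filter, tcp[20:2]=0x4745 or tcp[20:2]=0x4854: right only
    when the TCP header is exactly 20 bytes, i.e. carries no options."""
    return tcp_field(pkt, 20, 2) in (GET, HT)


def data_offset_match(pkt):
    """tcp[((tcp[12:1] & 0xf0) >> 2):2]: derive the payload offset from the
    Data Offset field so the test holds for any TCP header length."""
    doff_byte = tcp_field(pkt, 12, 1)
    if doff_byte is None:
        return False
    payload_start = (doff_byte & 0xF0) >> 2  # (byte >> 4) words * 4 bytes
    return tcp_field(pkt, payload_start, 2) in (GET, HT)


# NOP, NOP, Timestamp(10): the 12 option bytes a stack with TCP timestamps
# enabled adds to data segments. Constructed values, not captured ones.
TIMESTAMP_OPTS = b"\x01\x01\x08\x0a" + struct.pack("!II", 1, 0)
SAMPLES = {  # constructed, not captured
    "get, no options": build_ipv4_tcp(b"GET / HTTP/1.1\r\n"),
    "get, ts option": build_ipv4_tcp(b"GET / HTTP/1.1\r\n", TIMESTAMP_OPTS),
    "reply, ts option": build_ipv4_tcp(b"HTTP/1.1 200 OK\r\n", TIMESTAMP_OPTS),
    "post, no options": build_ipv4_tcp(b"POST / HTTP/1.1\r\n"),
    "empty ack": build_ipv4_tcp(b""),
}


def compare():
    """name -> (article filter result, data-offset filter result)."""
    return {name: (fixed_offset_match(p), data_offset_match(p))
            for name, p in SAMPLES.items()}
```

compare() shows the article's filter accepting only the option-less GET, while the data-offset form also catches the GET and the HTTP reply that carry a timestamp option; both correctly reject the POST and the empty ACK. The portable version of the command is therefore tcpdump -XvvennSs 0 -i eth0 'tcp[((tcp[12:1] & 0xf0) >> 2):2]=0x4745 or tcp[((tcp[12:1] & 0xf0) >> 2):2]=0x4854'.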
0x07 Tcpdump and Wireshark
Wireshark (formerly Ethereal) is a user‑friendly packet capture tool for Windows, but comparable graphical tools are scarce on Linux.
Using tcpdump together with Wireshark provides a powerful combination: capture packets on Linux with tcpdump, then transfer the .cap file to Windows for detailed analysis with Wireshark.
tcpdump -i eth1 -t -s 0 -c 100 -w ./target.cap 'not dst port 22 and src net 192.168.1.0/24'
Key options: -i selects the interface, -t omits timestamps, -s 0 captures full packets, -c limits the packet count, -w writes to a capture file; in the expression, not dst port 22 excludes SSH and src net limits the source network.
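The .cap file that tcpdump -w writes, and that -r or Wireshark reads back, is the classic libpcap format: a 24-byte global header followed by a 16-byte record header per packet. The added Python example below (not tcpdump's code; the packets are constructed inline and the LINKTYPE_RAW link type is used so no Ethernet header is needed) writes and parses that format and shows what -s does to each record: with the old 68-byte default snaplen a record keeps only 68 bytes but still notes the original length, while -s 0 keeps the whole packet, which is why the command above uses it.

```python
"""Added example (not tcpdump's code): write and read the classic libpcap file
format that tcpdump -w produces and tcpdump -r / Wireshark consume, using
constructed packets, to show what the snaplen (-s) does to each record."""
import struct

PCAP_MAGIC = 0xA1B2C3D4  # microsecond timestamps; little-endian as written on x86
LINKTYPE_RAW = 101       # raw IPv4/IPv6 packets without a link-layer header


def write_pcap(records, snaplen, linktype=LINKTYPE_RAW):
    """records: iterable of (ts_sec, ts_usec, packet_bytes). Returns the file
    contents. Each record stores at most snaplen bytes (incl_len) but keeps
    the on-the-wire length (orig_len), exactly as tcpdump -s N does."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, snaplen, linktype)
    for sec, usec, pkt in records:
        captured = pkt[:snaplen]
        out += struct.pack("<IIII", sec, usec, len(captured), len(pkt)) + captured
    return out


def read_pcap(data):
    """Parse file bytes: (snaplen, linktype, [(sec, usec, incl_len, orig_len, bytes)]).
    Only the little-endian microsecond variant is accepted; the swapped magic
    0xD4C3B2A1 and the nanosecond magic 0xA1B23C4D are rejected on purpose."""
    magic, vmaj, vmin, _tz, _sig, snaplen, linktype = struct.unpack_from("<IHHiIII", data, 0)
    if magic != PCAP_MAGIC:
        raise ValueError("unsupported pcap magic %#x" % magic)
    if (vmaj, vmin) != (2, 4):
        raise ValueError("unexpected pcap version %d.%d" % (vmaj, vmin))
    pos, packets = 24, []
    while pos < len(data):
        sec, usec, incl, orig = struct.unpack_from("<IIII", data, pos)
        pos += 16
        if pos + incl > len(data):  # file cut off mid-record, e.g. an interrupted -w
            raise ValueError("truncated record at offset %d" % pos)
        packets.append((sec, usec, incl, orig, data[pos:pos + incl]))
        pos += incl
    return snaplen, linktype, packets


def tiny_ipv4_tcp(payload):
    """Constructed IPv4/TCP packet (checksums left zero) so the file opens in Wireshark."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0, 64, 6, 0,
                     bytes([192, 168, 1, 7]), bytes([10, 0, 0, 5]))
    tcp = struct.pack("!HHIIBBHHH", 51000, 80, 1, 0, 5 << 4, 0x18, 65535, 0, 0)
    return ip + tcp + payload


def demo():
    """Write two constructed packets with the old 68-byte default snaplen and
    with -s 0 (tcpdump maps 0 to its 262144-byte maximum) and report, per
    record, how many bytes were kept versus how long the packet really was."""
    pkts = [(1700000000, 1000, tiny_ipv4_tcp(b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n")),
            (1700000000, 2500, tiny_ipv4_tcp(b"HTTP/1.1 200 OK\r\n"))]
    result = {}
    for label, snaplen in (("-s 68", 68), ("-s 0", 262144)):
        _, _, records = read_pcap(write_pcap(pkts, snaplen))
        result[label] = [(incl, orig) for _, _, incl, orig, _ in records]
    return result
```

demo() reports the 88-byte request stored as (68, 88) under the old default and as (88, 88) with -s 0; the 57-byte reply fits either way. A truncated record in an analysis tool is usually this snaplen effect, not corruption, and the orig_len field is how the reader can tell.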
Source: MaGe Linux Operations