Tcpdump Fundamentals
Introduction to Tcpdump
Tcpdump is a command-line packet sniffer that captures and interprets data frames from network interfaces. Available on Unix-based systems, Tcpdump can capture packets from the network "off the wire" and is widely used for traffic analysis, troubleshooting, and forensic purposes. It requires root privileges to access hardware and run effectively, typically via sudo. Windows users can use WinDump or run a Linux distribution in WSL to leverage Tcpdump on Windows.
Basic Capture Options
Tcpdump provides many switches to modify captures. Here are key options:
-D
Display available interfaces.
-i
Select an interface to capture from, e.g., -i eth0.
-n
Do not resolve hostnames.
-nn
Do not resolve hostnames or port names.
-e
Include Ethernet header in the output.
-X
Show packet contents in hex and ASCII.
-v, -vv, -vvv
Increase verbosity level.
-c
Capture a specific number of packets then exit.
-s
Specify the packet capture length.
-S
Show absolute sequence numbers.
-q
Print minimal protocol info.
-r
Read from a file.
-w
Write to a file.
Display Available Interfaces
sudo tcpdump -DCapture Traffic on a Specific Interface
Disable Host and Port Resolution
Include Ethernet Header in Capture
Show Hex and ASCII Output
Combine Multiple Options
Tcpdump Output Breakdown
Tcpdump output can include various fields:
Timestamp
Shows time of capture.
Protocol
Upper-layer protocol (e.g., IP).
Source & Destination IP/Port
Shows the connection path and ports.
Flags
Displays any TCP flags used.
Sequence & Ack Numbers
Used to track TCP segments.
Protocol Options
TCP options like window size, SACK, etc.
File Input/Output with Tcpdump
Save Captures to a File
Read Captures from a File
To increase detail when reading from a file, add relevant switches.
Advanced Tcpdump Use
Tcpdump can act as a basic IDS by using filters in a script to detect specific patterns, such as repeated ICMP requests from a single IP, and can then trigger automated responses.
Last updated