TCPDump: useful examples for day-to-day tasks on RHEL/CentOS.

In this article we will look at tcpdump examples that are useful for accomplishing day-to-day tasks.

Let's look at the various examples step by step.

1. Collecting a tcpdump of all packets arriving at the server.
Always specify “-w <output filename>” so the capture is saved to a file.

[root@ngelinux01 log]# tcpdump -w testfile.pcap
tcpdump: listening on virbr0, link-type EN10MB (Ethernet), capture size 65535 bytes
^C0 packets captured
0 packets received by filter
0 packets dropped by kernel
[root@ngelinux01 log]#

Alternatively, when the server has multiple IP interfaces it is advisable to capture on “-i any”.
# tcpdump -i any -w test1.pcap


2. Collecting tcpdump for a specific interface.

[root@ngelinux01 log]# tcpdump -i virbr0 -s0 -w test.pcap
tcpdump: listening on virbr0, link-type EN10MB (Ethernet), capture size 65535 bytes

Here we have used two other options:
a. “-i” specifies the interface name, usually eth0 or ethX.
b. “-s” sets the snap length, i.e. how many bytes of each packet are kept; “-s0” captures every packet in full rather than truncating it at the default of 65535 bytes.
Full packets make analysis of the captured traffic easier.


3. Capture all ICMP packets

[root@ngelinux01 log]# tcpdump -n icmp -w testfile.pcap
tcpdump: listening on virbr0, link-type EN10MB (Ethernet), capture size 65535 bytes


4. Capture all emails sent from the server.

[root@ngelinux01 log]# tcpdump -nn -l port 25 -w testfile1.pcap
tcpdump: listening on virbr0, link-type EN10MB (Ethernet), capture size 65535 bytes

“-nn” keeps host addresses and port numbers numeric instead of resolving them to names.
“-l” line-buffers the output, and “port 25” matches packets using the SMTP protocol on port 25.


5. Collect all packets sent from our server to destination port 2049.

[root@ngelinux01 log]# tcpdump dst port 2049
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode


6. Capture traffic for a specific host and port number.
This command captures all packets involving host “192.168.1.3” (as source or destination) that use port 2049.

# tcpdump -i eth0 -n -s 0 -vvv -w test1.pcap host 192.168.1.3 and port 2049


7. Filter on the source host while capturing packets

[root@host-1-193 ~]# tcpdump -i any -c5 -nn src 192.168.12.32
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode


8. Reading a pcap binary file with the tcpdump command

# tcpdump -nn -r test1.pcap

A pcap file is binary, so it cannot be read directly.
Normally it is downloaded and analysed with a tool such as Wireshark.

To read it on the console instead, use the tcpdump “-r” option.
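As an added example that is not part of the original article, the following Python script shows what “-r” does underneath: it parses the binary pcap global header and per-packet records directly and then applies the same host / src / port / dst port filters used in the examples above. It assumes a classic (non-pcapng) capture with Ethernet link type, and the sample capture it reads is constructed inline rather than taken from a real server.

```python
import struct
from collections import namedtuple
# Minimal reader for the classic libpcap format "tcpdump -w" writes (added example,
# not the article's code); decodes only Ethernet/IPv4 frames carrying TCP or UDP.
Packet = namedtuple("Packet", "ts proto src dst sport dport")

def read_pcap(data):
    magic = data[:4]  # the magic number also tells us the writer's byte order
    end = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}.get(magic)
    if end is None:
        raise ValueError("not a classic pcap file (magic %r)" % magic)
    if struct.unpack(end + "I", data[20:24])[0] != 1:  # DLT_EN10MB, "link-type EN10MB"
        raise ValueError("only Ethernet captures are supported")
    off = 24  # packet records follow the 24-byte global header
    while off + 16 <= len(data):
        ts_sec, ts_usec, incl_len, _ = struct.unpack(end + "IIII", data[off:off + 16])
        fr = data[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        if len(fr) < 34 or fr[12:14] != b"\x08\x00":  # skip non-IPv4 frames
            continue
        ihl, proto = (fr[14] & 0x0F) * 4, fr[23]
        l4 = fr[14 + ihl:]
        if proto not in (6, 17) or len(l4) < 4:  # TCP or UDP only
            continue
        src, dst = (".".join(map(str, fr[i:i + 4])) for i in (26, 30))
        yield Packet(ts_sec + ts_usec / 1e6, proto, src, dst, *struct.unpack("!HH", l4[:4]))

def select(packets, host=None, src=None, port=None, dst_port=None):
    """The article's filter primitives (host, src, port, dst port) applied in Python."""
    return [p for p in packets
            if (host is None or host in (p.src, p.dst)) and (src is None or p.src == src)
            and (port is None or port in (p.sport, p.dport))
            and (dst_port is None or p.dport == dst_port)]

def frame(src, dst, proto, sport, dport):  # minimal Ethernet/IPv4/L4 frame for samples
    l4 = struct.pack("!HH", sport, dport) + b"\x00" * 16
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64, proto, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return b"\x00" * 12 + b"\x08\x00" + ip + l4

def pcap(frames):  # little-endian global header plus one 16-byte record per frame
    hdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    return hdr + b"".join(struct.pack("<IIII", 1700000000 + i, 0, len(f), len(f)) + f
                          for i, f in enumerate(frames))

# Constructed sample capture exercising the article's filters (not a real capture).
SAMPLE = pcap([
    frame("192.168.1.3", "10.0.0.5", 6, 40000, 2049),    # request to dst port 2049
    frame("10.0.0.5", "192.168.1.3", 6, 2049, 40000),    # its reply
    frame("10.0.0.5", "203.0.113.9", 6, 51000, 25),      # outbound mail on port 25
    frame("192.168.12.32", "10.0.0.5", 17, 5353, 5353),  # UDP from example 7's source
])
```

Run `select(read_pcap(SAMPLE), host="192.168.1.3", port=2049)` to reproduce example 6's filter; swap in `open("test1.pcap", "rb").read()` for SAMPLE to read a real capture written with “-w”.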

9. Listing all interfaces available on the system for capturing packets.
[root@ngelinux01 ~]# tcpdump -D
1.virbr0
2.nflog (Linux netfilter log (NFLOG) interface)
3.nfqueue (Linux netfilter queue (NFQUEUE) interface)
4.usbmon1 (USB bus number 1)
5.ens3
6.any (Pseudo-device that captures on all interfaces)
7.lo
[root@ngelinux01 ~]#
