tcpdump is a command-line packet sniffer that captures the TCP/IP packets received or transmitted on a specific interface. It is widely used for troubleshooting as well as for security assessments. A capture written by tcpdump can be opened and analysed with the free Wireshark tool.
| tcpdump cli options | Description |
|---|---|
| tcpdump -i 2.1 | To view the traffic on a single specific interface. |
| tcpdump -i internal | To view the traffic on a specific VLAN called internal. |
| tcpdump -i eth0 | To view the traffic on the management interface. |
| tcpdump -i 0.0 | To view the traffic on all interfaces. This can produce very large files, so use filters to limit their size. |
| tcpdump -ni | By default, tcpdump attempts to resolve names for IP addresses and waits for the DNS server to respond, which can make the capture slow. Use the -n flag to disable name resolution. |
| tcpdump -w | Writes the capture to a file; tcpdump does not print packets to the screen while capturing to a file. To stop the capture, press CTRL-C. |
| tcpdump -s0 | To specify the amount of each packet to capture. To capture the entire packet, use a value of 0 (zero). |
| tcpdump filters | Description |
|---|---|
| tcpdump host 10.90.100.1 | To view all packets that are traveling to or from a specific IP address. |
| tcpdump src host 10.90.100.1 | To view all packets that are traveling from a specific IP address. |
| tcpdump dst host 10.90.100.1 | To view all packets that are traveling to a particular IP address. |
| tcpdump port 80 | To view all packets that are either sourced from or destined to a specific port. |
| tcpdump src port 80 | To view all packets that are sourced from a specific port. |
| tcpdump dst port 80 | To view all packets that are destined to a specific port. |
The options and filters above can be combined, for example:

```
tcpdump src host 172.16.101.20 and dst host 10.90.100.1
tcpdump -ni 0.0:nnn -s0 -w /var/tmp/capjun2018.dmp
```
If you are troubleshooting a case on an F5 appliance, you should also know how to capture extended TMM data with tcpdump. The interface name is suffixed with a noise amplitude:

```
tcpdump -i <interface>:<noise amplitude>
```
The noise amplitude defines the level of TMM details included in the packet capture. The following noise levels may be captured:

- n: Low details
- nn: Low and medium details
- nnn: Low, medium, and high details
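As an added example that is not part of the original article, the following POSIX shell helper ties the pieces above together: it appends the TMM noise level to the interface (rejecting anything other than n, nn or nnn), turns on -n and -s0, writes to a file, and, to address the large-file caveat for `0.0`, limits disk usage with tcpdump's standard ring-buffer options (`-C` megabytes per file, `-W` number of files). The function names, the 100 MB / 10-file limits and the sample hosts are assumptions chosen for illustration; it prints the finished command rather than running it, so the capture can be reviewed before it is started with the necessary privileges.

```shell
#!/bin/sh
# Added example, not code from the original article or from F5.
# build_capture <interface> <noise> <out_file> [bpf filter words...]
#   <noise> is "" (none), n, nn or nnn and is appended as <interface>:<noise>.
#   Prints the tcpdump command line; it does not execute it.
build_capture() {
    iface="$1"; noise="$2"; out="$3"; shift 3
    # Only the three documented TMM noise levels (or none) are accepted.
    case "$noise" in
        ""|n|nn|nnn) ;;
        *) echo "invalid noise level: $noise (use n, nn or nnn)" >&2; return 1 ;;
    esac
    if [ -n "$noise" ]; then
        iface="$iface:$noise"
    fi
    # -n: no DNS lookups; -s0: whole packets; -C 100 -W 10: rotate every
    # 100 MB and keep at most 10 files (assumed limits, standard tcpdump flags).
    cmd="tcpdump -ni $iface -s0 -C 100 -W 10 -w $out"
    if [ $# -gt 0 ]; then
        cmd="$cmd $*"
    fi
    printf '%s\n' "$cmd"
}

# host_pair_filter <src> <dst> [port]: BPF expression for one conversation,
# combining src host / dst host / port exactly as the filter table shows.
host_pair_filter() {
    f="src host $1 and dst host $2"
    if [ -n "$3" ]; then
        f="$f and port $3"
    fi
    printf '%s\n' "$f"
}

# Usage (constructed sample values): show the command for a full-detail TMM
# capture on all interfaces, restricted to one client/server conversation.
build_capture 0.0 nnn /var/tmp/capjun2018.dmp "$(host_pair_filter 172.16.101.20 10.90.100.1 80)"
```

Run the printed line with the required privileges once it looks right; because the ring buffer overwrites the oldest file, an unattended capture on `0.0` cannot fill the disk.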