Skip to main content

6 options for tcpdump you need to know

Six more tcpdump command options to simplify and filter your packet captures.
Image
6 more tcpdump command options
Image by Free-Photos from Pixabay

This article is part two in a series covering the great tcpdump utility. You can use this utility to capture network traffic for troubleshooting and analysis (and eavesdropping). Here in part two, I demonstrate capturing and viewing data.

7. Option -r

If you made it this far and wrote a pcap file, you know you can’t use a simple text editor to read the file contents. Hence, you should use -r file.pcap. It reads existing capture files and prints them as an output.

# tcpdump -r dns.pcap
reading from file dns.pcap, link-type LINUX_SLL2 (Linux cooked v2), snapshot length 262144
Warning: interface names might be incorrect
dropped privs to tcpdump
20:33:45.240421 wlp0s20f3 Out IP kkulkarni.attlocal.net.37376 > dsldevice.attlocal.net.domain: 8860+ PTR? 89.1.168.192.in-addr.arpa. (43)
20:33:45.250107 wlp0s20f3 In  IP dsldevice.attlocal.net.domain > kkulkarni.attlocal.net.37376: 8860* 1/0/0 PTR kkulkarni.attlocal.net. (79)
20:33:45.253418 wlp0s20f3 Out IP kkulkarni.attlocal.net.54366 > dsldevice.attlocal.net.domain: 23092+ PTR? 1.112.168.192.in-addr.arpa. (44)
20:33:45.260212 wlp0s20f3 In  IP dsldevice.attlocal.net.domain > kkulkarni.attlocal.net.54366: 23092 NXDomain* 0/0/0 (44)

[ You might also enjoy: Enumerating a new network with Nmap ]

8. The host option

If you want to filter traffic for a particular host, you can use host ip or host name to capture packets for a specific host.

# tcpdump host redhat.com -i any -c4
tcpdump: data link type LINUX_SLL2
dropped privs to tcpdump
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on any, link-type LINUX_SLL2 (Linux cooked v2), snapshot length 262144 bytes
20:40:03.331999 tun0  Out IP kkulkarni > 10.4.204.55: ICMP echo request, id 3, seq 1, length 64
20:40:03.407110 tun0  In  IP 10.4.204.55 > kkulkarni: ICMP echo reply, id 3, seq 1, length 64
20:40:03.474267 tun0  Out IP kkulkarni.43846 > 10.4.204.55.hostmon: Flags [S], seq 708429466, win 64680, options [mss 1320,sackOK,TS val 2091589339 ecr 0,nop,wscale 7,tfo  cookiereq,nop,nop], length 0
20:40:03.474377 tun0  Out IP kkulkarni.43848 > 10.4.204.55.hostmon: Flags [S], seq 1993455236, win 64680, options [mss 1320,sackOK,TS val 2091589340 ecr 0,nop,wscale 7,tfo  cookiereq,nop,nop], length 0
4 packets captured
54 packets received by filter
0 packets dropped by kernel

You may use src or dst keywords to tell tcpdump if the packets captured should contain the host in the source or destination address, e.g., you can try to run tcpdump -i any src host localhost or tcpdump -i any dst host redhat.com

9. Logical operators

tcpdump supports and/or/not operators as keywords, e.g., tcpdump -i eth0 “host redhat.com and (port 80 or port 443)”. It is wise to use quotes around compound expressions so that bash doesn’t try to interpret parenthesis.

# tcpdump -i any "host redhat.com and (port 22 or port 443)"
tcpdump: data link type LINUX_SLL2
dropped privs to tcpdump
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on any, link-type LINUX_SLL2 (Linux cooked v2), snapshot length 262144 bytes
20:47:07.210126 tun0  Out IP kkulkarni.58218 > 10.4.204.55.https: Flags [S], seq 2898988806, win 64680, options [mss 1320,sackOK,TS val 2092013075 ecr 0,nop,wscale 7], length 0
20:47:07.309977 tun0  In  IP 10.4.204.55.https > kkulkarni.58218: Flags [S.], seq 3757049161, ack 2898988807, win 3960, options [mss 1320,nop,wscale 2,nop,nop,TS val 2416723958 ecr 2092013075,sackOK,eol], length 0
20:47:07.310082 tun0  Out IP kkulkarni.58218 > 10.4.204.55.https: Flags [.], ack 1, win 506, options [nop,nop,TS val 2092013175 ecr 2416723958], length 0
20:47:07.336927 tun0  Out IP kkulkarni.58218 > 10.4.204.55.https: Flags [P.], seq 1:518, ack 1, win 506, options [nop,nop,TS val 2092013202 ecr 2416723958], length 517
20:47:07.430495 tun0  In  IP 10.4.204.55.https > kkulkarni.58218: Flags [.], ack 518, win 1119, options [nop,nop,TS val 2416724085 ecr 2092013202], length 0
20:47:07.439951 tun0  In  IP 10.4.204.55.https > kkulkarni.58218: Flags [.], seq 1:1309, ack 518, win 1119, options [nop,nop,TS val 2416724087 ecr 2092013202], length 1308
20:47:07.439995 tun0  Out IP kkulkarni.58218 > 10.4.204.55.https: Flags [.], ack 1309, win 502, options [nop,nop,TS val 2092013305 ecr 2416724087], length 0
20:47:07.440032 tun0  In  IP 10.4.204.55.https > kkulkarni.58218: Flags [.], seq 1309:2617, ack 518, win 1119, options [nop,nop,TS val 2416724087 ecr 2092013202], length 1308
20:47:07.440051 tun0  Out IP kkulkarni.58218 > 10.4.204.55.https: Flags [.], ack 2617, win 494, options [nop,nop,TS val 2092013305 ecr 2416724087], length 0
20:47:07.440070 tun0  In  IP 10.4.204.55.https > kkulkarni.58218: Flags [P.], seq 2617:3455, ack 518, win 1119, options [nop,nop,TS val 2416724087 ecr 2092013202], length 838
20:47:07.440084 tun0  Out IP kkulkarni.58218 > 10.4.204.55.https: Flags [.], ack 3455, win 488, options [nop,nop,TS val 2092013305 ecr 2416724087], length 0
20:47:07.442272 tun0  Out IP kkulkarni.58218 > 10.4.204.55.https: Flags [P.], seq 518:644, ack 3455, win 502, options [nop,nop,TS val 2092013307 ecr 2416724087], length 126
20:47:07.540457 tun0  In  IP 10.4.204.55.https > kkulkarni.58218: Flags [.], ack 644, win 1150, options [nop,nop,TS val 2416724191 ecr 2092013307], length 0
20:47:07.540516 tun0  In  IP 10.4.204.55.https > kkulkarni.58218: Flags [P.], seq 3455:3506, ack 644, win 1150, options [nop,nop,TS val 2416724192 ecr 2092013307], length 51
20:47:07.540549 tun0  Out IP kkulkarni.58218 > 10.4.204.55.https: Flags [.], ack 3506, win 502, options [nop,nop,TS val 2092013406 ecr 2416724192], length 0
20:47:07.541003 tun0  Out IP kkulkarni.58218 > 10.4.204.55.https: Flags [P.], seq 644:747, ack 3506, win 502, options [nop,nop,TS val 2092013406 ecr 2416724192], length 103
20:47:07.642712 tun0  In  IP 10.4.204.55.https > kkulkarni.58218: Flags [.], ack 747, win 1176, options [nop,nop,TS val 2416724288 ecr 2092013406], length 0
20:47:07.642759 tun0  In  IP 10.4.204.55.https > kkulkarni.58218: Flags [P.], seq 3506:3664, ack 747, win 1176, options [nop,nop,TS val 2416724289 ecr 2092013406], length 158
20:47:07.642815 tun0  Out IP kkulkarni.58218 > 10.4.204.55.https: Flags [.], ack 3664, win 502, options [nop,nop,TS val 2092013508 ecr 2416724289], length 0
20:47:07.643276 tun0  Out IP kkulkarni.58218 > 10.4.204.55.https: Flags [P.], seq 747:778, ack 3664, win 502, options [nop,nop,TS val 2092013508 ecr 2416724289], length 31
20:47:07.645016 tun0  Out IP kkulkarni.58218 > 10.4.204.55.https: Flags [F.], seq 778, ack 3664, win 502, options [nop,nop,TS val 2092013510 ecr 2416724289], length 0
20:47:07.740205 tun0  In  IP 10.4.204.55.https > kkulkarni.58218: Flags [.], ack 778, win 1184, options [nop,nop,TS val 2416724391 ecr 2092013508], length 0
20:47:07.740283 tun0  In  IP 10.4.204.55.https > kkulkarni.58218: Flags [F.], seq 3664, ack 778, win 1184, options [nop,nop,TS val 2416724391 ecr 2092013508], length 0
20:47:07.740328 tun0  Out IP kkulkarni.58218 > 10.4.204.55.https: Flags [.], ack 3665, win 502, options [nop,nop,TS val 2092013606 ecr 2416724391], length 0
20:47:07.740358 tun0  In  IP 10.4.204.55.https > kkulkarni.58218: Flags [.], ack 779, win 1184, options [nop,nop,TS val 2416724392 ecr 2092013510], length 0

20:47:22.662001 tun0  Out IP kkulkarni.46274 > 10.4.204.55.ssh: Flags [S], seq 401723346, win 64680, options [mss 1320,sackOK,TS val 2092028527 ecr 0,nop,wscale 7], length 0
20:47:22.745682 tun0  In  IP 10.4.204.55.ssh > kkulkarni.46274: Flags [R.], seq 0, ack 401723347, win 0, length 0

10. Keyword net

The net keyword can be used to specify what network to capture on by using CIDR notation. You could use src and dst network CIDRs with a logical operator and filter packages more precisely.

# tcpdump -i any -n "src net 192.168.0.0/16 and not dst net 10.0.0.0/8" -c4
tcpdump: data link type LINUX_SLL2
dropped privs to tcpdump
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on any, link-type LINUX_SLL2 (Linux cooked v2), snapshot length 262144 bytes
20:49:05.299091 wlp0s20f3 B   IP 192.168.1.76.49154 > 255.255.255.255.ircu-3: UDP, length 188
20:49:05.300437 wlp0s20f3 Out IP 192.168.1.89.36676 > 18.211.133.65.https: Flags [.], ack 493003385, win 2033, options [nop,nop,TS val 2037223284 ecr 885784861], length 0
20:49:06.238513 wlp0s20f3 Out IP 192.168.1.89.49254 > 66.187.232.64.https: UDP, length 1384
20:49:06.238603 wlp0s20f3 Out IP 192.168.1.89.49254 > 66.187.232.64.https: UDP, length 1384
4 packets captured
5 packets received by filter
0 packets dropped by kernel

11. Keyword ether

Filters can be applied using the ether host keyword to restrict traffic capture to a MAC address. Use the -e to print the link-level header on each dump line. This can be used, for example, to print MAC layer addresses for protocols such as Ethernet and IEEE 802.11. The example below captures the Layer 2 broadcast traffic:

# tcpdump ether host ff:ff:ff:ff:ff:ff -i wlp0s20f3 -e -c4
dropped privs to tcpdump
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on wlp0s20f3, link-type EN10MB (Ethernet), snapshot length 262144 bytes
20:56:35.965137 cc:ab:2c:60:a4:a8 (oui Unknown) > Broadcast, ethertype Unknown (0x7373), length 121:
    0x0000:  1211 0000 0043 c76d 1204 8629 6fdb 3304  .....C.m...)o.3.
    0x0010:  6f06 5a3c 0bcf 3f58 6dad 1cf0 48c1 dd1a  o.Z<..?Xm...H...
    0x0020:  2fca 9a26 0fb3 0000 0201 8003 06cc ab2c  /..&...........,
    0x0030:  60a4 a104 0104 0701 071b 0100 0806 ccab  `...............
    0x0040:  2c60 a4a8 0901 030e 1800 0000 0000 0000  ,`..............
    0x0050:  0000 0000 0000 0000 0000 0000 0000 0000  ................
    0x0060:  0019 0844 1e7f 903a 6871 54              ...D...:hqT
20:56:36.886722 cc:ab:2c:60:a4:a8 (oui Unknown) > Broadcast, ethertype Unknown (0x7373), length 121:
    0x0000:  1211 0000 0043 c76d 1204 8629 6fdb 3304  .....C.m...)o.3.
    0x0010:  6f06 5a3c 0bcf 3f58 6dad 1cf0 48c1 dd1a  o.Z<..?Xm...H...
    0x0020:  2fca 9a26 0fb3 0000 0201 8003 06cc ab2c  /..&...........,
    0x0030:  60a4 a104 0104 0701 071b 0100 0806 ccab  `...............
    0x0040:  2c60 a4a8 0901 030e 1800 0000 0000 0000  ,`..............
    0x0050:  0000 0000 0000 0000 0000 0000 0000 0000  ................
    0x0060:  0019 0844 1e7f 903a 6871 54              ...D...:hqT
20:56:37.808286 cc:ab:2c:60:a4:a8 (oui Unknown) > Broadcast, ethertype Unknown (0x7373), length 121:
    0x0000:  1211 0000 0043 c76d 1204 8629 6fdb 3304  .....C.m...)o.3.
    0x0010:  6f06 5a3c 0bcf 3f58 6dad 1cf0 48c1 dd1a  o.Z<..?Xm...H...
    0x0020:  2fca 9a26 0fb3 0000 0201 8003 06cc ab2c  /..&...........,
    0x0030:  60a4 a104 0104 0701 071b 0100 0806 ccab  `...............
    0x0040:  2c60 a4a8 0901 030e 1800 0000 0000 0000  ,`..............
    0x0050:  0000 0000 0000 0000 0000 0000 0000 0000  ................
    0x0060:  0019 0844 1e7f 903a 6871 54              ...D...:hqT
20:56:39.958693 cc:ab:2c:60:a4:a8 (oui Unknown) > Broadcast, ethertype Unknown (0x7373), length 121:
    0x0000:  1211 0000 0043 c76d 1204 8629 6fdb 3304  .....C.m...)o.3.
    0x0010:  6f06 5a3c 0bcf 3f58 6dad 1cf0 48c1 dd1a  o.Z<..?Xm...H...
    0x0020:  2fca 9a26 0fb3 0000 0201 8003 06cc ab2c  /..&...........,
    0x0030:  60a4 a104 0104 0701 071b 0100 0806 ccab  `...............
    0x0040:  2c60 a4a8 0901 030e 1800 0000 0000 0000  ,`..............
    0x0050:  0000 0000 0000 0000 0000 0000 0000 0000  ................
    0x0060:  0019 0844 1e7f 903a 6871 54              ...D...:hqT
4 packets captured
4 packets received by filter
0 packets dropped by kernel

12. Keyword ip6

IPv6 Traffic can be captured using the ip6 keyword. Here is an example:

# tcpdump -i any ip6 host google.com -c4
tcpdump: data link type LINUX_SLL2
dropped privs to tcpdump
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on any, link-type LINUX_SLL2 (Linux cooked v2), snapshot length 262144 bytes
21:00:22.825749 wlp0s20f3 Out IP6 kkulkarni.attlocal.net > ord38s18-in-x0e.1e100.net: ICMP6, echo request, id 8, seq 1, length 64
21:00:22.863347 wlp0s20f3 In  IP6 ord38s18-in-x0e.1e100.net > kkulkarni.attlocal.net: ICMP6, echo reply, id 8, seq 1, length 64
21:00:23.827332 wlp0s20f3 Out IP6 kkulkarni.attlocal.net > ord38s18-in-x0e.1e100.net: ICMP6, echo request, id 8, seq 2, length 64
21:00:23.864202 wlp0s20f3 In  IP6 ord38s18-in-x0e.1e100.net > kkulkarni.attlocal.net: ICMP6, echo reply, id 8, seq 2, length 64
4 packets captured
7 packets received by filter
0 packets dropped by kernel

[ A free guide from Red Hat: 5 steps to automate your business. ] 

Wrap up

Here in part two, you learned six new options for managing packet captures on the network using tcpdump. This article builds on the information covered in part one. In the final installment, you'll see six more flags that help filter tcpdump results.

Author’s photo

Kedar Vijay Kulkarni

Kedar is a Senior Software Engineer at Red Hat working with Red Hat OpenShift Networking focusing on functionality, performance, and scaling of Software Defined Networking, primarily with Open Virtual Network Kubernetes (OVN-K8s) plugin. More about me

Try Red Hat Enterprise Linux

Download it at no charge from the Red Hat Developer program.