Home

1 minute read

A Quick Guide to Using tcpdump

Tony Lea

A Quick Guide to Using tcpdump

The tcpdump command can be used to check for incoming and outgoing TCP traffic on your server. You can check if you have tcpdump installed by running the following command:

which tcpdump

You should then see an output similar to:

/usr/sbin/tcpdump

Installing tcpdump

If you do not have tcpdump installed you can install it with the following commands.

sudo apt-get install tcpdump

On other operating systems you can run:

sudo yum install -y tcpdump

Now, you'll be able to use tcpdump to monitor TCP traffic.

How to run tcpdump

There are a few different ways that you can run TCP dump. To see all these ways you can run:

sudo tcpdump -D

And you'll see which interfaces you can run tcpdump with:

1.ens5 [Up, Running]
2.any (Pseudo-device that captures on all interfaces) [Up, Running]
3.lo [Up, Running, Loopback]
4.nflog (Linux netfilter log (NFLOG) interface)
5.nfqueue (Linux netfilter queue (NFQUEUE) interface)

You can learn more about these different interfaces by visiting the manual page and running:

man tcpdump

But for our use-case we are going to capture tcp packets on all interfaces, so we will use the any interface. 

Running tcpdump

To run a quick scan of tcp traffic happening on our server we can run:

sudo tcpdump -i any

The -i flag indicates the interface we want to use. Upon running this command you'll notice that you get a cluster dump of tcp packages scrolling across your screen and it may be hard to read each line, so we need to limit the number of lines we want to display. We can do that by using the -c flag like so:

sudo tcpdump -i any -c 5

Now, we are only shown the latest 5 packets and it will make it easier to try and read the lines.

Viewing IP Address from tcpdump

In order to view the IP address from each packet we need to include the -n flag:

sudo tcpdump -i any -c 5 -n

You'll see that the first IP address is sending a packet to another IP address denoted by the > character:

tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on any, link-type LINUX_SLL (Linux cooked), capture size 262144 bytes
20:19:08.279563 IP 157.245.236.251.22 > 64.113.21.172.53145: Flags [P.], seq 3639162972:3639163080, ack 745825761, win 315, options [nop,nop,TS val 3074559307 ecr 814982458], length 108
20:19:08.279601 IP 157.245.236.251.22 > 64.113.21.172.53145: Flags [P.], seq 108:144, ack 1, win 315, options [nop,nop,TS val 3074559307 ecr 814982458], length 36
20:19:08.279632 IP 157.245.236.251.22 > 64.113.21.172.53145: Flags [P.], seq 144:260, ack 1, win 315, options [nop,nop,TS val 3074559307 ecr 814982458], length 116
20:19:08.279656 IP 157.245.236.251.22 > 64.113.21.172.53145: Flags [P.], seq 260:296, ack 1, win 315, options [nop,nop,TS val 3074559307 ecr 814982458], length 36
20:19:08.279757 IP 157.245.236.251.22 > 64.113.21.172.53145: Flags [P.], seq 296:516, ack 1, win 315, options [nop,nop,TS val 3074559307 ecr 814982458], length 220
5 packets captured
9 packets received by filter
0 packets dropped by kernel
One of those IP addresses is most likely the IP address of the server you are working on. Now, you can see when a packet is being sent or received by your server.

Viewing tcpdump from a Port number

You may find it useful to track packets being sent over a specific port, which is super easy to accomplish:

sudo tcpdump -i any -c 5 port 25 -n

In the above example we are looking for any incoming or outgoing traffic from Port 25.

Conclusion

Using the tcpdump command is a great way to see incoming and outgoing packets to your server. It may also help when you are trying to debug a server issue and see if you are hitting the correct server when making a network request. There is so much more to learn about the tcpdump command. Be sure to checkout this video on tcp dump command to learn more: https://www.youtube.com/watch?v=hWc-ddF5g1I