TCPDump – Top 10 ways to Dump everything on the network

There is absolutely no doubt that TCPDump is the easiest way to identify traffic on any Unix or Linux host. It's lightweight, easy to use and does not require a GUI. TCPDump combines power with simplicity in analyzing network traffic. I have been implementing SIEM and other log collection mechanisms, and TCPDump is the first tool I reach for to verify whether data is actually arriving at my collection servers. Tcpdump is one of the best network analysis tools for information security professionals.

What is TCPDump

For those who are new to TCPDump, it is a handy tool for inspecting network packets on a Linux box. You can view information about the traffic coming in and going out of a given network interface. This diagnostic tool shows you packet information: where incoming packets come from and where outgoing packets are headed on an interface, along with some extra details. You can even save the output to a file to inspect later on.

Here is how you can get TCPDump on your Linux box

Ubuntu

apt install tcpdump

CentOS / RedHat

yum install tcpdump

TCPDump – Dump everything on the network

Let us start with some examples that you are likely to need in networking, security, or any other kind of infrastructure work. Remember to replace the interface name in the commands below with the one configured on your Linux host. You can list the names of your network interfaces by running:

ifconfig

TCPDump – See all the Traffic on an Interface

If you want to look at everything that is happening on a network interface, use the -i option to select that interface. This prints all the traffic passing over it.

tcpdump -i <interface-name>

TCPDump – Find Traffic by host / IP

To see traffic going to or from a particular host, use the host keyword:

tcpdump host 192.168.1.1

Filtering by Source

If you want to see only the traffic generated by one source address, use the src keyword:

tcpdump src 192.168.1.1

Filtering by Destination

Similarly, use dst to see all the traffic going towards a destination IP:

tcpdump dst 192.168.1.1

Filtering Packets by Network

To find packets going to or from a particular network or subnet, use the net keyword:

tcpdump net 192.168.1.0/24

Filter Traffic to a Specific Port

To find traffic travelling to a specific port, use the port keyword. This is helpful for monitoring traffic to services that use custom ports.

tcpdump port 8089

Filter Traffic to a Port Range

If a service uses a range of ports to send or receive its traffic, use the portrange keyword to monitor the traffic on that range.

tcpdump portrange 8000-8100

Filter Traffic by Protocol

If you need to monitor traffic for only one protocol, you can write the name of the protocol directly:

tcpdump arp

TCPDump – Print Each Packet

To inspect the contents of each packet, print them in ASCII with the -A option.

tcpdump -A

TCPDump – Writing Captures to a pcap file

It is always useful to write the capture to a PCAP file for later use. This is especially handy when your Linux box has no GUI and you still want to visualize the traffic: create the pcap file and later open it in any packet analyzer such as Wireshark.

tcpdump -w capture_file port 514
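Putting the port filter to the SIEM use case mentioned at the top of this post, the script below is an added example and is not part of the original post: it captures syslog headed for a collector on port 514, counts packets per source host from tcpdump's numeric (-nn) one-line output, and reports which expected log sources have gone silent. The interface name, the addresses and the expected-source list are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the original post. Checks that the hosts which are
# supposed to forward syslog to this collector are really doing so, using the
# port filter shown above plus tcpdump's one-line (-nn) output.
# Assumptions: the collector receives syslog on port 514; the interface name,
# addresses and expected-source list below are constructed placeholders.

# Run a bounded capture of syslog headed for this host.
#   -nn  print addresses and ports numerically (no DNS / service lookups)
#   -c   stop after the given number of packets so the check terminates
capture_syslog() {
    iface="$1"
    count="${2:-200}"
    tcpdump -nn -i "$iface" -c "$count" 'dst port 514'
}

# Read tcpdump -nn lines on stdin and print "<source_ip> <packets>" for every
# source that sent to port 514, busiest first. A matching line looks like:
#   12:00:01.123456 IP 10.0.0.5.51234 > 10.0.0.1.514: UDP, length 120
# Field 3 is the source, field 5 the destination; the last dotted component
# of each is the port, so it is stripped from the source before counting.
count_sources() {
    awk '$2 == "IP" && $5 ~ /\.514:$/ {
             src = $3
             sub(/\.[0-9]+$/, "", src)
             n[src]++
         }
         END { for (s in n) print s, n[s] }' | sort -k2,2nr -k1,1
}

# Compare the sources observed on stdin against the expected hosts given as
# arguments and print each expected host that sent nothing.
missing_sources() {
    observed=$(count_sources | awk '{ print $1 }')
    for host in "$@"; do
        printf '%s\n' "$observed" | grep -qxF "$host" || printf '%s\n' "$host"
    done
}

# Typical use on the collector (the capture itself needs root):
#   capture_syslog eth0 500 | missing_sources 10.0.0.5 10.0.0.6 10.0.0.7
```

The same count_sources function works on a saved capture via tcpdump -nn -r capture_file, so a pcap written with -w can be checked later on a different host.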

These were some basic examples that can be helpful for a first analysis of network traffic. There are many advanced options and tweaks available in TCPDump, and the TCPDump man page is the best reference for them.

TCPDump is very lightweight yet a very powerful tool; working only with the basic options does not do it justice. Soon I will be writing a post on how you can use TCPDump with advanced options, the Real Hacker way.
