Tcpdump is a command-line tool for capturing, filtering and analysing packets on a network interface (packet sniffing). It is widely used and one of the most important network commands in a Linux environment.
Tcpdump captures at the link layer through libpcap, so it sees every frame the interface receives, not only traffic addressed to the local host. Live capture needs root privileges (or the CAP_NET_RAW and CAP_NET_ADMIN capabilities). Most Linux distributions ship it; if it is missing, install it from the distribution repositories (for example yum install tcpdump or apt install tcpdump) or from the official site, tcpdump.org.
Check whether it is installed (on RPM-based systems):
rpm -qa | grep tcpdump
- With -i option
Specifies the interface to capture on. Without -i, tcpdump picks the lowest-numbered configured interface that is up, excluding loopback; -i any captures on all interfaces at once.
tcpdump -i ens33
- With -D option
Lists the interfaces tcpdump can capture on, each with a number that can be passed to -i instead of the name.
- With -n option
Prints sender and receiver as IP addresses instead of resolving them to host names; -nn additionally leaves port numbers as numbers instead of service names. This is faster, and it avoids the reverse-DNS queries that tcpdump would otherwise generate on the network while you are capturing.
- With -c option
Sets the number of packets to capture; tcpdump exits once that many have been received.
- With -s option
Sets the snapshot length (snaplen), the number of bytes captured from each packet. Older tcpdump releases captured only the first 68 or 96 bytes by default, enough for headers but not for payloads; modern versions default to 262144 bytes, which covers whole packets. If you need full packets for later analysis, specify the size explicitly.
-s0 means "capture the maximum" and is the safe choice; the trade-off is larger capture files.
- With -e option
Prints the link-level header on each dump line, i.e. the source and destination MAC addresses (and VLAN tag or EtherType where present). This is useful for identifying which device actually sent a packet, for example when looking for ARP spoofing.
- With -w option
Writes the raw captured packets to a file in pcap format instead of printing decoded output. The file can be read later with tcpdump -r or opened in Wireshark. Only the captured bytes are stored, so combine -w with -s0 when the payloads matter.
- With -r option
Reads packets from a file saved with -w; the same filters and display options apply. This works offline and does not need root privileges.
- Filter on a particular port
To capture only packets with a given source or destination port:
tcpdump -c 5 -i ens33 port 80
To exclude a port instead, negate the primitive:
tcpdump -c 5 -i ens33 'not port 80'
tcpdump also accepts ! as a synonym for not, so the form 'port !80' is equivalent. Filter terms combine with and, or and not (not binds tightest, then and, then or; use parentheses to group). Quote the whole expression so the shell does not interpret characters such as ! or parentheses.
- Capture packets from or to a particular host
tcpdump -i ens33 -c 5 src host 10.10.1.1
tcpdump -i ens33 -c 5 dst host 10.10.1.1
Plain host 10.10.1.1 matches both directions.
- Filter by protocol
tcpdump -i ens33 icmp
The protocol keywords include tcp, udp, icmp and arp.
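The following shell script is an added example, not code from the original page. It ties the options above together: build_filter composes a BPF expression from host, port, protocol and excluded-port pieces with the correct use of and/not; capture_cmd prints the full capture command with -nn, -i, -c, -s 0 and -w (printed rather than executed, since live capture needs root); and pcap_snaplen reads the 24-byte global header of a file written with -w to confirm which snaplen it was captured with. The interface ens33, the file name web.pcap and the filter values are illustrative assumptions.

```shell
#!/bin/sh
# Added example, not code from the original page: compose a tcpdump
# capture command from the options discussed above (-nn, -i, -c, -s 0, -w)
# and a BPF filter built from host/port/protocol pieces, then inspect the
# snaplen a -w file was written with. Interface, file and filter values
# are illustrative assumptions.

# build_filter HOST PORT PROTO EXCLUDE_PORT
# Any argument may be empty; non-empty pieces are joined with "and".
# "not" binds tighter than "and", so "not port X" excludes only that port.
build_filter() {
    host=$1; port=$2; proto=$3; exclude_port=$4
    f=""
    [ -n "$host" ]         && f="host $host"
    [ -n "$port" ]         && f="${f:+$f and }port $port"
    [ -n "$proto" ]        && f="${f:+$f and }$proto"
    [ -n "$exclude_port" ] && f="${f:+$f and }not port $exclude_port"
    printf '%s\n' "$f"
}

# capture_cmd IFACE COUNT OUTFILE FILTER
# Prints the command instead of running it, because live capture needs
# root (CAP_NET_RAW). The filter is single-quoted so the shell never
# interprets "!" or parentheses inside it.
capture_cmd() {
    printf "tcpdump -nn -i %s -c %s -s 0 -w %s '%s'\n" "$1" "$2" "$3" "$4"
}

# pcap_snaplen FILE
# A pcap file starts with a 24-byte global header; bytes 16..19 hold the
# snaplen in the file's byte order, which the magic number in bytes 0..3
# reveals. Run it on a -w file to confirm -s 0 really gave you 262144.
pcap_snaplen() {
    hdr=$(od -An -v -tx1 -N24 "$1" | tr -d ' \n')
    [ "${#hdr}" -eq 48 ] || { echo "$1: header too short" >&2; return 1; }
    magic=$(printf '%s' "$hdr" | cut -c1-8)
    raw=$(printf '%s' "$hdr" | cut -c33-40)     # hex of bytes 16..19
    case $magic in
        d4c3b2a1|4d3cb2a1)   # little-endian, microsecond or nanosecond pcap
            hex=$(printf '%s' "$raw" | cut -c7-8)$(printf '%s' "$raw" | cut -c5-6)
            hex=$hex$(printf '%s' "$raw" | cut -c3-4)$(printf '%s' "$raw" | cut -c1-2) ;;
        a1b2c3d4|a1b23c4d)   # big-endian
            hex=$raw ;;
        *)
            echo "$1: not a pcap file (magic $magic)" >&2; return 1 ;;
    esac
    printf '%d\n' "0x$hex"
}

# Stand-alone demo: the command for 5 packets to/from 10.10.1.1 on port 80,
# excluding SSH, written in full to web.pcap.
capture_cmd ens33 5 web.pcap "$(build_filter 10.10.1.1 80 '' 22)"
```

After running the printed command as root, pcap_snaplen web.pcap should report 262144; a value of 96 or 68 means the file came from an old default and payloads are truncated. pcap_snaplen also rejects files with an unknown magic number, such as pcapng files from Wireshark, rather than returning a meaningless number.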