TCPDump
Network Sniffer and Packet Analyzer
Introduction
tcpdump is a command-line tool for capturing and analyzing network traffic. It is widely used by system administrators and cybersecurity professionals to diagnose network issues, monitor packets, and investigate security incidents.
Features
- Packet Capture: Capture live traffic from network interfaces.
- Filtering: Use BPF (Berkeley Packet Filter) syntax to filter packets by protocol, host, port, or content.
- Protocol Support: Decode protocols like TCP, UDP, ICMP, HTTP, DNS, and TLS.
- File Output: Save captures to .pcap files for later analysis (compatible with Wireshark).
- Lightweight: Minimal resource usage compared to GUI-based tools.
Installation
- Open a terminal.
- Install tcpdump using:
sudo pacman -S tcpdump
Install Verification
Check the version to confirm installation:
tcpdump --version
Uninstall
sudo pacman -R tcpdump
Usage
Basic Commands
Capture Traffic on a Specific Interface
sudo tcpdump -i eth0
Save Capture to a File
sudo tcpdump -i eth0 -w capture.pcap
Read Packets from a File
tcpdump -r capture.pcap
Filtering Examples
Filter by Protocol (e.g., ICMP)
sudo tcpdump -i eth0 icmp
Filter Traffic for a Specific Host
sudo tcpdump -i eth0 host 192.168.1.1
Filter Traffic on a Specific Port (e.g., HTTP)
sudo tcpdump -i eth0 port 80
Advanced Filters
Capture TCP Traffic Between Two Hosts
sudo tcpdump -i eth0 tcp and host 192.168.1.10 and host 192.168.1.20
Display Packet Contents in ASCII/Hex
sudo tcpdump -i eth0 -A
-A prints each packet's payload in ASCII only; use -X instead to print the payload in both hex and ASCII.
Example Workflow
Capture DNS Queries
sudo tcpdump -i eth0 port 53
Capture HTTP GET Requests
sudo tcpdump -i eth0 'tcp[((tcp[12:1] & 0xf0) >> 2):4] = 0x47455420'
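The filter above works because byte 12 of the TCP header carries the data offset in 32-bit words in its upper nibble, so (tcp[12:1] & 0xf0) >> 2 is the header length in bytes and the 4 bytes at that offset are the start of the payload (0x47455420 is ASCII "GET "). The following Python is an added example, not part of the page or of tcpdump, that reproduces that arithmetic on constructed TCP segments, including one with TCP options so the header is longer than 20 bytes:

```python
import struct

# tcpdump filter: tcp[((tcp[12:1] & 0xf0) >> 2):4] = 0x47455420
GET_MAGIC = 0x47455420  # ASCII "GET "


def tcp_header_len(tcp: bytes) -> int:
    """Header length in bytes, exactly as (tcp[12:1] & 0xf0) >> 2 computes it."""
    # Upper nibble of byte 12 = data offset in 32-bit words. Shifting right by 4
    # gives words and multiplying by 4 gives bytes; combined that is >> 2.
    return (tcp[12] & 0xF0) >> 2


def is_http_get(tcp: bytes) -> bool:
    """True when the TCP payload begins with 'GET ', mirroring the BPF filter."""
    if len(tcp) < 20:
        return False  # shorter than a minimal TCP header
    off = tcp_header_len(tcp)
    if off < 20 or len(tcp) < off + 4:
        return False  # bogus data offset, or fewer than 4 payload bytes to test
    return struct.unpack("!I", tcp[off:off + 4])[0] == GET_MAGIC


def build_tcp(payload: bytes, options: bytes = b"") -> bytes:
    """Constructed TCP segment for testing (sample input, not a real capture)."""
    assert len(options) % 4 == 0, "TCP options are padded to 32-bit words"
    data_offset_words = (20 + len(options)) // 4
    header = struct.pack(
        "!HHIIBBHHH",
        54321, 80,               # source port, destination port 80
        1, 0,                    # sequence and acknowledgement numbers
        data_offset_words << 4,  # byte 12: data offset in the upper nibble
        0x18,                    # flags: PSH|ACK
        65535, 0, 0,             # window, checksum (not computed), urgent pointer
    )
    return header + options + payload


if __name__ == "__main__":
    plain = build_tcp(b"GET / HTTP/1.1\r\n")
    with_opts = build_tcp(b"GET /index.html HTTP/1.1\r\n", options=b"\x01" * 12)  # 12 NOPs
    post = build_tcp(b"POST /login HTTP/1.1\r\n")
    for name, seg in (("plain", plain), ("with_opts", with_opts), ("post", post)):
        print(f"{name}: header {tcp_header_len(seg)} bytes, GET={is_http_get(seg)}")
```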
Official Documentation & More Info
Contributing
tcpdump is maintained by the TCPDUMP Group. Contributions are welcome via patches or bug reports.
Support
- Ask questions on the tcpdump mailing list.
- Check the FAQ for troubleshooting.
License
tcpdump is released under the BSD 3-Clause License.