Tcpdump
TCPDump is a powerful command-line packet analyser tool that can be used to capture or filter TCP/IP packets that are received or transferred over a network on a specific interface.
Installing TCPDump
Most Linux distributions include tcpdump by default. If it's not installed, you can install it using a package manager. For example, on Ubuntu or Debian, you would use:
Finding Network Interfaces
You can list all network interfaces using the following command:
This command will list all network interfaces. The active network interfaces are generally eth0 for ethernet, wlan0 for WiFi, and lo for localhost.
Capturing Traffic
Once you've identified the correct network interface, you can use tcpdump to capture traffic. The following command captures all traffic on wlan0 and writes it to capture.pcap:
Replace wlan0 with your network interface.
Reading PCAP files
You can read the captured packets with tcpdump using the -r option:
Example TCPDump Commands
Here are some examples of tcpdump commands to narrow down your analysis to potentially interesting or sensitive information:
Monitor HTTP GET requests:
Capture DNS traffic:
Capture traffic to/from a specific IP address:
Capture traffic on a specific port:
Capture and save traffic to a file:
Capture TCP SYN packets:
Capture ICMP (ping) packets:
Capture all HTTP POSTs:
Capture all packets of length 500:
Capture all packets of a certain length range:
Capture packets from a specific source port:
Capture packets from a specific destination port:
Capture all TCP and UDP packets to or from a particular port:
Capture all TCP packets with the PUSH and ACK flags set:
Capture all UDP packets with a source or destination port of 53 (DNS):
This guide provides a basic introduction to using tcpdump to capture and analyse network traffic. Remember to perform these actions responsibly and only on networks and devices where you have permission.
Last updated