how to read tcpdump output

Services
- Infrastructure
  - iColocation
- Compute
  - cMetal
  - cVirtual
- Storage
  - sObject
  - sBlock
- Networking
- Protection
  - pBackup
  - pDDoS
Solutions
- Ecommerce
- Security
- Gaming
- Hosting
- Management
- Finance
- System Integrator
Dashboard

Psychz - Sachin

Votes: 0Posted On: Jul 31, 2017 04:23:17

Tcpdump is a tool used to analyze packets incident on a server. It runs under the command line and is a very useful network tool. It displays the packets(TCP/IP) transmitted or received by a network. Tcpdump is a free tool licensed under BSD license. You can also write the contents of tcpdump to a file. You will have to install tcpdump before start using it.

Installation

Please run the following commands to install "tcpdump".

Ubuntu/Debian family - apt-get install tcpdump

Centos/RHEL - yum install tcpdump

Tcpdump command with options

If you run the Tcpdump command without any options, the tcpdump will start displaying packets indefinitely until you suspend the operation. Here are some of the commonly used options.

Translating Hostnames and Ports

tcpdump -n

The "-n" option is used to translate the hostname and ports. Without this option, the output displays hostname which is converted to it's corresponding IP address.

A verbose output

tcpdump -v

The "-v" option stands for verbose. when you use the "-v" option, the output is displayed in a verbose manner. You can also use "v" multiple times for an even verbose output. For example - "tcpdump -vvvv".

Specifying the number of packets

tcpdump -c

The "-c" option is used to limit the number of packets to be captured. We can enter the number of packets we want to capture infront of the "-c" option. For example, the following command will capture 20 packets and suspend automatically.

"tcpdump -c 20"

Specifying an interface

tcpdump -i

The "-i" option lets you specify the network interface you want the packets to be captured from. There may be multiple network interfaces in a system. Use the "ifconfig" command to list all the interfaces. For example, the following command will capture the packets of "eth0" interface.

"tcpdump -i eth0"

Writing the output to file

tcpdump -w path_of_the_file

The "-w" option lets you write the output of tcpdump to a file which you can save for further analysis.

Reading the output from a file

tcpdump -r path_of_the_file

The "-r" option lets you read the output of a file. All you have to do is use the "-r" option with tcpdump command and specify the path of the file you want to read.

Capturing by Packet Size

tpcdump -s

The "-s" option enables you to set the size of each packet to be captured. The default packet length is 65535 bytes. For example, the following command will capture the packets upto 100 bytes.

"tcpdump -s 100"

The "tcpdump" contains a variety of commands you can use to analyze the packets thoroughly. Once you have mastered these options, please go to the man page of tcpdump to view more about the command.

man tcpdump