tcpdump cheat sheet
To see all network traffic happening on a Linux system or the network, the tcpdump tool is a seasoned tool for the task. For network engineers it might be easy to use, but for the average person the amount of options might be overwhelming. This cheat sheet dives into what tcpdump can do, with examples that are often used to troubleshoot issues and monitor the network.
Basic options
Some of the common options to use on tcpdump include:
Short option | Long option | What the option does |
---|---|---|
-i IFACE | --interface=IFACE | Select IFACE as the interface on which to capture |
-D | --list-interfaces | Show available interfaces that can be used |
-n | Do not resolve hostnames, protocols, etc. | |
-q | Quick/quiet output | |
-r FILE.pcap | Read an earlier packet capture session | |
-v | Verbose output | |
-vv | More verbose | |
-vvv | Most verbose | |
-w FILE.pcap | Store the captured packets in a file |
Creating a shell script? Then we suggest using the long format option, as this improves the readability. For quick use of on the command-line consider using the short notation of the related option.
Filter expressions
By only providing options, tcpdump will display all relevant captured packets. This is typically not what we want, especially when we want to zoom in on a specific host or protocol. For this purpose tcpdump uses filter expressions.
Filter | Intended goal | Example |
---|---|---|
host | Filter by source or destination host | tcpdump host 10.0.1.1 |
port | Filter by port number or service name | tcpdump port 80 |
src host | Filter by source host | tcpdump src host 10.2.3.1 |
Operators
In the filter expressions it is common to combine multiple filters. For example, one of the communicating hosts in combination with a port. Some of the operators include:
- not (!)
- and (&&)
- or (||)
- less (<)
- greater (>)
If two filters need to match, we can use with an AND operator:
tcpdump host 10.2.3.1 and port 80
When we throw in a ’not’, we can see all traffic for one host, except SSH traffic using a combination:
tcpdump host 10.4.2.3 and not port 22
Protocols
Some protocols can be defined as-is, limiting output to only those protocols.
- icmp
- tcp
- udp
Interfaces and traffic isolation
Typically a system has more than one interface available. To prevent being overloaded with too much traffic, it is wise to isolate the traffic. This can be done with the --interface= by defining the specific interface on which network packets is captured.
Show available interfaces
Modern Linux distributions have typically more interfaces than you would initially think. Use the option --list-interfaces to display all available interfaces, including those for netfilter, Bluetooth, D-Bus.
# tcpdump --list-interfaces
1.ens3 [Up, Running, Connected]
2.any (Pseudo-device that captures on all interfaces) [Up, Running]
3.lo [Up, Running, Loopback]
4.bluetooth-monitor (Bluetooth Linux Monitor) [Wireless]
5.nflog (Linux netfilter log (NFLOG) interface) [none]
6.nfqueue (Linux netfilter queue (NFQUEUE) interface) [none]
7.dbus-system (D-Bus system bus) [none]
8.dbus-session (D-Bus session bus) [none]
Capture on all interfaces
To capture traffic on all interface, use ‘any’ as value.
tcpdump -n -i any
Reducing output
For troubleshooting and a first analysis, it may be useful to limit the amount of output. With option -c a count can be set and reduced the number of captured packets.
tcpdump -n -c 10
Increasing output details
tcpdump -nvv port 80
Filter packets
By host
When zooming in on a particular system, we can use host and specify the related host.
tcpdump -n host 192.168.178.16
Only looking for packets coming from a specific host? Add the src statement as well.
tcpdump -n src host 192.168.1.19
By port
Define the port by its protocol name or number. For HTTP connections we could use:
tcpdump -n port http
Or its alternative, by port number:
tcpdump -n port 80
By protocol
Looking for all TCP connections to or from a system? Set the filter to tcp and all other protocols will be ignored.
tcpdump -n tcp
TCP flags
New connections using TCP have multiple flags available, each depending on the state of the connection. Newly created connections have the SYN flag active, so are a great way to filter out all new connections.
tcpdump -i ens18 -n 'tcp[tcpflags] == tcp-syn'
We can also filter specifically the SYN/ACK state, which happens at the beginning.
tcpdump -i ens18 'tcp[13] = 18'
The value 13 comes from the TCP header. In byte 13 the TCP flags are stored.
Useful values to know
- URG = 32
- ACK = 16
- PSH = 8
- RST = 4
- SYN = 2
- FIN = 1
So seeing all TCP connections that come to an end (finish):
# tcpdump 'tcp[13] & 1 != 0'
09:30:53.270658 IP 192.168.1.11.33392 > 192.168.1.12.22: Flags [F.], seq 2535494855, ack 1906495977, win 501, options [nop,nop,TS val 3548246170 ecr 1901198083], length 0
ARP
tcpdump -n ether proto 0x0806
or easier:
tcpdump -n arp
IPv6
tcpdump ip6
Packet size
We can also filter on size, which is in the case of tcpdump the total length. This includes link layer, IP, and for example TCP headers.
tcpdump -n len greater 1000
Depending on the protocol, you have to carefully look (and monitor) what intended length you are searching for. See UDP example below.
UDP
UDP does not have a length specified, so if you are looking to filter for those specifically, a little bit of size counting is needed.
- IP header is at a minimum 20 bytes and 60 bytes maximum
- UDP header is 8 bytes
- UDP payload
So to filter for very small UDP packets of 4 bytes or less (20+8+4=32), we can use:
tcpdump -n 'ip[2:2] <= 32 and udp'
Combining filters
See all traffic of a particular host, but ignore the SSH connection.
tcpdump -n host 192.168.178.16 and port not 22
Using files
Using filters from a file
When doing repeating captures, the option -F helps to get a filter expression from an external file. This is very useful for constructing more specific filters that are harder to remember.
tcpdump -n -c 10 -F tcpdump-filter-arp-only
Store output in a file
Tcpdump allows to store a capture in a PCAP file. This file format can be used with other programs, like Wireshark .
tcpdump -n -c 10 -w for-later-analysis.pcap
To read the packet capture, tcpdump can also be used again.
tcpdump -r for-later-analysis.pcap