Linux Administrator

How to:- Install tcpdump on CentOS/Redhat 5/6/7/8 Version – yum/rpm

In this tutorial you will learn how to install tcpdump  and some command example. Tcpdump is a type of packet analyzer software utility that monitors and logs TCP/IP traffic passing between a network and the computer on which it is executed.

It’s open-source network utility that is freely available under the BSD license. Tcpdump works on the command line interface and provides descriptions of packet content in several formats, depending on the command used.

This is primarily a network monitoring and management utility that captures and records TCP/IP data on the run time. Tcpdump is designed to provide statistics about the number of packets received and captured at the operating node for network performance analysis, debugging and diagnosing network bottlenecks and other network oriented tasks.

You may also like:

Install tcpdump on CentOS/RHEL System

Follow the below steps to install tcpdump on CentOS/RHEL system.

1. Run the below command to verify whether tcpdump is installed or not.

# tcpdump -D
-bash: tcpdump: command not found

2. If not install run the below command to install it.

# yum install tcpdump -y

3. Show available interface that can be monitor.

# tcpdump -D
1.eth0
2.usbmon1 (USB bus number 1)
3.usbmon2 (USB bus number 2)
4.any (Pseudo-device that captures on all interfaces)
5.lo

4. Check the installed version of tcpdump on CentOS 6.x.

# tcpdump --version
tcpdump version 4.1-PRE-CVS_2015_07_23
libpcap version 1.4.0
Usage: tcpdump [-aAdDefhIJKlLnNOpqRStuUvxX] [ -B size ] [ -c count ]
                [ -C file_size ] [ -E algo:secret ] [ -F file ] [ -G seconds ]
                [ -i interface ] [ -j tstamptype ] [ -M secret ]
                [ -P in|out|inout ]
                [ -r file ] [ -s snaplen ] [ -T type ] [ -w file ]
                [ -W filecount ] [ -y datalinktype ] [ -z command ]
                [ -Z user ] [ expression ]

5. Check the installed version of tcpdump on CentOS 7.x.

# tcpdump --version
tcpdump: invalid option -- '-'
tcpdump version 4.5.1
libpcap version 1.5.3
Usage: tcpdump [-aAbdDefhHIJKlLnNOpqRStuUvxX] [ -B size ] [ -c count ]
                [ -C file_size ] [ -E algo:secret ] [ -F file ] [ -G seconds ]
                [ -i interface ] [ -j tstamptype ] [ -M secret ]
                [ -P in|out|inout ]
                [ -r file ] [ -s snaplen ] [ -T type ] [ -V file ] [ -w file ]
                [ -W filecount ] [ -y datalinktype ] [ -z command ]
                [ -Z user ] [ expression ]

Basic Tcpdump Command Examples

Show the HTTPs Traffic

# tcpdump -nnSX port 443

tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on pktap, link-type PKTAP (Apple DLT_PKTAP), capture size 262144 bytes
22:24:44.638181 IP 192.168.63.207.51909 > 216.58.196.106.443: UDP, length 33
	0x0000:  0eb2 d85d dc39 88e9 fe80 f2ee 0800 4500  ...].9........E.
	0x0010:  003d d52e 0000 4011 0865 c0a8 3fcf d83a  [email protected]?..:
	0x0020:  c46a cac5 01bb 0029 5473 481c 942c ee01  .j.....)TsH..,..
	0x0030:  466b 662d 5d8d 0b6d e459 87e2 c993 b2d5  Fkf-]..m.Y......
	0x0040:  179f d0e2 91b4 1cca 3606 ac              ........6..
22:24:44.735185 IP 216.58.196.106.443 > 192.168.63.207.51909: UDP, length 28
	0x0000:  88e9 fe80 f2ee 0eb2 d85d dc39 0800 4580  .........].9..E.
	0x0010:  0038 0000 4000 3511 a818 d83a c46a c0a8  [email protected]:.j..
	0x0020:  3fcf 01bb cac5 0024 bce1 4e83 76fc 3129  ?......$..N.v.1)
	0x0030:  3c69 8655 3736 57c9 0374 ba71 7f24 780e  <i.U76W..t.q.$x.
	0x0040:  b22f 3686 f2f0  

Above command will show the HTTPs traffic, In the right side of the output ( it is encrypted ). Like this you can change the port as per your choice.

Monitor All Traffic on Ethernet/Interface

First find the interface which you want to monitor in my example I am running tcpdump command in en0. In your case it should be eth0.

# netstat -I

Name  Mtu   Network       Address            Ipkts Ierrs    Opkts Oerrs  Coll
lo0   16384 <Link#1>                          5596     0     5596     0     0
lo0   16384 127           localhost           5596     -     5596     -     -
lo0   16384 localhost   ::1                   5596     -     5596     -     -
lo0   16384 fe80::1%lo0 fe80:1::1             5596     -     5596     -     -
gif0* 1280  <Link#2>                             0     0        0     0     0
stf0* 1280  <Link#3>                             0     0        0     0     0
XHC0* 0     <Link#4>                             0     0        0     0     0
XHC20 0     <Link#5>                             0     0        0     0     0
en0   1500  <Link#6>    88:e9:fe:80:f2:ee  3842012     0  2944930     0     0
en0   1500  bhi-l0230s- fe80:6::140b:4c29  3842012     -  2944930     -     -
en0   1500  192.168.63    192.168.63.207   3842012     -  2944930     -     -
p2p0  2304  <Link#7>    0a:e9:fe:80:f2:ee        0     0        0     0     0
awdl0 1484  <Link#8>    02:84:28:91:17:72        0     0      214     0     0
awdl0 1484  fe80::84:28 fe80:8::84:28ff:f        0     -      214     -     -
en1   1500  <Link#9>    9e:00:01:61:d8:01        0     0        0     0     0
en2   1500  <Link#10>   9e:00:01:61:d8:00        0     0        0     0     0
bridg 1500  <Link#11>   9e:00:01:61:d8:01        0     0        0     0     0
utun0 2000  <Link#12>                            0     0       17     0     0
utun0 2000  bhi-l0230s- fe80:c::bec2:7439        0     -       17     -     -

Now run the below command.

# tcpdump -I en0

tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on en0, link-type EN10MB (Ethernet), capture size 262144 bytes
22:33:43.964384 IP 192.168.63.207.52021 > del12s01-in-f14.1e100.net.https: UDP, length 33
22:33:43.966916 IP 192.168.63.207.50525 > dns.google.domain: 49613+ PTR? 14.194.250.142.in-addr.arpa. (45)
22:33:44.061246 IP 192.168.63.207.52021 > del12s01-in-f14.1e100.net.https: UDP, length 304
22:33:44.073895 IP del12s01-in-f14.1e100.net.https > 192.168.63.207.52021: UDP, length 26
22:33:44.128842 IP del12s01-in-f14.1e100.net.https > 192.168.63.207.52021: UDP, length 32
22:33:44.137628 IP 192.168.63.207.52021 > del12s01-in-f14.1e100.net.https: UDP, length 33
22:33:44.330450 IP 192.168.63.207.52021 > del12s01-in-f14.1e100.net.https: UDP, length 33
22:33:44.334775 IP del11s05-in-f10.1e100.net.https > 192.168.63.207.51909: UDP, length 161
22:33:44.335162 IP dns.google.domain > 192.168.63.207.50525: 49613 1/0/0 PTR del12s01-in-f14.1e100.net. (84)
22:33:44.336305 IP 192.168.63.207.49721 > dns.google.domain: 11898+ PTR? 8.8.8.8.in-addr.arpa. (38)
22:33:44.341516 IP 192.168.63.207.51909 > del11s05-in-f10.1e100.net.https: UDP, length 33
22:33:44.374333 IP dns.google.domain > 192.168.63.207.49721: 11898 1/0/0 PTR dns.google. (62)
22:33:44.377167 IP 192.168.63.207.52051 > dns.google.domain: 16557+ PTR? 106.196.58.216.in-addr.arpa. (45)
22:33:44.386004 IP del12s01-in-f14.1e100.net.https > 192.168.63.207.52021: UDP, length 26
22:33:44.386007 IP del12s01-in-f14.1e100.net.https > 192.168.63.207.52021: UDP, length 464
22:33:44.386298 IP 192.168.63.207.52021 > del12s01-in-f14.1e100.net.https: UDP, length 39
22:33:44.392256 IP del12s01-in-f14.1e100.net.https > 192.168.63.207.52021: UDP, length 36
22:33:44.396716 IP del12s01-in-f14.1e100.net.https > 192.168.63.207.52021: UDP, length 137
22:33:44.399764 IP 192.168.63.207.52021 > del12s01-in-f14.1e100.net.https: UDP, length 33
22:33:44.424452 IP del12s01-in-f14.1e100.net.https > 192.168.63.207.52021: UDP, length 26

Monitor Traffic by IP Address

You can also monitor traffic by IP address this is the most common command which is used.

# tcpdump host 13.234.208.117

tcpdump: data link type PKTAP
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on pktap, link-type PKTAP (Apple DLT_PKTAP), capture size 262144 bytes
22:45:57.367013 IP 192.168.63.207.64592 > ec2-13-234-208-117.ap-south-1.compute.amazonaws.com.http: Flags [S], seq 3539239920, win 65535, options [mss 1460,nop,wscale 6,nop,nop,TS val 310135746 ecr 0,sackOK,eol], length 0
22:45:57.443581 IP ec2-13-234-208-117.ap-south-1.compute.amazonaws.com.http > 192.168.63.207.64592: Flags [S.], seq 2896228504, ack 3539239921, win 26847, options [mss 1370,sackOK,TS val 466856669 ecr 310135746,nop,wscale 7], length 0
22:45:57.443629 IP 192.168.63.207.64592 > ec2-13-234-208-117.ap-south-1.compute.amazonaws.com.http: Flags [.], ack 1, win 2058, options [nop,nop,TS val 310135822 ecr 466856669], length 0
22:45:57.444190 IP 192.168.63.207.64592 > ec2-13-234-208-117.ap-south-1.compute.amazonaws.com.http: Flags [.], seq 1:1359, ack 1, win 2058, options [nop,nop,TS val 310135822 ecr 466856669], length 1358: HTTP: POST /wp-admin/admin-ajax.php HTTP/1.1
22:45:57.444198 IP 192.168.63.207.64592 > ec2-13-234-208-117.ap-south-1.compute.amazonaws.com.http: Flags [P.], seq 1359:1367, ack 1, win 2058, options [nop,nop,TS val 310135822 ecr 466856669], length 8: HTTP
22:45:57.444566 IP 192.168.63.207.64592 > ec2-13-234-208-117.ap-south-1.compute.amazonaws.com.http: Flags [P.], seq 1367:1599, ack 1, win 2058, options [nop,nop,TS val 310135822 ecr 466856669], length 232: HTTP
22:45:57.526735 IP ec2-13-234-208-117.ap-south-1.compute.amazonaws.com.http > 192.168.63.207.64592: Flags [.], ack 1367, win 232, options [nop,nop,TS val 466856691 ecr 310135822], length 0
22:45:57.526737 IP ec2-13-234-208-117.ap-south-1.compute.amazonaws.com.http > 192.168.63.207.64592: Flags [.], ack 1599, win 253, options [nop,nop,TS val 466856691 ecr 310135822], length 0
22:45:57.759167 IP ec2-13-234-208-117.ap-south-1.compute.amazonaws.com.http > 192.168.63.207.64592: Flags [P.], seq 1:699, ack 1599, win 253, options [nop,nop,TS val 466856748 ecr 310135822], length 698: HTTP: HTTP/1.1 200 OK

Filter Traffic by Source & Destination

Run the below command to capture the Source traffic.

# tcpdump src 13.234.208.117

tcpdump: data link type PKTAP
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on pktap, link-type PKTAP (Apple DLT_PKTAP), capture size 262144 bytes
22:49:12.316783 IP ec2-13-234-208-117.ap-south-1.compute.amazonaws.com.http > 192.168.63.207.64732: Flags [F.], seq 2354751256, ack 1264243161, win 231, options [nop,nop,TS val 466905387 ecr 310324778], length 0
22:49:12.394468 IP ec2-13-234-208-117.ap-south-1.compute.amazonaws.com.http > 192.168.63.207.64732: Flags [.], ack 2, win 231, options [nop,nop,TS val 466905406 ecr 310329720], length 0
22:49:12.394471 IP ec2-13-234-208-117.ap-south-1.compute.amazonaws.com.http > 192.168.63.207.64732: Flags [.], ack 2, win 231, options [nop,nop,TS val 466905406 ecr 310329720], length 0
22:49:20.285971 IP ec2-13-234-208-117.ap-south-1.compute.amazonaws.com.http > 192.168.63.207.64738: Flags [S.], seq 1494685197, ack 2749736154, win 26847, options [mss 1370,sackOK,TS val 466907380 ecr 310337605,nop,wscale 7], length 0
22:49:20.362461 IP ec2-13-234-208-117.ap-south-1.compute.amazonaws.com.http > 192.168.63.207.64738: Flags [.], ack 1369, win 232, options [nop,nop,TS val 466907399 ecr 310337663], length 0
22:49:20.362466 IP ec2-13-234-208-117.ap-south-1.compute.amazonaws.com.http > 192.168.63.207.64738: Flags [.], ack 4085, win 274, options [nop,nop,TS val 466907399 ecr 310337663], length 0
22:49:20.443259 IP ec2-13-234-208-117.ap-south-1.compute.amazonaws.com.http > 192.168.63.207.64738: Flags [.], ack 5443, win 295, options [nop,nop,TS val 466907419 ecr 310337738], length 0
22:49:20.443262 IP ec2-13-234-208-117.ap-south-1.compute.amazonaws.com.http > 192.168.63.207.64738: Flags [.], ack 6801, win 316, options [nop,nop,TS val 466907419 ecr 310337738], length 0
22:49:20.443263 IP ec2-13-234-208-117.ap-south-1.compute.amazonaws.com.http > 192.168.63.207.64738: Flags [.], ack 8159, win 338, options [nop,nop,TS val 466907419 ecr 310337738], length 0
22:49:20.447846 IP ec2-13-234-208-117.ap-south-1.

Run the below command to capture the Destination traffic.

# tcpdump src 192.168.63.207

Capture the Packets by Network

To capture the packets by network and subnet use the net command.

# tcpdump net 192.168.0.0/24

Find the Packet Related with Specific Port

You can also capture the packets using specific port following port number.

tcpdump port 3306
tcpdump src port 2022

Capture Packet Using Protocol

TCP, UDP, ICMP etc.. can also we captured using below command.

# tcpdump icmp

Get only IPv6 Traffic

Now can also show the traffic for particular protocol option.

# tcpdump ip6

Find Traffic Using Port Range

Use port range to find the traffic.

# tcpdump portrange 21-23

PCAP File Creation using tcpdump

It’s often useful to save packet captures into a file for analysis in the future. These files are known as PCAP (PEE-cap) files, and they can be processed by hundreds of different applications, including network analyzers, intrusion detection systems, and of course by tcpdump itself. Here we’re writing to a file called capture_file using the -w switch.

If you want to save the packet in a file to analysis in future. You can use the below command to make a PCAP file it is also called PEE-cap files. Follow the below command to writing all output in a file.

# tcpdump -r captured_file.pcap

FAQS

What is the tcpdump?

tcpdump is command line tool for packet analyzar. Basically using tcpdump command we can analyse network traffic by intercepting and displaying packets that are being created.

How to stop tcpdump command?

In linux based operating system you can stop tcpdump command pressing Ctrl + C key combination.

Where tcpdump command output saved?

If you want to save tcpdump file output you can use “-w” to save the captured TCP/IP packets to a  file.

Which tool is better tcpdump or Wireshark?

For packet capturing both tools are best if the network is having less traffic, that is less than 1000 packet within 60 seconds. If the packets are increase Wireshark capture more with 0.5-1% gain. On behalf of this we can say that Wireshark beats tcpdump in speed of packet capturing.

How can I use tcpdump in Windows 10?

If you want  to use tcpdump in windows system, run tcpdump -D command. This command will list all interface of the system. Now you can run the tcpdump command with ” -i ” as argument, Example : tcpdump -i eth0.

Thank you! for visiting LookLinux.

If you find this tutorial helpful please share with your friends to keep it alive. For more helpful topic browse my website www.looklinux.com. To become an author at LookLinux Submit Article. Stay connected to Facebook.

About the author

mm

Santosh Prasad

Hi! I'm Santosh and I'm here to post some cool article for you. If you have any query and suggestion please comment in comment section.

Leave a Comment