Tcpdump: The Basics -

Learn how to use Tcpdump to save, filter, and display packets.

The Tcpdump tool and its libpcap library are written in C and C++ and were released for
Unix-like systems in the late 1980s or early 1990s. Consequently, they are very stable
and offer optimal speed. The libpcap library is the foundation for various other
networking tools today. Moreover, it was ported to MS Windows as winpcap.

Basic Packet Capture

You can run tcpdump without providing any arguments; however, this is only useful to
test that you have it installed! In any real scenario, we must be specific about what to
listen to, where to write, and how to display the packets.

Specify The Network Interface

he first thing to decide is which network interface to listen to using -i INTERFACE. You
can choose to listen on all available interfaces using -i any; alternatively, you can specify
an interface you want to listen on, such as -i eth0.

A command such as ip address show (or merely ip a s) would list the available network
interfaces.

Save The Captured Packets

In many cases, you should check the captured packets again later. This can be achieved
by saving to a file using -w FILE. The file extension is most commonly set to .pcap. The
saved packets can be inspected later using another program, such as Wireshark. You
won’t see the packets scrolling when you choose the -w option.

Read Capture Packets From A File

You can use Tcpdump to read packets from a file by using -r FILE. This is very useful for
learning about protocol behaviour. You can capture network traffic over a suitable time
frame to inspect a specific protocol, then read the captured file while applying filters to
display the packets you are interested in. Furthermore, it might be a packet capture file
that contains a network attack that took place, and you inspect it to analyze the attack.

Limit the Number of Captured Packets

You can specify the number of packets to capture by specifying the count using -c
COUNT. Without specifying a count, the packet capture will continue till you interrupt it,
for example, by pressing CTRL-C. Depending on your goal, you only need a limited
number of packets.

Don’t Resolve IP Addresses and Port Numbers

Tcpdump will resolve IP addresses and print friendly domain names where possible. To
avoid making such DNS lookups, you can use the -n argument. Similarly, if you don’t
want port numbers to be resolved, such as 80 being resolved to http, you can use the -
nn to stop both DNS and port number lookups. Consider the following example shown in
the terminal below. We captured and displayed five packets without resolving the IP
addresses.

Produce (More) Verbose Output

If you want to print more details about the packets, you can use -v to produce a slightly
more verbose output. According to the Tcpdump manual page (man tcpdump), the
addition of -v will print “the time to live, identification, total length and options in an IP
packet” among other checks. The -vv will produce more verbose output; the -vvv will
provide even more verbosity; check the manual page for details.

Summary & Examples

Command Explanation
tcpdump -i INTERFACE Captures packets on a specific network interface
tcpdump -w FILE Writes captured packets to a file
tcpdump -r FILE Reads captured packets from a file
tcpdump -c COUNT Captures a specific number of packets
tcpdump -n Don’t resolve IP addresses
tcpdump -nn Don’t resolve IP addresses and don’t resolve protocol numbers
tcpdump -v Verbose display; verbosity can be increased with -vv and -vvv

Consider the following examples:

 tcpdump -i eth0 -c 50 -v captures and displays 50 packets by listening on the eth0

interface, which is a wired Ethernet, and displays them verbosely.
 tcpdump -i wlo1 -w data.pcap captures packets by listening on the wlo1 interface
(the WiFi interface) and writes the packets to data.pcap. It will continue till the user
interrupts the capture by pressing CTRL-C.
 tcpdump -i any -nn captures packets on all interfaces and displays them on screen
without domain name or protocol resolution.

Filtering Options
Filtering By Host
Let’s say you are only interested in IP packets exchanged with your network printer or a
specific game server. You can easily limit the captured packets to this host using host IP
or host HOSTNAME. It is important to note that capturing packets requires you to be
logged-in as root or to use sudo.

If you want to limit the packets to those from a particular source IP address or hostname,
you must use src host IP or src host HOSTNAME. Similarly, you can limit packets to those
sent to a specific destination using dst host IP or dst host HOSTNAME.

Filtering By Port
If you want to capture all DNS traffic, you can limit the captured packets to those on port
53. Remember that DNS uses UDP and TCP ports 53 by default. In the following example,
we can see all the DNS queries read by our network card. The terminal below shows two
DNS queries: the first query requests the IPv4 address used by example.org, while the
second requests the IPv6 address associated with example.org.
user@TryHackMe$ sudo tcpdump -i ens5 port 53 -n
[sudo] password for strategos:
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), snapshot length 262144 bytes
17:26:33.591670 IP 192.168.139.132.47902 > 192.168.139.2.53: 47108+ A?
example.org. (29)
17:26:33.591717 IP 192.168.139.132.47902 > 192.168.139.2.53: 5+ AAAA?
Example.org. (29)
17:26:33.593324 IP 192.168.139.2.53 > 192.168.139.132.47902: 47108 1/0/0 A
93.184.215.14 (45)
17:26:33.593325 IP 192.168.139.2.53 > 192.168.139.132.47902: 5 1/0/0 AAAA
2606:2800:21f:cb07:6820:80da:af6b:8b2c (57)
[...] ^C
12 packets captured
12 packets received by filter
0 packets dropped by kernel

In the above example, we captured all the packets sent to or from a specific port
number. You can limit the packets to those from a particular source port number or to a
particular destination port number using src port PORT_NUMBER and dst port
PORT_NUMBER, respectively.

Filtering By Protocol
The final type of filtering we will cover is filtering by protocol. You can limit your packet
capture to a specific protocol; examples include: ip, ip6, udp, tcp, and icmp. In the
example below, we limit our packet capture to ICMP packets. We can see an ICMP echo
request and reply, which is a possible indication that someone is running the ping
command. There is also an ICMP time exceeded; this might be due to running the
traceroute command
user@TryHackMe$ sudo tcpdump -i ens5 icmp -n
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), snapshot length 262144 bytes
18:11:00.624681 IP 192.168.139.132 > 93.184.215.14: ICMP echo request, id 47038,
seq 1, length 64
18:11:00.781482 IP 93.184.215.14 > 192.168.139.132: ICMP echo reply, id 47038,
seq 1, length 64
18:11:04.168792 IP 192.168.139.2 > 192.168.139.132: ICMP time exceeded in-
transit, length 68
18:11:04.168815 IP 192.168.139.2 > 192.168.139.132: ICMP time exceeded in-
transit, length 68
[...]
18:11:14.857188 IP 93.184.215.14 > 192.168.139.132: ICMP 93.184.215.14 udp port
33495 unreachable, length 68
^C
52 packets captured
52 packets received by filter
0 packets dropped by kernel

Logical Operators
Three logical operators that can be handy:

 and: Captures packets where both conditions are true. For example, tcpdump host
1.1.1.1 and tcp captures tcp traffic with host 1.1.1.1.
 or: Captures packets when either one of the conditions is true. For instance,
tcpdump udp or icmp captures UDP or ICMP traffic.
 not: Captures packets when the condition is not true. For example, tcpdump not
tcp captures all packets except TCP segments; we expect to find UDP, ICMP, and
ARP packets among the results.

Summary & Examples

Command Explanation
tcpdump host IP or tcpdump
Filters packets by IP address or hostname
host HOSTNAME
tcpdump src host IP or Filters packets by a specific source host
tcpdump dst host IP Filters packets by a specific destination host
tcpdump port PORT_NUMBER Filters packets by port number
tcpdump src port
Filters packets by the specified source port number
PORT_NUMBER
tcpdump dst port
Filters packets by the specified destination port number
PORT_NUMBER
tcpdump PROTOCOL Filters packets by protocol; examples include ip, ip6, and icmp

Consider the following examples:

  tcpdump -i any tcp port 22 listens on all interfaces and captures tcp packets to or
from port 22, i.e., SSH traffic.
 tcpdump -i wlo1 udp port 123 listens on the WiFi network card and filters udp
traffic to port 123, the Network Time Protocol (NTP).
 tcpdump -i eth0 host example.com and tcp port 443 -w https.pcap will listen on
eth0, the wired Ethernet interface and filter traffic exchanged with example.com
that uses tcp and port 443. In other words, this command is filtering HTTPS traffic
related to example.com.

Advanced Filtering
There are many more ways to filter packets. After all, in any real-life situation, we would
need to filter through thousands or even millions of packets. It is indispensable to be
able to express the exact packets to display. For example, we can limit the displayed
packets to those smaller or larger than a certain length:

 greater LENGTH: Filters packets that have a length greater than or equal to the
specified length
 less LENGTH: Filters packets that have a length less than or equal to the specified
length

You can check the pcap-filter by typing man pcap-filter for more information.

Binary Operations
Before proceeding, it is worth visiting binary operations. A binary operation works on
bits, i.e., zeroes and ones. An operation takes one or two bits and returns one bit. Let’s
explain in more depth and consider the following three binary operations: &, |, and !.

& (And) takes two bits and returns 0 unless both inputs are 1, as shown in the table
below.

Input 1 Input 2 Input1 & Input 2

0 0 0
0 1 0
1 0 0
1 1 1

| (Or) takes two bits and returns 1 unless both inputs are 0. This is shown in the table
below.

Input 1 Input 2 Input 1 | Input 2

0 0 0
 0 1 1
1 0 1
1 1 1

! (Not) takes one bit and inverts it; an input of 1 gives 0, and an input of 0 gives 1, as
shown in the table below.

Input 1 ! Input 1
0 1
1 0

Header Bytes
The purpose of this section is to be able to filter packets based on the contents of a
header byte. Consider the following protocols: ARP, Ethernet, ICMP, IP, TCP, and UDP.
These are just a few networking protocols we have studied. How can we tell Tcpdump to
filter packets based on the contents of protocol header bytes? (We will not go into details
about the headers of each protocol as this is beyond the scope of this room; instead, we
will focus on TCP flags.)

Using pcap-filter, Tcpdump allows you to refer to the contents of any byte in the header
using the following syntax proto[expr:size], where:

 proto refers to the protocol. For example, arp, ether, icmp, ip, ip6, tcp, and udp
refer to ARP, Ethernet, ICMP, IPv4, IPv6, TCP, and UDP respectively.
 expr indicates the byte offset, where 0 refers to the first byte.
 size indicates the number of bytes that interest us, which can be one, two, or four.
It is optional and is one by default.

To better understand this, consider the following two examples from the pcap-filter
manual page:

 ether[0] & 1 != 0 takes the first byte in the Ethernet header and the decimal
number 1 (i.e., 0000 0001 in binary) and applies the & (the And binary operation).
It will return true if the result is not equal to the number 0 (i.e., 0000 0000). The
purpose of this filter is to show packets sent to a multicast address. A multicast
Ethernet address is a particular address that identifies a group of devices intended
to receive the same data.
  ip[0] & 0xf != 5 takes the first byte in the IP header and compares it with the
hexadecimal number F (i.e., 0000 1111 in binary). It will return true if the result is
not equal to the (decimal) number 5 (i.e., 0000 0101 in binary). The purpose of this
filter is to catch all IP packets with options.

You can use tcp[tcpflags] to refer to the TCP flags field. The following TCP flags are
available to compare with:

 tcp-syn TCP SYN (Synchronize)

 tcp-ack TCP ACK (Acknowledge)
 tcp-fin TCP FIN (Finish)
 tcp-rst TCP RST (Reset)
 tcp-push TCP Push

Based on the above, we can write:

 tcpdump "tcp[tcpflags] == tcp-syn" to capture TCP packets with only the SYN
(Synchronize) flag set, while all the other flags are unset.
 tcpdump "tcp[tcpflags] & tcp-syn != 0" to capture TCP packets with at least the
SYN (Synchronize) flag set.
 tcpdump "tcp[tcpflags] & (tcp-syn|tcp-ack) != 0" to capture TCP packets with at
least the SYN (Synchronize) or ACK (Acknowledge) flags set.

Displaying Packets
Tcpdump is a rich program with many options to customize how the packets are printed
and displayed. We have selected to cover the following five options:

 -q: Quick output; print brief packet information

 -e: Print the link-level header
 -A: Show packet data in ASCII
 -xx: Show packet data in hexadecimal format, referred to as hex
 -X: Show packet headers and data in hex and ASCII

Brief Packet Information

If you prefer shorter output lines, you can opt for “quick” output with -q. The following
example shows the timestamp, along with the source and destination IP addresses and
source and destination port numbers.

user@TryHackMe$ tcpdump -r TwoPackets.pcap -q

reading from file TwoPackets.pcap, link-type EN10MB (Ethernet), snapshot
length 262144
18:59:59.979771 IP 104.18.12.149.https > g5000.45248: tcp 25
18:59:59.980574 IP g5000.45248 > 104.18.12.149.https: tcp 29
 Displaying Link-Level Header
If you are on an Ethernet or WiFi network and want to include the MAC addresses in
Tcpdump output, all you need to do is to add -e. This is convenient when you are
learning how specific protocols, such as ARP and DHCP function. It can also help you
track the source of any unusual packets on your network.

Displaying Packets as ASCII

ASCII stands for American Standard Code for Information Interchange; ASCII codes
represent text. In other words, you can expect -A to display all the bytes mapped to
English letters, numbers, and symbols.

Displaying Packets in Hexadecimal Format

ASCII format works well when the packet contents are plain-text English. It won’t work if
the contents have undergone encryption or even compression. Furthermore, it won’t
work for languages that don’t use the English alphabet. Hence, we need another way to
display the packet contents regardless of format. Being 8 bits, any octet can be
displayed as two hexadecimal digits. (Each hexadecimal digit represents 4 bits.) To
display the packets in hexadecimal format, we must add -xx.

Best of Both Worlds

If you would like to display the captured packets in hexadecimal and ASCII formats,
Tcpdump makes it easy with the -X option.

Summary
The table below provides a summary of the command line options that we covered.

Command Explanation
tcpdump -q Quick and quite: brief packet information
tcpdump -e Include MAC addresses
tcpdump -A Print packets as ASCII encoding
tcpdump -xx Display packets in hexadecimal format
tcpdump -X Show packets in both hexadecimal and ASCII formats