How to use tcpdump Command With Examples on Linux CentOS 5/CentOS 6/RHEL 5/RHEL 6

Tcpdump is a tool to dump the traffic on a network. It’s a packet sniffer that able to capture traffic that passes through a machine. It operates on a packet level, meaning that it captures the actual packets that fly in and out of your computer. If your linux server haven’t installed with tcpdump package, you can refer to the previous post on the quick step to install tcpdump. This tcpdump command with examples steps has been tested on Linux CentOS 5/CentOS 6/CentOS 7/RHEL 5/RHEL 6 / RHEL 7.

tcpdump Command With Examples

How to use Tcpdump Command with Examples on Linux

There are a few tcpdump command with examples that i will share with you. -w option will writes the packets into .pcap file. The extension should be always .pcap as it can be read by any network protocol analyzer.

1. To see any available network interface that can be monitor using option -D :

# tcpdump -D
1.eth0
2.usbmon1 (USB bus number 1)
3.usbmon2 (USB bus number 2)
4.any (Pseudo-device that captures on all interfaces)
5.lo

2. View the incoming packets on port 80 in real-time for apache web server, then save it to port80-apache1.pcap. By using this command, you can analyze where packets were coming from or being sent to :

# tcpdump -w port80-apache1.pcap -i eth0 tcp port 80

3. Execute tcpdump command without any additional option, it will capture all the packets flowing through all the interfaces. Just run -i option with tcpdump command as below :

# tcpdump -w filename.pcap -i eth0

4. Capture only N number of packets. This can be done using tcpdump -c command. This example will only capture 3 packet :

# tcpdump -c 3 -i eth0
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
21:22:18.777243 IP centos62.ehowstuff.local.ssh > 192.168.1.52.pq-lic-mgmt: Flags [.], ack 4148066988, win 17688, options [nop,nop,TS val 790832 ecr 135264], length 0
21:22:18.783396 IP centos62.ehowstuff.local.ssh > 192.168.1.52.pq-lic-mgmt: Flags [P.], seq 0:196, ack 1, win 17688, options [nop,nop,TS val 790838 ecr 135264], length 196
21:22:18.785458 ARP, Request who-has 192.168.1.1 tell centos62.ehowstuff.local, length 28
3 packets captured
15 packets received by filter
0 packets dropped by kernel

5. Read the packets using tcpdump -r for the saved file as per example below :

See also  How to Install PHP on RHEL 6

Capture 3 packet and save it to test.pcap

# tcpdump -w test.pcap -c 3 -i eth0
tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
3 packets captured
3 packets received by filter
0 packets dropped by kernel

Try to read test.pcap using tcpdump -r command :

# tcpdump -r test.pcap
reading from file test.pcap, link-type EN10MB (Ethernet)
21:24:51.199237 IP centos62.ehowstuff.local.ssh > 192.168.1.52.pq-lic-mgmt: Flags [P.], seq 693745553:693745685, ack 4148082568, win 17688, options [nop,nop,TS val 943254 ecr 136793], length 132
21:24:51.201339 IP 192.168.1.52.pq-lic-mgmt > centos62.ehowstuff.local.ssh: Flags [P.], seq 1:53, ack 132, win 17232, options [nop,nop,TS val 136793 ecr 943254], length 52
21:24:51.241386 IP centos62.ehowstuff.local.ssh > 192.168.1.52.pq-lic-mgmt: Flags [.], ack 53, win 17688, options [nop,nop,TS val 943296 ecr 136793], length 0

6. tcpdump allows you to define port range as bellow for capturing packets based on a range of tcp port. Examples below will capture the packet from port 21 until 80.

# tcpdump tcp portrange 21-80

I hope this article gives you some ideas and essential guidance on how to use tcpdump Command with Examples on Linux CentOS 5/CentOS 6/CentOS 7/RHEL 5/RHEL 6 / RHEL 7

See also  How to Change the Hostname on CentOS 5.5 Server

 

How to Reset the Directory Manager Password on RHEL 7 / CentOS 7
How to Reset the Directory Manager Password on RHEL 7 / CentOS 7

It is best practice to remember passwords, but because too many passwords, sometimes we forget. We are not encouraged to write the password on any paper or share the password...

How to Find Big Files Size on Linux RHEL/CentOS
How to Find Big Files Size on Linux RHEL/CentOS

As the linux administrator, sometimes we have to identify which files are most take much space in the linux server resulting in low free space. Low disk space can also...

Why Linux users should worry about malware and what they can do about it
Why Linux users should worry about malware and what they can do about it

Don’t drop your guard just because you’re running Linux. Preventing the spread of malware and/or dealing with the consequences of infection are a fact of life when using computers. If...

How to Reset Forgotten Root Password on Linux RHEL 7 / CentOS 7
How to Reset Forgotten Root Password on Linux RHEL 7 / CentOS 7

This short howto will explain the steps to reset a lost root password or to reset a forgotten root password on Linux RHEL 7 or CentOS 7. Basically, we will...

How to Update CentOS or Upgrade CentOS to the Latest Version
How to Update CentOS or Upgrade CentOS to the Latest Version

Recently, the latest version of CentOS 7.3 was released. All users of CentOS 7.0, 7.1 and 7.2 can upgrade their system to the most recent. This quick guide will explain...

How to Change your WordPress Username, Nickname and Display Name in MySQL
How to Change your WordPress Username, Nickname and Display Name in MySQL

After you create an account log in WordPress, you may want to change your WordPress username, as appropriate or due to security reason. However, you can not do this from...

How to Enable SSH Root Login on Ubuntu 16.04
How to Enable SSH Root Login on Ubuntu 16.04

As what we wrote in the previous article on how to allow SSH root on Ubuntu 14.04, after installing a fresh new copy of Ubuntu 16.04 LTS, we find that...

How to Change UUID of Linux Partition on CentOS 7
How to Change UUID of Linux Partition on CentOS 7

UUID (Universally Unique IDentifier) should be unique and it is used to identify storage devices on a linux system. If you cloned a virtual machine from vCenter, the metadata containing...

Leave a Reply

Your email address will not be published. Required fields are marked *