{"id":2619,"date":"2012-05-12T08:37:17","date_gmt":"2012-05-12T00:37:17","guid":{"rendered":"https:\/\/webhostinggeeks.com\/howto\/?p=2619"},"modified":"2023-04-28T09:49:18","modified_gmt":"2023-04-28T09:49:18","slug":"how-to-use-tcpdump-command-with-examples-on-linux-centos-5centos-6rhel-5rhel-6","status":"publish","type":"post","link":"https:\/\/webhostinggeeks.com\/howto\/how-to-use-tcpdump-command-with-examples-on-linux-centos-5centos-6rhel-5rhel-6\/","title":{"rendered":"How to use tcpdump Command With Examples on Linux CentOS 5\/CentOS 6\/RHEL 5\/RHEL 6"},"content":{"rendered":"<p><a href=\"https:\/\/www.tcpdump.org\/\" target=\"_blank\" rel=\"noopener\">Tcpdump<\/a> is a tool to dump the traffic on a network. It&#8217;s a packet sniffer that is able to capture traffic passing through a machine. It operates at the packet level, meaning that it captures the actual packets that fly in and out of your computer. If your Linux server does not have the tcpdump package installed, you can refer to the <a href=\"https:\/\/webhostinggeeks.com\/howto\/how-to-install-tcpdump-on-centos-5centos-6rhel-5rhel-6\/\" rel=\"nofollow\">previous post<\/a> on the quick steps to install tcpdump. The tcpdump command examples in this post have been tested on Linux CentOS 5\/CentOS 6\/CentOS 7\/RHEL 5\/RHEL 6\/RHEL 7.<\/p>\n
<p><img src=\"https:\/\/webhostinggeeks.com\/howto\/wp-content\/uploads\/2012\/05\/tcpdump.png\" alt=\"tcpdump Command With Examples\" width=\"897\" height=\"473\" \/><\/p>\n<h3>How to use Tcpdump Command with Examples on Linux<\/h3>\n<p>Here are a few tcpdump command examples that I will share with you. The <strong>-w<\/strong> option writes the captured packets to a .pcap file. The extension should always be .pcap, as that format can be read by any network protocol analyzer.<\/p>\n<p>1. To list the available network interfaces that can be monitored, use the -D option:<\/p>\n<pre># tcpdump -D\n1.eth0\n2.usbmon1 (USB bus number 1)\n3.usbmon2 (USB bus number 2)\n4.any (Pseudo-device that captures on all interfaces)\n5.lo\n<\/pre>\n<p>2. Capture the incoming packets on port 80 for the Apache web server in real time and save them to port80-apache1.pcap. Using this file, you can analyze where packets came from or were being sent to:<\/p>\n<pre># tcpdump -w port80-apache1.pcap -i eth0 tcp port 80\n<\/pre>\n<p>3. Running the tcpdump command without any additional options captures all the packets flowing through all the interfaces. To capture on a single interface, use the -i option with the tcpdump command as below:<\/p>\n<pre># tcpdump -w filename.pcap -i eth0\n<\/pre>\n
<p>4. Capture only N packets. This can be done using the tcpdump -c option. This example captures only 3 packets:<\/p>\n<pre># tcpdump -c 3 -i eth0\ntcpdump: verbose output suppressed, use -v or -vv for full protocol decode\nlistening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes\n21:22:18.777243 IP centos62.ehowstuff.local.ssh &gt; 192.168.1.52.pq-lic-mgmt: Flags [.], ack 4148066988, win 17688, options [nop,nop,TS val 790832 ecr 135264], length 0\n21:22:18.783396 IP centos62.ehowstuff.local.ssh &gt; 192.168.1.52.pq-lic-mgmt: Flags [P.], seq 0:196, ack 1, win 17688, options [nop,nop,TS val 790838 ecr 135264], length 196\n21:22:18.785458 ARP, Request who-has 192.168.1.1 tell centos62.ehowstuff.local, length 28\n3 packets captured\n15 packets received by filter\n0 packets dropped by kernel\n<\/pre>\n<p>5. Read the packets from a saved file using tcpdump -r, as in the example below:<\/p>\n<p>Capture 3 packets and save them to test.pcap<\/p>\n<pre># tcpdump -w test.pcap -c 3 -i eth0\ntcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes\n3 packets captured\n3 packets received by filter\n0 packets dropped by kernel\n<\/pre>\n<p>Read test.pcap back using the tcpdump -r command:<\/p>\n<pre># tcpdump -r test.pcap\nreading from file test.pcap, link-type EN10MB (Ethernet)\n21:24:51.199237 IP centos62.ehowstuff.local.ssh &gt; 192.168.1.52.pq-lic-mgmt: Flags [P.], seq 693745553:693745685, ack 4148082568, win 17688, options [nop,nop,TS val 943254 ecr 136793], length 132\n21:24:51.201339 IP 192.168.1.52.pq-lic-mgmt &gt; centos62.ehowstuff.local.ssh: Flags [P.], seq 1:53, ack 132, win 17232, options [nop,nop,TS val 136793 ecr 943254], length 52\n21:24:51.241386 IP centos62.ehowstuff.local.ssh &gt; 192.168.1.52.pq-lic-mgmt: Flags [.], ack 53, win 17688, options [nop,nop,TS val 943296 ecr 136793], length 0\n<\/pre>\n
<p>6. tcpdump also lets you capture packets based on a range of TCP ports by defining a port range as below. The example below captures packets on ports 21 through 80:<\/p>\n<pre># tcpdump tcp portrange 21-80\n<\/pre>\n<p>I hope this article gives you some ideas and essential guidance on how to use the tcpdump command with examples on Linux CentOS 5\/CentOS 6\/CentOS 7\/RHEL 5\/RHEL 6\/RHEL 7.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Tcpdump is a tool to dump the traffic on a network. It&#8217;s a packet sniffer that is able to capture traffic passing through a machine. It operates on a packet&#8230;<\/p>\n","protected":false},"author":6,"featured_media":2614,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"wds_primary_category":0,"footnotes":""},"categories":[2055],"tags":[1244,1253,1536,2109,1715],"class_list":["post-2619","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-centos","tag-centos","tag-centos-6-2","tag-linux","tag-monitoring","tag-rhel-6"],"_links":{"self":[{"href":"https:\/\/webhostinggeeks.com\/howto\/wp-json\/wp\/v2\/posts\/2619","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/webhostinggeeks.com\/howto\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/webhostinggeeks.com\/howto\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/webhostinggeeks.com\/howto\/wp-json\/wp\/v2\/users\/6"}],"replies":[{"embeddable":true,"href":"https:\/\/webhostinggeeks.com\/howto\/wp-json\/wp\/v2\/comments?post=2619"}],"version-history":[{"count":0,"href":"https:\/\/webhostinggeeks.com\/howto\/wp-json\/wp\/v2\/posts\/2619\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/webhostinggeeks.com\/howto\/wp-json\/wp\/v2\/media\/2614"}],"wp:attachment":[{"href":"https:\/\/webhostinggeeks.com\/howto\/wp-json\/wp\/v2\/media?parent=2619"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/webhostinggeeks.com\/howto\/wp-json\/wp\/v2\/categories?post=2619"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/webhostinggeeks.com\/howto\/wp-json\/wp\/v2\/tags?post=2619"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}