Tcpdump is a command-line network analysis tool for capturing and inspecting the inbound and outbound traffic of a system. It is quite a powerful tool: using its command-line options and filter expressions, one can select exactly which packets to capture and decode them for analysis. In this article, we will discuss how to use tcpdump for network analysis.
Installing tcpdump
tcpdump is packaged for practically every Linux distribution. For example, on Ubuntu one can install it with:
# sudo apt-get install tcpdump
Please note that capturing packets requires root privileges (more precisely, the CAP_NET_RAW capability on Linux), so tcpdump commands are normally run with ‘sudo’. Recent versions of tcpdump drop those privileges after opening the capture interface, but the command itself must still be started as root.
Some basic tcpdump commands
tcpdump outputs the content of selected network packets. The output is typically preceded by a timestamp, which is printed by default as:
<hours> : <minutes> : <seconds> . <fractions of a second>
By default, tcpdump keeps printing packets until it receives a SIGINT signal (Ctrl-C); the -c option makes it stop on its own after a given number of packets. On terminating, it prints three counters :
- The number of packets captured, i.e., packets that matched the filter and were handed to tcpdump
- The number of packets received by the filter, i.e., packets the kernel checked against the filter expression used in the tcpdump command
- The number of packets dropped by the kernel, i.e., packets lost because the capture buffer ran out of space before tcpdump read them. A non-zero value here means the capture is incomplete, which matters when the output is used as evidence.
1. Basic command
# sudo tcpdump -i eth0
This will print the packets captured on the specified interface (here, eth0), one line per packet. Each line begins with the timestamp, followed by the protocol, the source host and port, a `>`, and the destination host and port (for example `host.port > host.port`). By default tcpdump resolves addresses and ports to names; the -n (or -nn) option keeps them numeric, which is faster and avoids sending reverse DNS queries during the capture.
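The following script is an added example, not code from the original article, that shows what one can do with the text tcpdump prints. It assumes the capture was taken with -nn (numeric hosts and ports) and contains only IPv4 traffic, so each endpoint has the form `A.B.C.D.PORT`; the sample lines in SAMPLE are constructed to look like such output and are not a real capture. The script splits each line into timestamp, source and destination fields, counts destination ports, and flags any source that sent bare SYNs to several different destinations, a crude sign of a sweep.

```shell
#!/bin/sh
# Added example (not part of the original article): parse tcpdump text output.
# The output being parsed would come from a command such as
#   sudo tcpdump -nn -i eth0 -c 200 'tcp or udp'
# -nn keeps hosts and ports numeric, which the parsing below relies on.
# SAMPLE is a constructed stand-in for that output, not a real capture.

SAMPLE='14:03:21.118504 IP 10.0.0.5.51234 > 93.184.216.34.443: Flags [S], seq 123456, win 64240, options [mss 1460], length 0
14:03:21.131892 IP 93.184.216.34.443 > 10.0.0.5.51234: Flags [S.], seq 987654, ack 123457, win 65535, length 0
14:03:22.005110 IP 10.0.0.5.40001 > 10.0.0.53.53: 12345+ A? example.com. (29)
14:03:22.006902 IP 10.0.0.53.53 > 10.0.0.5.40001: 12345 1/0/0 A 93.184.216.34 (45)
14:03:23.420000 IP 10.0.0.5.51235 > 203.0.113.7.22: Flags [S], seq 1, win 64240, length 0
14:03:23.420100 IP 10.0.0.5.51236 > 203.0.113.8.22: Flags [S], seq 1, win 64240, length 0
14:03:24.000000 IP 10.0.0.5.40002 > 10.0.0.53.53: 12346+ A? example.org. (29)'

# parse_line LINE -> "timestamp src_ip src_port dst_ip dst_port"
# With -nn, tcpdump prints endpoints as A.B.C.D.PORT, so the port is the text
# after the last dot. The destination carries a trailing ':' that is stripped.
# Lines whose second field is not "IP" (e.g. IP6, ARP) are ignored.
parse_line() {
    printf '%s\n' "$1" | awk '
    $2 == "IP" {
        n = split($3, s, "."); sport = s[n]
        sip = substr($3, 1, length($3) - length(sport) - 1)
        d = $5; sub(/:$/, "", d)
        n = split(d, t, "."); dport = t[n]
        dip = substr(d, 1, length(d) - length(dport) - 1)
        print $1, sip, sport, dip, dport
    }'
}

# dst_port_counts < tcpdump-output -> "port count" lines, most frequent first
dst_port_counts() {
    while IFS= read -r line; do
        parse_line "$line"
    done | awk '{ c[$5]++ } END { for (p in c) print p, c[p] }' | sort -k2,2nr -k1,1n
}

# syn_sweep_sources < tcpdump-output -> "src_ip n" for every source that sent a
# bare SYN (Flags [S], i.e. SYN without ACK) to more than one distinct
# destination host:port. One host probing many targets is the crude signature
# of a port or host sweep; a normal client mostly sends SYNs to a few servers.
syn_sweep_sources() {
    awk '$2 == "IP" && $6 == "Flags" && $7 == "[S]," {
            n = split($3, s, "."); sip = substr($3, 1, length($3) - length(s[n]) - 1)
            d = $5; sub(/:$/, "", d)
            key = sip SUBSEP d
            if (!(key in seen)) { seen[key] = 1; targets[sip]++ }
        }
        END { for (ip in targets) if (targets[ip] > 1) print ip, targets[ip] }' | sort
}

# Stand-alone demonstration on the constructed sample.
echo "destination port counts:"
printf '%s\n' "$SAMPLE" | dst_port_counts
echo "sources sending SYNs to more than one destination:"
printf '%s\n' "$SAMPLE" | syn_sweep_sources
```

To run the same analysis on a real capture, replace the SAMPLE here-string with a file written by `tcpdump -nn -i eth0 -w` and read back with `tcpdump -nn -r capture.pcap`, piping that text into `dst_port_counts` or `syn_sweep_sources`. The parser is deliberately simple: it does not handle IPv6 (tcpdump prints those endpoints differently) or the -tttt timestamp formats.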
2. Increase verbosity of output
The verbosity of tcpdump's output can be increased with the command-line options -v, -vv or -vvv. Each additional v prints more protocol detail: -vv is more verbose than -v, and -vvv more verbose than -vv. i.e. …