How to install & learn to monitor Linux network using TCPDUMP with Examples

Network monitoring is one of the crucial tasks of an administrator. Once an issue is identified, you can resolve it using various Linux network monitoring commands. Let's discuss one of these command-line utilities, tcpdump. tcpdump is a network packet analyzer that helps you monitor your network traffic: you can use it to inspect the TCP/IP and other network packets passing through the network interfaces attached to your machine.

tcpdump uses the libpcap library to capture network packets. Capturing requires root, a user with sudo privileges, or a tcpdump binary that has been granted the CAP_NET_RAW and CAP_NET_ADMIN capabilities; reading a saved capture file needs none of these. You can inspect packets in real time or save them to a file for later analysis. Here you will see how to install tcpdump and learn to monitor a Linux network with it, with examples.

Installing TCPDUMP package in Linux

On most Linux distributions the tcpdump package is already installed. You can check whether tcpdump is installed on your distribution using the commands below.

  • RHEL/CentOS
$ rpm -qa | grep {package-name}

$ rpm -qa | grep tcpdump

#output
tcpdump-4.9.2-4.el7_7.1.x86_64
  • Ubuntu/Debian
$ dpkg -s {package-name}

$ dpkg -s tcpdump

#output
Package: tcpdump
Status: install ok installed
Priority: optional
Section: net
Installed-Size: 1087
Maintainer: Ubuntu Developers <[email protected]>
Architecture: amd64
Multi-Arch: foreign
Version: 4.9.3-4

In the examples above, the tcpdump package is installed. If it is not installed on your system, use the following commands to install it.

  • RHEL/CentOS  6 or 7
$ sudo yum install tcpdump -y
  • RHEL/CentOS 8
$ sudo dnf install tcpdump -y
  • Ubuntu/Debian
$ sudo apt install tcpdump -y

Now that tcpdump is installed on your system, let's learn how to use it to monitor network traffic.

TCPDUMP Command examples

Let's walk through several tcpdump scenarios.

Check network traffic from all network interfaces

When you run tcpdump with -i any, it captures packets flowing through all interfaces via the Linux "any" pseudo-interface. Two caveats: the "any" device cannot be put into promiscuous mode, so you only see traffic sent by or addressed to this host, and the recorded link-layer type is Linux cooked capture (LINUX_SLL, or LINUX_SLL2 in newer versions) rather than Ethernet.

$ sudo tcpdump -i any

00:55:10.313508 IP 192.168.72.1.52428 > thecodecloud.in.ssh: Flags [.], ack 167424, win 513, length 0
00:55:10.313855 IP thecodecloud.in.ssh > 192.168.72.1.52428: Flags [P.], seq 167424:167712, ack 2401, win 501, length 288
00:55:10.314379 IP thecodecloud.in.ssh > 192.168.72.1.52428: Flags [P.], seq 167712:167888, ack 2401, win 501, length 176
00:55:10.314666 IP 192.168.72.1.52428 > thecodecloud.in.ssh: Flags [.], ack 167888, win 511, length 0
00:55:10.315001 IP thecodecloud.in.ssh > 192.168.72.1.52428: Flags [P.], seq 167888:168176, ack 2401, win 501, length 288

Capture packets from a particular ethernet interface

When you pass a specific interface name to -i, tcpdump captures only the packets flowing through that interface. You can list the interfaces tcpdump can see with tcpdump -D.

$ sudo tcpdump -i ens33

tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ens33, link-type EN10MB (Ethernet), capture size 262144 bytes
00:56:08.081407 IP thecodecloud.in.ssh > 192.168.72.1.52428: Flags [P.], seq 181457946:181458074, ack 2089577887, win 501, length 128
00:56:08.081973 IP thecodecloud.in.ssh > 192.168.72.1.52428: Flags [P.], seq 128:192, ack 1, win 501, length 64
00:56:08.082260 IP 192.168.72.1.52428 > thecodecloud.in.ssh: Flags [.], ack 192, win 4104, length 0
00:56:08.082420 IP thecodecloud.in.ssh > 192.168.72.1.52428: Flags [P.], seq 192:320, ack 1, win 501, length 128
00:56:08.082683 IP thecodecloud.in.ssh > 192.168.72.1.52428: Flags [P.], seq 320:384, ack 1, win 501, length 64
00:56:08.082907 IP 192.168.72.1.52428 > thecodecloud.in.ssh: Flags [.], ack 384, win 4103, length 0

Capture only N number of packets

Once started, tcpdump keeps printing packets until you stop it with Ctrl-C. The -c option lets you specify the number of packets to capture; tcpdump exits on its own once that many have been captured.

$  sudo tcpdump -c 2 -i ens33

listening on ens33, link-type EN10MB (Ethernet), capture size 262144 bytes
00:18:12.651448 IP thecodecloud.in.ssh > 192.168.72.1.52302: Flags [P.], seq 3371953783:3371953911, ack 1846722933, win 501, length 128
00:18:12.652029 IP thecodecloud.in.ssh > 192.168.72.1.52302: Flags [P.], seq 128:192, ack 1, win 501, length 64
2 packets captured
20 packets received by filter
0 packets dropped by kernel

Getting captured network packets to a file

tcpdump can save the captured packets to a file with -w so that you can analyse them later. The file is written in pcap format, which any network protocol analyzer (Wireshark, tshark, tcpdump itself) can read; the .pcap extension is a convention, not a requirement. With -w nothing is decoded to the terminal, and the counts shown below appear only when you stop the capture with Ctrl-C. The file holds the full raw packets, including any plaintext credentials that crossed the wire, so protect it like a sensitive log.

$ sudo tcpdump -i ens33 -w 05102020.pcap

tcpdump: listening on ens33, link-type EN10MB (Ethernet), capture size 262144 bytes
13 packets captured
13 packets received by filter
0 packets dropped by kernel

Reading a network packets file

You can read the packets captured in a pcap file and view them for analysis as follows. Reading a file does not require root, so the sudo here is unnecessary; that matters when the capture came from somewhere you do not control, because tcpdump's protocol decoders have historically contained parsing bugs and should not be fed untrusted input as root.

$ sudo tcpdump -r 05102020.pcap

reading from file 05102020.pcap, link-type EN10MB (Ethernet)
01:01:08.673261 IP thecodecloud.in.ssh > 192.168.72.1.52428: Flags [P.], seq 181736874:181736938, ack 2089583615, win 501, length 64
01:01:08.673973 IP thecodecloud.in.ssh > 192.168.72.1.52428: Flags [P.], seq 64:192, ack 1, win 501, length 128
01:01:08.674248 IP 192.168.72.1.52428 > thecodecloud.in.ssh: Flags [.], ack 192, win 4106, length 0
01:01:08.674455 IP thecodecloud.in.ssh > 192.168.72.1.52428: Flags [P.], seq 192:256, ack 1, win 501, length 64
01:01:08.714756 IP 192.168.72.1.52428 > thecodecloud.in.ssh: Flags [.], ack 256, win 4106, length 0
01:01:10.079227 ARP, Request who-has thecodecloud.in (00:0c:29:bc:ff:30 (oui Unknown)) tell 192.168.72.1, length 46
01:01:10.079262 ARP, Reply thecodecloud.in is-at 00:0c:29:bc:ff:30 (oui Unknown), length 28
01:01:15.133047 IP 192.168.72.1.52428 > thecodecloud.in.ssh: Flags [P.], seq 1:49, ack 256, win 4106, length 48
01:01:15.176985 IP thecodecloud.in.ssh > 192.168.72.1.52428: Flags [.], ack 49, win 501, length 0
01:01:25.146097 IP 192.168.72.1.52428 > thecodecloud.in.ssh: Flags [P.], seq 49:97, ack 256, win 4106, length 48
01:01:25.146217 IP thecodecloud.in.ssh > 192.168.72.1.52428: Flags [.], ack 97, win 501, length 0

Capture packets with IP address

In all the previous examples, tcpdump resolved IP addresses to hostnames (and port numbers to service names) using reverse DNS and /etc/services. The -n option disables that resolution and prints raw addresses and ports. This is usually what you want: the lookups slow the capture down, generate DNS traffic of their own, and tell whoever runs the resolver which hosts you are looking at.

$  sudo tcpdump -n -i ens33

01:14:28.574456 IP 192.168.72.1.52428 > 192.168.72.128.22: Flags [.], ack 324208, win 4102, length 0
01:14:28.574653 IP 192.168.72.128.22 > 192.168.72.1.52428: Flags [P.], seq 324208:324496, ack 4641, win 501, length 288
01:14:28.646218 IP 192.168.72.1.52428 > 192.168.72.128.22: Flags [P.], seq 4641:4705, ack 324208, win 4102, length 64

Capture packets with readable timestamp

By default each line carries only the time of day. The -tttt option prints a full date and time for each packet; -ttt instead prints the delta from the previous packet, which is handy when you are looking at timing.

$  sudo tcpdump -n -tttt -i ens33

2020-10-05 01:17:41.851032 IP 192.168.72.1.52428 > 192.168.72.128.22: Flags [.], ack 503936, win 4106, length 0
2020-10-05 01:17:41.851263 IP 192.168.72.128.22 > 192.168.72.1.52428: Flags [P.], seq 503936:504240, ack 7361, win 501, length 304
2020-10-05 01:17:41.852083 IP 192.168.72.1.52428 > 192.168.72.128.22: Flags [P.], seq 7361:7425, ack 504240, win 4105, length 64
2020-10-05 01:17:41.852382 IP 192.168.72.128.22 > 192.168.72.1.52428: Flags [P.], seq 504240:504432, ack 7425, win 501, length 192
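
The lines produced with -n -tttt are easy to parse, which makes them a quick input for ad hoc detection. The following script is added here as an example and is not part of the original article: it reads tcpdump text output and reports sources whose plain SYN packets reached many distinct destination ip:port pairs, the signature of a TCP port scan. The sample lines are constructed in the page's output format, not taken from a real capture; the threshold and function names are this example's own.

```shell
#!/bin/sh
# Added example, not code from the original article: a small detector run
# over tcpdump text output. It reads lines in the "-n -tttt" format shown
# above (any number of leading timestamp fields works, as long as the
# "IP src > dst: Flags [..]" part is present) and reports sources whose
# SYN-only packets reached many distinct destination ip:port pairs.
# Assumed: POSIX sh and awk; the sample lines below are constructed.

# Usage: syn_scanners MIN_TARGETS < capture.txt
# Prints "source count" for each source that sent plain SYNs (Flags [S],
# no ACK) to at least MIN_TARGETS distinct destination ip:port pairs.
# Retransmitted SYNs to the same target are counted once.
syn_scanners() {
    awk -v min="${1:-10}" '
    {
        # locate the "IP"/"IP6" token so the timestamp format does not matter
        for (i = 1; i <= NF; i++) if ($i == "IP" || $i == "IP6") break
        if (i > NF || $(i+4) != "Flags" || $(i+5) != "[S],") next
        src = $(i+1); sub(/\.[0-9]+$/, "", src)   # drop the source port
        dst = $(i+3); sub(/:$/, "", dst)          # drop the colon, keep ip.port
        if (!seen[src, dst]++) targets[src]++
    }
    END { for (s in targets) if (targets[s] >= min) print s, targets[s] }
    ' | LC_ALL=C sort
}

# Constructed sample: one normal SSH session from 192.168.72.1 and a scan
# of six ports on 192.168.72.128 from 192.168.72.50 (one SYN retransmitted).
sample_capture() {
    cat <<'EOF'
2020-10-05 01:30:01.000100 IP 192.168.72.1.52500 > 192.168.72.128.22: Flags [S], seq 1000, win 64240, options [mss 1460], length 0
2020-10-05 01:30:01.000250 IP 192.168.72.128.22 > 192.168.72.1.52500: Flags [S.], seq 2000, ack 1001, win 65160, options [mss 1460], length 0
2020-10-05 01:30:01.000300 IP 192.168.72.1.52500 > 192.168.72.128.22: Flags [.], ack 1, win 502, length 0
2020-10-05 01:30:01.000900 IP 192.168.72.1.52500 > 192.168.72.128.22: Flags [P.], seq 1:49, ack 1, win 502, length 48
2020-10-05 01:30:05.100000 IP 192.168.72.50.40001 > 192.168.72.128.21: Flags [S], seq 1, win 1024, length 0
2020-10-05 01:30:05.100010 IP 192.168.72.128.21 > 192.168.72.50.40001: Flags [R.], seq 0, ack 2, win 0, length 0
2020-10-05 01:30:05.100200 IP 192.168.72.50.40002 > 192.168.72.128.22: Flags [S], seq 1, win 1024, length 0
2020-10-05 01:30:05.100400 IP 192.168.72.50.40003 > 192.168.72.128.23: Flags [S], seq 1, win 1024, length 0
2020-10-05 01:30:05.100600 IP 192.168.72.50.40004 > 192.168.72.128.25: Flags [S], seq 1, win 1024, length 0
2020-10-05 01:30:05.100800 IP 192.168.72.50.40005 > 192.168.72.128.80: Flags [S], seq 1, win 1024, length 0
2020-10-05 01:30:05.101000 IP 192.168.72.50.40006 > 192.168.72.128.443: Flags [S], seq 1, win 1024, length 0
2020-10-05 01:30:05.301000 IP 192.168.72.50.40006 > 192.168.72.128.443: Flags [S], seq 1, win 1024, length 0
EOF
}

# Demo: flag any source that probed five or more distinct targets.
sample_capture | syn_scanners 5
```

On a live box you would feed it with something like `sudo tcpdump -n -tttt -i ens33 'tcp[tcpflags] & (tcp-syn|tcp-ack) == tcp-syn' | syn_scanners 20`, letting the kernel filter keep only SYN-without-ACK packets so awk sees far less input. Text output is fine for a quick look; for anything you may need to re-examine, capture with -w and analyse the pcap instead.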

Check packets for a protocol or port number

You can restrict the capture to a protocol or a port with a filter expression in pcap-filter syntax. port 22 matches TCP or UDP port 22 in either direction; tcp port 22 narrows it to TCP, and protocol keywords such as icmp, arp or udp match on the protocol alone.

$ sudo tcpdump -i ens33 port 22

01:24:17.744667 IP thecodecloud.in.ssh > 192.168.72.1.52428: Flags [P.], seq 292992:293280, ack 4369, win 501, length 288
01:24:17.745294 IP thecodecloud.in.ssh > 192.168.72.1.52428: Flags [P.], seq 293280:293456, ack 4369, win 501, length 176
01:24:17.745805 IP 192.168.72.1.52428 > thecodecloud.in.ssh: Flags [.], ack 293456, win 4102, length 0

Capture packets for particular destination IP and Port

Every packet carries a source and a destination IP address and port number, and tcpdump lets you filter on any of them. Let's see how.

$ sudo tcpdump -w host2.pcap -i ens33 dst 192.168.72.130 and port 22

Check network packets for a single IP address

To capture packets involving a single IP address, whether it appears as source, destination or either, use the host keyword:

$ sudo tcpdump host 192.168.72.130

To match only packets from, or only packets to, an address, use src or dst:

$ sudo tcpdump src 192.168.72.130

$ sudo tcpdump dst 192.168.72.130
  • Using AND

You can combine two or more conditions with and (or the symbol &&). Be aware that && is also the shell's command separator: unless the whole expression is quoted, the shell splits it into two commands and tcpdump never sees the second half. Using the word and avoids that trap. Put tcpdump's own options, such as -w, before the filter expression.

$ sudo tcpdump -w ssh_packets.pcap src 192.168.72.130 and port 22
  • Using OR

or matches packets that satisfy either of two conditions. and binds more tightly than or, so when you mix them, group with parentheses (quoted, since the shell would otherwise interpret them). The second command uses a shorthand: the port qualifier carries over to 443.

$ sudo tcpdump -w ssh_packets.pcap '(src 192.168.72.130 or dst 192.168.72.129) and port 22'
$ sudo tcpdump -i ens33 -w http_packets.pcap port 80 or 443
  • Using EXCEPT

not inverts a condition. A common use is to exclude your own SSH session from the capture:

$ sudo tcpdump -i ens33 not port 22

This captures all traffic on ens33 except packets with port 22 as source or destination. The narrower not src port 22 would drop only the server's replies and still show the client's packets sent to port 22.
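
Two points the -w/-r sections and the filter examples above leave implicit are worth checking by hand: a capture file is recognised by the header tcpdump -w writes, not by its .pcap extension, and a filter expression can be compiled against such a file with tcpdump -d -r, which validates the syntax without opening an interface and therefore without root. The script below is added here as an example and is not code from the original article or from the tcpdump project; it writes a header-only pcap file the way a capture on ens33 would start, identifies files by their magic number and link type, and uses that file to syntax-check filters. The function names and the little-endian layout are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not code from the original article or from tcpdump itself.
# Assumed: POSIX sh, od and mktemp; tcpdump is needed only by check_filter.

# Write a 24-byte header-only pcap file to $1, matching what the examples
# above show: link-type EN10MB (Ethernet), capture size 262144 bytes.
# Fields are little-endian, as written on x86 hosts.
write_empty_pcap() {
    {
        printf '\324\303\262\241'    # magic 0xa1b2c3d4: pcap, microsecond timestamps
        printf '\002\000\004\000'    # version 2.4
        printf '\000\000\000\000'    # thiszone (unused)
        printf '\000\000\000\000'    # sigfigs (unused)
        printf '\000\000\004\000'    # snaplen 262144 (0x40000)
        printf '\001\000\000\000'    # linktype 1 = EN10MB
    } > "$1"
}

# Print the capture format of file $1, judged by its first four bytes
# rather than by its name.
pcap_kind() {
    magic=$(od -An -tx1 -N4 "$1" | tr -d ' \n')
    case "$magic" in
        d4c3b2a1) echo pcap-le-usec ;;
        a1b2c3d4) echo pcap-be-usec ;;
        4d3cb2a1) echo pcap-le-nsec ;;
        a1b23c4d) echo pcap-be-nsec ;;
        0a0d0d0a) echo pcapng ;;
        *)        echo unknown ;;
    esac
}

# Print the link-layer type of little-endian pcap file $1
# (header bytes 20-23, least-significant byte first).
pcap_linktype() {
    set -- $(od -An -tx1 -j20 -N4 "$1")
    lt=$(( 0x$4$3$2$1 ))
    case "$lt" in
        1)   echo EN10MB ;;      # Ethernet, what "-i ens33" records
        113) echo LINUX_SLL ;;   # Linux cooked, what "-i any" records
        276) echo LINUX_SLL2 ;;  # newer cooked format
        *)   echo "DLT_$lt" ;;
    esac
}

# Compile filter expression $1 against a header-only capture with
# "tcpdump -d -r": no interface is opened, so no root is needed.
# Returns 0 if tcpdump accepted the syntax, 1 if it rejected it.
check_filter() {
    f=$(mktemp)
    write_empty_pcap "$f"
    if tcpdump -r "$f" -d "$1" >/dev/null 2>&1; then rc=0; else rc=1; fi
    rm -f "$f"
    return $rc
}

# Demo: create and identify a header-only file, then syntax-check three
# filters (skipped when tcpdump is not installed).
demo=$(mktemp)
write_empty_pcap "$demo"
echo "$demo: $(pcap_kind "$demo"), link-type $(pcap_linktype "$demo")"
rm -f "$demo"
if command -v tcpdump >/dev/null 2>&1; then
    for expr in 'not port 22' \
                '(src 192.168.72.130 or dst 192.168.72.129) and port 22' \
                'port 22 and'; do
        if check_filter "$expr"; then echo "valid:   $expr"; else echo "invalid: $expr"; fi
    done
fi
```

check_filter only proves that the expression parses; it says nothing about whether it matches the packets you intend, which you still confirm by running it against a real capture with -r. The magic-number check is the first thing to run on any capture you receive from someone else, before handing the file to a decoder.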

Conclusion

You have now seen how to install tcpdump and use it to monitor a Linux network, with examples. I hope this gave you a better understanding. Stay tuned for more Linux tips and tricks.


Ravindra Kumar

Hi, This is Ravindra. I am founder of TheCodeCloud. I am AWS Certified Solutions Architect Associate & Certified in Oracle Cloud as well. I am DevOps and Data Science Enthusiast.
