This comprehensive Linux guide expects that you run the following commands as root user but if you decide to run the commands as a different user then ensure that the user has
sudoaccess and that you precede each of the privileged commands withsudo
tcpdump is a network and packet analysis utility in linux/unix OSes for performing network and packet sniffing. In this tutorial, we will show you some important commands of tcpdump along with great examples to get you started with analysis of packets on your network..
This utility runs on the command line in linux/unix and a great alternative utility for Windows is known as Wireshack. It allows the user to display TCP/IP and other packets being transmitted or received over the network to which the computer is attached. Moreover, it is a free software to install and use. So lets get started with the several great example commands to perform network and packet analysis using tcpdump
Installing tcpdump
You can follow the instructions below to install the tcpdump on your system.
On Debian Based Systems
You can install the tcpdump on your debian based system by running the following command in your terminal:
root@codesposts:~$ apt install tcpdumpOn Red-Hat Based Systems
You can install the tcpdump on your debian based system by running the following command in your terminal:
root@codesposts:~$ yum install tcpdumpGeneral Syntax
The general syntax of tcpdump command is given below
root@codesposts:~$ tcpdump [OPTIONS]Capturing Packets From All Interfaces
If you run the simple tcpdump command in the terminal, it will start sniffing the packets from all the interfaces.
root@codesposts:~$ tcpdumpCapturing Packets From A Specific Interface
If you want to sniff the packets from a specific interface, you can use the option -i with the tcpdump command.
root@codesposts:~$ tcpdump -i [interface]
root@codesposts:~$ tcpdump -i ens3
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ens3, link-type EN10MB (Ethernet), capture size 262144 bytes
18:47:02.628600 IP 155.138.206.18.vultr.com.ssh > 103.255.4.34.20578: Flags [P.], seq 1935364917:1935365125, ack 372807692, win 470, length 208
18:47:02.628899 IP 155.138.206.18.vultr.com.53067 > 108.61.10.10.choopa.net.domain: 43939+ PTR? 34.4.255.103.in-addr.arpa. (43)
18:47:02.629195 IP 108.61.10.10.choopa.net.domain > 155.138.206.18.vultr.com.53067: 43939 NXDomain 0/1/0 (131)
18:47:02.629313 IP 155.138.206.18.vultr.com.38167 > 108.61.10.10.choopa.net.domain: 29600+ PTR? 18.206.138.155.in-addr.arpa. (45)
18:47:02.629561 IP 108.61.10.10.choopa.net.domain > 155.138.206.18.vultr.com.38167: 29600 1/0/0 PTR 155.138.206.18.vultr.com. (83)
18:47:02.629830 IP 155.138.206.18.vultr.com.ssh > 103.255.4.34.20578: Flags [P.], seq 208:416, ack 1, win 470, length 208
18:47:02.629882 IP 155.138.206.18.vultr.com.ssh > 103.255.4.34.20578: Flags [P.], seq 416:480, ack 1, win 470, length 64
18:47:02.629943 IP 155.138.206.18.vultr.com.47165 > 108.61.10.10.choopa.net.domain: 11038+ PTR? 10.10.61.108.in-addr.arpa. (43)
18:47:02.630346 IP 155.138.206.18.vultr.com.ssh > 103.255.4.34.20578: Flags [P.], seq 736:896, ack 1, win 470, length 160
18:47:02.630443 IP 155.138.206.18.vultr.com.ssh > 103.255.4.34.20578: Flags [P.], seq 960:1152, ack 1, win 470, length 192
18:47:02.630539 IP 155.138.206.18.vultr.com.ssh > 103.255.4.34.20578: Flags [P.], seq 1216:1408, ack 1, win 470, length 192
18:47:02.869763 IP ip-78-45-28-177.net.upcbroadband.cz.45876 > 155.138.206.18.vultr.com.ssh: Flags [P.], seq 2037935188:2037935240, ack 2163823527, win 262, options [nop,nop,TS val 1276602691 ecr 702929817], length 52
18:47:02.869930 IP 155.138.206.18.vultr.com.ssh > ip-78-45-28-177.net.upcbroadband.cz.45876: Flags [.], ack 52, win 235, options [nop,nop,TS val 702929888 ecr 1276602691], length 0
18:47:02.869964 IP ip-78-45-28-177.net.upcbroadband.cz.45876 > 155.138.206.18.vultr.com.ssh: Flags [F.], seq 52, ack 1, win 262, options [nop,nop,TS val 1276602691 ecr 702929817], length 0
18:47:02.873750 IP 155.138.206.18.vultr.com.42180 > 108.61.10.10.choopa.net.domain: 64322+ PTR? 177.28.45.78.in-addr.arpa. (43)
18:47:02.874005 IP 108.61.10.10.choopa.net.domain > 155.138.206.18.vultr.com.42180: 64322 1/0/0 PTR ip-78-45-28-177.net.upcbroadband.cz. (92)
18:47:02.874784 IP 155.138.206.18.vultr.com.ssh > ip-78-45-28-177.net.upcbroadband.cz.45876: Flags [F.], seq 1, ack 53, win 235, options [nop,nop,TS val 702929889 ecr 1276602691], length 0
18:47:02.938491 IP 103.255.4.34.20578 > 155.138.206.18.vultr.com.ssh: Flags [.], ack 1408, win 2034, length 0
18:47:02.938567 IP 155.138.206.18.vultr.com.ssh > 103.255.4.34.20578: Flags [P.], seq 1408:4688, ack 1, win 470, length 3280
18:47:02.938840 IP 155.138.206.18.vultr.com.ssh > 103.255.4.34.20578: Flags [P.], seq 4688:4848, ack 1, win 470, length 160
18:47:02.938850 IP 155.138.206.18.vultr.com.ssh > 103.255.4.34.20578: Flags [P.], seq 4848:5088, ack 1, win 470, length 240
18:47:02.938856 IP 155.138.206.18.vultr.com.ssh > 103.255.4.34.20578: Flags [P.], seq 5088:5152, ack 1, win 470, length 64
Displaying Available Interfaces
If you want to display a list of available interfaces to use with the command, you can use the option -D with the tcpdump command.
root@codesposts:~$ tcpdump -D
1.ens3 [Up, Running]
2.any (Pseudo-device that captures on all interfaces) [Up, Running]
3.lo [Up, Running, Loopback]
4.nflog (Linux netfilter log (NFLOG) interface)
5.nfqueue (Linux netfilter queue (NFQUEUE) interface)
6.usbmon1 (USB bus number 1)
Capture Specific Number Of Packets
If you want to capture a specific number “n”of packets from an interface,
you can use the option -c with the tcpdump command.
root@codesposts:~$ tcpdump -c 5 -i ens3
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ens3, link-type EN10MB (Ethernet), capture size 262144 bytes
18:50:15.910026 IP 155.138.206.18.vultr.com.ssh > 103.255.4.34.20578: Flags [P.], seq 1935432149:1935432277, ack 372827916, win 1452, length 128
18:50:15.910078 IP 155.138.206.18.vultr.com.ssh > 103.255.4.34.20578: Flags [P.], seq 128:192, ack 1, win 1452, length 64
18:50:15.910134 IP 155.138.206.18.vultr.com.ssh > 103.255.4.34.20578: Flags [P.], seq 192:320, ack 1, win 1452, length 128
18:50:15.910173 IP 155.138.206.18.vultr.com.ssh > 103.255.4.34.20578: Flags [P.], seq 320:384, ack 1, win 1452, length 64
18:50:15.910553 IP 155.138.206.18.vultr.com.42227 > 108.61.10.10.choopa.net.domain: 21625+ PTR? 34.4.255.103.in-addr.arpa. (43)
5 packets captured
16 packets received by filter
5 packets dropped by kernel
Displaying Link-Level Header
If you want to display the link-level header in the output of the tcpdump command, you can use the option -e with the tcpdump command.
root@codesposts:~$ tcpdump -c 5 -i ens3 -e
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ens3, link-type EN10MB (Ethernet), capture size 262144 bytes
19:15:43.228000 56:00:02:25:b8:d2 (oui Unknown) > fe:00:02:25:b8:d2 (oui Unknown), ethertype IPv4 (0x0800), length 182: 155.138.206.18.vultr.com.ssh > 103.255.4.34.20581: Flags [P.], seq 2138861187:2138861315, ack 666842659, win 306, length 128
19:15:43.228054 56:00:02:25:b8:d2 (oui Unknown) > fe:00:02:25:b8:d2 (oui Unknown), ethertype IPv4 (0x0800), length 118: 155.138.206.18.vultr.com.ssh > 103.255.4.34.20581: Flags [P.], seq 128:192, ack 1, win 306, length 64
19:15:43.228118 56:00:02:25:b8:d2 (oui Unknown) > fe:00:02:25:b8:d2 (oui Unknown), ethertype IPv4 (0x0800), length 182: 155.138.206.18.vultr.com.ssh > 103.255.4.34.20581: Flags [P.], seq 192:320, ack 1, win 306, length 128
19:15:43.228161 56:00:02:25:b8:d2 (oui Unknown) > fe:00:02:25:b8:d2 (oui Unknown), ethertype IPv4 (0x0800), length 118: 155.138.206.18.vultr.com.ssh > 103.255.4.34.20581: Flags [P.], seq 320:384, ack 1, win 306, length 64
19:15:43.228628 56:00:02:25:b8:d2 (oui Unknown) > fe:00:02:25:b8:d2 (oui Unknown), ethertype IPv4 (0x0800), length 85: 155.138.206.18.vultr.com.49611 > 108.61.10.10.choopa.net.domain: 28604+ PTR? 34.4.255.103.in-addr.arpa. (43)
5 packets captured
15 packets received by filter
4 packets dropped by kernel
Displaying Packets In ASCII
If you want to display the output of the captured packets in ASCII, you can use the option -A with the tcpdump command.
root@codesposts:~$ tcpdump -c 5 -i ens3 -A
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ens3, link-type EN10MB (Ethernet), capture size 262144 bytes
19:18:49.858258 IP 155.138.206.18.vultr.com.ssh > 103.255.4.34.20581: Flags [P.], seq 2138872979:2138873107, ack 666844131, win 306, length 128
E...t.@[email protected].."..Pe.|..'.;.P..2.X...\p..$...m....@...,.x.S.WR.....\......FS.....#.E\..g.tY4..o,.\.Oy...!...U..".NY.
.....&?..t..KG...G..:a..P{.n7P.Haj..x."........
19:18:49.858309 IP 155.138.206.18.vultr.com.ssh > 103.255.4.34.20581: Flags [P.], seq 128:192, ack 1, win 306, length 64
E..ht.@[email protected].."..Pe.|..'.;.P..2....H.S.hr.. A...H3L.r...P..!!.....C)f.V.u5fc.c..=1.[.X..t...h..]#!.
19:18:49.858364 IP 155.138.206.18.vultr.com.ssh > 103.255.4.34.20581: Flags [P.], seq 192:320, ack 1, win 306, length 128
E...t.@[email protected].."..Pe.|.S'.;.P..2.X...h"..)....$.Vu.2..:?..X.>[.B.N.......g........G-..RX....]!L|..=.Z........-.).=..........R.....5..g.U..[.2.....T.....w.X.....3.|.
19:18:49.858405 IP 155.138.206.18.vultr.com.ssh > 103.255.4.34.20581: Flags [P.], seq 320:384, ack 1, win 306, length 64
E..ht.@[email protected].."..Pe.|..'.;.P..2.....+.....qh........^s.."...h.l.6...K.......ccd.ZG.-.E$zu B.......E
19:18:49.858918 IP 155.138.206.18.vultr.com.59315 > 108.61.10.10.choopa.net.domain: 58087+ PTR? 34.4.255.103.in-addr.arpa. (43)
E..G..@[email protected]=
...5.3.(.............34.4.255.103.in-addr.arpa.....
5 packets captured
16 packets received by filter
6 packets dropped by kernel
Displaying Packets In Hex And ASCII
If you want to display the output of the captured packets in Hex and ASCII, you can use the option -XX with the tcpdump command.
root@codesposts:~$ tcpdump -c 5 -i ens3 -XX
listening on ens3, link-type EN10MB (Ethernet), capture size 262144 bytes
19:30:04.385083 IP 155.138.206.18.vultr.com.ssh > 103.255.4.34.20581: Flags [P.], seq 2138990819:2138990947, ack 666846835, win 452, length 128
0x0000: fe00 0225 b8d2 5600 0225 b8d2 0800 4510 ...%..V..%....E.
0x0010: 00a8 76e5 4000 4006 ed9c 9b8a ce12 67ff ..v.@[email protected].
0x0020: 0422 0016 5065 7f7e 68e3 27bf 4673 5018 ."..Pe.~h.'.FsP.
0x0030: 01c4 d658 0000 7acf 88c5 c83e 9417 73b5 ...X..z....>..s.
0x0040: a85d 575a 6f5a 5710 5d1e bb70 0c82 1c93 .]WZoZW.]..p....
0x0050: 6664 6a60 8346 e880 d6b0 d43f 38dc a42d fdj`.F.....?8..-
0x0060: 7a84 dc40 6286 5a5f a82c c631 4c5c 3801 [email protected]_.,.1L\8.
0x0070: 6154 55fa 2afb fc4e 67a4 8bd7 b10e e772 aTU.*..Ng......r
0x0080: ec73 c536 7c35 918d 2d37 313a 014f 698d .s.6|5..-71:.Oi.
0x0090: 8351 21e7 be06 28be 9838 911c d843 4d64 .Q!...(..8...CMd
0x00a0: 03bc 6bf8 1370 ce56 eae9 9661 5ab9 a4d9 ..k..p.V...aZ...
0x00b0: 9b4c 3092 b0f5 .L0...
19:30:04.385143 IP 155.138.206.18.vultr.com.ssh > 103.255.4.34.20581: Flags [P.], seq 128:192, ack 1, win 452, length 64
0x0000: fe00 0225 b8d2 5600 0225 b8d2 0800 4510 ...%..V..%....E.
0x0010: 0068 76e6 4000 4006 eddb 9b8a ce12 67ff .hv.@[email protected].
0x0020: 0422 0016 5065 7f7e 6963 27bf 4673 5018 ."..Pe.~ic'.FsP.
0x0030: 01c4 d618 0000 97ff 547f 6fda 90e5 9693 ........T.o.....
0x0040: eed6 331a 5a8b b2e2 17ef 8ede e592 3b9c ..3.Z.........;.
0x0050: 06c5 f79a e2df 5891 5d5f c60a 1865 1275 ......X.]_...e.u
0x0060: 9b6a 56f7 eafe 574a ec60 fd99 f6a6 07ed .jV...WJ.`......
0x0070: 584a 7a45 9bd7 XJzE..
19:30:04.385198 IP 155.138.206.18.vultr.com.ssh > 103.255.4.34.20581: Flags [P.], seq 192:320, ack 1, win 452, length 128
0x0000: fe00 0225 b8d2 5600 0225 b8d2 0800 4510 ...%..V..%....E.
0x0010: 00a8 76e7 4000 4006 ed9a 9b8a ce12 67ff ..v.@[email protected].
0x0020: 0422 0016 5065 7f7e 69a3 27bf 4673 5018 ."..Pe.~i.'.FsP.
0x0030: 01c4 d658 0000 20c0 c018 6bf9 3cbb 46c2 ...X......k.<.F.
0x0040: bb89 72ef 6c88 5c46 50b5 a666 d992 6580 ..r.l.\FP..f..e.
0x0050: 6308 af04 1647 1e57 5b20 afe3 47eb e6d4 c....G.W[...G...
0x0060: ac69 35be 747f 4ac7 5aaf f611 7a7c 773d .i5.t.J.Z...z|w=
0x0070: d0ee 5f42 0166 839c 8f78 148a 0235 87b8 .._B.f...x...5..
0x0080: 1ce1 dda8 c5ca 8b6b 2576 bfab da9b 76be .......k%v....v.
0x0090: 646d a8f8 aafe bef3 3c79 5576 8bdb d91e dm......<yUv....
0x00a0: 5710 c3cb 46df 6d5d 1f7d 265e 5730 9da8 W...F.m].}&^W0..
0x00b0: 8abe e6e2 0aff ......
19:30:04.385238 IP 155.138.206.18.vultr.com.ssh > 103.255.4.34.20581: Flags [P.], seq 320:384, ack 1, win 452, length 64
0x0000: fe00 0225 b8d2 5600 0225 b8d2 0800 4510 ...%..V..%....E.
0x0010: 0068 76e8 4000 4006 edd9 9b8a ce12 67ff .hv.@[email protected].
0x0020: 0422 0016 5065 7f7e 6a23 27bf 4673 5018 ."..Pe.~j#'.FsP.
0x0030: 01c4 d618 0000 fb98 eb05 8ff5 39f4 3aac ............9.:.
0x0040: 3a58 7c32 1499 e2b3 d905 7d3a ff9d 6a54 :X|2......}:..jT
0x0050: aaa3 14dc 6438 b44c 0c4b 1884 c618 2525 ....d8.L.K....%%
0x0060: 3999 df7f 79a0 a1f5 cfb4 cb1a a6d4 d630 9...y..........0
0x0070: e5d5 e9cc 622b ....b+
19:30:04.385703 IP 155.138.206.18.vultr.com.60793 > 108.61.10.10.choopa.net.domain: 7998+ PTR? 34.4.255.103.in-addr.arpa. (43)
0x0000: fe00 0225 b8d2 5600 0225 b8d2 0800 4500 ...%..V..%....E.
0x0010: 0047 cccc 4000 4011 8df5 9b8a ce12 6c3d .G..@[email protected]=
0x0020: 0a0a ed79 0035 0033 e028 1f3e 0100 0001 ...y.5.3.(.>....
0x0030: 0000 0000 0000 0233 3401 3403 3235 3503 .......34.4.255.
0x0040: 3130 3307 696e 2d61 6464 7204 6172 7061 103.in-addr.arpa
0x0050: 0000 0c00 01 .....
5 packets captured
15 packets received by filter
6 packets dropped by kernelDisplaying Foreign IPs Numerically
If you want to display the foreign IP Addresses numerically in the output of the command, you can use the option -f with the tcpdump command.
root@codesposts:~$ tcpdump -f -i ens3
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ens3, link-type EN10MB (Ethernet), capture size 262144 bytes
19:26:28.425372 IP 155.138.206.18.vultr.com.ssh > 103.255.4.34.20581: Flags [P.], seq 2138877683:2138877811, ack 666845171, win 324, length 128
19:26:28.425423 IP 155.138.206.18.vultr.com.ssh > 103.255.4.34.20581: Flags [P.], seq 128:192, ack 1, win 324, length 64
19:26:28.425505 IP 155.138.206.18.vultr.com.ssh > 103.255.4.34.20581: Flags [P.], seq 192:320, ack 1, win 324, length 128
19:26:28.425548 IP 155.138.206.18.vultr.com.ssh > 103.255.4.34.20581: Flags [P.], seq 320:384, ack 1, win 324, length 64
19:26:28.426014 IP 155.138.206.18.vultr.com.45710 > 108.61.10.10.domain: 25604+ PTR? 18.206.138.155.in-addr.arpa. (45)
19:26:28.426281 IP 108.61.10.10.domain > 155.138.206.18.vultr.com.45710: 25604 1/0/0 PTR 155.138.206.18.vultr.com. (83)
Saving The Output In A File
If you want to save the captured packets through the command into a file, you can use the option -w with the tcpdump command.
root@codesposts:~$ tcpdump -i ens3 -c 5 -w packets.cap
tcpdump: listening on ens3, link-type EN10MB (Ethernet), capture size 262144 bytes
5 packets captured
10 packets received by filter
0 packets dropped by kernelReading Packets From A File
If you want to read the packets from a file, you can use the option -r with the tcpdump command.
root@codesposts:~$ tcpdump -r packets.cap
reading from file abc.cap, link-type EN10MB (Ethernet)
19:33:12.208555 IP 155.138.206.18.vultr.com.ssh > 103.255.4.34.20581: Flags [P.], seq 2139007347:2139007491, ack 666849139, win 452, length 144
19:33:12.596689 IP 103.255.4.34.20581 > 155.138.206.18.vultr.com.ssh: Flags [.], ack 144, win 257, length 0
19:33:12.820178 IP 185.214.184.238.milecom.ru.56748 > 155.138.206.18.vultr.com.ssh: Flags [S], seq 2192690588, win 29200, options [mss 1460,sackOK,TS val 1750906526 ecr 0,nop,wscale 7], length 0
19:33:12.820248 IP 155.138.206.18.vultr.com.ssh > 185.214.184.238.milecom.ru.56748: Flags [S.], seq 3111008020, ack 2192690589, win 28960, options [mss 1460,sackOK,TS val 703622375 ecr 1750906526,nop,wscale 7], length 0
19:33:13.003412 IP 185.214.184.238.milecom.ru.56748 > 155.138.206.18.vultr.com.ssh: Flags [.], ack 1, win 229, options [nop,nop,TS val 1750906709 ecr 703622375], length 0
Displaying Packets With Numbering
Is you want to display the packet numbers in the output, you can use the option --number with the tcpdump command.
root@codesposts:~$ tcpdump -i ens3 -c 5 --number
listening on ens3, link-type EN10MB (Ethernet), capture size 262144 bytes
1 19:38:52.625074 IP 155.138.206.18.vultr.com.ssh > 103.255.4.34.20581: Flags [P.], seq 2139012051:2139012179, ack 666851827, win 489, length 128
2 19:38:52.625155 IP 155.138.206.18.vultr.com.ssh > 103.255.4.34.20581: Flags [P.], seq 128:192, ack 1, win 489, length 64
3 19:38:52.625229 IP 155.138.206.18.vultr.com.ssh > 103.255.4.34.20581: Flags [P.], seq 192:320, ack 1, win 489, length 128
4 19:38:52.625284 IP 155.138.206.18.vultr.com.ssh > 103.255.4.34.20581: Flags [P.], seq 320:384, ack 1, win 489, length 64
5 19:38:52.625773 IP 155.138.206.18.vultr.com.39014 > 108.61.10.10.choopa.net.domain: 56240+ PTR? 34.4.255.103.in-addr.arpa. (43)
5 packets captured
15 packets received by filter
4 packets dropped by kernel
Displaying A Quieter Output
If you want to make the output of the command shorter and easy to read, you can use the option -q with the tcpdump command.
root@codesposts:~$ tcpdump -i ens3 -c 5 -q
listening on ens3, link-type EN10MB (Ethernet), capture size 262144 bytes
19:41:04.627686 IP 155.138.206.18.vultr.com.ssh > 103.255.4.34.20581: tcp 128
19:41:04.627741 IP 155.138.206.18.vultr.com.ssh > 103.255.4.34.20581: tcp 64
19:41:04.627797 IP 155.138.206.18.vultr.com.ssh > 103.255.4.34.20581: tcp 128
19:41:04.627838 IP 155.138.206.18.vultr.com.ssh > 103.255.4.34.20581: tcp 64
19:41:04.628316 IP 155.138.206.18.vultr.com.50867 > 108.61.10.10.choopa.net.domain: UDP, length 43
5 packets captured
15 packets received by filter
4 packets dropped by kernel
Capturing Only IP Packets
You can use the option -n with the tcpdump command to capture the IP packets from a specific interface.
root@codesposts:~$ tcpdump -c 5 -i ens3 -n
listening on ens3, link-type EN10MB (Ethernet), capture size 262144 bytes
19:43:25.096220 IP 155.138.206.18.22 > 103.255.4.34.20581: Flags [P.], seq 2139017491:2139017619, ack 666852979, win 525, length 128
19:43:25.096274 IP 155.138.206.18.22 > 103.255.4.34.20581: Flags [P.], seq 128:192, ack 1, win 525, length 64
19:43:25.096323 IP 155.138.206.18.22 > 103.255.4.34.20581: Flags [P.], seq 192:320, ack 1, win 525, length 128
19:43:25.096363 IP 155.138.206.18.22 > 103.255.4.34.20581: Flags [P.], seq 320:384, ack 1, win 525, length 64
19:43:25.096571 IP 155.138.206.18.22 > 103.255.4.34.20581: Flags [P.], seq 384:576, ack 1, win 525, length 192
5 packets captured
9 packets received by filter
0 packets dropped by kernel
Capturing Only TCP Packets
You can use the option tcp with the tcpdump command to capture the TCP packets from a specific interface.
root@codesposts:~$ tcpdump -c 5 -i ens3 tcp
listening on ens3, link-type EN10MB (Ethernet), capture size 262144 bytes
19:44:53.719409 IP 155.138.206.18.vultr.com.ssh > 103.255.4.34.20581: Flags [P.], seq 2139020083:2139020211, ack 666853491, win 525, length 128
19:44:53.719479 IP 155.138.206.18.vultr.com.ssh > 103.255.4.34.20581: Flags [P.], seq 128:192, ack 1, win 525, length 64
19:44:53.719550 IP 155.138.206.18.vultr.com.ssh > 103.255.4.34.20581: Flags [P.], seq 192:320, ack 1, win 525, length 128
19:44:53.719602 IP 155.138.206.18.vultr.com.ssh > 103.255.4.34.20581: Flags [P.], seq 320:384, ack 1, win 525, length 64
19:44:53.721319 IP 155.138.206.18.vultr.com.ssh > 103.255.4.34.20581: Flags [P.], seq 384:592, ack 1, win 525, length 208
5 packets captured
10 packets received by filter
1 packet dropped by kernel
You can also use other protocols in place of tcp e.g. udp and icmp.
Capturing Packets Through Specific Port
If you want to capture the packets through a specific port, you can use the option port with the tcpdump command
root@codesposts:~$ tcpdump -c 5 -i ens3 port 22
listening on ens3, link-type EN10MB (Ethernet), capture size 262144 bytes
19:46:55.510295 IP 155.138.206.18.vultr.com.ssh > 103.255.4.34.20581: Flags [P.], seq 2139023203:2139023331, ack 666854323, win 525, length 128
19:46:55.510352 IP 155.138.206.18.vultr.com.ssh > 103.255.4.34.20581: Flags [P.], seq 128:192, ack 1, win 525, length 64
19:46:55.510411 IP 155.138.206.18.vultr.com.ssh > 103.255.4.34.20581: Flags [P.], seq 192:320, ack 1, win 525, length 128
19:46:55.510461 IP 155.138.206.18.vultr.com.ssh > 103.255.4.34.20581: Flags [P.], seq 320:384, ack 1, win 525, length 64
19:46:55.574799 IP 155.138.206.18.vultr.com.ssh > 103.255.4.34.20581: Flags [P.], seq 384:592, ack 1, win 525, length 208
5 packets captured
9 packets received by filter
0 packets dropped by kernel
Capturing Packets From A Specific Source IP
If you want to capture the packets from a specific source IP, you can use the option src with the tcpdump command
root@codesposts:~$ tcpdump -i ens3 -c 5 src 155.138.206.18
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ens3, link-type EN10MB (Ethernet), capture size 262144 bytes
19:47:50.333651 IP 155.138.206.18.vultr.com.ssh > 103.255.4.34.20581: Flags [P.], seq 2139027283:2139027411, ack 666856115, win 525, length 128
19:47:50.333732 IP 155.138.206.18.vultr.com.ssh > 103.255.4.34.20581: Flags [P.], seq 128:192, ack 1, win 525, length 64
19:47:50.333794 IP 155.138.206.18.vultr.com.ssh > 103.255.4.34.20581: Flags [P.], seq 192:320, ack 1, win 525, length 128
19:47:50.333834 IP 155.138.206.18.vultr.com.ssh > 103.255.4.34.20581: Flags [P.], seq 320:384, ack 1, win 525, length 64
19:47:50.334269 IP 155.138.206.18.vultr.com.44527 > 108.61.10.10.choopa.net.domain: 23953+ PTR? 34.4.255.103.in-addr.arpa. (43)
5 packets captured
13 packets received by filter
2 packets dropped by kernel
Capturing Packets From A Specific Source IP
If you want to capture the packets from a specific source IP, you can use the option dst with the tcpdump command
root@codesposts:~$ tcpdump -i ens3 -c 5 dst 155.138.206.18
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ens3, link-type EN10MB (Ethernet), capture size 262144 bytes
19:53:30.574692 IP 103.255.4.34.20581 > 155.138.206.18.vultr.com.ssh: Flags [.], ack 2139038947, win 253, length 0
19:53:30.575775 IP 108.61.10.10.choopa.net.domain > 155.138.206.18.vultr.com.60669: 26680 1/0/0 PTR 155.138.206.18.vultr.com. (83)
19:53:30.576279 IP 108.61.10.10.choopa.net.domain > 155.138.206.18.vultr.com.51273: 48355 NXDomain 0/1/0 (131)
19:53:30.579633 IP 103.255.4.34.20581 > 155.138.206.18.vultr.com.ssh: Flags [.], ack 193, win 252, length 0
19:53:30.581213 IP 108.61.10.10.choopa.net.domain > 155.138.206.18.vultr.com.51983: 49185 1/0/0 PTR 108.61.10.10.choopa.net. (80)
5 packets captured
5 packets received by filter
0 packets dropped by kernel
Omitting Timestamp From The Output
If you want to omit the timestamp from the output of the command, you can use the option -t with the tcpdump command
root@codesposts:~$ tcpdump -i ens3 -c 5 -t
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ens3, link-type EN10MB (Ethernet), capture size 262144 bytes
IP 155.138.206.18.vultr.com.ssh > 103.255.4.34.20581: Flags [P.], seq 2139030883:2139031011, ack 666857587, win 525, length 128
IP 155.138.206.18.vultr.com.ssh > 103.255.4.34.20581: Flags [P.], seq 128:192, ack 1, win 525, length 64
IP 155.138.206.18.vultr.com.ssh > 103.255.4.34.20581: Flags [P.], seq 192:320, ack 1, win 525, length 128
IP 155.138.206.18.vultr.com.ssh > 103.255.4.34.20581: Flags [P.], seq 320:384, ack 1, win 525, length 64
IP 155.138.206.18.vultr.com.58671 > 108.61.10.10.choopa.net.domain: 15260+ PTR? 34.4.255.103.in-addr.arpa. (43)
5 packets captured
15 packets received by filter
4 packets dropped by kernel
Displaying Detailed Output
If you want to display more detailed output of the command, you can use the option -v with the tcpdump command
root@codesposts:~$ tcpdump -i ens3 -c 5 -v
tcpdump: listening on ens3, link-type EN10MB (Ethernet), capture size 262144 bytes
19:52:03.224294 IP (tos 0x10, ttl 64, id 30760, offset 0, flags [DF], proto TCP (6), length 104)
155.138.206.18.vultr.com.ssh > 103.255.4.34.20581: Flags [P.], cksum 0xd618 (incorrect -> 0xd4b3), seq 2139033427:2139033491, ack 666857907, win 525, length 64
19:52:03.224358 IP (tos 0x10, ttl 64, id 30761, offset 0, flags [DF], proto TCP (6), length 168)
155.138.206.18.vultr.com.ssh > 103.255.4.34.20581: Flags [P.], cksum 0xd658 (incorrect -> 0xf753), seq 64:192, ack 1, win 525, length 128
19:52:03.224400 IP (tos 0x10, ttl 64, id 30762, offset 0, flags [DF], proto TCP (6), length 104)
155.138.206.18.vultr.com.ssh > 103.255.4.34.20581: Flags [P.], cksum 0xd618 (incorrect -> 0xa381), seq 192:256, ack 1, win 525, length 64
19:52:03.224510 IP (tos 0x10, ttl 64, id 30763, offset 0, flags [DF], proto TCP (6), length 200)
155.138.206.18.vultr.com.ssh > 103.255.4.34.20581: Flags [P.], cksum 0xd678 (incorrect -> 0xf88d), seq 256:416, ack 1, win 525, length 160
19:52:03.224551 IP (tos 0x10, ttl 64, id 30764, offset 0, flags [DF], proto TCP (6), length 104)
155.138.206.18.vultr.com.ssh > 103.255.4.34.20581: Flags [P.], cksum 0xd618 (incorrect -> 0xb601), seq 416:480, ack 1, win 525, length 64
5 packets captured
14 packets received by filter
5 packets dropped by kernel
Displaying Only IPv6 Packets
If you want to display the packets from only IPv6 traffic, you can use the option ip6 with the tcpdump command
root@codesposts:~$ tcpdump -i ens3 ip6Capturing Packets Of A Specific Size
If you want to capture the packets of a specific size, you can run the following command.
root@codesposts:~$ tcpdump less 64
OR
root@codesposts:~$ tcpdump greater 32
OR
root@codesposts:~$ tcpdump <= 64
