Introduction to Tcpdump

Using Tcpdump to analyze network traffic

Vickie Li
Jun 14, 2020 · 4 min read

Tcpdump is a command-line packet analysis tool built on libpcap. Much like Wireshark, you can use Tcpdump to capture and analyze packets, troubleshoot connection issues, and look for potential security issues on a network. Because it is a portable command-line utility, it works even when a GUI is not available or Wireshark is not installed, for example on a remote server that you only reach over SSH.

Today, let’s take a look at how to use Tcpdump to analyze packets! Open up your terminal and follow along.

Getting started

Before we go on, remember that Tcpdump has to open a network interface for raw packet capture (and usually put it into promiscuous mode), which on Linux requires root or the CAP_NET_RAW and CAP_NET_ADMIN capabilities. In practice, this means running Tcpdump as a superuser, so all of the commands in this post are prefixed with “sudo”. Keep in mind that a capture taken with those privileges sees every packet on the interface, including other users’ traffic, so treat the captures you produce as sensitive data.

To list the interfaces available for capture, use the “-D” flag.

$ sudo tcpdump -D
1.en0 [Up, Running]
2.bridge0 [Up, Running]
3.p2p0 [Up, Running]
4.awdl0 [Up, Running]
5.utun0 [Up, Running]
6.en1 [Up, Running]
7.en2 [Up, Running]
8.lo0 [Up, Running, Loopback]
9.vboxnet0 [Running]
10.gif0
11.stf0

Let’s start capturing some packets. Use the “-i” flag to choose the interface to capture on. Interface names depend on the operating system (en0 on macOS, eth0 or eth1 on many Linux systems). On Linux, specifying “any” as the interface captures from all interfaces at once; note that the “any” pseudo-device does not use promiscuous mode, so it only sees traffic the host would receive anyway.

$ sudo tcpdump -i any
$ sudo tcpdump -i eth1

Now, you should start seeing packet details in your terminal! Tcpdump will continue to capture packets until you interrupt it by pressing “Ctrl+C” (or use “-c N” to stop after N packets). Two flags are worth adding to almost every capture: “-n” disables name resolution, which otherwise slows the capture down and sends a DNS query for every new address you see, and “-v” adjusts the level of verbosity in Tcpdump’s output.

$ sudo tcpdump -i any -v (Verbose output)
$ sudo tcpdump -i any -vv (Even more verbose output)
$ sudo tcpdump -i any -vvv (The most verbose output)

Tcpdump accepts a capture filter (a Berkeley Packet Filter expression, the same syntax as Wireshark’s capture filters) so that only packets matching your criteria are captured. The simplest filter is a protocol name such as “tcp”, “udp”, “icmp” or “arp”. For example, this command captures every TCP segment.

$ sudo tcpdump tcp

If you are only interested in traffic for a specific port, you can use the “port” filter to target your analysis.

$ sudo tcpdump port 80

This command captures all traffic with port 80 as either its source or destination port (TCP or UDP). To narrow that to one direction, qualify the filter with “src” or “dst” (note the spelling: Tcpdump does not accept “dest”).

$ sudo tcpdump src port 80 (Source port is 80)
$ sudo tcpdump dst port 80 (Destination port is 80)

On the other hand, if you are only interested in traffic for a specific host, you can use the “host” filter. It matches the address in either direction and, like “port”, can be qualified with “src” or “dst”.

$ sudo tcpdump host 1.2.3.4
$ sudo tcpdump src host 1.2.3.4 (Source host is 1.2.3.4)
$ sudo tcpdump dst host 1.2.3.4 (Destination host is 1.2.3.4)

Finally, you can combine multiple filters with the boolean operators “and”, “or” and “not”. Put the whole expression in single quotes so the shell does not interpret parentheses or other special characters; the quotes belong around the entire filter, not around each term.

$ sudo tcpdump 'src port 80 and dst host 1.2.3.4'
$ sudo tcpdump 'src port 80 or src port 443'

Saving the output

You can save the captured packets to a file rather than printing them by using the “-w” flag. The file is written in pcap format, so it can be opened in Wireshark or any other libpcap-based tool. Any filter you give applies to what is written, so the command below stores only TCP packets. Because a capture file holds the full contents of every packet, including any cleartext credentials, keep it with restrictive permissions and delete it when the investigation is done.

$ sudo tcpdump tcp -w PATH_TO_FILE

If you want Tcpdump both to save and print the packets, newer versions (4.99 and later) accept the “--print” flag in conjunction with “-w”.

$ sudo tcpdump tcp -w PATH_TO_FILE --print

The saved file can later be read back with the “-r” flag. Reading a file needs only read access to it, not capture privileges, and the same filter syntax works on a file as on a live interface, so you can capture broadly once and narrow down afterwards.

$ sudo tcpdump -r PATH_TO_FILE

Decoding the output

The format of Tcpdump’s output depends on the protocol of the packet. A typical output line for TCP looks like this.

17:42:53.490718 IP 192.168.0.1.443 > 192.168.0.114.59509: Flags [.], ack 1, win 67, length 0

The first field, “17:42:53.490718”, is the timestamp at which the packet was captured. Next, “IP” is the network layer protocol, in this case IPv4 (IPv6 packets show “IP6”).

The next field is the source IP and port: “192.168.0.1.443” means the source IP was 192.168.0.1 and the source port was 443. Similarly, “192.168.0.114.59509” is the destination IP and port. Without the “-n” flag, Tcpdump may replace these numbers with host and service names (for example “.https” instead of “.443”).

“Flags [.]” shows the TCP flags; “.” means only ACK was set (other letters include S for SYN, F for FIN, P for PSH and R for RST). This is followed by the acknowledgement number, “ack 1”. By default Tcpdump prints sequence and acknowledgement numbers relative to the start of the connection, which is why they look so small; use “-S” to see the absolute values. Next is the advertised window size, “win 67”, and finally “length 0”, which is the length of the TCP payload rather than of the whole packet: this packet is a bare acknowledgement carrying no data.

There are more fields in the output for different protocol types, please check Tcpdump’s documentation for more information.
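As an added example (not from the article), here is a small Python parser for the one-line TCP summaries above, so that captured text can be processed programmatically, for instance when searching hours of Tcpdump output for half-open connection attempts. It assumes the numeric form of the line (addresses and ports as digits, as with “-n” and as in the line above), IPv4 (“IP”) lines only, and the flag letters documented in the tcpdump man page. The two extra sample lines (a SYN and a data-carrying segment) are constructed here for illustration.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Letters tcpdump prints inside "Flags [...]" and the TCP flag each one stands for
# (per the tcpdump man page; "." is ACK).
TCP_FLAG_NAMES = {
    "S": "SYN", "F": "FIN", "P": "PSH", "R": "RST",
    ".": "ACK", "U": "URG", "W": "CWR", "E": "ECE",
}

# Fixed prefix of a one-line IPv4/TCP summary; the comma-separated fields after the
# flags vary from packet to packet, so they are picked out of "rest" separately.
_LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) IP "
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3})\.(?P<sport>\d+) > "
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3})\.(?P<dport>\d+): "
    r"Flags \[(?P<flags>[^\]]*)\](?P<rest>.*)$"
)


@dataclass
class TcpSummary:
    timestamp: str
    src: str
    sport: int
    dst: str
    dport: int
    flags: List[str]        # decoded names, e.g. ["PSH", "ACK"]
    seq: Optional[str]      # "1001" or a range "1:74"; relative unless tcpdump ran with -S
    ack: Optional[int]
    win: Optional[int]
    length: int             # TCP payload bytes, not the size of the whole packet


def _field(rest: str, name: str, pattern: str) -> Optional[str]:
    """Value of the "<name> <value>" item in the trailing fields, if present."""
    m = re.search(rf"\b{name} ({pattern})", rest)
    return m.group(1) if m else None


def parse_tcp_line(line: str) -> TcpSummary:
    """Parse one numeric (-n style) IPv4/TCP summary line; raise ValueError otherwise."""
    m = _LINE_RE.match(line.strip())
    if not m:
        raise ValueError(f"not an IPv4/TCP summary line: {line!r}")
    rest = m.group("rest")
    ack, win = _field(rest, "ack", r"\d+"), _field(rest, "win", r"\d+")
    length = _field(rest, "length", r"\d+")
    return TcpSummary(
        timestamp=m.group("ts"),
        src=m.group("src"), sport=int(m.group("sport")),
        dst=m.group("dst"), dport=int(m.group("dport")),
        flags=[TCP_FLAG_NAMES.get(c, c) for c in m.group("flags")],
        seq=_field(rest, "seq", r"\d+(?::\d+)?"),
        ack=int(ack) if ack else None,
        win=int(win) if win else None,
        length=int(length) if length else 0,
    )


def describe(s: TcpSummary) -> str:
    """Read the flags the way an analyst does: what is this segment doing?"""
    f = set(s.flags)
    if f == {"SYN"}:
        kind = "connection attempt (SYN only)"
    elif f == {"SYN", "ACK"}:
        kind = "connection accepted (SYN-ACK)"
    elif "RST" in f:
        kind = "reset"
    elif "FIN" in f:
        kind = "close"
    elif s.length > 0:
        kind = f"data ({s.length} bytes)"
    else:
        kind = "bare ACK"
    return f"{s.src}:{s.sport} -> {s.dst}:{s.dport} {kind}"


# Sample input: the first line is the one from the article; the other two are
# constructed here in the same format (a SYN and a data-carrying segment).
SAMPLE_LINES = [
    "17:42:53.490718 IP 192.168.0.1.443 > 192.168.0.114.59509: Flags [.], ack 1, win 67, length 0",
    "17:42:53.491002 IP 192.168.0.114.59510 > 192.168.0.1.80: Flags [S], seq 1001, win 64240, options [mss 1460], length 0",
    "17:42:53.492310 IP 192.168.0.114.59510 > 192.168.0.1.80: Flags [P.], seq 1:74, ack 1, win 502, length 73",
]

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(describe(parse_tcp_line(line)))
```

A line that is not an IPv4/TCP summary (ICMP, ARP, or a line with resolved hostnames) makes parse_tcp_line raise rather than silently return half-filled fields, which is the behaviour you want when the parser feeds a detection rule.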

Reading packet contents

Finally, how do you read the contents of the captured packets? The “-A” flag prints each packet’s payload as ASCII after the summary line (“-X” prints hex and ASCII side by side). For example, let’s say that we are trying to capture some HTTP traffic.

$ sudo tcpdump port 80 -A

Run this command and then load a page over plain HTTP. Because HTTP is unencrypted, the request is printed in readable text; the same capture of an HTTPS connection on port 443 would show only opaque TLS records. Notice the “Cookie” header in the output below: a session identifier sent in the clear like this can be read by anyone positioned on the path, which is exactly the kind of finding a network capture is good at surfacing.

Host: www.example.com
Connection: keep-alive
User-Agent: Mozilla/5.0
Accept: image/webp,image/apng,image/*,*/*;q=0.8
Referer: http://www.example.com
Accept-Encoding: gzip, deflate
Accept-Language: en-US;q=0.8,en;q=0.7
Cookie: PHPSESSID=71mapjkikro59donut84n0cfms0
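The two previous sections, saving a capture with “-w” and reading payloads with “-A”, can be combined programmatically. As an added example (not code from the article or from the Tcpdump project), the following Python script builds a tiny pcap file in memory in the same layout “-w” produces, reads it back the way “-r” does, applies the equivalent of the “port 80” filter, and reports any Cookie or Authorization header sent in the clear. It assumes an Ethernet link type (link type 1), IPv4 and TCP only, does not verify checksums, and the sample capture and the cookie token in it are constructed for the example.

```python
import struct
from dataclasses import dataclass
from typing import Iterator, List, Optional, Tuple

# Request headers whose values are credentials or session tokens: if tcpdump -A
# can show them, so can anyone else on the path.
SENSITIVE_HEADERS = {"cookie", "authorization", "proxy-authorization"}


@dataclass
class TcpSegment:
    src: str
    sport: int
    dst: str
    dport: int
    flags: int
    payload: bytes


def _ip4(addr: str) -> bytes:
    return bytes(int(o) for o in addr.split("."))


def build_frame(src: str, sport: int, dst: str, dport: int, flags: int, payload: bytes) -> bytes:
    """Ethernet + IPv4 + TCP + payload for test data; checksums stay 0 (never sent, not verified)."""
    eth = b"\x00" * 12 + b"\x08\x00"                        # zero MACs, EtherType IPv4
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0,
                     64, 6, 0, _ip4(src), _ip4(dst))         # IHL 5, TTL 64, proto 6 = TCP
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, flags, 65535, 0, 0)
    return eth + ip + tcp + payload


def build_pcap(frames: List[bytes]) -> bytes:
    """Classic pcap as tcpdump -w writes it: 24-byte global header, 16-byte record header per frame."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 262144, 1)   # link type 1 = Ethernet
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", 1592000000 + i, 0, len(frame), len(frame)) + frame
    return out


def read_pcap(data: bytes) -> Iterator[Tuple[int, bytes]]:
    """Yield (timestamp_seconds, frame) for each record, as tcpdump -r would."""
    magic = struct.unpack_from("<I", data, 0)[0]
    if magic in (0xA1B2C3D4, 0xA1B23C4D):          # little-endian, usec or nsec stamps
        endian = "<"
    elif magic in (0xD4C3B2A1, 0x4D3CB2A1):        # big-endian
        endian = ">"
    else:
        raise ValueError("not a classic pcap file (pcapng or truncated?)")
    linktype = struct.unpack_from(endian + "I", data, 20)[0]
    if linktype != 1:
        raise ValueError(f"this example only decodes Ethernet captures, got link type {linktype}")
    off = 24
    while off + 16 <= len(data):
        ts_sec, _frac, incl_len, _orig_len = struct.unpack_from(endian + "IIII", data, off)
        off += 16
        yield ts_sec, data[off:off + incl_len]
        off += incl_len


def decode_tcp(frame: bytes) -> Optional[TcpSegment]:
    """Return the TCP segment inside an Ethernet/IPv4 frame, or None for anything else."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        return None
    ihl = (frame[14] & 0x0F) * 4
    if frame[23] != 6:                              # IPv4 protocol field: 6 = TCP
        return None
    src = ".".join(map(str, frame[26:30]))
    dst = ".".join(map(str, frame[30:34]))
    tcp = frame[14 + ihl:]
    sport, dport = struct.unpack("!HH", tcp[:4])
    doff = (tcp[12] >> 4) * 4                       # data offset: where the payload starts
    return TcpSegment(src, sport, dst, dport, tcp[13], tcp[doff:])


def find_plaintext_credentials(pcap: bytes, port: int = 80) -> List[Tuple[str, str, str]]:
    """Programmatic `tcpdump -r FILE -A port 80` plus a grep for sensitive headers."""
    hits = []
    for _ts, frame in read_pcap(pcap):
        seg = decode_tcp(frame)
        if seg is None or port not in (seg.sport, seg.dport) or not seg.payload:
            continue                                # same selection as the BPF filter `port 80`
        head = seg.payload.split(b"\r\n\r\n", 1)[0]
        for line in head.split(b"\r\n")[1:]:        # skip the request line itself
            name, sep, value = line.partition(b":")
            if sep and name.strip().lower().decode("ascii", "replace") in SENSITIVE_HEADERS:
                flow = f"{seg.src}.{seg.sport} > {seg.dst}.{seg.dport}"
                hits.append((flow, name.decode("ascii", "replace"), value.strip().decode("ascii", "replace")))
    return hits


# Constructed sample capture: a plaintext HTTP request carrying a session cookie
# (the token value is made up), plus a TLS-looking segment on 443 that the filter ignores.
HTTP_REQUEST = (b"GET /account HTTP/1.1\r\nHost: www.example.com\r\n"
                b"Cookie: PHPSESSID=constructed-sample-token\r\n\r\n")
SAMPLE_PCAP = build_pcap([
    build_frame("192.168.0.114", 59509, "192.168.0.1", 80, 0x18, HTTP_REQUEST),          # PSH+ACK
    build_frame("192.168.0.114", 59510, "192.168.0.1", 443, 0x18, b"\x16\x03\x01\x00\x05hello"),
])

if __name__ == "__main__":
    print(find_plaintext_credentials(SAMPLE_PCAP))
```

Running the script reports one finding for the HTTP request and nothing for the TLS segment, which is the point of the filter. To use it on a real file, replace SAMPLE_PCAP with the bytes of a capture written by “-w”; captures taken on the Linux “any” device use a different link type and are rejected by read_pcap rather than misparsed.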

Conclusion

Tcpdump is a powerful packet analysis tool. Today, we looked at the basic usage of Tcpdump. For more information about the tool, and more functionality to explore, see Tcpdump’s manual page: https://www.tcpdump.org/manpages/tcpdump.1.html.

Written by

Vickie Li

Professional investigator of nerdy stuff. Hacks and secures. Creates god awful infographics. https://twitter.com/vickieli7
