tcpdump comes standard on Ubuntu servers and is an invaluable tool in determining traffic coming in and out of a host.
As network infrastructures have become more complex and security conscious, validating network flow from client hosts through potentially multiple proxies and ultimately to a destination host and port has become more important than ever.
Let me list a few of the more common use cases.
Basic Invocation
As a basic filter, we will always specify which network interface we want to capture traffic on, so the first command you usually want to run is a listing of all the available network interfaces.
# tcpdump -D
The most basic invocation would then be to capture all traffic coming from one of those interfaces (let’s say eth0), like:
# tcpdump -i eth0
Note that tcpdump only takes the first 96 bytes of the packet by default. If you want to take it all use the ‘-s0’ switch. And if you want to print the packet in ASCII or HEX, then you can use the -A or -X switch.
For example, just like the example above, this will capture all eth0 traffic, but this time in verbose mode with hex display of the full packet contents.
# tcpdump -i eth0 -vvXX -s0
Expressions
In addition to the various switches, tcpdump allows an evaluated expression as the final parameter that provides rich flexibility to filter the packets being captured. This expression is directly passed to the underlying libpcap library which does the actual packet capture.
# tcpdump [switches] [expression]
Using this expression, you can filter on various values including: source host, destination host, network CIDR, port, protocol type, tcp flags, and vlan. Let’s go through a few basic expressions below.
Packets between a remote host
If you are logged into a client host and want to validate both the incoming and outgoing packets from a remote host:
# tcpdump -i <interface> host <remoteAddress>
Packets coming from a remote host
If you are logged into a host, and want to validate the packets coming in from a remote host:
# tcpdump -i <interface> src host <remoteHost>
Packets coming into port
If you need to see all the packets coming into a particular port:
# tcpdump -i <interface> port <port>
Using the BPF syntax, these filter can even be combined to filter based on remote host and port (and,or,not):
# tcpdump -i <interface> src host <remoteHost> and port <port>
Packets sent to remote host and port
If we have a specific client communication to a remote host that we are trying to troubleshoot, we can capture that as well:
# tcpdump -i <interface> host <remoteHost> and port <destPort>
Advanced Filters
The filter syntax even allows looking at flags within the TCP packet for those who require it, such as showing only the ACK packets:
# tcpdump -i <interface> 'tcp[13] &16!=0'
Wireshark compatible
If you want to analyze the capture later with Wireshark, make sure to use the “-w” switch.
# tcpdump -i <interface> -s 65535 -w wireshark.cap
Problems capturing packets
If you do not see all the traffic you expect, read the FAQ here.
REFERENCES
http://www.tcpdump.org/faq.html
http://manpages.ubuntu.com/manpages/zesty/man8/tcpdump.8.html
http://linux-circles.blogspot.com/2012/11/how-to-capture-packets-with-tcpdump.html
http://www.tcpdump.org/manpages/pcap-filter.7.html
http://www.workrobot.com/sysadmin/security/tcpdump_expressions.html
https://support.rackspace.com/how-to/capturing-packets-with-tcpdump/
https://danielmiessler.com/study/tcpdump/#gs.1PiGzW4
vlan filter issues; https://www.snellman.net/blog/archive/2015-05-18-whats-wrong-with-pcap-filters/
http://www.slashroot.in/packet-capturing-tcpdump-command-linux
http://www.tecmint.com/12-tcpdump-commands-a-network-sniffer-tool/
Wireshark compatible tcpdump capture
middlewareinventory.com, how to capture GET and POST from tcpdump