How Tcpdump captures and analyzes packets
Tcpdump is a powerful network analysis tool, mainly used for network traffic analysis on Linux and macOS systems. Network administrators use it to capture and inspect TCP/IP packets, whether for sniffing a network segment or for routine monitoring. It relies on a library called "libpcap" to capture network traffic efficiently. Besides helping administrators identify and troubleshoot network problems, tcpdump is useful for monitoring network activity on a regular basis and checking network security. Captured packets can be written to a file in the "pcap" format, which can then be analyzed further with packet analysis tools such as Wireshark or with other command-line tools to gain insight into network traffic and communications.
In this guide, we will demonstrate how to install tcpdump on a Linux system and how to use it to capture and analyze TCP/IP packets.
How to install Tcpdump
Many Linux distributions come with tcpdump pre-installed. If it is not already installed on your system, you can easily install it from your distribution's package manager. On Ubuntu 22.04, install tcpdump with a single command:
$ sudo apt install tcpdump
To install tcpdump on Fedora/CentOS, use the following command:
$ sudo dnf install tcpdump
How to use Tcpdump command to capture packets
Press Ctrl+Alt+T to open a terminal; tcpdump must be run with sudo privileges to capture packets. tcpdump is a powerful tool that provides many options and filters for capturing TCP/IP packets. If you wish to capture all traffic on the current (default) network interface, simply run "tcpdump" without any additional options. This way you can monitor network traffic and analyze the content and origin of packets. Remember to handle captured packets with caution when using tcpdump, since they may contain sensitive information and capturing them may raise privacy concerns.
$ sudo tcpdump
The given command captures packets from the system's default network interface.
When you stop the command, tcpdump prints on the terminal the number of packets captured and the number of packets received by the filter.
Let's understand the output.
Tcpdump decodes TCP/IP packet headers. It displays one line per packet and keeps running until you press Ctrl+C to stop it.
Each line printed by tcpdump contains the following details:
- Timestamp (for example, 02:28:57.839523)
- Protocol (for example, IP)
- Source host name or IP address and port number
- Destination host name or IP address and port number
- TCP flags (for example, Flags [F.]), written as S (SYN), F (FIN), . (ACK), P (PUSH), R (RST)
- The sequence number range of the data in the packet (for example, seq 5829:6820)
- Acknowledgment number (for example, ack 1016)
- Window size (for example, win 65535), indicating the available bytes in the receive buffer, followed by the TCP options
- The length of the data payload (for example, length 991)
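As an added example (not part of the original tutorial), a small Python parser for the TCP summary lines described above: it splits each line into the fields listed, maps the flag letters to their names, and sums payload bytes per direction. The three sample lines are constructed for illustration, not captured from a real network.

```python
import re

# Constructed sample lines in the format tcpdump prints for TCP over IPv4
# (made up for illustration, not captured from a real network).
SAMPLE_LINES = [
    "02:28:57.100000 IP 192.168.1.10.52344 > 93.184.216.34.443: Flags [S], seq 1234567890, win 64240, options [mss 1460,sackOK,wscale 7], length 0",
    "02:28:57.839523 IP 192.168.1.10.52344 > 93.184.216.34.443: Flags [P.], seq 5829:6820, ack 1016, win 65535, length 991",
    "02:28:58.000001 IP 93.184.216.34.443 > 192.168.1.10.52344: Flags [F.], seq 1016, ack 6820, win 501, length 0",
]

# Flag letters as printed inside "Flags [...]"; "." stands for ACK.
FLAG_NAMES = {"S": "SYN", "F": "FIN", ".": "ACK", "P": "PUSH", "R": "RST"}

# timestamp, protocol, "src > dst:", the flags; everything after is free-form fields
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) (?P<proto>\S+) (?P<src>\S+) > (?P<dst>\S+): "
    r"Flags \[(?P<flags>[^\]]*)\](?P<rest>.*)$"
)

def split_endpoint(endpoint):
    """tcpdump joins host and port with a dot; the port (or service name) is the last part."""
    host, _, port = endpoint.rpartition(".")
    return host, port

def _num(rest, name):
    """Return the integer after a named field such as 'ack 1016', or None if absent."""
    m = re.search(rf"\b{name} (\d+)", rest)
    return int(m.group(1)) if m else None

def parse_line(line):
    """Parse one tcpdump TCP summary line into a dict; return None for other formats."""
    m = LINE_RE.match(line)
    if not m:
        return None
    seq = re.search(r"\bseq (\d+(?::\d+)?)", m["rest"])
    return {
        "timestamp": m["ts"], "proto": m["proto"],
        "src": split_endpoint(m["src"]), "dst": split_endpoint(m["dst"]),
        "flags": [FLAG_NAMES.get(c, c) for c in m["flags"]],
        "seq": seq.group(1) if seq else None,
        "ack": _num(m["rest"], "ack"), "win": _num(m["rest"], "win"),
        "length": _num(m["rest"], "length") or 0,
    }

def payload_by_direction(lines):
    """Sum payload bytes per (source, destination) pair to see which side sent data."""
    totals = {}
    for pkt in filter(None, map(parse_line, lines)):
        key = (".".join(pkt["src"]), ".".join(pkt["dst"]))
        totals[key] = totals.get(key, 0) + pkt["length"]
    return totals
```

Feeding it the saved text output of a capture (for example, `tcpdump -i enp0s3 port 22 > capture.txt`) shows at a glance which direction carried the payload.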
To list all network interfaces available on the system, use the "tcpdump" command with the "-D" option:
$ sudo tcpdump -D
or
$ sudo tcpdump --list-interfaces
This command lists all network interfaces that are connected or running on the Linux system.
Capture packets on a specific network interface
If you want to capture TCP/IP packets passing through a specific interface, use the "-i" flag with the "tcpdump" command and specify the network interface name:
$ sudo tcpdump -i lo
The given command captures traffic on the "lo" (loopback) interface. If you want to display packet details, use the "-v" flag. To print even more comprehensive details, use the "-vv" flag with the "tcpdump" command. Regular capture and analysis help maintain a strong and secure network environment.
Similarly, you can capture traffic on all interfaces at once with the special interface name "any":
$ sudo tcpdump -i any
Capture packets using a specific port
You can capture and filter packets by specifying the interface name and a port number. For example, to capture network packets passing through the "enp0s3" interface on port 22, use the following command:
$ sudo tcpdump -i enp0s3 port 22
The previous command captures all packets on the "enp0s3" interface whose source or destination port is 22.
Use Tcpdump to capture limited packets
You can use the "-c" flag with the "tcpdump" command to capture a specified number of packets and then stop. For example, to capture four packets on the "enp0s3" interface, use the following command:
$ sudo tcpdump -i enp0s3 -c 4
Replace the interface name with the one on your system.
Useful Tcpdump commands for capturing network traffic
Below, we have listed some useful "tcpdump" commands that will help you capture and filter network traffic efficiently:
Using the "tcpdump" command, you can capture packets on an interface filtered by a given destination IP (or, likewise, a source IP):
$ sudo tcpdump -i {interface-name} dst {destination-ip}
You can set the snapshot length (the number of bytes captured from each packet) to 65535 bytes with the "-s" option, instead of the default of 262144 bytes. In older versions of tcpdump, the default snapshot length was limited to 68 or 96 bytes.
$ sudo tcpdump -i enp0s3 -s 65535
How to save captured packets to a file
If you want to save the captured data to a file for further analysis, use the "-w" option: tcpdump then captures the traffic of the specified interface and writes it to a ".pcap" file instead of printing it on the terminal. Store the captured data to a file using the following command:
$ sudo tcpdump -i {interface-name} -s 65535 -w {file-name}.pcap
For example, with the "enp0s3" interface, save the captured data to the file "dump.pcap":
$ sudo tcpdump -i enp0s3 -w dump.pcap
Later, you can open this capture file in Wireshark or other network analysis tools. So, whenever you intend to analyze packets in Wireshark, use the "-w" option to save them to a ".pcap" file.
Conclusion
In this tutorial, we demonstrated how to use tcpdump to capture and analyze packets through different examples. We also learned how to save captured traffic to a ".pcap" file, which you can view and analyze using Wireshark and other network analysis tools.