Linux Commands

A Guide to Network Traffic Analysis Utility: TCPDUMP

Tcpdump is a network packet sniffing command-line utility. It is most commonly used for troubleshooting networks and testing security issues. Despite the absence of a graphical user interface, it’s the most popular, powerful, and versatile command-line utility.

It is native to Linux such that most of the Linux distributions install it as a part of the standard OS. Tcpdump is a libpcap interfaced program, which is a library for network datagram capture.

This article will demystify tcpdump by showing how to capture, read, and analyze captured network traffic in this utility. We will later use our understanding to inspect data packets with the advanced TCP flag filters.

Tcpdump Installation

Tcpdump default installation in your distro depends on the options selected during the installation process. In the case of custom installation, it’s possible that the package is not available. You can check tcpdump installation by using the dpkg command with the “-s” option.

ubuntu$ubuntu:~$ dpkg -s tcpdump

Or use the command “sudo apt-get install tcpdump” to install tcpdump in the Ubuntu Linux.

Capturing Packets in Tcpdump:

To begin the capture process, we first need to find our working interface using the “ifconfig” command. Or we can list all the available interfaces using the tcpdump command with the “-D” option.

ubuntu$ubuntu:~$ tcpdump -D

To begin the capture process, you can use the syntax;

tcpdump [-options] [expression]

For instance, in the command below, we use the “-i” option to capture traffic on the “enp0s3” interface, with a “-c” flag to limit the captured packets and write “-w” it to a test_capture.pcap file.

ubuntu$ubuntu:~$ sudo tcpdump -i enp0s3 -c 20 -w /tmp/test_capture.pcap

Similarly, you can use various filter combinations to isolate traffic as per your requirement. One such example includes capturing network data leaving and arriving at the host using the host command for a specific port. Moreover, I have used the “-n” flag to prevent tcpdump from capturing DNS lookups. This flag is very helpful in saturating traffic while troubleshooting the network.

ubuntu$ubuntu:~$ sudo tcpdump -i enp0s3 -c 20 host 10.0.2.15 and dst port 80 -w /tmp/test_capture1.pcap

tcpdump: listening on enp0s3, link-type EN10MB (Ethernet), capture size 262144 bytes

20 packets captured

21 packets received by filter

0 packets dropped by kernel

We use the “and” command to only capture packets containing host 10.0.2.15 and destination port 80. Similarly, various other filters can be applied to ease troubleshooting tasks.

If you do not want to use the “-c” flag to limit capture traffic, you can use an interrupt signal, i.e., Ctrl+C, to stop the isolation process.

Reading Tcpdump Files

Reading tcpdump captured files can be a lot overwhelming. By default, tcp assigns names to IP addresses and ports. We will use the “-r” flag to read our already captured file test_capture.pcap saved in the /tmp folder. We will pipe the output to awk command to only output the source IP address and ports and pipe it to the command head to only display the first 5 entries.

ubuntu$ubuntu:~$ sudo tcpdump -r /tmp/test_capture1.pcap | awk -F “ ” ‘print{$3}| head -5

reading from file /tmp/test_capture.pcap, link-type EN10MB (Ethernet)

IP ubuntu.53298

IP ubuntu.53298

IP ubuntu.53298

IP ubuntu.53298

IP ubuntu.53298

However, it is recommended to use IP addresses and ports in numbers to resolve networking issues. We will disable IP name resolution with the “-n” flag and port names with “-nn“.

ubuntu$ubuntu:~$ sudo tcpdump -i enp0s3 -n

tcpdump: verbose output suppressed, use -v or -vv for full protocol decode

listening on enp0s3, link-type EN10MB (Ethernet), capture size 262144 bytes

20:08:22.146354 IP 10.0.2.15.54080 > 172.67.39.148.443: Flags [P.], seq 1276027591:1276027630, ack 544039114, win 63900, length 39

20:08:22.146745 IP 10.0.2.15.43456 > 54.204.39.132.443: Flags [P.], seq 3381018839:3381018885, ack 543136109, win 65535, length 46

20:08:22.147506 IP 172.67.39.148.443 > 10.0.2.15.54080: Flags [.], ack 39, win 65535, length 0

20:08:22.147510 IP 54.204.39.132.443 > 10.0.2.15.43456: Flags [.], ack 46, win 65535, length 0

20:08:22.202346 IP 216.58.209.142.443 > 10.0.2.15.41050: Flags [P.], seq 502925703:502925826, ack 1203118935, win 65535, length 123

20:08:22.202868 IP 10.0.2.15.41050 > 216.58.209.142.443: Flags [P.], seq 1:40, ack 123, win 65535, length 39

Understanding Captured Output

Tcpdump captures many protocols, including UDP, TCP, ICMP, etc. It isn’t easy to cover all of them here. However, it’s important to understand how the information is displayed and what parameters it includes.

Tcpdump displays each packet in a line, with a timestamp and information with respect to the protocol. Generally, the format of a TCP protocol is as follows:

<timestamp> <protocol> <src ip>.<src port> > <dst ip>.<dst port>: <flags>, <seq>, <ack>, <win size>, <options>, <data length>

Let’s explain one of the captured packet fields by field:

20:08:22.146354 IP 10.0.2.15.54080 > 172.67.39.148.443: Flags [P.], seq 1276027591:1276027630, ack 544039114, win 63900, length 39
  • 20:08:22.146354: Timestamp of the captured packet
  • IP: Network layer protocol.
  • 10.0.2.15.54080: This field contains the source IP address and source port.
  • 172.67.39.148.443: This field represents the destination IP address and port number.
  • Flags[P.]/<flags>: The flags represent the connection state. In this case, [P.] indicates the PUSH acknowledgment packet. The flag field also includes some other values like:
    1. S: SYN
    2. P: PUSH
    3. [.]: ACK
    4. F: FIN
    5. [S.]: SYN_ACK
    6. R: RST
  • seq 1276027591:1276027630: The sequence number in the first: the last format denotes the number of data in the packet. Excluding the first packet where the numbers are in absolute, the subsequent packets have relative numbers. In this case, the numbers here mean that the packet contains data bytes from  1276027591 to 1276027630.
  • ack 544039114: The acknowledgment number depicts the next expected data sequence number.
  • win 63900: The window size depicts the number of available bytes in the received buffer.
  • length 39: Length of payload data, in bytes.

Advanced Filters

Now we can use some advanced heading filter options to display and analyze only data packets. In any TCP packet, the TCP flags begin from the 14th byte such that  PSH and ACK are represented by 4th and 5th bits.

We can use this information by turning on these bits 00011000 or 24 to display data packets with only PSH and ACK flags. We pass this number to tcpdump with the filter “tcp[13]=24“, note that the array index in TCP begins at zero.

We will filter out this packet from our text_capture.pcap file and use the -A option to display all the packet details for you.

Similarly, you can filter out some other flag packets using “tcp[13]=8” and “tcp[13]=2” for only PSH and SYN flags, etc.

ubuntu$ubuntu:~$ sudo tcpdump -A 'tcp[13]=24' -r /tmp/test_capture.pcap

reading from file /tmp/test_capture.pcap, link-type EN10MB (Ethernet)

19:26:17.827902 IP ubuntu.53298 > 32.121.122.34.bc.googleusercontent.com.http: Flags [P.], seq 4286571276:4286571363, ack 252096002, win 64240, length 87: HTTP: GET / HTTP/1.1

E...:?@.@.X.

..."zy .2.P........P.......GET / HTTP/1.1

Host: connectivity-check.ubuntu.com

Accept: */*

Connection: close

Conclusion

In this article, we have introduced you to some of the most important topics of tcpdump. Tcpdump, combined with the power of CLI, can be of great help in network troubleshooting, automation, and security management. Once studied and combined, its filters and command line options can contribute a lot to your day-to-day troubleshooting and automation tasks and overall understanding of the network.

About the author

Usama Azad

A security enthusiast who loves Terminal and Open Source. My area of expertise is Python, Linux (Debian), Bash, Penetration testing, and Firewalls. I’m born and raised in Wazirabad, Pakistan and currently doing Undergraduation from National University of Science and Technology (NUST). On Twitter i go by @UsamaAzad14