TCPDUMP Command Full Tutorial | Updated 2024

Introduction

In this post you will learn what tcpdump is and how to use its commands; the post is also available in video form, so check that out if you prefer.

To learn more about tcpdump [Click here]


What is tcpdump ❓

Tcpdump is a packet-capture and network-analysis tool, often used as an alternative to Wireshark. It has no GUI: it is driven entirely from the command line.

By default the tool uses the libpcap library to capture packets.

The tool was first released in 1988 and was developed by four people: Van Jacobson, Sally Floyd, Vern Paxson and Steven McCanne. It is written in the C language.

That's why I suggest my readers study the C language.


Useful tcpdump Options

In tcpdump, three options are the most important and most often used; they are listed below:

-D: list the available network interfaces

-c count: exit after receiving count packets

-i interface: listen on a particular network interface

Tcpdump command

Below is the full tcpdump command tutorial. I hope you like it; if you have any doubts, comment below or watch the YouTube video I made.

List Interfaces

Interfaces are simply the networks the machine is attached to. To list the available network interfaces, enter this command:

tcpdump -D


Default capture

To start capturing immediately, just enter tcpdump; it will start capturing packets on the default interface.

tcpdump


Capturing on a particular network interface

To capture packets on a particular network interface, use the -i option.

tcpdump -i eth0

tcpdump -i <Network>

Replace <Network> with the name of the interface you want to listen on.


Capturing a specific number of packets

Suppose you want to capture only 10 packets; then use the -c option.

tcpdump -i <Network> -c <packet number>

tcpdump -i eth0 -c 10

Here I am capturing 10 packets on eth0.

Verbose mode

Almost every tool has a verbose mode, and this option is very useful. Verbose mode prints more detail about each packet in a human-readable form.

If you pass -v to tcpdump you can see where the source IP is from, and also where the destination is.

tcpdump -i eth0 -c 10 -v


Printing packets in ASCII text

Printing packets as ASCII text in tcpdump is very useful: -A prints each packet's contents in ASCII, so plaintext data such as a request to www.google.com becomes readable.

Take a look at the screenshot below.

tcpdump -i eth0 -c 10 -A

Not converting IPs into domain names

If you don't want IP addresses converted to domain names, just add -nn; then you will see only IP addresses.

tcpdump -i eth0 -c 4 -nn

Port Filter

The port filter captures only packets to or from a specific port.

tcpdump -i <Network> -c <Packet numbers> port <port number>

tcpdump -i eth0 -c 5 port 80

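Once you combine -nn with a port filter, the output is uniform enough to summarise with standard tools. The following shell script is an added example, not code from the original post: it counts packets per destination port and counts bare SYN segments in tcpdump -nn style output. The sample lines are constructed to look like what tcpdump -nn -i eth0 prints (numeric addresses and ports, so port 53 stays 53 rather than becoming "domain"); the function names are my own.

```shell
#!/bin/sh
# Added example: summarise tcpdump -nn output with awk.
# The lines below are CONSTRUCTED to mimic "tcpdump -nn -i eth0" output;
# they were not produced by a real capture.
SAMPLE='12:00:01.000001 IP 192.168.1.10.51234 > 93.184.216.34.80: Flags [S], seq 100, win 64240, length 0
12:00:01.000200 IP 93.184.216.34.80 > 192.168.1.10.51234: Flags [S.], seq 200, ack 101, win 65535, length 0
12:00:01.000300 IP 192.168.1.10.51234 > 93.184.216.34.80: Flags [.], ack 1, win 502, length 0
12:00:02.000000 IP 192.168.1.10.40000 > 192.168.1.1.53: 12345+ A? example.com. (29)
12:00:02.000500 IP 192.168.1.1.53 > 192.168.1.10.40000: 12345 1/0/0 A 93.184.216.34 (45)
12:00:03.000000 IP 192.168.1.10.51235 > 93.184.216.34.80: Flags [S], seq 300, win 64240, length 0
12:00:04.000000 ARP, Request who-has 192.168.1.1 tell 192.168.1.10, length 28'

# count_dst_ports: read tcpdump -nn lines on stdin and print "port count"
# per destination port, sorted numerically. Only IP lines are considered;
# with -nn the destination field looks like "93.184.216.34.80:" and the
# port is the last dot-separated component.
count_dst_ports() {
  awk '$2 == "IP" {
         dst = $5; sub(/:$/, "", dst)
         n = split(dst, part, ".")
         count[part[n]]++
       }
       END { for (p in count) print p, count[p] }' | sort -n
}

# count_syn: number of TCP segments whose flags are exactly [S], i.e. new
# connection attempts. Many of these from one source to many ports in a
# short window is what a port scan looks like in a capture.
count_syn() {
  awk '$2 == "IP" && $7 == "[S]," { n++ } END { print n + 0 }'
}

# dst_port_count PORT: count for one destination port in the sample.
dst_port_count() {
  printf '%s\n' "$SAMPLE" | count_dst_ports | awk -v p="$1" '$1 == p { print $2 }'
}

# syn_count: SYN-only segments in the sample.
syn_count() {
  printf '%s\n' "$SAMPLE" | count_syn
}

printf '%s\n' "$SAMPLE" | count_dst_ports
echo "SYN-only segments: $(syn_count)"
```

On a live box you would replace the constructed SAMPLE with a pipeline such as `tcpdump -nn -i eth0 -c 100 port 80 | count_dst_ports`; with -nn the field positions stay the same, which is exactly why the awk logic relies on it.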

Packet filtering

Packet filtering is a really great feature, but I don't recommend doing this. With packet filtering, we can specify which packets to capture.

Suppose I want to capture only ARP; then I can specify arp in the filter expression and only ARP packets will be captured.

tcpdump -i eth0 -c 5 arp

Saving captured packets

To save the packets to a file, use the -w option and then specify the output file.

tcpdump -i eth0 -c 5 -w file.pcap

*The output format can be pcap or pcapng

View the saved file

To view the saved file, enter this command:

tcpdump -r <Filename>

tcpdump -r file.pcap

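Since a saved capture is just a file, it is worth checking that it really is one before passing it to tcpdump -r, especially when the file came from someone else. The shell helper below is an added example, not part of the original post: it identifies the format from the first four bytes (classic pcap with microsecond or nanosecond timestamps in either byte order, or pcapng) and refuses anything unrecognised or shorter than a pcap global header. The two sample capture files and the bogus file are constructed inline with printf; the function names are my own.

```shell
#!/bin/sh
# Added example: identify a capture file's format from its magic number
# before reading it with tcpdump -r. Sample files are CONSTRUCTED here;
# they are not real captures.

PCAP_DIR=$(mktemp -d)

# Classic pcap global header (little-endian): magic a1b2c3d4, version 2.4,
# thiszone 0, sigfigs 0, snaplen 65535, linktype 1 (Ethernet). 24 bytes.
printf '\324\303\262\241\002\000\004\000\000\000\000\000\000\000\000\000\377\377\000\000\001\000\000\000' \
  > "$PCAP_DIR/sample.pcap"

# pcapng Section Header Block: block type 0a0d0d0a, block length 28,
# byte-order magic 1a2b3c4d (little-endian), version 1.0, section length -1,
# trailing block length 28.
printf '\012\015\015\012\034\000\000\000\115\074\053\032\001\000\000\000\377\377\377\377\377\377\377\377\034\000\000\000' \
  > "$PCAP_DIR/sample.pcapng"

# A file that is not a capture at all (e.g. a renamed text file).
printf 'hello world\n' > "$PCAP_DIR/bogus.pcap"

# pcap_format FILE: print the capture format implied by the first 4 bytes.
pcap_format() {
  # od prints the raw bytes as hex; tr strips the separators.
  magic=$(od -An -tx1 -N4 "$1" | tr -d ' \n')
  case "$magic" in
    d4c3b2a1) echo "pcap (little-endian, microsecond timestamps)" ;;
    a1b2c3d4) echo "pcap (big-endian, microsecond timestamps)" ;;
    4d3cb2a1) echo "pcap (little-endian, nanosecond timestamps)" ;;
    a1b23c4d) echo "pcap (big-endian, nanosecond timestamps)" ;;
    0a0d0d0a) echo "pcapng" ;;
    *)        echo "unknown" ;;
  esac
}

# safe_read FILE: only hand the file to tcpdump -r when it looks like a
# capture and is at least as long as a pcap global header (24 bytes).
# Returns 0 if the file is acceptable, 1 otherwise.
safe_read() {
  fmt=$(pcap_format "$1")
  size=$(wc -c < "$1" | tr -d ' ')
  if [ "$fmt" = "unknown" ] || [ "$size" -lt 24 ]; then
    echo "refusing to read $1: $fmt, $size bytes" >&2
    return 1
  fi
  echo "$1 looks like $fmt; safe to read with tcpdump -r"
  # Uncomment to actually read the capture (needs tcpdump installed):
  # tcpdump -nn -r "$1"
  return 0
}

for f in "$PCAP_DIR"/*; do
  safe_read "$f" || true
done
```

The magic-number check is cheap and catches the common mistakes (an HTML error page saved as .pcap, a truncated transfer) before tcpdump tries to parse the file; it does not validate the per-packet records, which tcpdump -r itself will complain about.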

Dump mode

There are three levels of dump mode: -d, -dd and -ddd. Instead of capturing, they dump the compiled packet-matching code for the filter expression.

-d: dumps the compiled packet-matching code in a human-readable form.

-dd: dumps the packet-matching code as a C program fragment.

-ddd: dumps the packet-matching code as decimal numbers, preceded by a count.

tcpdump -i eth0 -c 5 -d
tcpdump -i eth0 -c 5 -dd
tcpdump -i eth0 -c 5 -ddd

Conclusion

In my opinion, tcpdump is a great tool, but I personally don't like the CLI and prefer Wireshark (GUI).

You can use tcpdump just for capturing, then load the capture into Wireshark and work there.

Some alternatives to tcpdump are dumpcap, tshark and Wireshark itself.
