tcpdump
Overview
tcpdump is a powerful command-line packet analyzer used to capture and inspect network traffic in real time. It is widely used by DevOps engineers, network administrators, and security professionals for troubleshooting, monitoring, and debugging network-related issues.
It works by intercepting packets flowing through a network interface and displaying them based on defined filters.
How tcpdump Works
Packet Capture Mechanism
tcpdump relies on the libpcap library to capture packets. The process involves:
1. Network Interface Access
   - tcpdump attaches to a network interface (e.g., `eth0`, `ens33`, `wlan0`).
2. Promiscuous Mode
   - By default, tcpdump puts the interface into promiscuous mode, so it captures every packet seen on the network segment, not just those addressed to the host.
3. Kernel-Level Filtering
   - Uses Berkeley Packet Filter (BPF) to filter packets efficiently in kernel space before they are copied to user space.
4. Packet Decoding
   - Captured packets are decoded and printed in a human-readable format.
Installation
Linux (Debian/Ubuntu)
```bash
sudo apt update
sudo apt install tcpdump
```
Linux (RHEL/CentOS)
```bash
sudo yum install tcpdump
```
macOS
```bash
brew install tcpdump
```
Basic Syntax
```bash
tcpdump [options] [filter expression]
```
Common Options
| Option | Description |
|---|---|
| `-i <interface>` | Specify network interface |
| `-c <count>` | Capture a specific number of packets |
| `-n` | Disable hostname resolution |
| `-nn` | Disable hostname and port resolution |
| `-v`, `-vv`, `-vvv` | Increase verbosity |
| `-X` | Show packet contents in hex and ASCII |
| `-A` | Display packet contents in ASCII |
| `-w <file>` | Write output to file |
| `-r <file>` | Read packets from file |
| `-s <snaplen>` | Set capture size |
| `-D` | List available interfaces |
Common Use Cases
1. Capture Packets on an Interface
```bash
tcpdump -i eth0
```
2. Capture a Limited Number of Packets
```bash
tcpdump -i eth0 -c 10
```
3. Disable Name Resolution (Faster Output)
```bash
tcpdump -nn -i eth0
```
4. Capture and Save to File
```bash
tcpdump -i eth0 -w capture.pcap
```
5. Read from a Capture File
```bash
tcpdump -r capture.pcap
```
Filtering with BPF (Berkeley Packet Filter)
Filters are the most powerful feature of tcpdump.
Basic Structure
```bash
tcpdump [options] 'filter expression'
```
Filter Types
Host Filter
```bash
tcpdump host 192.168.1.1
```
Source/Destination Filter
```bash
tcpdump src 192.168.1.1
tcpdump dst 192.168.1.1
```
Port Filter
```bash
tcpdump port 80
tcpdump src port 443
tcpdump dst port 22
```
Protocol Filter
```bash
tcpdump tcp
tcpdump udp
tcpdump icmp
```
Network Filter
```bash
tcpdump net 192.168.1.0/24
```
Combining Filters
Logical Operators
| Operator | Meaning |
|---|---|
| `and` | Both conditions must match |
| `or` | Either condition matches |
| `not` | Negates the condition |
Examples
```bash
tcpdump tcp and port 80
tcpdump host 192.168.1.1 and port 22
tcpdump not port 22
# Quote expressions that contain parentheses so the shell passes them through unchanged
tcpdump 'tcp and (port 80 or port 443)'
```
Packet Output Interpretation
Example output:
```
14:32:10.123456 IP 192.168.1.10.54321 > 93.184.216.34.80: Flags [S], seq 123456, win 65535
```
Breakdown
| Field | Description |
|---|---|
| Timestamp | Packet capture time |
| Protocol | IP, ARP, etc. |
| Source | Source IP and port |
| Destination | Destination IP and port |
| Flags | TCP flags (SYN, ACK, FIN, etc.) |
| seq | Sequence number |
| win | Window size |
TCP Flags
| Flag | Meaning |
|---|---|
| SYN | Connection initiation |
| ACK | Acknowledgment |
| FIN | Connection termination |
| RST | Reset connection |
| PSH | Push data immediately |
| URG | Urgent data |
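As an added example that is not part of this page or of tcpdump itself, the following Python parser reads the default TCP line format shown above, maps tcpdump's one-letter flag codes (`S`, `.`, `F`, `R`, `P`, `U`) to the names in the table, and applies it to constructed sample lines to flag a source sending bare SYNs to many ports on one host. The regex, function names and sample lines are assumptions for this example and target `-nn` style output with numeric IPv4 hosts and ports.

```python
import re
from collections import defaultdict

# Regex for the default tcpdump TCP line shown above: timestamp, "IP",
# src.port > dst.port, Flags [...], then seq/ack/win. Constructed for this
# example; it assumes -nn style output with numeric IPv4 hosts and ports.
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) IP "
    r"(?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+): "
    r"Flags \[(?P<flags>[^\]]*)\]"
)

# tcpdump's one-letter flag codes mapped to the names in the table above.
FLAG_NAMES = {"S": "SYN", ".": "ACK", "F": "FIN", "R": "RST", "P": "PSH", "U": "URG"}

def parse_line(line):
    """Parse one tcpdump TCP line into a dict; return None for other lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["sport"], rec["dport"] = int(rec["sport"]), int(rec["dport"])
    rec["flags"] = {FLAG_NAMES.get(c, c) for c in rec["flags"]}
    return rec

def syn_scan_sources(lines, min_ports=4):
    """Return {(src, dst): ports} where src sent bare SYNs to at least
    min_ports distinct ports on dst. Many bare SYNs fanning out across ports
    from one source is a port-scan pattern worth alerting on."""
    ports = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["flags"] == {"SYN"}:
            ports[(rec["src"], rec["dst"])].add(rec["dport"])
    return {pair: sorted(p) for pair, p in ports.items() if len(p) >= min_ports}

# Constructed sample output (not real traffic): one normal handshake, then
# one host sending bare SYNs to several ports on another, which replies RST.
SAMPLE = """\
14:32:10.123456 IP 192.168.1.10.54321 > 93.184.216.34.80: Flags [S], seq 123456, win 65535
14:32:10.150000 IP 93.184.216.34.80 > 192.168.1.10.54321: Flags [S.], seq 99, ack 123457, win 29200
14:32:10.150200 IP 192.168.1.10.54321 > 93.184.216.34.80: Flags [.], ack 100, win 65535
14:32:11.000001 IP 10.0.0.5.40001 > 192.168.1.20.22: Flags [S], seq 1, win 1024
14:32:11.000002 IP 10.0.0.5.40002 > 192.168.1.20.80: Flags [S], seq 1, win 1024
14:32:11.000003 IP 10.0.0.5.40003 > 192.168.1.20.443: Flags [S], seq 1, win 1024
14:32:11.000004 IP 10.0.0.5.40004 > 192.168.1.20.3389: Flags [S], seq 1, win 1024
14:32:11.000005 IP 192.168.1.20.22 > 10.0.0.5.40001: Flags [R.], seq 0, ack 2, win 0
"""
```

Feed it live output with `tcpdump -nn -i eth0 tcp | python3 script.py` style piping, or a saved capture replayed through `tcpdump -nn -r capture.pcap`.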
Advanced Usage
1. Capture HTTP Traffic
```bash
tcpdump -i eth0 -A port 80
```
2. Capture HTTPS Traffic (Metadata Only)
```bash
tcpdump -i eth0 port 443
```
3. Capture DNS Queries
```bash
tcpdump -i eth0 port 53
```
4. Capture Traffic Between Two Hosts
```bash
tcpdump host 192.168.1.1 and 192.168.1.2
```
5. Capture Large Packets Fully
```bash
tcpdump -i eth0 -s 0
```
Writing and Analyzing PCAP Files
Capture to File
```bash
tcpdump -i eth0 -w traffic.pcap
```
Analyze with tcpdump
```bash
tcpdump -r traffic.pcap
```
Integration with Wireshark
- Export `.pcap` files and analyze them using GUI tools like Wireshark.
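As an added example that is not part of this page or the tcpdump project, here is a Python reader for the classic libpcap file format that `tcpdump -w` writes (a 24-byte global header, then a 16-byte header in front of every packet), together with a small builder used only to construct sample data inline. The `truncated` field compares captured length with on-wire length, which is exactly what a capture with a small `-s` snaplen produces; the function names and sample frames are assumptions for this example.

```python
import struct

GLOBAL_HDR = "IHHiIII"  # magic, major, minor, thiszone, sigfigs, snaplen, linktype
RECORD_HDR = "IIII"     # ts_sec, ts_usec, incl_len (captured), orig_len (on wire)
HDR_FIELDS = ("magic", "major", "minor", "thiszone", "sigfigs", "snaplen", "linktype")

def parse_pcap(data):
    """Parse a classic libpcap file (what tcpdump -w writes) into its global
    header and a list of records; byte order is taken from the magic number."""
    if data[:4] == b"\xd4\xc3\xb2\xa1":
        end = "<"          # written by a little-endian host (x86)
    elif data[:4] == b"\xa1\xb2\xc3\xd4":
        end = ">"          # written by a big-endian host
    else:
        raise ValueError("not a classic pcap file (pcapng, nanosecond variant, or corrupt?)")
    header = dict(zip(HDR_FIELDS, struct.unpack(end + GLOBAL_HDR, data[:24])))
    records, off = [], 24
    while off + 16 <= len(data):
        ts_sec, ts_usec, incl_len, orig_len = struct.unpack(end + RECORD_HDR, data[off:off + 16])
        off += 16
        if off + incl_len > len(data):
            raise ValueError("truncated record at offset %d" % off)
        records.append({
            "time": ts_sec + ts_usec / 1e6,
            "captured": incl_len,
            "on_wire": orig_len,
            "truncated": incl_len < orig_len,  # snaplen cut this packet short
            "data": data[off:off + incl_len],
        })
        off += incl_len
    return header, records

def build_pcap(packets, snaplen=96):
    """Build a little-endian pcap byte string from (timestamp, frame) pairs,
    truncating each frame to snaplen the way a capture with -s would."""
    out = struct.pack("<" + GLOBAL_HDR, 0xA1B2C3D4, 2, 4, 0, 0, snaplen, 1)  # linktype 1 = Ethernet
    for ts, frame in packets:
        kept = frame[:snaplen]
        usec = int(round((ts - int(ts)) * 1e6))
        out += struct.pack("<" + RECORD_HDR, int(ts), usec, len(kept), len(frame))
        out += kept
    return out

# Constructed sample: two frames, the second longer than the 96-byte snaplen
SAMPLE_PCAP = build_pcap([(1700000000.5, b"\x00" * 60), (1700000001.25, b"\xff" * 200)])
```

Pass the bytes of a real capture (`open("traffic.pcap", "rb").read()`) to `parse_pcap` to check the snaplen a file was taken with and how many of its packets were cut short.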
Performance Considerations
- Use `-n` or `-nn` to reduce DNS lookups.
- Apply filters to minimize captured data.
- Avoid capturing full packets unless necessary (`-s 0`).
- Use `-c` to limit capture size.
Security and Permissions
- Requires root or sudo privileges:
```bash
sudo tcpdump -i eth0
```
- Be cautious when capturing sensitive data (credentials, tokens).
Troubleshooting Scenarios
1. Debugging Connectivity Issues
```bash
tcpdump -i eth0 host <target-ip>
```
2. Checking Open Ports
```bash
tcpdump -i eth0 tcp port 22
```
3. Investigating Packet Loss
- Look for retransmissions and duplicate ACKs.
4. Diagnosing DNS Problems
```bash
tcpdump -i eth0 port 53
```
Best Practices
- Always filter traffic to reduce noise.
- Capture only what is necessary.
- Store captures securely.
- Use rotation when capturing long sessions (the `strftime` pattern in the file name is only expanded when `-G` is given; here a new file is started every 3600 seconds):
```bash
tcpdump -i eth0 -G 3600 -w file_%Y%m%d%H%M%S.pcap
```
Limitations
- Cannot decrypt encrypted traffic (e.g., HTTPS).
- High traffic environments may drop packets.
- Output can become overwhelming without filters.
Alternatives and Complementary Tools
- `tshark` (CLI version of Wireshark)
- `wireshark` (GUI packet analyzer)
- `ngrep` (network grep tool)
- `iftop` / `nload` (bandwidth monitoring)
Summary
tcpdump is an essential tool in a DevOps engineer’s toolkit for low-level network inspection. Mastery of filtering, efficient capture strategies, and output interpretation enables effective debugging and monitoring of complex distributed systems.