How to Use tcpdump
Tcpdump is a widely used command-line tool that allows you to capture and analyze network traffic. It is a powerful tool for network administrators, security researchers, and anyone working with computer networks. In this article, we will provide a beginner’s guide to using tcpdump.
First, you need to install tcpdump on your system. Tcpdump is available for most Unix-like operating systems, including Linux, macOS, and FreeBSD, and is usually installed through the system’s package manager. On a Debian-based system such as Ubuntu, for example, open a terminal window and type the following command:
$ sudo apt install tcpdump
Once tcpdump is installed, you can start capturing network traffic by running the following command:
$ sudo tcpdump -i interface
In this command, “interface” is the name of the network interface you want to capture traffic on. For example, if you want to capture traffic on the eth0 interface, the command would be:
$ sudo tcpdump -i eth0
By default, tcpdump will capture all network traffic on the specified interface. This includes both incoming and outgoing traffic. To narrow the capture to packets from a particular source address or to a particular destination address, add a filter expression using the “src” or “dst” qualifiers. For example, to capture only incoming traffic from a specific IP address, use the following command:
$ sudo tcpdump -i eth0 src 192.168.1.2
Similarly, to capture only outgoing traffic to a specific IP address, use the following command:
$ sudo tcpdump -i eth0 dst 192.168.1.2
Tcpdump also allows you to filter traffic based on various criteria such as protocol, port number, packet length, etc. For example, if you want to capture only HTTP traffic, use the following command:
$ sudo tcpdump -i eth0 tcp port 80
In this command, “tcp” is the protocol (you can also use “udp” or “icmp”), and “80” is the port number for HTTP.
Once tcpdump is capturing traffic, you can view the packets in real time as they are captured. Alternatively, you can save the captured packets to a file for later analysis. To save packets to a file, use the “-w” option followed by the name of the file. For example, the following command will capture traffic on the eth0 interface and save it to a file called “capture.pcap”:
$ sudo tcpdump -i eth0 -w capture.pcap
To view the captured packets, you can use a packet analyzer tool such as Wireshark. Wireshark allows you to view and analyze network traffic in detail, including protocol-specific details such as HTTP headers, DNS queries, etc.
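As an added example (not part of the original article), the following Python script shows what a file written by “tcpdump -w” contains and what the “src”, “dst” and “tcp port” filters above mean at the packet level: it builds a small pcap file from constructed Ethernet/IPv4/TCP frames, reads it back, and applies the same matching rules. The addresses, ports and frames are sample values constructed for the example.

```python
import struct

# libpcap layout written by "tcpdump -w": a 24-byte global header, then a
# 16-byte record header (ts_sec, ts_usec, incl_len, orig_len) per packet.
# Assumptions: native byte order, microsecond timestamps, Ethernet link type.
PCAP_MAGIC = 0xA1B2C3D4   # a full reader also accepts the byte-swapped 0xD4C3B2A1
LINKTYPE_ETHERNET = 1

def build_frame(src_ip, dst_ip, sport, dport):
    """Constructed Ethernet/IPv4/TCP SYN frame with no payload (sample data)."""
    eth = b"\x02" * 12 + b"\x08\x00"                 # dst MAC, src MAC, EtherType IPv4
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 1, 0x4000, 64, 6, 0,
                     bytes(map(int, src_ip.split("."))),
                     bytes(map(int, dst_ip.split("."))))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, 0x02, 65535, 0, 0)
    return eth + ip + tcp

def build_pcap(frames):
    """Serialise frames the way tcpdump -w would (checksums left at zero)."""
    data = struct.pack("=IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for i, frame in enumerate(frames):
        data += struct.pack("=IIII", 1_700_000_000 + i, 0, len(frame), len(frame)) + frame
    return data

def parse_pcap(data):
    """Return (src, dst, sport, dport) for every IPv4/TCP frame in the capture."""
    if struct.unpack_from("=I", data, 0)[0] != PCAP_MAGIC:
        raise ValueError("unsupported pcap magic")
    offset, packets = 24, []
    while offset + 16 <= len(data):
        _ts_sec, _ts_usec, incl_len, _orig_len = struct.unpack_from("=IIII", data, offset)
        frame = data[offset + 16:offset + 16 + incl_len]
        offset += 16 + incl_len
        if len(frame) < 54 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
            continue                                  # not IPv4 carrying TCP
        ihl = (frame[14] & 0x0F) * 4                  # IPv4 header length in bytes
        src = ".".join(map(str, frame[26:30]))
        dst = ".".join(map(str, frame[30:34]))
        sport, dport = struct.unpack_from("!HH", frame, 14 + ihl)
        packets.append((src, dst, sport, dport))
    return packets

def matches(pkt, host=None, direction=None, port=None):
    """Mirror the article's filters: 'src HOST', 'dst HOST' and 'tcp port N'."""
    src, dst, sport, dport = pkt
    if (direction == "src" and src != host) or (direction == "dst" and dst != host):
        return False
    return port is None or port in (sport, dport)
```

Feeding the output of build_pcap to parse_pcap and filtering with matches(pkt, "192.168.1.2", "src") selects exactly the packets that “tcpdump src 192.168.1.2” would have printed, while matches(pkt, port=80) corresponds to “tcp port 80” in either direction.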