Wireshark alternative ➡️ tcpdump (Linux)
- Shone Pious
- Sep 1, 2023
- 4 min read
Updated: Sep 29, 2023

What is tcpdump?
tcpdump is a command-line alternative to Wireshark that runs natively on Linux and other Unix-like systems.
It is not as feature-rich as Wireshark, but it is lightweight and fast at capturing and printing packets, which is why many network admins and security professionals reach for it for quick analysis.
Being a command-line tool, it can be run on remote servers (for example over SSH) to troubleshoot networks where no GUI is available. The resulting .pcap files can then be analysed in Wireshark later.
Most Linux distributions ship tcpdump or package it, so your distro may already have it installed.
To check, type which tcpdump; the path to the binary is printed if it is on the system.

Installation
To install it on a Debian-based distribution such as Kali or Ubuntu, open a terminal and type ➡️
sudo apt-get install tcpdump
Then type your password when prompted. sudo stands for ‘superuser do’ and runs the command with root privileges.
The packet capture library libpcap (the library tcpdump uses to capture packets) must also be on the system.
apt installs it as a dependency during the install.
To get more information on the tool, type ➡️
man tcpdump
to display the manual page.

Usage
To see which interfaces are available to capture packets on, run the command ➡️
tcpdump --list-interfaces
(the short form is -D).

The pseudo-interface any captures on all interfaces at once, so we can use that.
Capturing from the network requires root privileges, hence sudo. Run the command ➡️
sudo tcpdump --interface any
Press Ctrl-C to stop the capture.

In this instance, I interrupted the process after capturing almost 3000 packets.
You can disable hostname resolution with -n; -nn additionally disables port and protocol name resolution (so you see 443 rather than https).
tcpdump can also be limited to a given number of packets with the -c <count> flag, after which it stops on its own.
This makes it easier to quickly troubleshoot networks.
With -n, tcpdump does not perform a reverse DNS lookup for every address it prints, so output appears faster, the load on the DNS servers is lower, and the lookups do not add their own DNS traffic to the network (or to the capture).

Saving captures to a file
Saving captures to a file is useful when there are too many packets to read as they scroll by: let the program run and, once it terminates, analyse the results from the file whenever you want.
To save captures to a file, use the -w flag (for ‘write’) followed by the output file name. Note that -w writes the raw packets, not the text output, so nothing is printed to the terminal for each packet.

The file extension .pcap stands for packet capture; the format is understood by any packet capture tool, so the file can be opened with whatever software you prefer. On the Kali Linux desktop, a .pcap file opens in Wireshark by default.
Verbose output
The -v flag stands for verbose output and makes tcpdump print more detail about each packet (TTL, IP ID, total length, checksum status and so on). When writing to a file with -w, adding -v also shows a running count of packets captured so far.
For example, the Got 14 message shown in the original screenshot is that counter: 14 packets had been captured at that point.

Reading file in terminal
The -r flag reads a saved capture file and prints it in the terminal, in the same format as a live capture.

Alternatively, opening the .pcap file in Wireshark gives you the full GUI for analysing the results.

Filtering output
Filtering by destination IP
You can filter the output in the terminal by appending a filter expression to the command.
For example, to show only packets sent to a particular destination IP, type ➡️
tcpdump -r <file_name> dst <IP address>
I removed the sudo prefix as we are no longer capturing packets from the network.

You can also filter by source IP using the src keyword. Type ➡️
tcpdump -r <file_name> src <IP address>

Filtering by protocol
You can filter the output for particular protocols that you want to look out for.
Just type the tcpdump command and add the protocol name at the end.
For example, to capture only ICMP packets, type ➡️
sudo tcpdump -i any -c5 icmp
The --interface flag can be shortened to -i.

Start another terminal and ping whatever host you want. I pinged 8.8.8.8 (Google).
ICMP (Internet Control Message Protocol) is the protocol hosts and routers use to send error and diagnostic messages; the echo request and echo reply messages that ping sends and receives are ICMP.


Filtering by host
You can filter captures by host using the host keyword, which matches packets where the host is either the source or the destination. Type ➡️
sudo tcpdump -i any -c5 host <host_name>
A host name is resolved to its IP address(es) when the filter is compiled, so it still works together with -n.
Again, I started another terminal and pinged bbc.com to get the connection working.



Filtering by port
You can filter the output by port using the port keyword and the port number you want to filter for. Type ➡️
sudo tcpdump -i any -c5 port 443
This command filters for packets with 443 as either the source or the destination port; 443 is the default port for HTTPS.

Expressions
Filter primitives can be combined with and, or and not (with parentheses for grouping) into expressions that narrow the results even further. They can be simple or complex.
To filter for packets from source IP 143.244.38.136 on port 443,
type ➡️
sudo tcpdump -i any -c5 src 143.244.38.136 and port 443

To filter for packets to destination host wireshark on port 443 OR port 1023, type ➡️
sudo tcpdump -i any -c5 "dst wireshark and (port 443 or port 1023)"
The quotes are needed because the shell would otherwise try to interpret the parentheses. Note that port 443 and port 1023 would only match a packet that carries both ports at once, which is why the expression uses or.
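The .pcap format that -w writes and -r reads, and the filter primitives from the filtering sections above (dst, src, host, port, icmp, and, or), shown end to end in a Python script. This is an added example written for this post, not code from the original or from the tcpdump project: it builds a capture from constructed packets (the addresses 192.168.1.10, 8.8.8.8, 143.244.38.136 and 10.0.0.5, the dummy MAC addresses, timestamps and port numbers are all assumed), writes it in the classic pcap layout, parses it back and applies the equivalent filters. The IPv4 header checksum is computed properly; the ICMP and TCP checksums are left at zero, so tcpdump -v will report them as bad.

```python
"""Write a .pcap from constructed packets, read it back, apply tcpdump-style filters.
Added example for this post; all packets, addresses and MACs are constructed."""
import socket
import struct

PCAP_MAGIC = 0xA1B2C3D4          # classic pcap with microsecond timestamps
LINKTYPE_ETHERNET = 1            # link type tcpdump records for Ethernet captures
PROTO = {"icmp": 1, "tcp": 6, "udp": 17}   # IPv4 protocol numbers


def ipv4_checksum(header: bytes) -> int:
    """RFC 1071 one's-complement sum over an IPv4 header (checksum field zeroed)."""
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_frame(src_ip: str, dst_ip: str, proto: int, payload: bytes) -> bytes:
    """Ethernet II + 20-byte IPv4 header (no options) + payload; MACs are dummies."""
    eth = bytes.fromhex("020000000002") + bytes.fromhex("020000000001") + b"\x08\x00"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0x1234, 0, 64,
                     proto, 0, socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    ip = ip[:10] + struct.pack("!H", ipv4_checksum(ip)) + ip[12:]
    return eth + ip + payload


def icmp_echo(icmp_type: int, seq: int) -> bytes:
    """ICMP echo request (type 8) or reply (type 0); checksum left zero for brevity."""
    return struct.pack("!BBHHH", icmp_type, 0, 0, 0x0001, seq) + b"ping!"


def tcp_syn(sport: int, dport: int) -> bytes:
    """Minimal 20-byte TCP header with only SYN set; checksum left zero for brevity."""
    return struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, 0x02, 65535, 0, 0)


def write_pcap(frames) -> bytes:
    """Serialise frames as a little-endian pcap file, the layout `tcpdump -w` produces."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for i, frame in enumerate(frames):   # record header: ts_sec, ts_usec, incl_len, orig_len
        out += struct.pack("<IIII", 1_700_000_000 + i, 0, len(frame), len(frame)) + frame
    return out


def read_pcap(data: bytes) -> list:
    """Parse a classic pcap file (either byte order) into one dict per IPv4 packet."""
    if data[:4] == struct.pack("<I", PCAP_MAGIC):
        end = "<"
    elif data[:4] == struct.pack(">I", PCAP_MAGIC):
        end = ">"
    else:
        raise ValueError("not a classic pcap file (pcapng is not handled here)")
    if struct.unpack(end + "I", data[20:24])[0] != LINKTYPE_ETHERNET:
        raise ValueError("only Ethernet captures are handled here")
    packets, off = [], 24
    while off + 16 <= len(data):
        ts_sec, ts_usec, incl_len, _ = struct.unpack(end + "IIII", data[off:off + 16])
        frame = data[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        if frame[12:14] != b"\x08\x00":          # EtherType is not IPv4 (ARP, IPv6 ...): skip
            continue
        ihl = (frame[14] & 0x0F) * 4               # IPv4 header length in bytes
        pkt = {"ts": ts_sec + ts_usec / 1e6, "proto": frame[23],
               "src": socket.inet_ntoa(frame[26:30]), "dst": socket.inet_ntoa(frame[30:34]),
               "sport": None, "dport": None}
        if pkt["proto"] in (PROTO["tcp"], PROTO["udp"]):   # ports sit at the same offset in both
            pkt["sport"], pkt["dport"] = struct.unpack("!HH", frame[14 + ihl:18 + ihl])
        packets.append(pkt)
    return packets


# Predicates mirroring tcpdump's filter primitives and the and/or operators.
def src(ip):     return lambda p: p["src"] == ip
def dst(ip):     return lambda p: p["dst"] == ip
def host(ip):    return lambda p: ip in (p["src"], p["dst"])      # either direction
def port(n):     return lambda p: n in (p["sport"], p["dport"])   # either end
def proto(name): return lambda p: p["proto"] == PROTO[name]
def and_(*fs):   return lambda p: all(f(p) for f in fs)
def or_(*fs):    return lambda p: any(f(p) for f in fs)


def apply_filter(pcap_bytes: bytes, pred) -> list:
    """Equivalent of `tcpdump -r file <expression>`: the packets matching pred."""
    return [p for p in read_pcap(pcap_bytes) if pred(p)]


def demo_capture() -> bytes:
    """Constructed capture: a ping exchange with 8.8.8.8 plus two TCP connection attempts."""
    me, dns, web, other = "192.168.1.10", "8.8.8.8", "143.244.38.136", "10.0.0.5"
    return write_pcap([
        ipv4_frame(me, dns, PROTO["icmp"], icmp_echo(8, 1)),      # echo request
        ipv4_frame(dns, me, PROTO["icmp"], icmp_echo(0, 1)),      # echo reply
        ipv4_frame(me, web, PROTO["tcp"], tcp_syn(51000, 443)),   # to an HTTPS port
        ipv4_frame(web, me, PROTO["tcp"], tcp_syn(443, 51000)),   # stand-in for the reply
        ipv4_frame(me, other, PROTO["tcp"], tcp_syn(51001, 1023)),
    ])


if __name__ == "__main__":
    cap = demo_capture()
    with open("demo.pcap", "wb") as f:   # inspect with: tcpdump -nn -r demo.pcap
        f.write(cap)
    print(len(apply_filter(cap, and_(src("143.244.38.136"), port(443)))))             # 1
    print(len(apply_filter(cap, and_(dst("192.168.1.10"), or_(port(443), port(1023))))))  # 1
    print(len(apply_filter(cap, and_(port(443), port(1023)))))                          # 0
```

Run it to get demo.pcap, then compare its output with tcpdump -nn -r demo.pcap 'src 143.244.38.136 and port 443' to confirm both tools agree. The last filter in the script is the and versus or point from the expression above: port 443 and port 1023 matches nothing in this capture because no single packet carries both ports, while the or form matches the reply from port 443.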

The end?
This blog only goes through the basics of tcpdump and barely touches on its vast capabilities.
If you want to learn more about this command-line alternative to Wireshark, visit the tcpdump website at https://www.tcpdump.org.