Packet Analyzer

7/23/2019 Packet Analyzer

Packet Analyzer: 15 TCPDUMP Command Examples

The tcpdump command is also called a packet analyzer.

The tcpdump command will work on most flavors of the unix operating system. tcpdump allows us to save the packets that are captured, so that we can use them for future analysis. The saved file can be viewed with the same tcpdump command. We can also use open source software like wireshark to read the tcpdump pcap files.

In this tcpdump tutorial, let us discuss some practical examples of how to use the tcpdump command.

1. Capture packets from a particular ethernet interface using tcpdump -i

When you execute the tcpdump command without any option, it will capture all the packets flowing through all the interfaces. The -i option of the tcpdump command allows you to restrict the capture to a particular ethernet interface.

$ tcpdump -i eth1
14:59:26.608728 IP xx.domain.netbcp.net.52497 > valh4.lell.net.ssh: . ack 540 win 16554
14:59:26.610602 IP resolver.lell.net.domain > valh4.lell.net.24151: 4278 1/0/0 (73)
14:59:26.611262 IP valh4.lell.net.38527 > resolver.lell.net.domain: 26364+ PTR? 244.207.104.10.in-addr.arpa. (45)

In this example, tcpdump captured all the packets flowing through the interface eth1 and displayed them on the standard output.

Note: The Editcap utility is used to select or remove specific packets from a dump file and translate them into a given format.

http://www.thegeekstuff.com/2009/02/editcap-guide-11-examples-to-handle-network-packet-dumps-effectively/

2. Capture only N number of packets using tcpdump -c

When you execute the tcpdump command, it keeps printing packets until you cancel the tcpdump command. Using the -c option you can specify the number of packets to capture.

$ tcpdump -c 2 -i eth0
listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
14:38:38.184913 IP valh4.lell.net.ssh > yy.domain.innetbcp.net.11006: P 1457255642:1457255758(116) ack 1561463966 win 63652
14:38:38.690919 IP valh4.lell.net.ssh > yy.domain.innetbcp.net.11006: P 116:232(116) ack 1 win 63652
2 packets captured
13 packets received by filter
0 packets dropped by kernel

    T$e a&o"e tcpdump command captured only * packets !rom inter!ace et$,.

    Note:Mer#ecap and T-$ark: Mer#ecap is a packet dump com&inin# tool% $ic$ ill

    com&ine multiple dumps into a sin#le dump !ile. Ts$ark is a poer!ul tool to capture

    netork packets% $ic$ can &e used to analyze t$e netork tra!!ic. (t comes it$

    ires$ark netork analyzer distri&ution.

    . Display Captured Packets in A-C(( usin# tcpdump )A

    T$e !olloin# tcpdump syntax prints t$e packet in A-C((.

    $ tcpdump - -i eth0

    tcpdump: e%bo"e output "upp%e""ed/ u"e - o% - o% u!! p%otoco! decode

    http://www.thegeekstuff.com/2009/03/mergecap-and-tshark-merge-packet-dumps-and-analyze-network-traffic/http://www.thegeekstuff.com/2009/03/mergecap-and-tshark-merge-packet-dumps-and-analyze-network-traffic/

    !i"tenin on eth0/ !in#-tpe 103 'the%net)/ captu%e "ie 96 bte"

    14:(4:50.91(995 IP a!h4.!e!!.net.""h > .domain.innetbcp.net.11006: P

    14572(9478:14572(9594'116) ac# 1561461262 in 6(652

    ..........i...9...;.=..?....

    [email protected]*B.......C.

    14:(4:51.42(640 IP a!h4.!e!!.net.""h > .domain.innetbcp.net.11006: P 116:2(2'116)

    ac# 1 in 6(652

    ........A..i...9...;.

(The example that prints packets in hex and ASCII is cut off in this copy; only these output lines survive.)

0x0030: 407 c976 0000 0000 0000 0000 ..........
18:52:54.877713 IP 10.0.0.0 > all-systems.mcast.net: igmp query v3 [max resp time 1s]
0x0000: 0050 569c 35a3 0000 0000 0000 0800 4600 .P


6. Reading the packets from a saved file using tcpdump -r

You can read a captured pcap file and view the packets for analysis, as shown below.

$ tcpdump -tttt -r data.pcap
2010-08-22 21:35:26.571793 00:50:56:9c:69:38 (oui Unknown) > Broadcast, ethertype Unknown (0xcafe), length 74:
0x0000: 0200 000a 0000 0c00 3c00 0000 ............<...
0x0010: 0000 0000 0100 0080 3e9e 2900 0000 0000 ........>.).....
0x0020: 0000 0000 ad00 996b 0600 0050 ...........k...P
0x0030: 569c 6938 0000 0000 8e07 0000
[...] IP valh4.lell.net.ssh > yy.domain.innetbcp.net.50570: P 800464396:800464448(52) ack 203316566 win 71
2010-08-22 21:35:26.571800 IP valh4.lell.net.ssh > yy.domain.innetbcp.net.50570: P 52:168(116) ack 1 win 71
2010-08-22 21:35:26.584865 IP valh5.lell.net.ssh > 11.154.12.255.netbios-ns: NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST

7. Capture packets with IP address using tcpdump -n

In all the above examples, tcpdump printed packets with the DNS name of each host, not its IP address. The following example captures the packets and displays the IP addresses of the machines involved.

$ tcpdump -n -i eth0


15:01:35.170763 IP 10.0.19.121.52497 > 11.154.12.121.ssh: P 105:157(52) ack 18060 win 16549
15:01:35.170776 IP 11.154.12.121.ssh > 10.0.19.121.52497: P 23988:24136(148) ack 157 win 113
15:01:35.170894 IP 11.154.12.121.ssh > 10.0.19.121.52497: P 24136:24380(244) ack 157 win 113

8. Capture packets with a proper readable timestamp using tcpdump -tttt

$ tcpdump -n -tttt -i eth0

2010-08-22 15:10:39.162830 IP 10.0.19.121.52497 > 11.154.12.121.ssh: . ack 49800 win 16390
2010-08-22 15:10:39.162833 IP 10.0.19.121.52497 > 11.154.12.121.ssh: . ack 50288 win 16660
2010-08-22 15:10:39.162867 IP 10.0.19.121.52497 > 11.154.12.121.ssh: . ack 50584 win 16586

9. Read packets longer than N bytes

You can receive only the packets greater than n number of bytes by using the filter "greater" with the tcpdump command:

$ tcpdump -w g_1024.pcap greater 1024


    1,. 3ecei"e only t$e packets o! a speci!ic protocol type

    4ou can recei"e t$e packets &ased on t$e protocol type. 4ou can speci!y one o! t$ese

    protocols !ddi% tr% lan% ip% ip2% arp% rarp% decnet% tcp and udp. T$e !olloin#

    example captures only arp packets !loin# t$rou#$ t$e et$, inter!ace.

    $ tcpdump -i eth0 a%p

    tcpdump: e%bo"e output "upp%e""ed/ u"e - o% - o% u!! p%otoco! decode

    !i"tenin on eth0/ !in#-tpe 103 'the%net)/ captu%e "ie 96 bte"

    19:41:52.809642 a%p ho-ha" a!h5.!e!!.net te!! a!h9.!e!!.net

    19:41:52.86(689 a%p ho-ha" 11.154.12.1 te!! a!h6.!e!!.net

    19:41:5(.024769 a%p ho-ha" 11.154.12.1 te!! a!h7.!e!!.net

11. Read packets shorter than N bytes

You can receive only the packets smaller than n number of bytes by using the filter "less" with the tcpdump command:

$ tcpdump -w l_1024.pcap less 1024
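As an added example (not code from the original article), here is a minimal Python reader for the pcap file format that tcpdump -w writes and tcpdump -r reads (examples 6, 9 and 11), used to apply the "greater" and "less" length filters to a constructed file. One caveat worth knowing: in pcap-filter syntax "greater N" means len >= N and "less N" means len <= N, so a packet of exactly 1024 bytes matches both commands above; the helper names and the sample frames are my own.

```python
import struct

# pcap layout written by "tcpdump -w" and read by "tcpdump -r": a 24-byte global
# header, then per-packet records of a 16-byte header plus the captured bytes.
PCAP_MAGIC_USEC = 0xA1B2C3D4   # timestamps in seconds + microseconds
PCAP_MAGIC_NSEC = 0xA1B23C4D   # timestamps in seconds + nanoseconds

def read_pcap(data):
    """Yield (timestamp, wire_length, captured_bytes) for every record."""
    if len(data) < 24:
        raise ValueError("truncated pcap global header")
    for endian in ("<", ">"):                      # magic reveals byte order
        magic = struct.unpack(endian + "I", data[:4])[0]
        if magic in (PCAP_MAGIC_USEC, PCAP_MAGIC_NSEC):
            break
    else:
        raise ValueError("not a pcap file")
    divisor = 1e9 if magic == PCAP_MAGIC_NSEC else 1e6
    snaplen = struct.unpack(endian + "I", data[16:20])[0]
    off = 24
    while off + 16 <= len(data):
        ts_sec, ts_frac, incl_len, orig_len = struct.unpack(endian + "IIII", data[off:off + 16])
        off += 16
        if incl_len > snaplen or off + incl_len > len(data):
            raise ValueError("corrupt record at offset %d" % (off - 16))
        yield ts_sec + ts_frac / divisor, orig_len, data[off:off + incl_len]
        off += incl_len

def write_pcap(records, snaplen=96):
    """Build a little-endian pcap (link type 1 = Ethernet) from (timestamp, frame) pairs."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC_USEC, 2, 4, 0, 0, snaplen, 1)
    for ts, frame in records:
        kept = frame[:snaplen]                     # truncate to snaplen, like tcpdump
        out += struct.pack("<IIII", int(ts), int(round((ts % 1) * 1e6)), len(kept), len(frame))
        out += kept
    return out

def greater(data, n):
    """tcpdump's "greater N" is len >= N, judged on the wire length."""
    return [r for r in read_pcap(data) if r[1] >= n]

def less(data, n):
    return [r for r in read_pcap(data) if r[1] <= n]   # "less N" is len <= N

# Constructed sample: three frames of 60, 1024 and 1500 bytes on the wire, of
# which only the first 96 bytes of each are stored (the capture size used above).
SAMPLE = write_pcap([(1282489826.5, b"\xaa" * 60), (1282489826.6, b"\xbb" * 1024),
                     (1282489826.7, b"\xcc" * 1500)])
```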

    1*. 3ecei"e packets !los on a particular port usin# tcpdump port

    (! you ant to kno all t$e packets recei"ed &y a particular port on a mac$ine% you

    can use tcpdump command as s$on &elo.

    $ tcpdump -i eth0 po%t 22

19:44:44.934459 IP valh4.lell.net.ssh > yy.domain.innetbcp.net.63897: P 18932:19096(164) ack 105 win 71
19:44:44.934533 IP valh4.lell.net.ssh > yy.domain.innetbcp.net.63897: P 19096:19260(164) ack 105 win 71
19:44:44.934612 IP valh4.lell.net.ssh > yy.domain.innetbcp.net.63897: P 19260:19424(164) ack 105 win 71

13. Capture packets for a particular destination IP and port

Every packet carries source and destination IP addresses and port numbers. Using tcpdump we can apply filters on the source or destination IP and port number. The following command captures the packets flowing through eth0 with a particular destination ip and port number 22.

$ tcpdump -w xpackets.pcap -i eth0 dst 10.181.140.216 and port 22

14. Capture TCP communication packets between two hosts

If two different processes on two different machines are communicating over the tcp protocol, we can capture those packets using tcpdump as shown below.

$ tcpdump -w comm.pcap -i eth0 dst 16.181.170.246 and port 22

You can open the file comm.pcap using any network protocol analyzer tool to debug any potential issues.

15. tcpdump Filter Packets - Capture all the packets other than arp and rarp

In the tcpdump command, you can combine conditions with 'and', 'or' and 'not' to filter the packets accordingly.

$ tcpdump -i eth0 not arp and not rarp


20:33:15.479278 IP resolver.lell.net.domain > valh4.lell.net.64639: 26929 1/0/0 (73)
20:33:15.479890 IP valh4.lell.net.16053 > resolver.lell.net.domain: 56556+ PTR? 255.107.154.15.in-addr.arpa. (45)
20:33:15.480197 IP valh4.lell.net.ssh > yy.domain.innetbcp.net.63897: P 540:1504(964) ack 1 win 96
20:33:15.487118 IP yy.domain.innetbcp.net.63897 > valh4.lell.net.ssh: . ack 540 win 16486
20:33:15.668599 IP 10.0.0.0 > all-systems.mcast.net: igmp query v3 [max resp time 1s]
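The filter primitives of examples 12, 13 and 15 (port, dst, and, not) applied in Python to lines in the shape of tcpdump's one-line summary output, so that a saved text log can be sifted the same way a live capture is. This is an added example, not the article's code; the sample lines are constructed in the format of "tcpdump -nn -tttt" output (numeric hosts and ports), and the Packet class, regexes and helper names are my own.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed lines in the shape of "tcpdump -nn -tttt" output (numeric hosts and
# ports); they are modelled on this tutorial's listings, not taken from a capture.
SAMPLE = """\
2010-08-22 15:10:39.162830 IP 10.0.19.121.52497 > 11.154.12.121.22: . ack 49800 win 16390
2010-08-22 15:10:39.162833 IP 11.154.12.121.22 > 10.0.19.121.52497: P 50288:50388(100) ack 1 win 16660
2010-08-22 15:10:39.162867 IP 10.0.19.121.38527 > 11.154.12.1.53: 26364+ PTR? 1.12.154.11.in-addr.arpa. (45)
2010-08-22 15:10:39.170000 arp who-has 11.154.12.1 tell 11.154.12.121
"""

LINE_RE = re.compile(r"^(?P<ts>\S+ \S+) (?P<proto>IP|arp) (?P<rest>.*)$")
IP_RE = re.compile(r"^(?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+): ")

@dataclass
class Packet:
    ts: str
    proto: str                    # "IP" or "arp"
    src: Optional[str] = None
    sport: Optional[int] = None
    dst: Optional[str] = None
    dport: Optional[int] = None

def parse_line(line):
    """Turn one summary line into a Packet, or None for lines of another shape."""
    m = LINE_RE.match(line)
    if not m:
        return None
    pkt = Packet(ts=m["ts"], proto=m["proto"])
    ip = IP_RE.match(m["rest"]) if pkt.proto == "IP" else None
    if ip:
        pkt.src, pkt.sport = ip["src"], int(ip["sport"])
        pkt.dst, pkt.dport = ip["dst"], int(ip["dport"])
    return pkt

def parse(text):
    return [p for p in map(parse_line, text.splitlines()) if p]

# Python counterparts of the pcap-filter primitives used in this tutorial.
def port(n):     return lambda p: n in (p.sport, p.dport)   # either direction
def dst(host):   return lambda p: p.dst == host
def proto(name): return lambda p: p.proto == name
def not_(f):     return lambda p: not f(p)
def and_(*fs):   return lambda p: all(f(p) for f in fs)

def select(text, flt):
    return [p for p in parse(text) if flt(p)]   # matching packets, in capture order
```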