This utility is a useful tool for intercepting and collecting packets coming to and from the server.

TCPDump installation

For Ubuntu/Debian:

apt install tcpdump

For Red Hat / CentOS:

sudo yum install tcpdump

Command arguments

Usage

In order not to clog our dump with unwanted packets, you should choose the specific interface from which you want to collect information rather than all of them. You can view a list of all interfaces with this command:

tcpdump -D

To display the packets on our network interface in real time, use the command:

tcpdump -i ens3

Don’t forget that TCPDump requires root privileges, so you should run these commands as root or by using sudo.

After running the command we will see many scrolling lines; to stop the dump, use the key combination Ctrl + C.

To see more information about each packet, use the argument -v:

tcpdump -i ens3 -v

Filtering argument

An equally powerful feature is the filter expression, an additional argument that lets us select packets by parameters such as destination, source, size and port:

For example, we can view all packets that go from our server to a given destination address:

tcpdump dst 192.168.1.1

Conversely, all packets sent to our server from a source subnet (you can also use a specific IP address, as in the example above):

tcpdump src net 192.168.1.1/24

You can use arguments to find packets of a particular size:

tcpdump less 48      # packets of 48 bytes or less
tcpdump greater 128  # packets of 128 bytes or more

Let’s say you have several Garry’s Mod servers on different ports and you want to check whether they are currently under a DDoS attack. The following command will do the job:

tcpdump -nnv -w garrysmod.dump udp src portrange 27015-27025

Note the port range specified in the filter (options such as -w go before the filter expression).

The -w option writes the captured packets to the file garrysmod.dump instead of printing them to the screen.
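Once a capture like the one above has been written, the question is which sources are hammering the game ports. The shell function below, an added example that is not part of the original article, reads text output in the format that `tcpdump -nn` prints (here a constructed sample embedded in the script, not a real capture), counts UDP packets per source IP aimed at a destination port range, and reports every source that exceeds a threshold. The function name `flood_sources`, the port range and the threshold values are assumptions chosen for the example; the same pipeline works on `tcpdump -nn -r garrysmod.dump` output.

```shell
#!/bin/sh
# Constructed sample of `tcpdump -nn` text output (hypothetical addresses, not a real capture).
SAMPLE='12:00:01.000001 IP 203.0.113.5.51234 > 198.51.100.10.27015: UDP, length 25
12:00:01.000101 IP 203.0.113.5.51234 > 198.51.100.10.27015: UDP, length 25
12:00:01.000201 IP 203.0.113.5.51234 > 198.51.100.10.27016: UDP, length 25
12:00:01.000301 IP 203.0.113.5.51234 > 198.51.100.10.27015: UDP, length 25
12:00:01.000401 IP 192.0.2.77.40000 > 198.51.100.10.27015: UDP, length 60
12:00:01.000501 IP 192.0.2.77.40000 > 198.51.100.10.22: Flags [S], seq 1, win 64240, length 0
12:00:01.000601 IP 198.51.100.10.27015 > 192.0.2.77.40000: UDP, length 120'

# flood_sources LO HI THRESHOLD
# Reads tcpdump -nn lines on stdin and prints "count src_ip", busiest first,
# for every source that sent more than THRESHOLD UDP packets to ports LO..HI.
flood_sources() {
  awk -v lo="$1" -v hi="$2" -v thr="$3" '
    # Only IPv4 UDP lines: field 2 is "IP", field 6 is "UDP," in tcpdump -nn output.
    $2 == "IP" && $6 == "UDP," {
      src = $3; sub(/\.[0-9]+$/, "", src)      # strip the source port from "ip.port"
      dst = $5; sub(/:$/, "", dst)             # drop the trailing colon
      n = split(dst, parts, "."); dport = parts[n] + 0
      if (dport >= lo && dport <= hi) count[src]++
    }
    END { for (s in count) if (count[s] > thr) print count[s], s }
  ' | sort -rn
}

# Stand-alone usage: sources with more than 3 packets to the Garry's Mod port range.
printf '%s\n' "$SAMPLE" | flood_sources 27015 27025 3
```

On a real capture, replace the sample with `tcpdump -nn -r garrysmod.dump | flood_sources 27015 27025 1000`; the threshold depends on the normal per-source rate of your servers, so measure it on a quiet day before relying on the number.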

Extended operators

In addition, TCPDump has logical operators (and, or, not) for combining filter arguments.

Suppose we want to print all the MySQL traffic that 192.168.1.1 sends to port 3306 (on any destination address):

tcpdump -nnv src 192.168.1.1 and tcp dst port 3306

Conclusion

Thanks for reading! We have taken a detailed look at TCPDump, a very useful tool that is an integral part of a network engineer's work and is also useful for ordinary users.

On Windows you can use the Wireshark program to read the captured packets.
