TCPDump – Traffic Capture & Analysis

Description of the tool:

TCPdump is a command-line tool that prints a description and the contents of the packets seen on a network interface that match a boolean filter expression. The tool can also be run with different flags that change how it behaves.

Without previous configuration, TCPdump runs with the -c flag as default and captures all the packets until it is interrupted by a stopping signal.

Installation:

The tool can be installed from the terminal applying the following command:

apt-get install tcpdump

Using TCPdump:

Once the tool is installed we can use its different commands to capture the traffic that goes through an interface. First, we can use the following command to visualize the flags available for the tool:

Now we can use the tool to select an interface and explore the packets that come into it. But first we must know the name of the interface; to find it, we apply the following command:

Now that we know the name of our interface, we can use TCPdump to capture the packets handled by that interface with the following command:

sudo tcpdump -i enp0s3

As can be seen in the picture above, the traffic coming from that interface can be visualized using the -i flag along with tcpdump. We can also select the source of the packets by applying the following command:

sudo tcpdump -i enp0s3 src 192.168.0.117

Note: The IP address serves as a local demonstration, but you can select any IP connected to your network.

In this way we can lock in and specify the type of traffic we want to analyze, as can be seen in the picture above.

We can also use tcpdump to capture the packets for an entire segment of the network by selecting destination IP addresses together with source addresses. This can be done by typing the following command:

sudo tcpdump -i enp0s3 -v dst 192.168.0.107 and src 192.168.0.1

Note: This command example is performed within local parameters, so the IP addresses may change:
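The two filtered captures above (src only, and dst and src combined) produce the same one-line-per-packet output that an unfiltered capture does, only narrowed. As an added example that is not part of the original post, the following Python script parses that default one-line IPv4 output format and applies the same src/dst selection in code, so the result of a capture can be summarized (for instance, which hosts sent the most packets) instead of being read by eye. The sample lines are constructed for this example; the addresses reuse the post's local addresses plus a made-up DNS answer, and the script assumes tcpdump's default text format where the port follows the last dot of each address.

```python
import re
from collections import Counter

# tcpdump's default one-line IPv4 summary looks like:
#   12:34:56.789012 IP 192.168.0.117.45678 > 192.168.0.107.80: Flags [S], seq 0, win 64240, length 0
# The port is printed after the last dot of each address.
IP_LINE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) IP "
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3})\.(?P<sport>\d+) > "
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3})\.(?P<dport>\d+): (?P<info>.*)$"
)
LENGTH = re.compile(r"length (\d+)")

# Constructed sample output (not a real capture): a TCP handshake between the
# post's two hosts, one ARP request, and two DNS answers from the gateway.
SAMPLE = """\
12:34:56.100000 IP 192.168.0.117.45678 > 192.168.0.107.80: Flags [S], seq 1000, win 64240, length 0
12:34:56.100500 IP 192.168.0.107.80 > 192.168.0.117.45678: Flags [S.], seq 2000, ack 1001, win 65160, length 0
12:34:56.101000 IP 192.168.0.117.45678 > 192.168.0.107.80: Flags [P.], seq 1001:1078, ack 2001, win 502, length 77
12:34:56.200000 ARP, Request who-has 192.168.0.1 tell 192.168.0.117, length 28
12:34:56.300000 IP 192.168.0.1.53 > 192.168.0.107.51234: 1234 1/0/0 A 93.184.216.34 (48)
12:34:56.400000 IP 192.168.0.1.53 > 192.168.0.117.51235: 1235 1/0/0 A 93.184.216.34 (48)
""".splitlines()


def parse_line(line):
    """Return a dict for an IPv4 summary line, or None for other formats (ARP, IPv6, ...)."""
    m = IP_LINE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["sport"] = int(rec["sport"])
    rec["dport"] = int(rec["dport"])
    # Payload length is only printed for some protocols (TCP here, not the DNS lines).
    lm = LENGTH.search(rec["info"])
    rec["length"] = int(lm.group(1)) if lm else None
    return rec


def matches(rec, src=None, dst=None):
    """Mirror the post's filters: 'src X' and 'dst Y and src X' (every given term must match)."""
    if src is not None and rec["src"] != src:
        return False
    if dst is not None and rec["dst"] != dst:
        return False
    return True


def filter_capture(lines, src=None, dst=None):
    """Parse all lines, drop non-IPv4 ones, and keep records matching the given src/dst."""
    recs = [r for r in (parse_line(l) for l in lines) if r is not None]
    return [r for r in recs if matches(r, src=src, dst=dst)]


def talkers(recs):
    """Count packets per source address, a quick view of who is generating traffic."""
    return Counter(r["src"] for r in recs)


if __name__ == "__main__":
    # Equivalent of: tcpdump -i enp0s3 src 192.168.0.117
    for r in filter_capture(SAMPLE, src="192.168.0.117"):
        print(r["ts"], r["src"], r["sport"], "->", r["dst"], r["dport"], "len", r["length"])
    # Equivalent of: tcpdump -i enp0s3 dst 192.168.0.107 and src 192.168.0.1
    print(filter_capture(SAMPLE, dst="192.168.0.107", src="192.168.0.1"))
    print(talkers(filter_capture(SAMPLE)))
```

To run it against a real capture, pipe the output of a command from the post into the script, for example tcpdump -n -l -i enp0s3 | python3 parse_tcpdump.py, reading sys.stdin instead of SAMPLE; -n keeps addresses numeric so the regex sees IPs rather than resolved names, and -l makes tcpdump flush each line immediately.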

Conclusion:

TCPdump is a helpful tool for capturing traffic on specific interfaces, and it can be used along with Wireshark to explore the different packets that are sent within the network.

This post was written by Jose Calderon
