This utility is a useful tool for capturing and collecting packets arriving at and departing from a server.

Installation of TCPDump

For Ubuntu/Debian

sudo apt install tcpdump

For Red Hat/CentOS

sudo yum install tcpdump

Command Arguments

-c: Terminates packet collection after reaching a set count.
-C: Sets the maximum dump file size; a new file is created when the limit is reached.
-e: Displays connection-level information for each processed packet.
-F: Reads packets from a specified file rather than an interface.
-f: Displays the domain name for each IP address.
-G: Creates a new dump file after a specified time interval.
-H: Sets a restriction where TCPDump processes only 802.11s headers.
-i: Specifies the interface from which packets will be collected. To use all server interfaces, specify any.
-I: Enables monitoring mode for the specified interface (for detecting all passing packets).
-E: Used for decrypting IPSEC traffic (requires a decryption key).
-K: Disables packet checksum verification.
-L: Displays supported connection protocols for the specified interface.
-n: Skips domain names in the dump.
-nn: Displays addresses along with their ports.
-q: Minimizes the output information about packets.
-tttt: Displays timestamps for each packet in the standard format.
-v, -vv, -vvv: Provides more detailed packet information.
-Z: Specifies the system user under whose name the dump file will be created.
-w: Specifies the file name where the dump will be saved (by default, without this argument, the dump is displayed in real-time without saving to a file).

Usage

To avoid cluttering the dump with unnecessary packets, select a specific interface from which you want to gather information rather than all of them. You can view a list of all interfaces with the following command:

tcpdump -D

On our virtual servers (VDS), the primary network interface is ens3. To display logs for our network interface in real-time, use the following command:

tcpdump -i ens3

Keep in mind that TCPDump requires superuser privileges, so these commands should be executed as the root user or with the sudo command.

After running the command, you will see many scrolling lines of output. To stop the dump, use the Ctrl + C key combination.

The collected data packets have a structure similar to this:

22:31:56.330185 IP fsn.spacecore.network.65383 > fsn.spacecore.network.ssh: Flags [P.], seq 7841:7905, ack 10730080, win 6145, length 64


However, the internals of the packet may differ when different protocols are used.

Let's try to see more detailed information about the packets using the -v argument:

tcpdump -i ens3 -v

Now our packets have a more extensive structure, such as:

22:36:42.254306 IP (tos 0x0, ttl 122, id 61139, offset 0, flags [DF], proto TCP (6), length 104) fsn.spacecore.network.65383 > fsn.spacecore.network.ssh: Flags [P.], cksum 0x2699 (correct), seq 321:385, ack 1027616, win 6141, length 64


In this case, more detailed information from the IP header is visible:

IP (tos 0x0, ttl 122, id 61139, offset 0, flags [DF], proto TCP (6), length 104)

Filter Arguments

Equally powerful are additional arguments that allow filtering different packet types based on various parameters:

host: Hostname.
ip: IP address.
port: Port.
proto: Protocol.
net: Address of a specific network or subnet.
src: Source.
dst: Destination.


Available protocols include: tcp, udp, icmp, arp, rarp, decnet, etc. These arguments can also be combined with each other.

For example, you can view all packets sent from your server to the target address:

tcpdump dst 192.168.1.1

Or vice versa, all packets sent to your server from the source subnet (you can also use a specific IP address, as shown above):

tcpdump src net 192.168.1.1/24

To search for packets of a specific size, you can use arguments like:

tcpdump less 48  # packets no longer than 48 bytes
tcpdump greater 128  # packets no shorter than 128 bytes

Suppose you have several Garry's Mod servers on different ports, and you want to check if a DDoS attack is currently underway. In that case, you can use the command:

tcpdump -nnv udp src portrange 27015-27025 -w garrysmod.dump

Pay attention to the specified port range. Thanks to the -w argument, the dump will be collected in the garrysmod.dump file.
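As an added example that is not part of the original page, the following Python script reads the text form of the capture above (tcpdump -nn output rather than the -w binary dump) and reports sources whose per-second packet rate toward the game ports exceeds a threshold. The sample lines, the addresses and the 50 packets-per-second threshold are constructed assumptions for illustration.

```python
import re
from collections import Counter, defaultdict

# Matches the per-packet line tcpdump -nn prints for UDP traffic, e.g.
# 22:40:01.123456 IP 203.0.113.7.51234 > 192.0.2.10.27015: UDP, length 25
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2})\.\d+ IP "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): UDP, length (?P<len>\d+)"
)

def parse_udp_lines(lines):
    """Yield (second, src, dport, length) for every line that parses as a UDP packet."""
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            yield m["ts"], m["src"], int(m["dport"]), int(m["len"])

def flood_sources(lines, ports=range(27015, 27026), pps_threshold=50):
    """Count packets per (second, source) on the game ports and return a dict
    of source -> peak packets/second for sources that exceed pps_threshold."""
    per_second = defaultdict(Counter)
    for ts, src, dport, _ in parse_udp_lines(lines):
        if dport in ports:
            per_second[ts][src] += 1
    suspects = {}
    for counter in per_second.values():
        for src, n in counter.items():
            if n > pps_threshold:
                suspects[src] = max(suspects.get(src, 0), n)
    return suspects

# Constructed sample (assumed addresses): one source sends 60 packets within one
# second, a legitimate client sends 3, and one packet goes to a non-game port.
SAMPLE = (
    [f"22:40:01.{i:06d} IP 203.0.113.7.{40000 + i} > 192.0.2.10.27015: UDP, length 25"
     for i in range(60)]
    + [f"22:40:01.{i:06d} IP 198.51.100.5.51000 > 192.0.2.10.27016: UDP, length 30"
       for i in range(3)]
    + ["22:40:02.000100 IP 203.0.113.7.40001 > 192.0.2.10.80: UDP, length 25"]
)

if __name__ == "__main__":
    # Expected: {'203.0.113.7': 60}
    print(flood_sources(SAMPLE))
```

On a live host the same function can be fed `sys.stdin` from a tcpdump -nn pipeline; tune the threshold to the normal query rate of your servers before acting on the result.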

Advanced Operators

In addition to everything mentioned above, TCPDump provides operators for creating various combinations of arguments:

and or && (logical "AND" operator)
or or || (logical "OR" operator)
not or ! (logical "NOT" operator)


For example, if we want to display all MySQL query traffic sent by 192.168.1.1 to port 3306 (to any address):

tcpdump -nnv src 192.168.1.1 and tcp dst port 3306

To read captured packets on Windows, you can use the Wireshark program.