tcpdump Examples – 55 Commands for Network Packet Analysis
文章介绍了tcpdump的强大功能及其在实时网络流量捕获与分析中的应用。通过55个实例展示了基本语法、高级过滤技巧及文件操作等实用功能,并强调其在网络安全、故障排除和网络行为分析中的重要性。 2025-6-25 13:40:11 Author: www.blackmoreops.com(查看原文) 阅读量:10 收藏

tcpdump examples showcase the power of command-line packet analysis for network professionals. This comprehensive guide demonstrates 55 practical commands for capturing and analysing network traffic, from basic packet capture to advanced filtering techniques used by hackers, cybersecurity professionals and network administrators alike.

55 tcpdump example Linux Commands for Packet Capture and analysis

55 tcpdump example Linux Commands for Packet Capture and analysis

Understanding tcpdump Fundamentals

tcpdump serves as the premier command-line packet analyser for Unix-like systems. Network administrators and security professionals rely on these tcpdump examples to capture and inspect network traffic in real-time. Whether you’re troubleshooting connectivity issues, monitoring security threats, or analysing application behaviour, mastering tcpdump examples proves invaluable for technical roles.

The beauty of tcpdump lies in its combination of power and simplicity. Unlike graphical tools like nmap, tcpdump operates entirely from the command line, making it perfect for remote administration and automated monitoring scripts. This lightweight approach allows you to analyse network traffic on systems with minimal resources.

Basic Syntax and Structure

Every tcpdump command follows a consistent pattern that makes learning the tool straightforward:

tcpdump [options] [expression]

The options modify tcpdump’s behaviour, such as specifying which network interface to monitor or determining the output format. Expressions define what type of traffic to capture, allowing you to specify hostnames, IP addresses, ports, protocols, and other filtering criteria.

Before diving into specific examples, understanding how to identify available network interfaces helps ensure you’re monitoring the correct traffic:

tcpdump -D

This command lists all available network interfaces on your system, displaying both their names and descriptions.

Essential Traffic Capture Techniques

Capturing Traffic on Specific Interfaces

To monitor all traffic on a particular interface, use the -i flag followed by the interface name:

tcpdump -i eth0

For wireless interfaces, simply substitute the appropriate interface name:

tcpdump -i wlan0

Host-Based Traffic Filtering

Capturing traffic to or from specific hosts forms the foundation of targeted network analysis. Use the host keyword to monitor all traffic associated with a particular IP address or hostname:

tcpdump host 192.168.1.100

This captures both incoming and outgoing traffic for the specified host. For domain names, tcpdump automatically resolves them to IP addresses:

tcpdump host example.com

Port-Specific Traffic Monitoring

Network services operate on specific ports, making port-based filtering essential for application troubleshooting. Monitor traffic on any port using:

tcpdump port 80

Common ports you’ll frequently monitor include:

  • Port 80 (HTTP)
  • Port 443 (HTTPS)
  • Port 22 (SSH)
  • Port 21 (FTP)
  • Port 25 (SMTP)
  • Port 53 (DNS)

Advanced Filtering Capabilities

Combining Multiple Filters

tcpdump examples become more powerful when combining filters using logical operators. The and, or, and not operators enable precise traffic isolation:

tcpdump host 192.168.1.100 and port 80

For more complex scenarios, use parentheses to group conditions:

tcpdump src host 192.168.1.100 and \( port 80 or port 443 \)

Protocol-Based Filtering

Filter traffic by protocol to focus on specific types of network communication:

tcpdump tcp
tcpdump udp
tcpdump icmp

Directional Traffic Analysis

Understanding traffic flow direction helps identify communication patterns. Use src and dst keywords to filter by source or destination:

tcpdump src host 192.168.1.100
tcpdump dst port 443

Network Range Filtering

Monitor entire network segments using CIDR notation:

tcpdump net 192.168.1.0/24

This captures all traffic within the specified network range, useful for monitoring subnet-wide activity.

File Operations and Output Management

Saving Captured Traffic

Preserve network captures for later analysis using the -w flag:

tcpdump -w capture.pcap -i eth0

Saved capture files can be analysed later using tcpdump or imported into graphical tools like Wireshark for detailed inspection.

Reading Saved Captures

Analyse previously captured traffic using the -r flag:

tcpdump -r capture.pcap

Controlling Output Verbosity

Adjust the level of detail in tcpdump output using verbosity flags:

  • -v: Verbose output
  • -vv: More verbose output
  • -vvv: Maximum verbosity
tcpdump -vv -i eth0

55 Practical tcpdump Examples

Here are 55 essential tcpdump examples for various network analysis scenarios:

Basic Interface Monitoring

  1. tcpdump -i eth0 – Capture all traffic on eth0
  2. tcpdump -i wlan0 – Capture all traffic on wlan0
  3. tcpdump -i any – Capture traffic on all interfaces

Host-Based Filtering

  1. tcpdump host 192.168.1.100 – Traffic to/from specific IP
  2. tcpdump host example.com – Traffic to/from domain name
  3. tcpdump not host 192.168.1.100 – Exclude specific host

Port-Based Filtering

  1. tcpdump port 80 – HTTP traffic
  2. tcpdump port 443 – HTTPS traffic
  3. tcpdump port 22 – SSH traffic
  4. tcpdump port 21 – FTP traffic
  5. tcpdump port 25 – SMTP traffic
  6. tcpdump port 53 – DNS traffic
  7. tcpdump portrange 80-443 – Traffic in port range

Directional Filtering

  1. tcpdump src host 192.168.1.100 – Traffic from specific host
  2. tcpdump dst host 192.168.1.100 – Traffic to specific host
  3. tcpdump src port 80 – Traffic from port 80
  4. tcpdump dst port 443 – Traffic to port 443
  5. tcpdump src portrange 1024-5000 – Traffic from port range

Protocol Filtering

  1. tcpdump tcp – All TCP traffic
  2. tcpdump udp – All UDP traffic
  3. tcpdump icmp – All ICMP traffic
  4. tcpdump arp – All ARP traffic

Network Range Filtering

  1. tcpdump net 192.168.1.0/24 – Traffic within network
  2. tcpdump src net 192.168.1.0/24 – Traffic from network
  3. tcpdump dst net 192.168.1.0/24 – Traffic to network
  4. tcpdump not net 192.168.1.0/24 – Traffic outside network

Combined Filters

  1. tcpdump dst host 192.168.1.100 and dst port 80 – Specific host and port
  2. tcpdump src host 192.168.1.100 and src port 443 – Source host and port
  3. tcpdump host 192.168.1.100 and \( port 80 or port 443 \) – Host with multiple ports
  4. tcpdump tcp and src net 192.168.1.0/24 and dst port 22 – Complex combination

Exclusion Filters

  1. tcpdump not icmp – All traffic except ICMP
  2. tcpdump not port 80 – All traffic except port 80
  3. tcpdump not src host 192.168.1.100 – Exclude source host

TCP Flag Filtering

  1. tcpdump 'tcp[tcpflags] & tcp-syn != 0' – SYN packets
  2. tcpdump 'tcp[tcpflags] & tcp-ack != 0' – ACK packets
  3. tcpdump 'tcp[tcpflags] & tcp-rst != 0' – RST packets
  4. tcpdump 'tcp[tcpflags] & tcp-fin != 0' – FIN packets
  5. tcpdump 'tcp[tcpflags] & tcp-urg != 0' – URG packets
  6. tcpdump 'tcp[tcpflags] & tcp-push != 0' – PSH packets
  7. tcpdump 'tcp[tcpflags] = 0x01' – Only SYN flag
  8. tcpdump 'tcp[tcpflags] = 0x00' – No flags set
  9. tcpdump 'tcp[tcpflags] = 0x12' – SYN-ACK packets
  10. tcpdump 'tcp[tcpflags] = 0x14' – RST-ACK packets
  11. tcpdump 'tcp[tcpflags] = 0x11' – FIN-ACK packets
  12. tcpdump 'tcp[tcpflags] = 0x18' – PSH-ACK packets

Advanced IP Filtering

  1. tcpdump 'ip[6:2] & 0x1fff != 0' – Fragmented packets
  2. tcpdump 'ip[8] = 128' – Specific TTL value
  3. tcpdump 'ip[1] & 0xfc >> 2 = 46' – DSCP value
  4. tcpdump 'ip[1] & 0x03 = 3' – ECN bits
  5. tcpdump 'ip[9] = 6' – TCP protocol packets

TCP Sequence Analysis

  1. tcpdump 'tcp[4:4] = 12345678' – Specific sequence number
  2. tcpdump 'tcp[8:4] = 87654321' – Specific acknowledgment number

Port Range Filtering

  1. tcpdump 'tcp[0:2] > 1023 and tcp[0:2] < 65536' – Source port range
  2. tcpdump 'tcp[2:2] > 1023 and tcp[2:2] < 65536' – Destination port range

Additional Examples

  1. tcpdump -n host 192.168.1.100 – Disable name resolution
  2. tcpdump -s 0 -i eth0 – Capture full packet length
  3. tcpdump -c 100 -i eth0 – Capture only 100 packets
  4. tcpdump -A -i eth0 – Display packet contents in ASCII
  5. tcpdump -X -i eth0 – Display packet contents in hex and ASCII
  6. tcpdump -e -i eth0 – Show link-level header information

Optimising Network Analysis Workflow

tcpdump examples work best when incorporated into a systematic workflow. Consider these best practices:

Performance Considerations: When capturing high-volume traffic, write directly to disk using the -w flag rather than displaying packets in real-time. This prevents packet loss during intensive capture sessions.

Security Analysis: Combine tcpdump with other tools for comprehensive security monitoring. Export captures to Wireshark for detailed protocol analysis or integrate with intrusion detection systems for automated threat detection.

Troubleshooting Methodology: Start with broad filters and progressively narrow your focus. Begin by capturing all traffic on an interface, then filter by host, port, or protocol as you identify patterns.

Documentation: Always document your capture filters and analysis findings. Include timestamps, filter expressions, and observed behaviours for future reference.

Advanced Techniques for Network Professionals

Berkeley Packet Filter Syntax

Master tcpdump commands at an advanced level by understanding Berkeley Packet Filter (BPF) syntax. This enables precise packet matching based on any field within the protocol headers:

tcpdump 'tcp[20:2] = 0x4745' -A

This example captures HTTP GET requests by matching the ASCII values at specific TCP payload offsets.

Performance Tuning

Optimise capture performance for high-speed networks:

  • Use -B to increase buffer size
  • Apply filters at capture time to reduce processing overhead
  • Consider using -n to disable DNS lookups during capture

Integration with Analysis Tools

Export tcpdump data for advanced analysis:

  • Convert to various formats using editcap
  • Stream to analysis tools using pipes
  • Integrate with log management systems for correlation

Conclusion

Mastering tcpdump examples empowers network professionals to diagnose issues quickly, monitor security threats effectively, and understand network behaviour comprehensively. These 55 practical tcpdump examples provide a solid foundation for network packet analysis, from basic traffic capture to advanced filtering techniques.

Regular practice with tcpdump enhances your ability to troubleshoot complex network issues and identify security anomalies. As networks grow increasingly complex, proficiency with command-line packet analysis tools becomes ever more valuable for maintaining robust and secure network infrastructure.

Remember that tcpdump represents just one tool in the network analyst’s toolkit. Combine it with other monitoring and analysis tools just nmap to build a comprehensive understanding of your network environment. Continue exploring advanced filtering techniques and protocol analysis to expand your network troubleshooting capabilities.


文章来源: https://www.blackmoreops.com/tcpdump-examples-network-packet-analysis/
如有侵权请联系:admin#unsafe.sh