
Tcpdump Guide

Overview

Tcpdump is a command-line program that captures packets from a network interface and prints a one-line summary (or, with the right options, the full contents) of each one, so you can see exactly what traffic a host is sending and receiving.

Running Tcpdump

Capturing packets requires root privileges, so to run tcpdump first become root by typing sudo su - and then entering your password (the default password is malware):

$ sudo su -
[sudo] password for armc:

Don't Type the Prompt

The $ and # at the beginning are prompts ($ for a normal user, # for root). Do not type them.

Once you're root, you can start tcpdump by typing tcpdump:

# tcpdump

To exit tcpdump, hit Ctrl+C. On exit tcpdump reports how many packets it captured and how many were dropped by the kernel; a non-zero drop count means the capture is incomplete.

Note

This guide only lists a handful of tcpdump options and expressions. Feel free to consult the man page for a more complete reference.

Options

Tcpdump is a flexible program, and can take many different command line options. Some common options are:

  • -i <interface> The interface to listen on (in the Linux guest use interface ens33, so -i ens33). Because -i takes an argument, it must be the last letter when you combine single-letter options, as in -ni ens33
  • -n Don't resolve host names or port numbers. Without -n, tcpdump does a reverse DNS lookup for every address it prints, which slows it down and generates DNS traffic of its own
  • -X Show each packet's contents (headers and payload, without the link-level header) in hex and ASCII
  • -XX Same as -X, but also include the link-level (Ethernet) header
  • -A Show each packet's contents in ASCII only; handy for plaintext protocols such as HTTP
  • -v Show verbose output (for example the TTL, IP id and total length, and verification of IP and ICMP header checksums)
  • -vv Show very verbose output
  • -vvv Show very, very verbose output

Expressions

Expressions are filters that limit which packets tcpdump captures and prints; a packet is shown only if the expression matches it. An expression is built from primitives, and each primitive is a value (such as a host address or a port number) preceded by qualifiers of three kinds: type, dir, and proto. Qualifiers you leave out take defaults: the type defaults to host and the dir to src or dst (either direction). Primitives are combined with and, or, and not, as the examples below show.

Common options for type are:

  • host to specify traffic going to or from a given host
  • port to specify traffic going to or from a given port

Common options for dir are:

  • src to specify a source host or port
  • dst to specify a destination host or port

Common options for proto are:

  • udp for UDP traffic
  • tcp for TCP traffic
  • arp for ARP traffic
  • icmp for ICMP traffic

More Filters

For a more complete description see the pcap-filter man page.

Examples

To have tcpdump capture all traffic on interface ens33, but not resolve host names or port numbers:

# tcpdump -ni ens33

To have tcpdump capture only traffic going to or from port 53 (TCP or UDP), showing the hex and ascii contents of the packets, not resolving host names or port numbers, on interface ens33:

# tcpdump -nXi ens33 port 53

To have tcpdump capture only traffic going to or from UDP port 53, not resolving host names or port numbers, on interface ens33:

# tcpdump -ni ens33 udp and port 53

To have tcpdump capture all traffic except ARP, not resolving host names or port numbers, on interface ens33:

# tcpdump -ni ens33 not arp
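The following is an added example and not part of the original guide. It shows how to post-process what the udp and port 53 capture above prints by piping tcpdump into awk, pulling out who asked for which name and counting queries per client. The sample lines are constructed to match the one-line-per-packet format tcpdump uses with -n; the hosts, names and transaction IDs are made up. It assumes the -l option (line-buffered output), which is a real tcpdump option not listed in this guide but needed whenever tcpdump's output is piped into another program. The -n option is what makes the parsing work, and it also keeps tcpdump itself from generating reverse-DNS lookups that would otherwise show up inside your own port 53 capture.

```shell
#!/bin/sh
# Added example (not from the original guide): post-process the output of
#   tcpdump -lni ens33 udp and port 53
# -l is assumed here: it line-buffers tcpdump's output so the pipe sees
# each packet line as soon as it is printed.

# Constructed sample of tcpdump -n output; hosts, names and IDs are made up.
SAMPLE_DNS='12:00:01.000100 IP 192.168.1.10.51234 > 192.168.1.1.53: 4097+ A? example.com. (29)
12:00:01.001200 IP 192.168.1.1.53 > 192.168.1.10.51234: 4097 1/0/0 A 93.184.216.34 (45)
12:00:02.000300 IP 192.168.1.10.51235 > 192.168.1.1.53: 4098+ [1au] AAAA? example.com. (40)
12:00:02.002000 IP 192.168.1.1.53 > 192.168.1.10.51235: 4098 0/1/0 (80)
12:00:03.000500 IP 192.168.1.20.40001 > 192.168.1.1.53: 4099+ TXT? c2.evil.test. (30)
12:00:03.000900 IP 192.168.1.1.53 > 192.168.1.20.40001: 4099 NXDomain 0/1/0 (105)
12:00:04.000700 IP 192.168.1.10.51236 > 192.168.1.1.53: 4100+ A? intranet.corp. (31)'

# Print "<client> <record type> <name>" for each query line read on stdin.
# A query line has a destination field ($5) ending in ".53:" and, somewhere
# after the transaction ID, a field ending in "?" (the record type) followed
# by the queried name. Responses carry "answers/authority/additional" counts
# instead, so they are skipped. EDNS flags such as "[1au]" may appear before
# the record type, which is why the fields are scanned rather than fixed.
dns_queries() {
  awk '
    $5 ~ /\.53:$/ {
      src = $3; sub(/\.[0-9]+$/, "", src)          # drop the source port
      for (i = 6; i < NF; i++) {
        if ($i ~ /\?$/) {
          rtype = $i; sub(/\?$/, "", rtype)      # "A?" -> "A"
          print src, rtype, $(i + 1)
          break
        }
      }
    }'
}

# Count queries per client, most active first, to spot a host making an
# unusual number of lookups (a classic sign of DNS tunnelling or a resolver
# misconfiguration).
dns_queries_per_client() {
  dns_queries | awk '{ n[$1]++ } END { for (c in n) print n[c], c }' \
    | LC_ALL=C sort -rn
}

# Live usage (needs root, see Running Tcpdump above):
#   tcpdump -lni ens33 udp and port 53 | dns_queries
# Stand-alone run on the constructed sample:
printf '%s\n' "$SAMPLE_DNS" | dns_queries
printf '%s\n' "$SAMPLE_DNS" | dns_queries_per_client
```

The same pattern applies to the other captures in this guide: pick the fields that identify the packets you care about in tcpdump's text output, and let awk do the counting. For anything beyond quick triage, save the raw packets instead of the text so you can re-filter them later.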