TCPdump is a network analyzer utility that can monitor and log TCP/IP traffic passing through the network and the device on which it is executed. TCPdump is open source and freely available under the BSD license. It is a command-line application and can present packet information in several formats depending on the arguments used.
Install TCPdump on CentOS 7 and 8
If you are using an RHEL-based operating system there is a good chance that TCPdump is already installed, so first run the following command (or any TCPdump command) to check whether it is present:
If you get the following output it means that you don’t have TCPdump installed:
You can install TCPdump with the command below:
Verify the installation by checking the version:
Show Interfaces
Before you can monitor and capture anything you need to know how many interfaces you have and what their names are, so that you can use them to filter and get the desired results. You can list your system’s interfaces with the following command:
You should see something like the output below, which lists your interfaces, their status, and a brief description of what each interface is doing:
Capture a specific interface
Using the “-i” argument you can select a specific interface to monitor and capture. For example, start capturing on one of your active interfaces with the command below (we are going to use “eth0”, which is my main interface; replace it with your interface name):
It will capture every packet that hits your interface and print it on your screen; you can stop the process with “Ctrl + C”.
You can capture packets on the interface and write them directly to a file with:
Add a timeout to capture 20 seconds of your interface’s traffic and write it to a file:
Capture a specific number of packets
This argument sets the number of packets you want to capture before TCPdump stops. For example, you can record 200 packets on your “eth0” interface with the following command:
Capture traffic by IP
One of the most common filters you can use with TCPdump is “host”; with this filter you see only packets going to or from a specific IP.
For example, with this command you can see and capture all traffic to or from your loopback address (127.0.0.1):
Of course, you can combine filters and arguments to get more precise results:
Capture packets by source and destination
Using the “src” and “dst” qualifiers you can restrict the capture to traffic in one direction; check the following example:
Filter by Network
To capture packets going to or from a particular network or subnet use the “net” option:
Capture traffic of a specific port
Use the “port” filter to capture traffic on a specific port of your device; this way you can analyze the packets of a service that uses a specific port on your system:
Combine it with the “src” and “dst” filters:
Show Traffic of a specific protocol
You may want to look for one particular kind of traffic; you can use the protocol keywords “tcp”, “udp”, “icmp” and others:
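The “host”, “src”/“dst”, “net”, “port” and protocol filters above all combine with “and”/“or”, and one detail is easy to miss: in tcpdump’s filter language “and” and “or” have equal precedence and associate left to right, so “udp or icmp and dst host X” means “(udp or icmp) and dst host X”. The following added example (not part of the original post, and not tcpdump’s own code) evaluates such filter expressions against a handful of constructed packet records so you can check what a filter would keep before running a real capture; it supports only the page’s primitives, CIDR-style “net”, and no parentheses or “not”.

```python
import ipaddress

PACKETS = [  # constructed sample packets (hypothetical, not real traffic)
    {"proto": "tcp",  "src": "10.0.0.5",    "dst": "203.0.113.10", "sport": 51234, "dport": 443},
    {"proto": "udp",  "src": "10.0.0.5",    "dst": "10.0.0.1",     "sport": 40000, "dport": 53},
    {"proto": "icmp", "src": "10.0.0.1",    "dst": "10.0.0.5",     "sport": None,  "dport": None},
    {"proto": "tcp",  "src": "127.0.0.1",   "dst": "127.0.0.1",    "sport": 33000, "dport": 22},
    {"proto": "tcp",  "src": "192.168.1.9", "dst": "10.0.0.5",     "sport": 50123, "dport": 80},
]

def primitive_matches(tokens, pkt):
    """One primitive: tcp|udp|icmp, or [src|dst] host A | net N/len | port P.
    As in tcpdump, a bare address after src/dst is treated as 'host'."""
    if tokens[0] in ("tcp", "udp", "icmp"):
        return pkt["proto"] == tokens[0]
    if tokens[0] in ("src", "dst"):
        sides, rest = (tokens[0],), tokens[1:]
    else:
        sides, rest = ("src", "dst"), tokens      # no direction: match either end
    qualifier, value = rest if len(rest) == 2 else ("host", rest[0])
    if qualifier == "host":
        return any(pkt[s] == value for s in sides)
    if qualifier == "net":                        # CIDR form only (simplification)
        network = ipaddress.ip_network(value, strict=False)
        return any(ipaddress.ip_address(pkt[s]) in network for s in sides)
    if qualifier == "port":
        field = {"src": "sport", "dst": "dport"}
        return any(pkt[field[s]] == int(value) for s in sides)
    raise ValueError(f"unsupported primitive: {' '.join(tokens)}")

def filter_matches(expression, pkt):
    """Evaluate primitives joined by 'and'/'or'. Like pcap-filter(7), the two
    operators have EQUAL precedence and associate left to right (no parentheses here)."""
    result, pending, current = None, None, []
    for word in expression.split() + ["or"]:      # sentinel flushes the last primitive
        if word not in ("and", "or"):
            current.append(word)
            continue
        value = primitive_matches(current, pkt)
        if result is None:
            result = value
        else:
            result = (result and value) if pending == "and" else (result or value)
        pending, current = word, []
    return result

def capture(expression, packets=PACKETS):
    """Indices of the sample packets a given tcpdump filter would capture."""
    return [i for i, p in enumerate(packets) if filter_matches(expression, p)]
```

Running capture("udp or icmp and dst host 10.0.0.5") keeps only the ICMP packet, because the UDP packet to 10.0.0.1 is discarded by the left-to-right “and”; if you wanted both, you would write the filter as “udp or (icmp and dst host 10.0.0.5)” in real tcpdump.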
Print captured packets in ASCII
If you want to see the results in ASCII, use the “-A” argument as in the following example:
Capture and save packets in a readable file
TCPdump has an option to save the results of a capture to a file and read them back later. Start capturing and write the packets to a file with:
Then open and read the file with TCPdump using: