Introduction to tcpdump
tcpdump is the command-line packet analyzer that provides low-level network visibility. This fundamental tool captures and displays network packets in real time or from saved files, enabling network professionals to troubleshoot connectivity issues, analyze protocol behavior, and investigate security incidents. tcpdump relies on the kernel's packet capture and BPF filtering, so filtering happens before packets reach user space, which keeps it fast and capable of handling high-traffic environments.
In penetration testing, tcpdump reveals unencrypted credentials, identifies network-based attacks, and validates exploitation success. Understanding tcpdump enables you to monitor network activity during security assessments and capture evidence of vulnerability exploitation.
Installation and Basic Setup
tcpdump comes pre-installed on most Linux distributions. Verify availability:
which tcpdump
tcpdump --version
If not installed, use your package manager:
# Ubuntu/Debian
sudo apt-get install tcpdump
# CentOS/RHEL
sudo yum install tcpdump
# macOS
brew install tcpdump
Running tcpdump with Privileges
tcpdump requires root privileges to access network interfaces:
# Run with sudo
sudo tcpdump
# Or grant capabilities to tcpdump binary
sudo setcap cap_net_raw,cap_net_admin=eip /usr/sbin/tcpdump
Basic Packet Capture
Capturing All Traffic
sudo tcpdump
This captures all packets on the default interface. Output streams continuously until interrupted (Ctrl+C).
Capturing from Specific Interface
# List available interfaces
tcpdump -D
# Capture from specific interface
sudo tcpdump -i eth0
Common interface names:
eth0, eth1: Ethernet interfaces
wlan0, wlan1: Wireless interfaces
lo: Loopback interface
docker0: Docker interface
Limiting Captured Packets
# Capture exactly 100 packets
sudo tcpdump -i eth0 -c 100
# Capture for 10 seconds
sudo timeout 10 tcpdump -i eth0
Verbose Output
# Standard output
sudo tcpdump -i eth0
# Verbose output (more detail)
sudo tcpdump -i eth0 -v
# Very verbose (maximum detail)
sudo tcpdump -i eth0 -vv
# Triple verbose (even more headers and data)
sudo tcpdump -i eth0 -vvv
# ASCII representation
sudo tcpdump -i eth0 -A
# Hexadecimal and ASCII
sudo tcpdump -i eth0 -X
# Hexadecimal only
sudo tcpdump -i eth0 -x
Timestamp Formats
# Show the time elapsed since the previous packet (microsecond precision)
sudo tcpdump -i eth0 -ttt
# Show the absolute date and time with microseconds
sudo tcpdump -i eth0 -tttt
Filtering Traffic with BPF (Berkeley Packet Filter)
tcpdump’s power comes from filtering specific traffic using Berkeley Packet Filter syntax.
Protocol Filtering
# Capture only TCP traffic
sudo tcpdump -i eth0 tcp
# Capture only UDP traffic
sudo tcpdump -i eth0 udp
# Capture only ICMP (ping)
sudo tcpdump -i eth0 icmp
# Capture only DNS (port 53)
sudo tcpdump -i eth0 port 53
Host-Based Filtering
# Traffic to or from specific host
sudo tcpdump -i eth0 host 192.168.1.100
# Traffic from specific source
sudo tcpdump -i eth0 src 192.168.1.100
# Traffic to specific destination
sudo tcpdump -i eth0 dst 192.168.1.100
# Traffic between two hosts
sudo tcpdump -i eth0 host 192.168.1.100 and host 192.168.1.200
Port-Based Filtering
# Capture traffic on specific port
sudo tcpdump -i eth0 port 80
# Capture source or destination port
sudo tcpdump -i eth0 src port 22
# Capture range of ports
sudo tcpdump -i eth0 portrange 8000-8100
# Exclude specific port
sudo tcpdump -i eth0 "not port 22"
Complex Filters
Combining Multiple Conditions
# HTTP traffic to/from specific host
sudo tcpdump -i eth0 host 192.168.1.100 and tcp port 80
# DNS queries from specific source
sudo tcpdump -i eth0 src 192.168.1.100 and port 53
# Exclude SSH and DNS from capture
sudo tcpdump -i eth0 "not (port 22 or port 53)"
# Capture only traffic sourced from the local subnet (CIDR masks require the net keyword)
sudo tcpdump -i eth0 src net 192.168.1.0/24
Advanced Protocol Filters
# Capture TCP SYN packets (connection attempts)
sudo tcpdump -i eth0 "tcp[tcpflags] & tcp-syn != 0"
# Capture TCP RST packets (connection resets)
sudo tcpdump -i eth0 "tcp[tcpflags] & tcp-rst != 0"
# Capture TCP segments that carry payload: IP total length minus IP header length minus TCP header length is non-zero
sudo tcpdump -i eth0 "tcp and (ip[2:2] - ((ip[0] & 0xf) << 2) - ((tcp[12] & 0xf0) >> 2)) != 0"
Saving and Reading Capture Files
Saving to File
# Save to pcap format
sudo tcpdump -i eth0 -w capture.pcap
# Save specific packets
sudo tcpdump -i eth0 -w capture.pcap -c 1000
# Save with filters
sudo tcpdump -i eth0 -w capture.pcap port 80
Reading Saved Files
# Read entire capture
tcpdump -r capture.pcap
# Read with verbosity
tcpdump -r capture.pcap -v
# Apply filters to existing capture
tcpdump -r capture.pcap port 80
# Extract and display packet data
tcpdump -r capture.pcap -X | less
Practical Network Analysis Scenarios
Monitoring HTTP Traffic
Capture unencrypted HTTP requests:
sudo tcpdump -l -i eth0 -n "tcp port 80" -A | grep -E "GET|POST|HTTP"
This reveals unencrypted credentials transmitted via HTTP.
Analyzing DNS Queries
sudo tcpdump -i eth0 -n "port 53" -X
# Filter specific domain
sudo tcpdump -i eth0 -n "port 53" -X | grep "example.com"
Detecting Port Scans
# Monitor for TCP SYN packets (scanning activity); options go before the filter expression
sudo tcpdump -n -i eth0 "tcp[tcpflags] & tcp-syn != 0"
# Show only SYNs from sources outside the local subnet
sudo tcpdump -n -i eth0 "not src net 192.168.1.0/24 and (tcp[tcpflags] & tcp-syn != 0)"
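The SYN filter above shows individual packets; turning that stream into a list of likely scanners takes a little post-processing. The following script is an added example, not part of the original article: it reads the text output of `tcpdump -nn` (a constructed sample is embedded, IPv4 only) and reports every source that sent a pure SYN to at least a chosen number of distinct destination ports. The threshold value and the sample lines are assumptions.

```shell
#!/bin/sh
# Added example (not from the original article): flag sources that send
# bare SYNs to many distinct destination ports, working from the text
# output of "tcpdump -nn". Sample lines and threshold are assumptions.

# Constructed sample of what "tcpdump -nn" prints for a small SYN sweep
# plus normal replies; no real capture is used here (IPv4 lines only).
sample_capture() {
    cat <<'EOF'
12:00:00.000001 IP 203.0.113.5.40000 > 192.168.1.10.22: Flags [S], seq 1, win 1024, length 0
12:00:00.000050 IP 192.168.1.10.22 > 203.0.113.5.40000: Flags [S.], seq 9, ack 2, win 64240, length 0
12:00:00.000100 IP 203.0.113.5.40001 > 192.168.1.10.80: Flags [S], seq 1, win 1024, length 0
12:00:00.000150 IP 192.168.1.10.80 > 203.0.113.5.40001: Flags [R.], seq 0, ack 2, win 0, length 0
12:00:00.000200 IP 203.0.113.5.40002 > 192.168.1.10.443: Flags [S], seq 1, win 1024, length 0
12:00:00.000300 IP 203.0.113.5.40003 > 192.168.1.10.3306: Flags [S], seq 1, win 1024, length 0
12:00:01.000000 IP 198.51.100.7.51000 > 192.168.1.10.443: Flags [S], seq 77, win 65535, length 0
12:00:02.000000 IP 198.51.100.7.51000 > 192.168.1.10.443: Flags [S], seq 77, win 65535, length 0
EOF
}

# syn_scan_sources THRESHOLD
# Reads tcpdump -nn lines on stdin and prints, sorted, each source IP that
# sent a pure SYN ("Flags [S]", not the SYN-ACK "[S.]") to at least
# THRESHOLD distinct destination ports. Retransmissions to the same port
# count once, so a stalled single connection is not reported as a scan.
syn_scan_sources() {
    awk -v thr="$1" '
        $6 == "Flags" && $7 == "[S]," {
            src = $3; sub(/\.[0-9]+$/, "", src)      # strip the source port
            dst = $5; sub(/:$/, "", dst)             # drop trailing colon
            n = split(dst, p, "."); port = p[n]      # last dotted field is the port
            key = src SUBSEP port
            if (!(key in seen)) { seen[key] = 1; ports[src]++ }
        }
        END { for (s in ports) if (ports[s] >= thr) print s }
    ' | sort
}

# Stand-alone demo on the constructed sample. Against a saved capture use:
#   tcpdump -nn -r capture.pcap "tcp[tcpflags] & (tcp-syn|tcp-ack) == tcp-syn" | syn_scan_sources 10
sample_capture | syn_scan_sources 3
```

The awk summary only prints at end of input, so feed it a saved capture or a bounded live run (`-c` or `timeout`) rather than an open-ended stream.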
Capturing SSL/TLS Handshakes
# Monitor HTTPS connections
sudo tcpdump -i eth0 -n "tcp port 443" -v
While encrypted data isn’t visible, handshake metadata reveals certificate information and domain names via SNI (Server Name Indication).
Monitoring FTP Credentials
# Capture FTP traffic (transmits credentials in plaintext!)
sudo tcpdump -i eth0 -n "port 21" -A
This reveals unencrypted FTP usernames and passwords.
Converting tcpdump Captures
# tcpdump -w always writes classic pcap regardless of the file extension; use editcap (from Wireshark) to produce pcapng
editcap -F pcapng capture.pcap capture.pcapng
# List HTTP request lines found in a capture
tcpdump -r capture.pcap -A | grep -oE "GET.*HTTP" | head
Piping to Wireshark
# Live capture displayed in Wireshark
sudo tcpdump -i eth0 -U -w - | wireshark -k -i -
Analyzing with Suricata/Snort
# Generate pcap for IDS analysis
sudo tcpdump -i eth0 -w ids-analysis.pcap
# Analyze with Suricata
suricata -r ids-analysis.pcap -c /etc/suricata/suricata.yaml -k none
Limiting Buffer and Capture
# Increase buffer size for high-traffic environments
sudo tcpdump -i eth0 -B 32000
# Limit the snapshot length (capture only the first 96 bytes of each packet)
sudo tcpdump -i eth0 -s 96
# Packet-buffered output: write each packet as it arrives instead of when the output buffer fills
sudo tcpdump -i eth0 -U
Security Considerations
Privacy During Packet Capture
# Avoid capturing payload data: a small snapshot length keeps only headers (-s 0 would capture full packets)
sudo tcpdump -i eth0 -s 96 -n "tcp port 80"
# Crudely mask the first two octets of IPv4 addresses in text output
tcpdump -r capture.pcap | sed 's/[0-9]*\.[0-9]*\./XXX.XXX./g'
Ethical Use
- Only capture traffic on networks you have authorization to monitor
- Document what you’re capturing and why
- Store captures securely (they may contain sensitive data)
- Use captured data only for authorized purposes
Conclusion
tcpdump is an essential tool for network visibility and security analysis. Mastering filter syntax, capture file management, and traffic analysis enables you to effectively monitor network activity during security assessments. Whether troubleshooting connectivity issues or investigating security incidents, tcpdump provides the low-level insight necessary for comprehensive network understanding.
Practice tcpdump in your lab environment, capturing traffic from various services and analyzing network behavior. Use it alongside Wireshark for visual analysis and other security tools to build a comprehensive view of your network’s security posture.