Mastering TCPdump: Essential Network Traffic Analysis Tool for Cybersecurity

TCPdump is a powerful command-line tool for capturing and analyzing network traffic on Linux. This tool is essential for cybersecurity professionals and sysadmins to troubleshoot issues, inspect protocols, and detect suspicious activity.

Basic TCPdump Commands

1. Capture packets on a specific interface:

tcpdump -i eth0

2. Capture only N packets and exit:

tcpdump -c 10

3. Save captured packets to a file:

tcpdump -w capture.pcap

4. Read packets from a saved file:

tcpdump -r capture.pcap

Advanced Filtering

5. Capture only HTTP traffic:

tcpdump -i eth0 port 80

6. Filter by source/destination IP:

tcpdump src 192.168.1.1
tcpdump dst 192.168.1.2

7. Capture DNS queries:

tcpdump -i eth0 port 53

8. Detect SYN scans (potential port scans):

tcpdump 'tcp[tcpflags] & (tcp-syn) != 0'

Security & Forensics Use Cases

9. Find suspicious traffic (e.g., ICMP flood):

tcpdump -n icmp

10. Capture traffic excluding your own SSH session:

tcpdump not port 22

11. Monitor ARP requests (detect ARP spoofing):

tcpdump -i eth0 arp

12. Extract HTTP User-Agent strings (dumps, in ASCII, packets whose TCP payload starts with "GET ", so request headers such as User-Agent appear in the output):

tcpdump -A -s0 'port 80 and tcp[((tcp[12:1] & 0xf0) >> 2):4] = 0x47455420'

You Should Know:

  • View HEX & ASCII output:
    tcpdump -XX -i eth0
    
  • Capture VLAN-tagged traffic:
    tcpdump -i eth0 vlan
    
  • Monitor IPv6 traffic:
    tcpdump ip6
    
  • Detect TCP resets (network issues; the value 4 is the RST flag, so this matches reset packets, not retransmissions, which a capture filter cannot identify and which Wireshark flags during analysis):
    tcpdump 'tcp[tcpflags] & 4 != 0'
    

What Undercode Say:

TCPdump remains one of the most versatile tools for real-time network analysis. Mastering its filters can help detect intrusions, troubleshoot connectivity, and analyze malware traffic. Save captures with tcpdump -w file.pcap and open them in Wireshark for deeper forensic analysis.

Expected Output:

For a SYN scan detection, the output may look like:

14:22:01.123456 IP 192.168.1.100.54321 > 10.0.0.1.80: Flags [S], seq 123456, win 65535, options [mss 1460], length 0
14:22:01.123789 IP 192.168.1.100.54322 > 10.0.0.1.443: Flags [S], seq 654321, win 65535, options [mss 1460], length 0
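The SYN-scan filter in item 8 and the output above only show raw packets; deciding whether a host is scanning still means counting how many distinct ports it probed. The following shell function is an added example (not part of the original post) that reads tcpdump's text output, keeps only bare SYN lines (Flags [S], so SYN-ACK replies are ignored) and reports every source that hit at least N distinct ports on one destination. The sample lines are constructed; in practice pipe in `tcpdump -n -r capture.pcap 'tcp[tcpflags] & (tcp-syn|tcp-ack) == tcp-syn'` (the -n keeps addresses numeric so the fields parse).

```shell
#!/bin/sh
# Constructed sample in the same format tcpdump -n prints (see "Expected Output").
SAMPLE='14:22:01.123456 IP 192.168.1.100.54321 > 10.0.0.1.80: Flags [S], seq 123456, win 65535, options [mss 1460], length 0
14:22:01.123789 IP 192.168.1.100.54322 > 10.0.0.1.443: Flags [S], seq 654321, win 65535, options [mss 1460], length 0
14:22:01.124001 IP 192.168.1.100.54323 > 10.0.0.1.22: Flags [S], seq 111111, win 65535, options [mss 1460], length 0
14:22:01.124300 IP 192.168.1.100.54324 > 10.0.0.1.8080: Flags [S], seq 222222, win 65535, options [mss 1460], length 0
14:22:02.000000 IP 192.168.1.50.40000 > 10.0.0.1.443: Flags [S], seq 333333, win 64240, options [mss 1460], length 0
14:22:02.000500 IP 10.0.0.1.443 > 192.168.1.50.40000: Flags [S.], seq 444444, ack 333334, win 65535, options [mss 1460], length 0'

# syn_scan_report THRESHOLD
# Reads tcpdump text output on stdin and prints "src dst distinct_ports"
# for each (source, destination) pair that sent bare SYNs to at least
# THRESHOLD distinct destination ports (default 3).
syn_scan_report() {
  threshold="${1:-3}"
  awk -v thr="$threshold" '
    # field layout: time IP src.port > dst.port: Flags [S], ...
    $2 == "IP" && $7 == "[S]," {
      src = $3; dst = $5
      sub(/:$/, "", dst)                      # drop the trailing colon
      split(src, s, "."); srcip = s[1] "." s[2] "." s[3] "." s[4]
      split(dst, d, "."); dstip = d[1] "." d[2] "." d[3] "." d[4]; port = d[5]
      key = srcip " " dstip
      if (!((key, port) in seen)) { seen[key, port] = 1; count[key]++ }
    }
    END { for (k in count) if (count[k] >= thr) print k, count[k] }
  '
}

# Usage: with the sample above this prints "192.168.1.100 10.0.0.1 4";
# 192.168.1.50 only probed one port and the SYN-ACK from the server is skipped.
printf '%s\n' "$SAMPLE" | syn_scan_report 3
```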

Prediction:

As networks evolve with IPv6 and encrypted traffic (QUIC, TLS 1.3), TCPdump will adapt with more advanced filtering options, but its core functionality will remain critical for cybersecurity professionals.


References:

Reported By: Xmodulo Tcpdump – Hackers Feeds
