In this article, we’ll explain how to troubleshoot network issues in Linux using tcpdump command.
tcpdump is a flexible, powerful command-line packet analyzer; and libpcap, a portable C/C++ library for network traffic capture. A powerful and versatile tool that includes many options and filters, tcpdump can be used in a variety of cases. Since it’s a command line tool, it is ideal to run in remote servers or devices for which a GUI is not available, to collect data that can be analyzed later. It can also be launched in the background or as a scheduled job using tools like cron.
Let get started with the installation process.
1. Install tcpdump
If tcpdump is not already installed on your system, you can install it using following command:
For CentOS or Red Hat Enterprise Linux based system:
# dnf install tcpdump -y
For Ubuntu based system:
# apt-get install tcpdump -y
2. Verify the installation
To verify the installation, use following command:
# which tcpdump
Capture packets with tcpdump
Before capturing the packets, check network interface using following commands:
# tcpdump -D
It will display all available network interfaces.
Now, let’s start capturing some packets using following commands:
# tcpdump –interface any
Tcpdump continues to capture packets until it receives an interrupt signal. You can interrupt capturing by pressing Ctrl+C. To limit the number of packets captured and stop tcpdump, use the -c (for count) option:
# tcpdump -i any -c 10
Disable name resolution
Troubleshooting network issues, it is often easier to use the IP addresses and port numbers; disable name resolution by using the option -n and port resolution with -nn:
# tcpdump -i any -c5 -nn
As above command will capture output now displays the IP addresses and port numbers.
One of tcpdump’s most powerful features is its ability to filter the captured packets using a variety of parameters, such as source and destination IP addresses, ports, protocols, etc. Let’s look at some of the most common ones.
To capture only ICMP packets, use following commands:
# tcpdump -i any -c10 icmp
Limit capture to only packets related to a specific host by using the host filter:
# tcpdump -i any -c5 -nn host 192.168.0.12
Above command will capture and display only packets to and from host 192.168.0.12.
To filter packets based on the desired service or port, use the port filter. For example, capture packets related to a web (HTTP) service by using this command:
# tcpdump -i any -c10 -nn port 80
To filter packets based on the source or destination IP Address or hostname. For example, to capture packets from host 192.168.0.12:
# tcpdump -i any -c10 -nn src 192.168.0.12
Save captures into a file
To save packets to a file instead of displaying them on screen, use the option -w (for write):
# tcpdump -i any -c10 -nn -w webserver.pcap port 80
Above command will allows to capture packets in batch mode overnight, for example, and verify the results in the morning. It also helps when there are too many packets to analyze since real-time capture can occur too fast.
More example commands
To print the start and end packets (the SYN and FIN packets) of each TCP conversation that involves a non-local host.
# tcpdump ‘tcp[tcpflags] & (tcp-syn|tcp-fin) != 0 and not src and dst net localnet’
To print the TCP packets with flags RST and ACK both set. (i.e. select only the RST and ACK flags in the flags field, and if the result is “RST and ACK both set”, match)
# tcpdump ‘tcp[tcpflags] & (tcp-rst|tcp-ack) == (tcp-rst|tcp-ack)’
To print all IPv4 HTTP packets to and from port 80, i.e. print only packets that contain data, not, for example, SYN and FIN packets and ACK-only packets. (IPv6 is left as an exercise for the reader.)
# tcpdump ‘tcp port 80 and (((ip[2:2] – ((ip&0xf)<<2)) – ((tcp&0xf0)>>2)) != 0)’
To print IP packets longer than 576 bytes sent through gateway snup:
# tcpdump ‘gateway snup and ip[2:2] > 576’
To print IP broadcast or multicast packets that were not sent via Ethernet broadcast or multicast:
# tcpdump ‘ether & 1 = 0 and ip >= 224’
To print all ICMP packets that are not echo requests/replies (i.e., not ping packets):
# tcpdump ‘icmp[icmptype] != icmp-echo and icmp[icmptype] != icmp-echoreply’
Check man page using following command:
# man tcpdump
In this article, we have seen how to troubleshoot network issues in Linux using tcpump command.