How to use TCP Dump
TCP DUMP - Techg8


TCP DUMP

tcpdump is a command-line network packet analyzer. It lets the user display TCP/IP and other packets being transmitted or received over a network to which the computer is attached.

LAB SETUP Metasploit_lab

TCP DUMP switch -h

The -h switch prints brief information about the switches that can be used with the command.

** Open the terminal **
** Run Command **
sudo tcpdump -h

Run man for tcpdump

The man command gives detailed information about tcpdump.

** Open the terminal **
** Run Command **
sudo man tcpdump

List interfaces

** Open the terminal **
** Run Command **
sudo tcpdump -D

Example of tcp dump command

** Open the terminal **
** Run Command **
sudo tcpdump -i eth0 -nn -s0 -v port 80

The output of this command shows the traffic captured on port 80: when we browse our server's default page, the request is displayed and captured as it passes through the Ethernet interface eth0. The switches used in the command are explained as follows:

Switch   Description
-i       Capture traffic on a specific interface
-nn      Disable name resolution of both host names and port names
-s0      Capture the full packet

-A switch for ASCII output

** Open the terminal **
** Run Command **
sudo tcpdump -A -s0 port 80

Filter HTTP User Agent

** Open the terminal **
** Run Command **
sudo tcpdump -nn -A -s0 -l | grep "User-Agent:"
** Open the terminal **
** Run Command **
sudo tcpdump -nn -A -s0 -l | egrep -i "User-Agent: |Host"

Filter HTTP GET and POST

** Open the terminal **
** Run Command **
sudo tcpdump -nn -A -s0 -l | egrep -i "POST /|GET /|Host"

Capture ICMP packets

** Open the terminal **
** Run Command **
sudo tcpdump -n icmp

Detect Port Scan

** Open the terminal **
** Run Command **
sudo tcpdump -nn
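As an added example (not code from the original page), the following Python script reads lines in the format printed by `sudo tcpdump -nn` and flags a source that sends bare SYNs to many distinct ports on one host, which is the pattern the command above is used to spot. The sample capture lines are constructed inline, and the threshold and the 192.168.56.x addresses are assumptions.

```python
import re
from collections import defaultdict

# One TCP line of `tcpdump -nn` output (numeric hosts and ports), e.g.
#   12:00:01.000123 IP 192.168.56.101.40000 > 192.168.56.102.22: Flags [S], ...
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) IP "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]*)\]"
)


def parse_line(line):
    """Return the interesting fields of a TCP line, or None for other traffic."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def find_syn_scanners(lines, threshold=10):
    """Map (src, dst) -> sorted list of ports probed with a bare SYN.

    One source sending SYNs (no ACK) to many distinct ports on a host is the
    signature of a SYN/connect scan; established traffic carries other flags
    and is ignored. Pairs with fewer than `threshold` ports are dropped.
    """
    probes = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["flags"] != "S":
            continue
        probes[(rec["src"], rec["dst"])].add(int(rec["dport"]))
    return {pair: sorted(p) for pair, p in probes.items() if len(p) >= threshold}


# Constructed sample capture: one host probing twelve ports, plus normal traffic.
SAMPLE = [
    f"12:00:01.{i:06d} IP 192.168.56.101.{40000 + i} > 192.168.56.102.{p}: "
    f"Flags [S], seq 1, win 1024, length 0"
    for i, p in enumerate([21, 22, 23, 25, 53, 80, 110, 135, 139, 143, 443, 445])
] + [
    "12:00:02.000001 IP 192.168.56.102.80 > 192.168.56.103.51000: Flags [S.], seq 2, ack 1, win 65535, length 0",
    "12:00:02.000002 IP 192.168.56.103.51000 > 192.168.56.102.80: Flags [.], ack 1, win 64240, length 0",
    "12:00:02.000003 IP 192.168.56.103 > 192.168.56.102: ICMP echo request, id 1, seq 1, length 64",
]

if __name__ == "__main__":
    for (src, dst), ports in find_syn_scanners(SAMPLE).items():
        print(f"possible SYN scan from {src} against {dst}: {len(ports)} ports {ports}")
```

To run it against a live capture, pipe `sudo tcpdump -nn -l` into the script and feed `sys.stdin` to `find_syn_scanners` in place of SAMPLE.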

Capture interface

** Open the terminal **
** Run Command **
sudo tcpdump -i any

Filtering by Host

** Open the terminal **
** Run Command **
sudo tcpdump -n host 192.168.56.101

Filtering by port

** Open the terminal **
** Run Command **
sudo tcpdump -n port 80

Filtering by Port Range

** Open the terminal **
** Run Command **
sudo tcpdump -n portrange 80-500

Writing capture output to a file

** Open the terminal **
** Run Command **
sudo tcpdump -n -w nmap.pcap
