The tcpdump command is present by default on most Unix-based systems.
It is useful in debugging networks and services.
Tcpdump is a common packet analyzer that runs under the command line.
It allows the user to display TCP/IP and other packets being transmitted or received over a network to which the computer is attached.
However, its potential for abuse, especially in the era of remote administration via telnet, gave tcpdump a bad reputation.
WinDump is the tcpdump command’s counterpart for Windows systems.
Tcpdump is primarily a sniffer as opposed to a protocol analyzer.
Its filters enable you to extract any combination of network packets, but it doesn’t parse higher- level protocols like HTTP, SNMP, or DNS into more human-readable formats or annotate the traffic.
For example, a protocol analyzer would know how to interpret the specific flags, options, and steps for an SSL connection handshake.
The sniffer just shows the raw packets.
Tcpdump and WinDump both use the packet capture (pcap) library, a set of packet capture routines written by the Lawrence Berkeley National Laboratory.
The pcap routines provide the interface and functionality for OS-level packet filtering and disassembling IP packets into raw data.
Because WinDump is simply a Windows port of tcpdump, the two commands are mostly interchangeable.
The only difference is the name of the network interface to specify for capturing traffic.
The tools require privileged user access to capture data.
Make sure to execute them with sudo or “Run As Administrator” as appropriate.
Another reason tcpdump and WinDump require privileged access is because they put the network interface into promiscuous mode in order to see all traffic across the device.
Some network devices such as Ethernet hubs broadcast a packet to all ports on the hub (all hosts connected to the hub) in expectation that only the intended recipient will accept it.
The other hosts receive the packet as well, but they ignore it because the packet is not intended for their MAC address.
Tcpdump filters control what kinds of traffic the command captures.
Filter expressions are defined with the Berkeley Packet Filter (BPF) syntax.
Multiple filters may be combined with Boolean operators such as AND, OR, and NOT.
The typical format of an expression is a label (representing a packet characteristic) followed by a value:
$ tcpdump packet_characteristic value - Type Qualifiers is a packet characteristic. - The most typical packet qualifiers are the type labels: host, net, and port. - For example, the following command tells tcpdump we want to see only packets to or from 192.168.1.100: $ tcpdump host 192.168.1.100
If all we care about is web traffic, we can narrow the filter to the default port for HTTP:
$ tcpdump host 192.168.1.100 and port 80 - The net qualifier captures traffic destined for or originating from any host that matches the filter: $ tcpdump net 192.168.1.0/24 and port 80
Remember that the net qualifier only exposes traffic visible to the sniffer’s network interface.
Specifying a network doesn’t automatically make its traffic visible—only network proximity of the sniffer does.
Common uses of Tcpdump are as follows:
Tcpdump prints the contents of network packets.
It can read packets from a network interface card or from a previously created saved packet file.
It can write packets to standard output or a file.
It is also possible to use tcpdump for the specific purpose of intercepting and displaying the communications of another user or computer.