This post is a work in progress.

tcpdump is a command-line tool that captures network traffic and prints it out.
It's available on most Unix-based operating systems.
On Windows, you can use WinDump.

You can apply filters to narrow down the amount of data you capture, and save captured packets to a .pcap file for offline analysis.

Since tcpdump is a command-line tool, you can use it in scripts for automation, or on remote systems that don't have a graphical interface.

Wireshark is a similar tool with a graphical interface.

Capturing Network Traffic #

Let's start with the basics: capturing packets on a network interface.

Listing Available Network Interfaces #

First, we need to know which interfaces are available.

tcpdump -D

In that list, lo is the loopback interface (localhost), which carries traffic that stays on your own machine.
To capture packets on the loopback interface:

sudo tcpdump -i lo

Applying Capture Filters #

One of the most powerful features of tcpdump is its ability to apply filters to the network traffic you’re capturing. Grabbing everything on the network is not ideal; instead, you can specify exactly what you’re interested in.

Saving and Reading Captures #

Sometimes you don’t want to analyze packets in real time. To save them to a file for later analysis, use the -w flag to write packets to a .pcap file.

sudo tcpdump -n -i <interface> -w capture.pcap

We can then read the saved file later using the -r flag.

tcpdump -r capture.pcap
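To make the filtering and save-and-read steps concrete, here is an added Python example (not part of the original post, and not tcpdump's own code) that writes a small .pcap file in the same libpcap format that tcpdump -w produces, reads it back the way tcpdump -r does, and applies a filter equivalent to "udp and port 53" or "host 10.0.0.5" to the saved packets. The three packets, the addresses (10.0.0.x and 192.0.2.10), the ports and the function names are all constructed for this example; only the pcap record layout and the Ethernet/IPv4/TCP/UDP header offsets are real.

```python
"""Write a tiny pcap file, read it back, and filter it offline (constructed example)."""
import os
import socket
import struct
import tempfile

PCAP_MAGIC = 0xA1B2C3D4      # classic libpcap magic, microsecond timestamps, native byte order
LINKTYPE_ETHERNET = 1        # link-layer header type written by tcpdump on Ethernet interfaces
ETHERTYPE_IPV4 = 0x0800
PROTO_TCP, PROTO_UDP = 6, 17


def make_packet(src_ip, dst_ip, proto, sport, dport):
    """Constructed sample frame: Ethernet II + IPv4 + TCP (SYN) or UDP header, checksums zeroed."""
    eth = bytes.fromhex("020000000001") + bytes.fromhex("020000000002") + struct.pack("!H", ETHERTYPE_IPV4)
    if proto == PROTO_UDP:
        transport = struct.pack("!HHHH", sport, dport, 8, 0)           # sport, dport, length, checksum
    else:
        # sport, dport, seq, ack, data offset (5 words), flags (SYN), window, checksum, urgent ptr
        transport = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x02, 65535, 0, 0)
    total_len = 20 + len(transport)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, 64, proto, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    return eth + ip + transport


def write_pcap(path, packets):
    """Emit the libpcap file layout: 24-byte global header, then a 16-byte record header per packet."""
    with open(path, "wb") as f:
        # magic, version 2.4, timezone offset, timestamp accuracy, snaplen, link type
        f.write(struct.pack("=IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET))
        for i, pkt in enumerate(packets):
            ts_sec, ts_usec = 1700000000 + i, 0                       # constructed timestamps
            f.write(struct.pack("=IIII", ts_sec, ts_usec, len(pkt), len(pkt)))
            f.write(pkt)


def decode_frame(frame):
    """Decode Ethernet/IPv4 and, where present, TCP or UDP ports; return None for non-IPv4 frames."""
    if len(frame) < 34:                                               # 14-byte Ethernet + 20-byte IPv4 minimum
        return None
    ethertype, = struct.unpack_from("!H", frame, 12)
    if ethertype != ETHERTYPE_IPV4:
        return None
    ihl = (frame[14] & 0x0F) * 4                                      # IPv4 header length in bytes
    proto = frame[23]
    src = socket.inet_ntoa(frame[26:30])
    dst = socket.inet_ntoa(frame[30:34])
    t = 14 + ihl                                                      # start of the transport header
    if proto not in (PROTO_TCP, PROTO_UDP) or len(frame) < t + 4:
        return {"proto": proto, "src": src, "dst": dst, "sport": None, "dport": None}
    sport, dport = struct.unpack_from("!HH", frame, t)
    return {"proto": proto, "src": src, "dst": dst, "sport": sport, "dport": dport}


def read_pcap(path):
    """Parse a saved capture into packet summaries, the offline step that tcpdump -r performs."""
    with open(path, "rb") as f:
        data = f.read()
    magic, = struct.unpack_from("=I", data, 0)
    if magic != PCAP_MAGIC:                                           # byte-swapped or pcapng files are not handled here
        raise ValueError("unsupported pcap magic: %#x" % magic)
    linktype, = struct.unpack_from("=I", data, 20)
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError("only Ethernet captures are handled in this example")
    off, out = 24, []
    while off + 16 <= len(data):
        ts_sec, ts_usec, incl_len, _orig_len = struct.unpack_from("=IIII", data, off)
        off += 16
        summary = decode_frame(data[off:off + incl_len])
        off += incl_len
        if summary:
            summary["ts"] = ts_sec + ts_usec / 1e6
            out.append(summary)
    return out


def matches(pkt, proto=None, port=None, host=None):
    """Small stand-in for a BPF filter such as 'udp and port 53' or 'host 10.0.0.5'."""
    if proto is not None and pkt["proto"] != proto:
        return False
    if port is not None and port not in (pkt["sport"], pkt["dport"]):
        return False
    if host is not None and host not in (pkt["src"], pkt["dst"]):
        return False
    return True


def filter_capture(path, **criteria):
    return [p for p in read_pcap(path) if matches(p, **criteria)]


def demo():
    """Write three constructed packets, read them back, and count what each filter keeps."""
    packets = [
        make_packet("10.0.0.5", "10.0.0.53", PROTO_UDP, 51000, 53),     # DNS query
        make_packet("10.0.0.5", "192.0.2.10", PROTO_TCP, 51001, 443),   # HTTPS SYN
        make_packet("10.0.0.9", "10.0.0.53", PROTO_UDP, 51002, 53),     # DNS query from another host
    ]
    fd, path = tempfile.mkstemp(suffix=".pcap")
    os.close(fd)
    try:
        write_pcap(path, packets)
        total = len(read_pcap(path))
        dns = len(filter_capture(path, proto=PROTO_UDP, port=53))
        from_host = len(filter_capture(path, host="10.0.0.5"))
    finally:
        os.remove(path)
    return total, dns, from_host


if __name__ == "__main__":
    print(demo())   # (3, 2, 2)
```

On a real capture the same selection is one command, tcpdump -r capture.pcap 'udp and port 53', since tcpdump applies the filter expression when reading a file just as it does when capturing live. The reader above deliberately accepts only the classic pcap magic and Ethernet link type; captures written in byte-swapped order, with nanosecond timestamps, or in pcapng format would be rejected rather than misparsed.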