Tcpdump is a command-line packet analyzer for capturing, decoding, and analyzing network traffic in real time on Unix-like operating systems. It is essential for troubleshooting connectivity, monitoring network activity, and detecting security threats, because it can filter traffic by IP address, port, or protocol. Because it works entirely from the command line, it is an efficient way to analyze raw traffic and is often used as a lightweight alternative to Wireshark.
Key Uses and Functionality

Packet Capture: Captures packets on a network interface (-i) and prints them to the console. Capturing requires root privileges or the CAP_NET_RAW capability.
Saving Output: Saves captured packets to a file (usually with the .pcap extension) for later analysis, using the -w flag.
Filtering: Filters traffic by protocol (TCP, UDP, ICMP), hostname, and IP address (e.g., tcpdump host 192.168.1.1).
Performance Optimization: Analyzes network performance by identifying bottlenecks.

How to Use Tcpdump (Common Commands)

Capture all traffic on a specific interface: tcpdump -i eth0
Save output to a file: tcpdump -i eth0 -w capture_file.pcap
Read a saved file: tcpdump -r capture_file.pcap
Capture a limited number of packets: tcpdump -c 100
Filter for a specific IP and port: tcpdump host 192.168.1.1 and port 80
Verbose output with absolute sequence numbers: tcpdump -vv -S
Stop capturing: press Ctrl+C to terminate the process.

#tools packetcapture passive packetsniffing #clitool
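The commands above write and read pcap files and apply filters such as host 192.168.1.1 and port 80. As an added example that is not part of the original post, the Python below shows what is inside a file written with tcpdump -w (the classic libpcap layout) and reimplements that filter in pure Python: host matches either end of the packet, port matches either the source or destination port, and the two are ANDed. The reader checks the magic number so it handles captures written on either byte order. All packets, MAC addresses, IP addresses and ports are constructed in the code, not captured from a real network, and IPv4 checksums are left at zero for brevity.

```python
"""Reader for tcpdump -w (libpcap) files with a host/port filter that follows
tcpdump's `host X and port N` semantics. All sample traffic is constructed."""
import socket
import struct

PCAP_MAGIC_USEC = 0xA1B2C3D4   # classic pcap magic, microsecond timestamps
LINKTYPE_ETHERNET = 1
ETHERTYPE_IPV4 = 0x0800
PROTO_TCP, PROTO_UDP = 6, 17


def _ipv4_frame(src, dst, proto, l4):
    """Ethernet + IPv4 header around a transport payload (constructed MACs)."""
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") \
        + struct.pack("!H", ETHERTYPE_IPV4)
    # version/IHL, TOS, total length, id, flags/frag (DF), TTL, proto,
    # checksum (left 0: tcpdump -v would flag it, harmless for this demo), src, dst
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0x1234, 0x4000, 64,
                     proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return eth + ip + l4


def tcp_frame(src, sport, dst, dport, flags=0x02):
    # 20-byte TCP header: ports, seq, ack, data offset 5 words, flags (SYN default)
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1000, 0, 5 << 4, flags, 65535, 0, 0)
    return _ipv4_frame(src, dst, PROTO_TCP, tcp)


def udp_frame(src, sport, dst, dport, payload=b""):
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    return _ipv4_frame(src, dst, PROTO_UDP, udp)


def write_pcap(frames, big_endian=False):
    """Serialise frames in the layout tcpdump -w produces: 24-byte global
    header, then a 16-byte record header (ts_sec, ts_usec, incl_len, orig_len)
    before each frame."""
    e = ">" if big_endian else "<"
    out = struct.pack(e + "IHHiIII", PCAP_MAGIC_USEC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for i, frame in enumerate(frames):
        out += struct.pack(e + "IIII", 1_700_000_000 + i, 0, len(frame), len(frame)) + frame
    return out


def read_pcap(data):
    """Yield (timestamp, frame) per record. Byte order is inferred from the magic,
    so a capture written on a big-endian host reads correctly too."""
    magic = struct.unpack("<I", data[:4])[0]
    if magic == PCAP_MAGIC_USEC:
        e = "<"
    elif magic == 0xD4C3B2A1:          # same magic seen through the other byte order
        e = ">"
    else:
        raise ValueError("not a classic pcap file (magic %#x)" % magic)
    linktype = struct.unpack(e + "IHHiIII", data[:24])[6]
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError("only Ethernet (linktype 1) captures are decoded here")
    off = 24
    while off + 16 <= len(data):
        sec, usec, incl, _orig = struct.unpack(e + "IIII", data[off:off + 16])
        off += 16
        yield sec + usec / 1e6, data[off:off + incl]
        off += incl


def decode(frame):
    """Return src/dst/proto/sport/dport of an Ethernet/IPv4 frame, or None for non-IPv4."""
    if len(frame) < 34 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV4:
        return None
    ihl = (frame[14] & 0x0F) * 4                  # IPv4 header length in bytes
    info = {"src": socket.inet_ntoa(frame[26:30]), "dst": socket.inet_ntoa(frame[30:34]),
            "proto": frame[23], "sport": None, "dport": None}
    l4 = 14 + ihl
    if info["proto"] in (PROTO_TCP, PROTO_UDP) and len(frame) >= l4 + 4:
        info["sport"], info["dport"] = struct.unpack("!HH", frame[l4:l4 + 4])
    return info


def matches(info, host=None, port=None):
    """tcpdump semantics: `host X` is src OR dst, `port N` is sport OR dport, terms ANDed."""
    if info is None:
        return False
    if host is not None and host not in (info["src"], info["dst"]):
        return False
    if port is not None and port not in (info["sport"], info["dport"]):
        return False
    return True


def filter_pcap(data, host=None, port=None):
    """Equivalent of `tcpdump -r file host X and port N`, returning decoded 5-tuples."""
    return [info for _, frame in read_pcap(data)
            if matches(info := decode(frame), host, port)]


# Constructed capture: start of a TCP handshake with 192.168.1.1:80 plus an unrelated DNS query.
SAMPLE_PCAP = write_pcap([
    tcp_frame("10.0.0.5", 51234, "192.168.1.1", 80),
    udp_frame("10.0.0.5", 40000, "10.0.0.53", 53, b"\x00" * 12),
    tcp_frame("192.168.1.1", 80, "10.0.0.5", 51234, flags=0x12),
])

if __name__ == "__main__":
    for pkt in filter_pcap(SAMPLE_PCAP, host="192.168.1.1", port=80):
        print(pkt)
```

Running the script prints the two packets that tcpdump host 192.168.1.1 and port 80 would select from the same capture (the SYN and the SYN-ACK), while the DNS query to port 53 is dropped. Pointing read_pcap at bytes from a real capture_file.pcap works the same way, as long as it was written with the classic format rather than pcapng.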