
Video: Analyze network traffic with tcpdump

Tcpdump may not have a slick frontend like other packet analyzers such as Wireshark and Ettercap, but this command line tool makes up for its lack of fancy graphics with power and flexibility. In this IT Dojo video, Bill Detwiler shows you why tcpdump is a great tool for network debugging and security monitoring.

Tcpdump is an old mainstay for network admins and security pros who swear by its usefulness.

Unlike other traffic analysis tools such as Ettercap and Wireshark, which wrap packet sniffing in a captive interface (an interactive screen that takes over the terminal or desktop), tcpdump is run as a single command: you give it its options and an optional capture filter at the shell prompt, and it writes the decoded packets to standard output, or, with -w, the raw packets to a file. This may seem primitive to some users, but it provides a power and flexibility that the captive-interface alternatives lack: the output can be piped into other tools, the command can be scripted, and the same invocation works over ssh on a headless box.
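The point about standard output is easiest to see with a pipe. The following is an added shell example, not code from the video or from Chad Perrin's article: a capture wrapper plus an awk filter that turns tcpdump's one-line-per-packet text output into a per-host-pair summary. The interface name eth1 is an assumption, and the capture function needs tcpdump installed and root (or CAP_NET_RAW) privileges; the summary function is exercised here on a few constructed lines in tcpdump's default IPv4 line format (with -n, so hosts and ports are numeric) and needs neither.

```shell
#!/bin/sh
# Added example (not from the video or Chad Perrin's article): use tcpdump's
# line-oriented standard output as input to a script.

# Start a decoded, line-per-packet capture on stdout.  Assumptions: tcpdump is
# installed, the interface is eth1, and the script runs as root.  Any extra
# arguments are passed through as the capture filter, e.g. 'tcp port 80'.
#   -i eth1  listen on this interface
#   -n       do not resolve addresses or ports to names (no DNS of our own)
#   -l       line-buffer stdout so a pipe sees each packet as it arrives
#   -c 1000  stop after 1000 packets instead of running forever
live_capture() {
    tcpdump -i eth1 -n -l -c 1000 "$@"
}

# Summarize tcpdump text lines on stdin: packets and "length N" bytes per
# source-host > destination-host pair, busiest first.  $1 = how many pairs
# to show (default 10).  Only IPv4 lines (second field "IP") are counted.
top_talkers() {
    awk '
    # host.port -> host; a bare IPv4 address (4 parts, e.g. ICMP) is unchanged
    function host(s,   a, n) {
        n = split(s, a, ".")
        if (n == 5) return a[1] "." a[2] "." a[3] "." a[4]
        return s
    }
    $2 == "IP" {
        src = $3; dst = $5
        sub(/:$/, "", dst)                 # strip the trailing colon
        key = host(src) " > " host(dst)
        pkts[key]++
        # TCP and ICMP lines end with "length N"; add N to the byte count.
        # Lines in other formats (DNS ends with "(N)") count packets only.
        if (match($0, / length [0-9]+$/))
            bytes[key] += substr($0, RSTART + 8, RLENGTH - 8)
    }
    END {
        for (k in pkts) printf "%d\t%d\t%s\n", pkts[k], bytes[k] + 0, k
    }' | sort -rn | head -n "${1:-10}"
}

# Constructed sample of tcpdump output (not a real capture): a TCP handshake
# and two data segments, a DNS query and reply, and one ICMP echo request.
SAMPLE='12:00:01.000001 IP 10.0.0.5.51234 > 93.184.216.34.443: Flags [S], seq 1, win 64240, length 0
12:00:01.000300 IP 93.184.216.34.443 > 10.0.0.5.51234: Flags [S.], seq 0, ack 2, win 65535, length 0
12:00:01.000400 IP 10.0.0.5.51234 > 93.184.216.34.443: Flags [P.], seq 1:101, ack 1, win 64240, length 100
12:00:01.000500 IP 10.0.0.5.51234 > 93.184.216.34.443: Flags [P.], seq 101:301, ack 1, win 64240, length 200
12:00:02.000001 IP 10.0.0.5.53211 > 10.0.0.1.53: 12345+ A? example.com. (29)
12:00:02.000900 IP 10.0.0.1.53 > 10.0.0.5.53211: 12345 1/0/0 A 93.184.216.34 (45)
12:00:03.000001 IP 10.0.0.5 > 10.0.0.1: ICMP echo request, id 7, seq 1, length 64'
```

Run `printf '%s\n' "$SAMPLE" | top_talkers 2` to see the summary for the sample; on a live box the same filter sits at the end of a pipe, `live_capture 'tcp port 443' | top_talkers 5`. Because tcpdump is just another command writing to stdout, the same awk works unchanged over ssh or on a saved capture read back with `tcpdump -n -r file.pcap`.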

In this IT Dojo video, I'll show you why tcpdump is a great tool for network debugging and security monitoring.

After watching the video, you can learn more about tcpdump by reading Chad Perrin's article, "Use tcpdump for traffic analysis", the basis for this video.

About

Bill Detwiler is Managing Editor of TechRepublic and Tech Pro Research and the host of Cracking Open, CNET and TechRepublic's popular online show. Prior to joining TechRepublic in 2000, Bill was an IT manager, database administrator, and desktop supp...

19 comments
moneyhan

FOO-BAR, been there, done that!

shawnmac_74

I downloaded the sourceforge project but the readme says the compiler will build windump.exe. Is this the win32 equivalent of tcpdump?

alan

Needs an edit: when the video has 4 minutes 30 seconds to go, it shows command line switches entitled TPCDUMP instead of TCPDUMP.

greaterheights2003

I found it refreshing since I use it a lot in Linux. Typing 'man tcpdump' in a terminal shows a bunch of options/switches to use.

fsveen

Hi Bill, This is definitely useful, since command line tools have the advantage that they can e.g. be scripted. Thank you! However, purely in terms of network traffic analysis I am not seeing anything that e.g. Wireshark cannot do based on watching your video. Can you give an example of something that is unique for tcpdump, or that it just does a lot better? I use Wireshark almost on a daily basis and find it extremely useful. In particular, the way it helps you define filters is very nice.

Bill Detwiler

Tcpdump may not have a slick front end like other packet analyzers such as Wireshark and Ettercap, but this command line tool makes up for its lack of fancy graphics with power and flexibility. In an IT Dojo video, I explore ways to monitor and debug your network with tcpdump. Original post: http://blogs.techrepublic.com.com/itdojo/?p=178 Despite tcpdump's usefulness, not everyone is prepared to abandon a GUI interface. In the discussion thread on Chad Perrin's tcpdump article (linked to from the above blog post), many TechRepublic members vigorously promoted the use of a network analysis tool with a GUI, such as Wireshark and Ettercap. Some suggested using tcpdump in conjunction with a GUI-based tool. What do you think? Does a network traffic analyzer or packet sniffer need a GUI? Is working through the GUI more efficient?

raykaville

The project specs say "Operating System : All POSIX (Linux/BSD/UNIX-like OSes)" and the "Programming Language: C" line hints that if you are using an OS that isn't unix like and if you don't happen to have a C compiler, you just wasted a lot of time. There is a Win32 sub folder when you extract the files which indicates you might be able to compile an MS based application, but you still need a compiler. Would have been appropriate for the article or video to point this out early on. Anyone knowing of a windows version all compiled up, I would appreciate a pointer.

Bill Detwiler

Thanks for pointing out the typo in the list of tcpdump command line switches. Indeed, the list's title read "tpcdump command line switches" and now reads "tcpdump command line switches". Neither my video editor nor I caught the transposed letters. Good eyes!

lmartinhall

If you have to capture packets for a longer period of time, TCPDump is better. There is a known issue that Wireshark leaks memory. You don't have that problem with TCPDump.

geekydewd

We have a world-wide system that uses legacy high-latency, low-speed communications links to some out-of-the-way locations. To test and debug comm problems, we span ports of interest on the remote routers or switches to a port on another switch. We connect that port to eth1 on a *nix box and eth0 to another port. We ssh to eth0, start tcpdump in promiscuous mode on eth1, then run our test. At the end of the test, Ctrl-C in the ssh session to stop tcpdump, gzip the output, and ftp it back to one of our main data centers for analysis. Once we have it "home", we use Wireshark to analyze it. But the beauty of tcpdump is you can run it remotely on just about any box and save the captured packets for later analysis.
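The capture-now, analyze-later workflow in the comment above, written out as an added shell example (not geekydewd's script, and not from the video): tcpdump writes raw packets with -w so Wireshark can open the files later, rotates and compresses them as it goes, and drops root once the interface is open. A helper composes the BPF filter so that, when monitoring and management share one interface (a firewall, say), the operator's own ssh session is excluded from the capture. Assumptions: tcpdump 4.1 or later is installed, the mirrored interface is eth1, the script runs as root, and a hypothetical unprivileged user named pcap exists for -Z.

```shell
#!/bin/sh
# Added example (not the commenter's script): save packets from a mirrored
# port to rotating pcap files for later analysis in Wireshark.
# Assumptions: tcpdump >= 4.1, interface eth1, run as root, and an
# unprivileged user "pcap" (hypothetical) to drop privileges to.

# Build the capture filter: traffic to or from the listed hosts, minus the
# management port, so an ssh session on the same interface never ends up in
# its own capture.  $1 = management port to exclude, remaining args = hosts.
build_filter() {
    port=$1; shift
    expr=""
    for h in "$@"; do
        expr="${expr:+$expr or }host $h"
    done
    if [ -n "$expr" ]; then
        printf '(%s) and not port %s\n' "$expr" "$port"
    else
        printf 'not port %s\n' "$port"
    fi
}

# Capture to hourly pcap files and gzip each one as it is closed.
#   $1 = output directory, $2 = filter expression from build_filter
#   -i eth1   the mirrored (span) port; -w captures are promiscuous by default
#   -n        no name resolution, so the capture box generates no DNS traffic
#   -s 0      whole packets, not a truncated snapshot; Wireshark sees every byte
#   -w PATH   raw pcap instead of decoded text; the strftime pattern names files
#   -G 3600   start a new file every hour
#   -z gzip   run "gzip FILE" on each finished file (post-rotate command)
#   -Z pcap   drop root to user pcap after the interface is opened
capture_for_later() {
    dir=$1; filter=$2
    mkdir -p "$dir"
    tcpdump -i eth1 -n -s 0 -w "$dir/cap-%Y%m%d-%H%M%S.pcap" \
        -G 3600 -z gzip -Z pcap "$filter"
}

# Sanity check before shipping a file home: read it back with tcpdump's own
# -r and count output lines (one per packet at the default verbosity).
count_packets() {
    tcpdump -n -r "$1" 2>/dev/null | wc -l | tr -d ' '
}
```

Typical use on the remote box: `capture_for_later /var/tmp/caps "$(build_filter 22 10.1.2.3 10.1.2.4)"`, stop it with Ctrl-C when the test is done, check a file with `count_packets /var/tmp/caps/cap-20240101-120000.pcap`, and copy the .pcap.gz files back for Wireshark. Compressing on rotation rather than at the end matters on the slow links the comment describes, since the files can start moving while the capture is still running.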

karl.mccarthy

As a firewall engineer in my previous role I found tcpdump an invaluable tool for troubleshooting. Leave it listening on a particular interface for packets coming through a particular port and then test away. In answer to the uniqueness of it, most FWs I've worked with would be hardware based, so no option for using a GUI, plus you can write more complex switches to get the exact packets you're looking for.

oparker

I use tcpdump every day. To me it's peerless for traffic capture and live viewing/analysis. However, if I have to analyze a large capture file after the fact, I can't imagine not having Wireshark to filter through it any number of ways and to check streams, etc. I know tcpdump can be used to read files, but I have never ever learned how, as I have always used Wireshark/Ethereal for that. I can't imagine how anyone could say that tcpdump is better than WS for after-the-fact analysis of a general packet capture file when trying to find an unknown problem. But I do have an open mind :)

flhtc

NO GUI!!! Please :) My admin PC is on the same switch as the firewall, email filter, and web filter. Those ports are mirrored to my PC. Via expect scripts I can turn monitoring on or off for one, all, or any combination thereof in seconds. I've saved my most-used queries to files where they can be quickly called upon to diagnose almost any problem. No matter where or when, as long as you have an Internet connection and VPN, or a modem and a back-door computer, you can log in and start to diagnose in minutes. Jiminy Cricket, you can do it over a serial line if necessary! Yes, most of this can be done with a GUI as well. With that being said, you can also load a tcpdump file into Wireshark if you need to dissect it later. For me, with a computer, a small hub, a couple of network cables, and tcpdump, nothing can hide! Bottom line, this is one of the most valuable tools in any network admin's arsenal!

thugdrummer

There's also a version available for Windows (Windump) that runs at a command prompt. Uses all the same options and primitives as tcpdump with the same output formatting. I don't recall where I downloaded it, but a Google search will find it for you.

Dark_Knight

Are your other servers called TAR and SNA? BTW: Good information. I can see this being used on some of my systems that are remote and have limited graphics. Wireshark sometimes has issues when run on a system that is being remoted.

paul.ob.tech

I'll be downloading a copy. Sometimes I do need a printout with the nice graphics to explain what is happening to others, quickly, and that is where Wireshark comes in handy also.
