If there were one network utility that I wish had been demystified for me as a support engineer, it is the tcpdump tool. I can't count the number of times that I ran into a situation where I needed to use it for troubleshooting but didn't fully understand it or what options I needed to know. Today, I take a deep dive into the tcpdump tool: what it is used for and what you need to know. I also walk you through a mock-up of a situation I found myself in previously. Let's jump into it.
What is tcpdump?
The tcpdump tool was developed in the late 1980s and has been a network troubleshooting staple ever since. It is distributed under a BSD license and is free to download and use. It works on most *nix operating systems, and a ported version exists for Windows. At the most basic level, tcpdump is a packet capture tool used to troubleshoot network connectivity issues. It is most closely comparable to Wireshark, which is built on the same libpcap capture library and accepts the same capture-filter syntax, but tcpdump is far lighter and command-line only (no GUI available to my knowledge).
Installation
Before we begin poking around with the command, let's take a look at installing it. Most distributions package it and many server images already include it, so you may have it already. You can verify this by running which tcpdump. If it isn't installed, don't worry: installation is simple. Install the tcpdump package from your distribution's repositories (dnf or yum on Red Hat Enterprise Linux). Keep in mind that capturing packets is a privileged operation: run tcpdump as root or via sudo unless the binary has been granted the capture capabilities.
Basic usage
Now that we have the tool ready for use, let's look at the most basic functions. To start capturing packets across an interface, we need to see the network interfaces available for capture. To do this, we run tcpdump with its -D option, which lists every interface it is able to open.
On a Red Hat Enterprise Linux machine this prints a numbered list, one interface per line, giving the interface name (newer versions also note whether it is up and running). Either the number or the name can later be handed to -i, and the special any entry captures on all interfaces at once.
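The install check and the interface listing from the two sections above, as an added example that is not code from the original article. It assumes a Red Hat family host (dnf, with yum and apt-get as fallbacks) and sudo; the helper names (detect_pkg_mgr, ensure_tcpdump, capture_ready) are mine, and the install step only runs when the script is invoked with the argument run:

```shell
#!/bin/sh
# Added example, not code from the original article. Installs tcpdump if it
# is missing and checks that the current user can actually open a capture
# interface. Package-manager detection and the helper names are assumptions.
set -eu

# Print the first supported package manager found on this host.
# Returns 1 (and prints nothing) when none of them is present.
detect_pkg_mgr() {
    for mgr in dnf yum apt-get; do
        if command -v "$mgr" >/dev/null 2>&1; then
            echo "$mgr"
            return 0
        fi
    done
    return 1
}

# Equivalent of `which tcpdump`: print the path if installed, else return 1.
tcpdump_path() {
    command -v tcpdump
}

# Install tcpdump only if it is not already on the PATH.
ensure_tcpdump() {
    if tcpdump_path >/dev/null 2>&1; then
        echo "tcpdump already installed at $(tcpdump_path)"
        return 0
    fi
    mgr=$(detect_pkg_mgr) || { echo "no supported package manager found" >&2; return 1; }
    echo "installing tcpdump with $mgr"
    sudo "$mgr" install -y tcpdump
}

# Capturing needs CAP_NET_RAW (and CAP_NET_ADMIN for promiscuous mode).
# Root has them; otherwise the binary must carry file capabilities, which
# getcap (from libcap) shows. Returns 0 when this user can capture.
capture_ready() {
    [ "$(id -u)" -eq 0 ] && return 0
    bin=$(tcpdump_path) || return 1
    command -v getcap >/dev/null 2>&1 || return 1
    getcap "$bin" 2>/dev/null | grep -q cap_net_raw
}

# List the interfaces tcpdump can open: "N.name [flags]" per line. Either
# the number or the name can be passed to -i afterwards.
list_interfaces() {
    tcpdump -D
}

# Only act when invoked as "sh script.sh run", so sourcing the functions
# for testing never triggers a package install.
if [ "${1:-}" = "run" ]; then
    ensure_tcpdump
    if capture_ready; then
        list_interfaces
    else
        echo "run as root, or grant cap_net_raw,cap_net_admin=eip to $(tcpdump_path || echo tcpdump), before capturing" >&2
    fi
fi
```

Granting file capabilities to the binary lets an unprivileged troubleshooting account capture without a root shell, which is the least-privilege way to hand this tool out; a bare sudo rule for tcpdump is wider, because the -z and -w options let it run commands and write files as root.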
This command is extremely useful in enterprise environments where specific interfaces are used to move particular types of data. We look at this situation more closely later in this article. Now, let's capture some packets so that we can see the output and what information we are gathering here.
For a basic capture, run tcpdump with the -i flag to indicate the interface we want to listen on; any, in this case, which captures on every interface at once (on Linux this pseudo-interface captures in "cooked" mode, so you see the IP traffic but not the real link-layer headers). Note that tcpdump continues to capture packets until an interrupt signal is given via Ctrl+C. The other option you can use is the -c flag to limit the number of packets captured. This limit is honestly one of the best ways to use the command, in my opinion, because much of the time you are trying to figure out connectivity (which can be diagnosed rather quickly), and a bounded capture also exits on its own, which matters when you run it from a script or over a flaky session.
I have another quick tip for troubleshooting with tcpdump. By default, it resolves IP addresses and port numbers into names in its output. In large environments where naming schemes are a bit tricky, you can disable this resolution to get the raw IP addresses and port numbers. From a technical troubleshooting perspective, I find this far less confusing. It also makes searching through the output of your capture a bit easier, and it avoids the reverse DNS lookups that resolution triggers, which slow the display down and show up in the capture as traffic of their own. We use the -nn flag to disable both name and port resolution (a single -n disables only host name resolution).
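The basic capture with -i, -c and -nn described above, followed by a small summary of the resulting output, as an added example that is not code from the original article. The capture function itself needs root; the top_talkers helper and the sample lines, which are constructed in the layout tcpdump -nn prints rather than taken from a real capture, are mine:

```shell
#!/bin/sh
# Added example, not from the original article. Captures a bounded number of
# packets without name resolution and summarises who talked to whom.
# The helper names and the sample capture lines are assumptions.
set -eu

# Five packets on every interface, numeric addresses and ports, then exit.
# -c makes tcpdump stop on its own instead of waiting for Ctrl+C. Needs root.
capture_five() {
    tcpdump -i any -c 5 -nn
}

# Read tcpdump -nn output on stdin and print "count src dst", busiest pair
# first. With -nn each endpoint is "address.port", so the fields are stable;
# with resolution on they would vary with DNS and /etc/services.
top_talkers() {
    awk '
        {
            # Locate the protocol word so the leading timestamp (and, on newer
            # versions with -i any, interface and direction) columns do not matter.
            for (i = 1; i <= NF; i++) {
                if ($i == "IP" || $i == "IP6") {
                    src = $(i + 1); dst = $(i + 3)
                    sub(/:$/, "", dst)   # drop the trailing colon
                    count[src " " dst]++
                    break
                }
            }
        }
        END { for (k in count) print count[k], k }
    ' | sort -rn
}

# Constructed sample in the layout tcpdump -nn prints (not a real capture).
SAMPLE='12:07:39.512231 IP 172.25.1.5.48226 > 172.25.1.4.22: Flags [P.], seq 1:37, ack 1, win 502, length 36
12:07:39.512400 IP 172.25.1.4.22 > 172.25.1.5.48226: Flags [.], ack 37, win 501, length 0
12:07:39.513010 IP 172.25.1.5.48226 > 172.25.1.4.22: Flags [.], ack 1, win 502, length 0
12:07:40.100000 IP 172.25.1.5.53012 > 10.0.0.53.53: 4821+ A? example.com. (29)
12:07:40.200000 IP6 fe80::1.546 > ff02::1:2.547: dhcp6 solicit'

printf '%s\n' "$SAMPLE" | top_talkers
```

On a live box you would pipe capture_five (or a larger -c) into top_talkers instead of the constructed sample; the busiest line in the summary is usually the conversation you were looking for, and anything you did not expect to see there is worth a second capture with a narrower filter.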
Other useful filters
To filter by IP address in either direction, use the host primitive with the address.
To filter by interface, use the -i option (this is a command-line option, not part of the filter expression).
To filter by source, use src (or src host) with the address.
To filter by destination, use dst (or dst host) with the address.
To filter by protocol, use a protocol keyword such as icmp, tcp or udp, and add port to narrow to a particular port.
There is a vast number of options and filters to really hone your captures down to only the most useful traffic; filter expressions use the Berkeley Packet Filter syntax, and primitives combine with and, or and not. If you need more info, check out the tcpdump and pcap-filter man pages or other online sources.
Practical application
As I stated earlier, during my time as a support engineer, I spent a considerable amount of time troubleshooting data replication from production to disaster recovery environments. A customer would often have a designated replication interface set up to send traffic from their production server over to a replication target server. Let's walk through what that looks like at a basic level and use tcpdump to verify traffic from our source interface to the destination.
Prerequisite conditions
- Source server - 172.25.1.5
- Destination server - 172.25.1.4
- Replication interface - enp0s8
In theory, when we start a data replication job, we should see traffic flow from 172.25.1.5 to 172.25.1.4.
I started a quick 'replication' (ping) job in the background on the source server. Next, we run tcpdump on the source and destination servers to see if we are receiving the traffic.
From the source, the capture shows only ICMP echo requests leaving the replication interface; we are not getting a response from the target. In a real scenario, this would indicate an issue on the destination, as we can clearly see the traffic being sent over the source interface.
After I turned the destination interface back on...
Here are the traffic captures from the source and the destination after the issue was identified and resolved.
Source:
Destination:
A closer look at the output shows that the traffic is sent from the source server to the target server successfully.
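The filter expressions listed under "Other useful filters" and the replication check walked through above, as one added example that is not code from the original article. It uses the article's addresses and interface name; the helper names and the two sample captures, constructed in the layout tcpdump -nn prints for ping traffic, are mine. The capture functions need root; the check itself runs offline:

```shell
#!/bin/sh
# Added example, not from the original article. Captures the replication
# traffic with a BPF filter, optionally saves it, and checks whether echo
# requests are getting replies. Helper names and sample captures are assumptions.
set -eu

SRC=172.25.1.5     # source server (from the article)
DST=172.25.1.4     # destination server
IFACE=enp0s8       # replication interface

# The filter primitives from the article, combined with and/or/not.
# "host" matches either direction, "src"/"dst" pin one end, "icmp" is the
# protocol. -i selects the interface and is an option, not a filter.
SOURCE_FILTER="icmp and src host $SRC and dst host $DST"
DEST_FILTER="icmp and host $SRC and host $DST"

# On the source: only what leaves for the destination, ten packets. Needs root.
capture_source() {
    tcpdump -nn -i "$IFACE" -c 10 "$SOURCE_FILTER"
}

# On the destination: both directions, so replies (if any) are visible too.
capture_destination() {
    tcpdump -nn -i "$IFACE" -c 10 "$DEST_FILTER"
}

# Save to a pcap file for later analysis; -r replays it through the same
# printer, so the check below works offline. Red Hat builds drop root
# privileges to the tcpdump user before writing, so the target directory
# must be writable by that user.
capture_to_file() {
    tcpdump -nn -i "$IFACE" -c 10 -w "$1" "$DEST_FILTER"
}
replay_file() {
    tcpdump -nn -r "$1"
}

# Read tcpdump -nn ICMP output on stdin. Prints "requests=N replies=M" and
# returns 1 when requests went out but nothing came back (one-way traffic:
# the destination is not answering, as in the failed case above).
check_echo_replies() {
    awk '
        / ICMP echo request/ { req++ }
        / ICMP echo reply/   { rep++ }
        END {
            printf "requests=%d replies=%d\n", req, rep
            if (req > 0 && rep == 0) exit 1
        }
    '
}

# Constructed samples in the layout tcpdump -nn prints for ping traffic.
BROKEN_CAPTURE='12:10:01.000123 IP 172.25.1.5 > 172.25.1.4: ICMP echo request, id 2281, seq 1, length 64
12:10:02.000456 IP 172.25.1.5 > 172.25.1.4: ICMP echo request, id 2281, seq 2, length 64'
HEALTHY_CAPTURE='12:12:01.000123 IP 172.25.1.5 > 172.25.1.4: ICMP echo request, id 2281, seq 1, length 64
12:12:01.000300 IP 172.25.1.4 > 172.25.1.5: ICMP echo reply, id 2281, seq 1, length 64
12:12:02.000120 IP 172.25.1.5 > 172.25.1.4: ICMP echo request, id 2281, seq 2, length 64
12:12:02.000290 IP 172.25.1.4 > 172.25.1.5: ICMP echo reply, id 2281, seq 2, length 64'

printf '%s\n' "$BROKEN_CAPTURE" | check_echo_replies || echo "destination is not answering"
printf '%s\n' "$HEALTHY_CAPTURE" | check_echo_replies && echo "replication path is up"
```

In the live scenario you would run capture_source on 172.25.1.5 and capture_destination on 172.25.1.4 at the same time: requests seen on the source but absent on the destination point at the path or the destination interface, while requests that arrive but draw no reply point at the destination host itself (a firewall dropping ICMP, for example). Piping either capture, or replay_file on a saved pcap, into check_echo_replies turns that eyeball check into a non-zero exit status a script can act on.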
Summary
We learned the what and why of tcpdump today, as well as options to know. We even took a look at a real-world use case. Obviously, there are other considerations in a live environment. Everything from interfaces being down (like in this example) to bad passwords over the wire can cause failures. Only experience teaches you these lessons, but at least now you know how to get started in identifying an issue. My next article explores filter options a bit further, how to output your captures to a file, and how to use grep to find the needle in your haystack. Be sure to keep an eye out for that.
For more detailed information about using tcpdump, check out this introduction to using tcpdump at the Linux command line on Opensource.com, and see the official documentation in the Red Hat Customer Portal for a better understanding of tcpdump inside of a Red Hat Enterprise Linux environment.