2.5 tcpdump Basics
The most effective way to start learning about network packet formation is to study some examples. tcpdump operates by capturing packets from a network connection. The output is displayed in a standard format understandable by other network sniffing applications. Here is some captured data, as seen by tcpdump:
07:00:48.036746 ping.net > myhost.com: icmp echo request (DF)
07:00:48.036776 myhost.com > ping.net: icmp: echo reply (DF)
07:02:12.622460 log.net.3155 > syslog.com.514: udp 101
07:03:01.132414 send.net.32938 > mail.com.25 S 248631:248631(0) win 8760
tcpdump prints more (verbose) information about the sniffed traffic with the -v option, and prints its output in hexadecimal with -x. It can also write the raw packets to a file using -w rather than sending them to standard output or to the console. Writing the capture to a file is extremely useful when you only have command-line access to a sniffer but want to keep the capture for later analysis (or analysis by another tool). tcpdump filters let you capture only the traffic you care about, such as traffic on a particular port (port 22, for example) or a specific protocol such as UDP, instead of collecting all data and filling up the logs. These filters are applied directly within the kernel, so packets that do not match are never copied up to user space.
In some cases, tcpdump resolves the port number to a particular service. For example, port 21, in some instances, is resolved to "ftp". Check the /etc/services file for more information regarding the port number and the actual service.
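As an added example (not from the original text or the tcpdump project), the following Python parses the one-line summary format shown above into structured records and applies a small port-to-service lookup in the spirit of /etc/services; the SERVICES table and the sample lines are constructed for this example, and only hostnames (not numeric IPs) are handled by the endpoint splitter.

```python
import re
from collections import namedtuple

# Constructed sample: the four summary lines quoted in the text above.
SAMPLE = """\
07:00:48.036746 ping.net > myhost.com: icmp echo request (DF)
07:00:48.036776 myhost.com > ping.net: icmp: echo reply (DF)
07:02:12.622460 log.net.3155 > syslog.com.514: udp 101
07:03:01.132414 send.net.32938 > mail.com.25 S 248631:248631(0) win 8760
"""
# Small stand-in for /etc/services (assumption; the real file is authoritative).
SERVICES = {21: "ftp", 22: "ssh", 25: "smtp", 514: "syslog"}
# timestamp, source endpoint, '>', destination endpoint (optional ':'), remainder
LINE_RE = re.compile(r"^(?P<ts>\d\d:\d\d:\d\d\.\d+)\s+(?P<src>\S+)\s+>\s+"
                     r"(?P<dst>[^:\s]+):?\s+(?P<rest>.*)$")
Packet = namedtuple("Packet", "ts src_host src_port dst_host dst_port proto info")

def split_endpoint(ep):
    """'host.port' -> (host, port); a bare host has no port. Only hostnames are
    handled: in this dotted notation a numeric IP's last octet is ambiguous."""
    host, _, tail = ep.rpartition(".")
    return (host, int(tail)) if host and tail.isdigit() else (ep, None)

def parse_line(line):
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    src_host, src_port = split_endpoint(m["src"])
    dst_host, dst_port = split_endpoint(m["dst"])
    rest = m["rest"]
    # tcpdump labels icmp/udp, but prints TCP flags (S . P F R) with no label.
    proto = "icmp" if rest.startswith("icmp") else "udp" if rest.startswith("udp") else "tcp"
    return Packet(m["ts"], src_host, src_port, dst_host, dst_port, proto, rest)

def parse(text):
    return [p for p in map(parse_line, text.splitlines()) if p]

def service(port):
    return "-" if port is None else SERVICES.get(port, str(port))

def tcp_syns(packets):
    """(source, destination:service) for bare SYNs, i.e. new connection attempts."""
    return [(p.src_host, f"{p.dst_host}:{service(p.dst_port)}")
            for p in packets if p.proto == "tcp" and p.info.startswith("S ")]

if __name__ == "__main__":
    for p in parse(SAMPLE):
        print(p.ts, p.proto, p.src_host, service(p.src_port), "->", p.dst_host, service(p.dst_port))
    print("new TCP connections:", tcp_syns(parse(SAMPLE)))
```

Feeding a saved text capture through parse() gives a quick per-protocol and per-service view of the traffic before opening the -w file in another tool.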