Using tcpdump to analyse network packets

The tcpdump command is also called a packet analyzer.

tcpdump works on most flavors of Unix. It allows us to save the captured packets to a file so that we can analyse them later. The saved file can be read back with the same tcpdump command, or with open-source software such as Wireshark, which reads tcpdump pcap files.

In this tcpdump tutorial, let us discuss some practical examples of how to use the tcpdump command.

1. Capture packets from a particular ethernet interface using tcpdump -i

When you execute tcpdump without any options, it captures all the packets flowing through all interfaces. The -i option restricts the capture to a particular ethernet interface.

$ tcpdump -i eth1
14:59:26.608728 IP > . ack 540 win 16554
14:59:26.610602 IP >  4278 1/0/0 (73)
14:59:26.611262 IP >  26364+ PTR? (45)

In this example, tcpdump captured all the packets flowing through the interface eth1 and displayed them on standard output.

Note: The editcap utility selects or removes specific packets from a dump file and translates them into a given format.

2. Capture only N number of packets using tcpdump -c

When you execute tcpdump, it keeps printing packets until you cancel the command. With the -c option you can specify the number of packets to capture, after which tcpdump exits.

$ tcpdump -c 2 -i eth0
listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
14:38:38.184913 IP > P 1457255642:1457255758(116) ack 1561463966 win 63652
14:38:38.690919 IP > P 116:232(116) ack 1 win 63652
2 packets captured
13 packets received by filter
0 packets dropped by kernel

The above tcpdump command captured only 2 packets from interface eth0.

Note: Mergecap and TShark: Mergecap is a packet dump combining tool that merges multiple dump files into a single dump file. TShark is a powerful tool to capture network packets, which can be used to analyze network traffic. Both come with the Wireshark network analyzer distribution.

3. Display Captured Packets in ASCII using tcpdump -A

The following tcpdump syntax prints the packet in ASCII.

$ tcpdump -A -i eth0
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
14:34:50.913995 IP > P 1457239478:1457239594(116) ack 1561461262 win 63652
14:34:51.423640 IP > P 116:232(116) ack 1 win 63652

Note: The ifconfig command is used to configure network interfaces.

4. Display Captured Packets in HEX and ASCII using tcpdump -XX

Some users might want to analyse the packets in hex values. tcpdump provides a way to print packets in both ASCII and HEX format.

$ tcpdump -XX -i eth0
18:52:54.859697 IP > . ack 232 win 16511
        0x0000:  0050 569c 35a3 0019 bb1c 0c00 0800 4500  .PV.5.........E.
        0x0010:  0028 042a 4000 7906 c89c 10b5 aaf6 0f9a  .(.*@.y.........
        0x0020:  69c4 f999 0016 57db 6e08 c712 ea2e 5010  i.....W.n.....P.
        0x0030:  407f c976 0000 0000 0000 0000            @..v........
18:52:54.877713 IP > igmp query v3 [max resp time 1s]
        0x0000:  0050 569c 35a3 0000 0000 0000 0800 4600  .PV.5.........F.
        0x0010:  0024 0000 0000 0102 3ad3 0a00 0000 e000  .$......:.......
        0x0020:  0001 9404 0000 1101 ebfe 0000 0000 0300  ................
        0x0030:  0000 0000 0000 0000 0000 0000            ............
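To check what the -XX dump above actually encodes, here is an added example (not part of the original article) that reassembles the first hex dump into raw bytes and decodes its Ethernet, IPv4 and TCP headers with only the Python standard library, so the fields in tcpdump's summary line (the ACK flag, win 16511, port 22) can be verified against the bytes rather than trusted. The sample dump is copied from the article; the function names and the returned dictionary layout are this example's own.

```python
import re
import struct
from ipaddress import IPv4Address

# First packet of the tcpdump -XX output above (constructed sample input taken
# from the article's hex dump; the timestamp/summary line carries no bytes).
SAMPLE_DUMP = """\
        0x0000:  0050 569c 35a3 0019 bb1c 0c00 0800 4500  .PV.5.........E.
        0x0010:  0028 042a 4000 7906 c89c 10b5 aaf6 0f9a  .(.*@.y.........
        0x0020:  69c4 f999 0016 57db 6e08 c712 ea2e 5010  i.....W.n.....P.
        0x0030:  407f c976 0000 0000 0000 0000            @..v........
"""

DUMP_LINE = re.compile(r"^\s*0x([0-9a-fA-F]+):\s+(.*)$")


def hexdump_to_bytes(dump):
    """Rebuild the raw frame from -XX lines. The ASCII column (after the
    double space) is ignored and the offsets are checked for gaps."""
    out = bytearray()
    for line in dump.splitlines():
        m = DUMP_LINE.match(line)
        if not m:
            continue  # summary lines and blank lines carry no bytes
        if int(m.group(1), 16) != len(out):
            raise ValueError("hex dump offsets are not contiguous")
        hex_part = m.group(2).split("  ")[0]
        out += bytes.fromhex(hex_part.replace(" ", ""))
    return bytes(out)


def decode_frame(frame):
    """Decode the Ethernet II, IPv4 and TCP headers exactly as they lie in
    the -XX bytes; the values tcpdump summarises come straight from here."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    ethertype = struct.unpack("!H", frame[12:14])[0]
    info = {"eth_dst": frame[:6].hex(":"), "eth_src": frame[6:12].hex(":"),
            "ethertype": ethertype}
    if ethertype != 0x0800:
        return info  # not IPv4 (for example an ARP frame): stop at layer 2
    ip = frame[14:]
    if len(ip) < 20:
        raise ValueError("truncated IPv4 header")
    ver_ihl, _tos, total_len, _ident, flags_frag, ttl, proto, _csum = \
        struct.unpack("!BBHHHBBH", ip[:12])
    ihl = (ver_ihl & 0x0F) * 4  # header length in bytes (options included)
    info.update(ip_version=ver_ihl >> 4, ip_total_len=total_len, ip_ttl=ttl,
                ip_proto=proto, ip_df=bool(flags_frag & 0x4000),
                ip_src=str(IPv4Address(ip[12:16])),
                ip_dst=str(IPv4Address(ip[16:20])),
                # bytes past the IP total length are link-layer padding
                # (Ethernet pads short frames to 60 bytes)
                eth_padding=len(ip) - total_len)
    if proto != 6 or len(ip) < ihl + 20:
        return info
    sport, dport, seq, ack, off_flags, window = \
        struct.unpack("!HHIIHH", ip[ihl:ihl + 16])
    info.update(tcp_sport=sport, tcp_dport=dport, tcp_seq=seq, tcp_ack=ack,
                tcp_flags=off_flags & 0x1FF, tcp_window=window)
    return info
```

Running decode_frame(hexdump_to_bytes(SAMPLE_DUMP)) yields destination port 22, a bare ACK flag (0x10) and window 16511, which is what the summary line "ack 232 win 16511" reports.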

5. Capture the packets and write into a file using tcpdump -w

tcpdump allows you to save the packets to a file, and later you can use the packet file for further analysis.

$ tcpdump -w 08232010.pcap -i eth0
tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
32 packets captured
32 packets received by filter
0 packets dropped by kernel

The -w option writes the raw packets to the given file. The file extension should be .pcap, which can be read by any network protocol

6. Reading the packets from a saved file using tcpdump -r

You can read the captured pcap file and view the packets for analysis, as shown below.

$ tcpdump -tttt -r data.pcap
2010-08-22 21:35:26.571793 00:50:56:9c:69:38 (oui Unknown) > Broadcast, ethertype Unknown (0xcafe), length 74:
        0x0000:  0200 000a ffff 0000 ffff 0c00 3c00 0000  ............<...
        0x0010:  0000 0000 0100 0080 3e9e 2900 0000 0000  ........>.).....
        0x0020:  0000 0000 ffff ffff ad00 996b 0600 0050  ...........k...P
        0x0030:  569c 6938 0000 0000 8e07 0000            V.i8........
2010-08-22 21:35:26.571797 IP > P 800464396:800464448(52) ack 203316566 win 71
2010-08-22 21:35:26.571800 IP > P 52:168(116) ack 1 win 71
2010-08-22 21:35:26.584865 IP > NBT UDP PACKET(137): QUERY; REQUEST; BROADC

7. Capture packets with IP address using tcpdump -n

In all the above examples, tcpdump prints the resolved host names rather than the IP addresses. With the -n option it does not resolve addresses, so the following example displays the IP addresses of the machines involved.

$ tcpdump -n -i eth0
15:01:35.170763 IP > P 105:157(52) ack 18060 win 16549
15:01:35.170776 IP > P 23988:24136(148) ack 157 win 113
15:01:35.170894 IP > P 24136:24380(244) ack 157 win 113

8. Capture packets with proper readable timestamp using tcpdump -tttt

$ tcpdump -n -tttt -i eth0
2010-08-22 15:10:39.162830 IP > . ack 49800 win 16390
2010-08-22 15:10:39.162833 IP > . ack 50288 win 16660
2010-08-22 15:10:39.162867 IP > . ack 50584 win 16586

9. Read packets longer than N bytes

You can capture only the packets longer than N bytes by using the ‘greater’ filter with the tcpdump command.

$ tcpdump -w g_1024.pcap greater 1024

10. Receive only the packets of a specific protocol type

You can capture packets based on the protocol type. You can specify one of these protocols: fddi, tr, wlan, ip, ip6, arp, rarp, decnet, tcp and udp. The following example captures only ARP packets flowing through the eth0 interface.

$ tcpdump -i eth0 arp
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
19:41:52.809642 arp who-has tell
19:41:52.863689 arp who-has tell
19:41:53.024769 arp who-has tell

11. Read packets shorter than N bytes

You can capture only the packets shorter than N bytes by using the ‘less’ filter with the tcpdump command.

$ tcpdump -w l_1024.pcap less 1024

12. Capture packets flowing on a particular port using tcpdump port

If you want to see all the packets sent to or from a particular port on a machine, you can use the tcpdump command as shown below.

$ tcpdump -i eth0 port 22
19:44:44.934459 IP > P 18932:19096(164) ack 105 win 71
19:44:44.934533 IP > P 19096:19260(164) ack 105 win 71
19:44:44.934612 IP > P 19260:19424(164) ack 105 win 71

13. Capture packets for particular destination IP and Port

Every packet carries a source and a destination IP address and port number. Using tcpdump we can filter on the source or destination IP address and port number. The following command captures packets flowing through eth0 to a particular destination IP address and port 22.

$ tcpdump -w xpackets.pcap -i eth0 dst and port 22

14. Capture TCP communication packets between two hosts

If two processes on two different machines are communicating over TCP, we can capture those packets using tcpdump as shown below.

$ tcpdump -w comm.pcap -i eth0 dst and port 22

You can open the file comm.pcap using any network protocol analyzer tool to debug any potential issues.

15. tcpdump Filter Packets – Capture all the packets other than arp and rarp

In the tcpdump command, you can combine filter conditions with “and”, “or” and “not” to select the packets you want.

$ tcpdump -i eth0 not arp and not rarp
20:33:15.479278 IP >  26929 1/0/0 (73)
20:33:15.479890 IP >  56556+ PTR? (45)
20:33:15.480197 IP > P 540:1504(964) ack 1 win 96
20:33:15.487118 IP > . ack 540 win 16486
20:33:15.668599 IP > igmp query v3 [max resp time 1s]

Using the LVM manager

LVM stands for Logical Volume Manager.

With LVM, we can create logical partitions that can span one or more physical hard drives. First, the hard drives are divided into physical volumes, then those physical volumes are combined to create a volume group, and finally the logical volumes are created from the volume group.

The LVM commands listed in this article were run on Ubuntu, but they are the same on other Linux distributions.

Before we start, install the lvm2 package as shown below.

$ sudo apt-get install lvm2

To create a LVM, we need to run through the following steps.

  • Select the physical storage devices for LVM
  • Create the Volume Group from Physical Volumes
  • Create Logical Volumes from Volume Group

Select the Physical Storage Devices for LVM – Use pvcreate, pvscan, pvdisplay Commands

In this step, we need to choose the physical volumes that will be used to create the LVM. We can create the physical volumes using pvcreate command as shown below.

$ sudo pvcreate /dev/sda6 /dev/sda7
Physical volume "/dev/sda6" successfully created
Physical volume "/dev/sda7" successfully created

As shown above two physical volumes are created – /dev/sda6 and /dev/sda7.

If the physical volumes are already created, you can view them using the pvscan command as shown below.

$ sudo pvscan
  PV /dev/sda6                      lvm2 [1.86 GB]
  PV /dev/sda7                      lvm2 [1.86 GB]
  Total: 2 [3.72 GB] / in use: 0 [0   ] / in no VG: 2 [3.72 GB]

You can view the list of physical volumes with attributes like size, physical extent size, total physical extent size, the free space, etc., using pvdisplay command as shown below.

$ sudo pvdisplay
  --- Physical volume ---
  PV Name               /dev/sda6
  VG Name
  PV Size               1.86 GB / not usable 2.12 MB
  Allocatable           yes
  PE Size (KByte)       4096
  Total PE              476
  Free PE               456
  Allocated PE          20
  PV UUID               m67TXf-EY6w-6LuX-NNB6-kU4L-wnk8-NjjZfv
  --- Physical volume ---
  PV Name               /dev/sda7
  VG Name
  PV Size               1.86 GB / not usable 2.12 MB
  Allocatable           yes
  PE Size (KByte)       4096
  Total PE              476
  Free PE               476
  Allocated PE          0
  PV UUID               b031x0-6rej-BcBu-bE2C-eCXG-jObu-0Boo0x

Note: PE (Physical Extents) are simply the equal-sized chunks into which LVM divides a physical volume. The default extent size is 4MB.

Create the Volume Group – Use vgcreate, vgdisplay Commands

Volume groups are nothing but a pool of storage that consists of one or more physical volumes. Once you create the physical volume, you can create the volume group (VG) from these physical volumes (PV).

In this example, the volume group vol_grp1 is created from the two physical volumes as shown below.

$ sudo vgcreate vol_grp1 /dev/sda6 /dev/sda7
  Volume group "vol_grp1" successfully created

LVM processes the storage in terms of extents. We can also change the extent size (from the default size 4MB) using -s flag.

The vgdisplay command lists the created volume groups.

$ sudo vgdisplay
  --- Volume group ---
  VG Name               vol_grp1
  System ID
  Format                lvm2
  Metadata Areas        2
  Metadata Sequence No  1
  VG Access             read/write
  VG Status             resizable
  MAX LV                0
  Cur LV                0
  Open LV               0
  Max PV                0
  Cur PV                2
  Act PV                2
  VG Size               3.72 GB
  PE Size               4.00 MB
  Total PE              952
  Alloc PE / Size       0 / 0
  Free  PE / Size       952 / 3.72 GB
  VG UUID               Kk1ufB-rT15-bSWe-5270-KDfZ-shUX-FUYBvR

LVM Create: Create Logical Volumes – Use lvcreate, lvdisplay command

Now everything is ready to create logical volumes from the volume group. The lvcreate command below allocates 20 extents (-l 20); with the 4MB extent size of vol_grp1, that gives a logical volume of 80MB.

$ sudo lvcreate -l 20 -n logical_vol1 vol_grp1
  Logical volume "logical_vol1" created

Use the lvdisplay command as shown below to view the available logical volumes with their attributes.

$ sudo lvdisplay
  --- Logical volume ---
  LV Name                /dev/vol_grp1/logical_vol1
  VG Name                vol_grp1
  LV UUID                ap8sZ2-WqE1-6401-Kupm-DbnO-2P7g-x1HwtQ
  LV Write Access        read/write
  LV Status              available
  # open                 0
  LV Size                80.00 MB
  Current LE             20
  Segments               1
  Allocation             inherit
  Read ahead sectors     auto
  - currently set to     256
  Block device           252:0

After creating a filesystem on the logical volume, it is ready to be used for storage.

$ sudo mkfs.ext3 /dev/vol_grp1/logical_vol1

LVM resize: Change the size of the logical volumes – Use lvextend Command

We can extend a logical volume after creating it by using the lvextend utility as shown below. This changes the size of the logical volume from 80MB to 100MB.

$ sudo lvextend -L100 /dev/vol_grp1/logical_vol1
  Extending logical volume logical_vol1 to 100.00 MB
  Logical volume logical_vol1 successfully resized

We can also add a given amount of space to a specific logical volume, using a + prefix, as shown below.

$ sudo lvextend -L+100 /dev/vol_grp1/logical_vol1
  Extending logical volume logical_vol1 to 200.00 MB
  Logical volume logical_vol1 successfully resized
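As an added example that is not part of the original article, the Python helper below parses the vgdisplay output shown earlier and works out what the lvcreate -l 20, lvextend -L100 and lvextend -L+100 requests from the steps above come to in extents and megabytes (rounding -L sizes up to whole extents, as LVM does), and refuses a request that needs more extents than the volume group has free. The argument parsing and the dictionary layout are this example's own assumptions; the sample vgdisplay text is copied from the article.

```python
import math
import re

# vgdisplay output copied from the article (constructed sample input; only the
# fields the helper reads are kept).
VGDISPLAY_SAMPLE = """\
  --- Volume group ---
  VG Name               vol_grp1
  Format                lvm2
  VG Size               3.72 GB
  PE Size               4.00 MB
  Total PE              952
  Alloc PE / Size       0 / 0
  Free  PE / Size       952 / 3.72 GB
"""

# Accepts the size arguments used on this page: -l <extents>, -L<size>, -L+<size>
SIZE_ARG = re.compile(r"^-(l|L)\s*(\+?)(\d+)([kKmMgG]?)$")
UNIT_TO_MB = {"": 1, "k": 1 / 1024, "m": 1, "g": 1024}  # -L defaults to megabytes


def parse_vgdisplay(text):
    """Extract the fields needed for extent arithmetic from vgdisplay output."""
    name = re.search(r"^\s*VG Name\s+(\S+)", text, re.M)
    pe = re.search(r"^\s*PE Size\s+([\d.]+)\s*(MB|GB)", text, re.M)
    free = re.search(r"^\s*Free\s+PE / Size\s+(\d+)", text, re.M)
    if not (name and pe and free):
        raise ValueError("vgdisplay output is missing VG Name, PE Size or Free PE")
    pe_mb = float(pe.group(1)) * (1024 if pe.group(2) == "GB" else 1)
    return {"name": name.group(1), "pe_mb": pe_mb, "free_pe": int(free.group(1))}


def lv_size_request(vg, arg, current_extents=0):
    """Resolve an lvcreate/lvextend size argument to the resulting size in
    extents and MB. -L sizes are rounded up to whole extents; a request that
    needs more extents than the volume group has free is rejected."""
    m = SIZE_ARG.match(arg.strip())
    if not m:
        raise ValueError(f"unsupported size argument: {arg!r}")
    opt, plus, num, unit = m.groups()
    if opt == "l":
        extents = int(num)  # -l counts extents directly
    else:
        extents = math.ceil(int(num) * UNIT_TO_MB[unit.lower()] / vg["pe_mb"])
    target = current_extents + extents if plus else extents  # + means relative
    needed = target - current_extents
    if needed > vg["free_pe"]:
        raise ValueError(f"{needed} extents needed, only {vg['free_pe']} free "
                         f"in {vg['name']}")
    return {"extents": target, "size_mb": target * vg["pe_mb"]}
```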

Installing MySQL from source

Most Linux distributions come with MySQL. If you want to use MySQL, my recommendation is to download the latest version of MySQL and install it yourself. Later you can upgrade it when a newer version becomes available. In this article, I will explain how to install the latest free community edition of MySQL on Linux.

1. Download the latest stable release of MySQL

Download MySQL from . Please download the community edition of MySQL for your Linux platform. I downloaded the “Red Hat Enterprise Linux 5 RPM (x86)”. Make sure to download MySQL Server, Client and “Headers and libraries” from the download page.

  • MySQL-client-community-5.1.25-0.rhel5.i386.rpm
  • MySQL-server-community-5.1.25-0.rhel5.i386.rpm
  • MySQL-devel-community-5.1.25-0.rhel5.i386.rpm

2. Remove the existing default MySQL that came with the Linux distro

Do not perform this step on a system where an application is using the MySQL database.

[local-host]# rpm -qa | grep -i mysql

[local-host]# rpm -e mysql --nodeps
warning: /etc/my.cnf saved as /etc/my.cnf.rpmsave
[local-host]# rpm -e mysqlclient10

3. Install the downloaded MySQL package

Install the MySQL Server and Client packages as shown below.

[local-host]# rpm -ivh MySQL-server-community-5.1.25-0.rhel5.i386.rpm MySQL-client-community-5.1.25-0.rhel5.i386.rpm
Preparing...                ########################################### [100%]
1:MySQL-client-community ########################################### [ 50%]
2:MySQL-server-community ########################################### [100%]

This will also display the following output and start the MySQL daemon automatically.

To do so, start the server, then issue the following commands:
/usr/bin/mysqladmin -u root password 'new-password'
/usr/bin/mysqladmin -u root -h medica2 password 'new-password'

Alternatively you can run:
which will also give you the option of removing the test
databases and anonymous user created by default.  This is
strongly recommended for production servers.
See the manual for more instructions.
Please report any problems with the /usr/bin/mysqlbug script!
The latest information about MySQL is available at
Support MySQL by buying support/licenses from

Starting MySQL.[  OK  ]
Giving mysqld 2 seconds to start

Install the “Header and Libraries” that are part of the MySQL-devel packages.

[local-host]# rpm -ivh MySQL-devel-community-5.1.25-0.rhel5.i386.rpm
Preparing...                ########################################### [100%]
1:MySQL-devel-community  ########################################### [100%]

Note: When I was compiling PHP with the MySQL option from source on this Linux system, it failed with the following error. Installing the MySQL-devel-community package fixed this problem when installing PHP from source.

configure: error: Cannot find MySQL header files under yes.
Note that the MySQL client library is not bundled anymore!

4. Perform post-install security activities on MySQL.

At a bare minimum you should set a password for the root user as shown below:

[local-user]# /usr/bin/mysqladmin -u root password 'My2Secure$Password'

The best option is to run the mysql_secure_installation script, which takes care of the typical security-related items on a fresh MySQL install, as shown below. At a high level it does the following:

  • Change the root password
  • Remove the anonymous user
  • Disallow root login from remote machines
  • Remove the default sample test database

[local-host]# /usr/bin/mysql_secure_installation

In order to log into MySQL to secure it, we'll need the current
password for the root user.  If you've just installed MySQL, and
you haven't set the root password yet, the password will be blank,
so you should just press enter here.

Enter current password for root (enter for none):
OK, successfully used password, moving on...

Setting the root password ensures that nobody can log into the MySQL
root user without the proper authorisation.
You already have a root password set, so you can safely answer 'n'.
Change the root password? [Y/n] Y
New password:
Re-enter new password:
Password updated successfully!
Reloading privilege tables..
... Success!
By default, a MySQL installation has an anonymous user, allowing anyone
to log into MySQL without having to have a user account created for
them.  This is intended only for testing, and to make the installation
go a bit smoother.  You should remove them before moving into a
production environment.
Remove anonymous users? [Y/n] Y
... Success!
Normally, root should only be allowed to connect from 'localhost'.  This
ensures that someone cannot guess at the root password from the network.
Disallow root login remotely? [Y/n] Y
... Success!
By default, MySQL comes with a database named 'test' that anyone can
access.  This is also intended only for testing, and should be removed
before moving into a production environment.
Remove test database and access to it? [Y/n] Y
- Dropping test database...
... Success!
- Removing privileges on test database...
... Success!
Reloading the privilege tables will ensure that all changes made so far
will take effect immediately.
Reload privilege tables now? [Y/n] Y
... Success!
Cleaning up...
All done!  If you've completed all of the above steps, your MySQL
installation should now be secure.
Thanks for using MySQL!

5. Verify the MySQL installation:

You can check the MySQL installed version by performing mysql -V as shown below:

[local-host]# mysql -V
mysql  Ver 14.14 Distrib 5.1.25-rc, for redhat-linux-gnu (i686) using readline 5.1

Connect to the MySQL database as the root user and make sure the connection is successful.

[local-host]# mysql -u root -p
Enter password:
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 13
Server version: 5.1.25-rc-community MySQL Community Server (GPL)

Type 'help;' or '\h' for help. Type '\c' to clear the buffer.

Follow the steps below to stop and start MySQL.

[local-host]# service mysql status
MySQL running (12588)                                      [  OK  ]
[local-host]# service mysql stop
Shutting down MySQL.                                       [  OK  ]
[local-host]# service mysql start
Starting MySQL.                                            [  OK  ]