Capturing packets using tcpdump under Linux

  • Wireshark is a well-known, powerful tool for capturing packets on Windows; on Linux, tcpdump can be used to capture packets.

tcpdump command format

tcpdump option proto dir type

  • option: optional parameters
      • -w: write data to a file
      • -r: read data from a file
      • -A: display each packet in ASCII (link-layer header information is not shown). This is convenient for viewing data when capturing packets that contain web page data
  • proto: protocol
      • tcp
      • udp
      • ether
      • wlan
      • ip
      • ip6
  • dir: direction
      • src: source address
      • dst: destination address
  • type: type
      • host: host
      • net: network
      • port: port
      • portrange: port range

Examples

  • tcpdump host: captures all packets on this IP address
  • tcpdump src port 8088: captures all packets whose source port number is 8088
  • tcpdump portrange 8000-8080: captures all packets in this port range
  • tcpdump tcp: captures all TCP packets

Introduction to tcpdump output

19:50:51.802675 IP ubuntu.53284 > Flags [P.], seq 1:7, ack 23, win 64218, length 6
  • 19:50:51.802675: time
  • IP: network protocol
  • ubuntu.53284: sender address and port number
  • receiver address and port number
  • Flags [P.]: flag identifiers. The following exist:
      • [S] SYN (start connection)
      • [P] PSH (push data)
      • [F] FIN (end connection)
      • [R] RST (reset connection)
      • [.] no flag (meaning that, apart from the four types above, it may be ACK or URG)
  • seq: sequence number
  • ack: acknowledgment number
  • length: data length

Analyzing the TCP three-way handshake with a tcpdump packet capture

Command: tcpdump host

  • First, capture all packets on this address

Three-way handshake

20:28:44.659214 IP ubuntu.53310 > Flags [S], seq 3892635409, win 64240, options [mss 1460,sackOK,TS val 3092868458 ecr 0,nop,wscale 7], length 0
20:28:44.686879 IP > ubuntu.53310: Flags [S.], seq 1283407174, ack 3892635410, win 64240, options [mss 1460], length 0
20:28:44.686916 IP ubuntu.53310 > Flags [.], ack 1, win 64240, length 0
  • The client first sends a SYN, the server responds with SYN + ACK, and the client responds with an ACK. This three-way handshake establishes the connection. (The dot in Flags here is ACK.)

Data transmission

  • The client sent a "hello" string
20:29:09.856194 IP ubuntu.53310 > Flags [P.], seq 1:7, ack 1, win 64240, length 6
20:29:09.856332 IP > ubuntu.53310: Flags [.], ack 7, win 64240, length 0
  • The flag is P, indicating a data push.

Four waves (connection termination)

20:24:52.536351 IP ubuntu.53304 > Flags [F.], seq 1, ack 1, win 64240, length 0
20:24:52.536547 IP > ubuntu.53304: Flags [.], ack 2, win 64239, length 0
20:24:52.561859 IP > ubuntu.53304: Flags [FP.], seq 1, ack 2, win 64239, length 0
20:24:52.561889 IP ubuntu.53304 > Flags [.], ack 2, win 64240, length 0
  • The client initiates the disconnection with a FIN, the server responds with an ACK, the server then sends its own FIN, and the client responds with an ACK. These four waves complete the disconnection.
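
The handshake check described above can be automated over saved tcpdump text output. The following is an added example, not code from the original post: it parses the Flags, seq and ack fields and reports which connections completed the three-way handshake and which stayed half-open. The function names are hypothetical, and because the captures above omit the peer address, the sample uses the constructed placeholder 192.0.2.10.8088.

```python
import re

# Default tcpdump text output for TCP over IPv4, as shown in the captures above.
LINE_RE = re.compile(
    r"^(?P<time>[\d:.]+) IP (?P<src>\S+) > (?P<dst>\S+?): "
    r"Flags \[(?P<flags>[SPFRUWE.]+)\]"
    r"(?:, seq (?P<seq>\d+)(?::\d+)?)?(?:, ack (?P<ack>\d+))?"
    r".*length (?P<length>\d+)"
)
FLAG_NAMES = {"S": "SYN", "P": "PSH", "F": "FIN", "R": "RST", ".": "ACK"}

def parse_line(line):
    """Parse one tcpdump line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    pkt = m.groupdict()
    pkt["flags"] = {FLAG_NAMES.get(c, c) for c in pkt["flags"]}
    for key in ("seq", "ack", "length"):
        pkt[key] = int(pkt[key]) if pkt[key] is not None else None
    return pkt

def handshake_state(lines):
    """Map each (client, server) pair to 'established' or 'half-open'."""
    syn_seq, synack_ok, state = {}, set(), {}
    for pkt in filter(None, map(parse_line, lines)):
        conn, reverse, flags = (pkt["src"], pkt["dst"]), (pkt["dst"], pkt["src"]), pkt["flags"]
        if flags == {"SYN"}:  # step 1: client SYN carries the initial seq
            syn_seq[conn] = pkt["seq"]
            state[conn] = "half-open"
        elif flags == {"SYN", "ACK"}:  # step 2: server must ack client seq + 1
            if reverse in syn_seq and pkt["ack"] == syn_seq[reverse] + 1:
                synack_ok.add(reverse)
        elif flags == {"ACK"} and conn in synack_ok:  # step 3: client ACK
            state[conn] = "established"
    return state

# Constructed sample: 192.0.2.10.8088 and both client ports are placeholders.
SAMPLE = """\
20:28:44.659214 IP ubuntu.53310 > 192.0.2.10.8088: Flags [S], seq 3892635409, win 64240, length 0
20:28:44.686879 IP 192.0.2.10.8088 > ubuntu.53310: Flags [S.], seq 1283407174, ack 3892635410, win 64240, length 0
20:28:44.686916 IP ubuntu.53310 > 192.0.2.10.8088: Flags [.], ack 1, win 64240, length 0
20:29:09.856194 IP ubuntu.53310 > 192.0.2.10.8088: Flags [P.], seq 1:7, ack 1, win 64240, length 6
20:29:12.000100 IP ubuntu.53999 > 192.0.2.10.8088: Flags [S], seq 1000, win 64240, length 0
""".splitlines()

if __name__ == "__main__":
    for conn, status in handshake_state(SAMPLE).items():
        print(conn, status)
```

A SYN that never reaches "established" means the server did not answer or the client never sent the final ACK, which is the first thing to check when a connection fails to open.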


  • The three-way handshake, four waves and data push are not analyzed in detail here. They look much the same as in Wireshark; please refer to the detailed analysis in another article.
  • Wireshark packet capture analysis: TCP


  • If you find it inconvenient to analyze the data on Linux, you can save the captured packets to a file:
tcpdump -w tcpdata.pcap host 
  • Then transfer the tcpdata.pcap file to a Windows system, where you can open it directly with Wireshark for analysis.


Posted by Flinch on Mon, 02 May 2022 22:13:12 +0300