KB: 1069

---

How to capture packet and trace them through tcp dump utility?

The tcpdump utility is a powerful command-line tool for capturing and analyzing network traffic. It allows you to capture packets that pass through a network interface and provides detailed information about the network activity

Below is the example of command to run the tcp dump utility-

Command: -

tcpdump -i <interface> port <port> -w <filename>.pcap

For example:

tcpdump -i any port 443 host 10.0.0.1 -w dump.pcap`

Note

Before running this command, make sure the user has root access.

Below are the arguments that can be used based on the requirement-

Arguments: -

1. -i <interface>: Specifies the network interface to listen on.

2. host <hostname>: Captures packets to or from a specific IP.

3. port <port>: Captures packets to or from a specific port.

4. -w <file>: Writes the captured packets to a file instead of displaying them on the screen.

5. -A: Displays the packet contents in ASCII, which is useful for inspecting HTTP requests or other text-based protocols

6. -X: Displays the packet contents in both hex and ASCII.

7. -c: Specify the number of packets to capture before stopping

8. -r <filename>: Read and analyze packets from a previously saved capture file

9. src host <host>: Capture packets originating from a specific host

10. dst host <host>: Capture packets that are destined for a specific host

To analyze the decrypted content, you can use a tool like Wireshark. To decrypt encrypted traffic captured in a dump file using Wireshark, you need specific keys or passwords depending on the encryption protocol used (e.g., SSL/TLS). Below are the reference documents decrypting SSL/TLS traffic in Wireshark.

Reference 1: How to decrypt SSL/TLS traffic using Wireshark and private keys?

Reference 2: How to decrypt SSL/TLS using Wireshark and SSLKEYLOGFILE environment variable on Firefox or Google Chrome using Wireshark?