Once tcpdump has been installed, we can start using it by simply running the tcpdump command. Capturing packets requires root privileges or the CAP_NET_RAW capability, so on most systems this means running it with sudo:
- When we run tcpdump with no arguments, it starts capturing packets on a default interface (normally the first configured non-loopback interface; tcpdump reports which one it chose on stderr). To capture on every interface at once, we use -i any.
- If we want to capture packets only on a specific interface, we name it with the -i option, as shown in the following screenshot:
- The preceding command captures every packet seen on the given interface until it is stopped manually (Ctrl+C). If we wish to stop after a specific number of packets, we can do so by using the -c option, as follows:
- To display each captured packet's contents in ASCII (useful for reading clear-text protocols such as HTTP), we can use the -A option:
- To list the interfaces on which tcpdump can capture, we use the -D option:
- If we use the -XX option while capturing, tcpdump prints each packet in hex and ASCII, including the link-level (Ethernet) header; -X prints the same dump without that header, as follows:
- We can save the captured packets to a file in pcap format by using the -w option while executing tcpdump. While writing to a file, tcpdump does not print the packets to the terminal:
In the preceding command, we saved the captured data to the capture.pcap file.
- When we want to read and analyze a saved capture file, we run tcpdump with the -r option, as follows. Adding -n suppresses name resolution of every address and port, which otherwise slows reading and generates extra DNS traffic:
- By default, tcpdump captures packets on all ports. If we want to capture packets for a specific port only, for example port 80, we append the filter expression port 80, which matches the source or the destination port, as follows:
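As an added, illustrative example (not part of the original text or of tcpdump itself), the following Python script reproduces, offline and without root privileges, what the -w, -r, port 80 and -XX steps above do to the bytes: it writes a pcap file in the same layout tcpdump -w produces, reads it back the way tcpdump -r does, applies the equivalent of the port 80 filter, and renders a -XX style hex/ASCII dump. The Ethernet/IPv4/TCP/UDP frames, addresses and payloads are constructed inline as placeholders, the output path is a temporary file, and the nanosecond-resolution pcap variant and pcapng are deliberately not handled.

```python
"""Added example: write, read, filter and hex-dump a tiny .pcap file.
Everything below is constructed inline; nothing is captured from a real interface."""
import os
import struct
import tempfile

PCAP_MAGIC = 0xA1B2C3D4   # microsecond-resolution pcap magic, written in native byte order
LINKTYPE_ETHERNET = 1     # DLT_EN10MB, what tcpdump records for an Ethernet capture


def ip_checksum(header: bytes) -> int:
    """RFC 1071 ones-complement sum over the IPv4 header (checksum field zeroed)."""
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_frame(src_ip, dst_ip, proto, sport, dport, payload: bytes) -> bytes:
    """Ethernet II + IPv4 + (TCP if proto == 6, else UDP) + payload. MACs are placeholders."""
    eth = bytes.fromhex("00112233445566778899aabb") + b"\x08\x00"   # dst MAC, src MAC, EtherType IPv4
    if proto == 6:   # minimal 20-byte TCP header, data offset 5, flags PSH|ACK, checksum left 0
        l4 = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 65535, 0, 0) + payload
    else:            # 8-byte UDP header; the UDP checksum is optional over IPv4, so left 0
        l4 = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0x1234, 0x4000, 64, proto, 0,
                     bytes(map(int, src_ip.split("."))), bytes(map(int, dst_ip.split("."))))
    ip = ip[:10] + struct.pack("!H", ip_checksum(ip)) + ip[12:]   # patch in the header checksum
    return eth + ip + l4


def write_pcap(path, frames, ts=1_700_000_000):
    """Same layout tcpdump -w produces: 24-byte global header, then a 16-byte record header per packet."""
    with open(path, "wb") as f:
        # magic, version 2.4, timezone offset, sigfigs, snaplen, link type
        f.write(struct.pack("=IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET))
        for i, frame in enumerate(frames):
            # ts_sec, ts_usec, incl_len (bytes saved), orig_len (bytes on the wire)
            f.write(struct.pack("=IIII", ts + i, 0, len(frame), len(frame)) + frame)


def read_pcap(path):
    """What tcpdump -r parses. Returns (linktype, [(ts_sec, ts_usec, frame), ...])."""
    with open(path, "rb") as f:
        data = f.read()
    for endian in ("<", ">"):   # the magic tells us the writer's byte order
        if struct.unpack(endian + "I", data[:4])[0] == PCAP_MAGIC:
            break
    else:
        raise ValueError("not a microsecond pcap file (unrecognized magic)")
    linktype = struct.unpack(endian + "IHHiIII", data[:24])[6]
    records, off = [], 24
    while off + 16 <= len(data):
        ts_sec, ts_usec, incl_len, _orig_len = struct.unpack(endian + "IIII", data[off:off + 16])
        off += 16
        records.append((ts_sec, ts_usec, data[off:off + incl_len]))
        off += incl_len
    return linktype, records


def decode(frame):
    """Fields behind tcpdump's one-line summary; Ethernet/IPv4 with TCP or UDP only."""
    if struct.unpack("!H", frame[12:14])[0] != 0x0800:
        return None
    ihl = (frame[14] & 0x0F) * 4
    sport, dport = struct.unpack("!HH", frame[14 + ihl:18 + ihl])
    return {"proto": frame[23], "src": ".".join(map(str, frame[26:30])),
            "dst": ".".join(map(str, frame[30:34])), "sport": sport, "dport": dport}


def matches_port(frame, port):
    """Equivalent of the BPF primitive 'port N': N is the source OR the destination port."""
    d = decode(frame)
    return d is not None and port in (d["sport"], d["dport"])


def hexdump(frame, link_header=True):
    """tcpdump -XX style lines (offset, 16 bytes as hex pairs, ASCII); -X drops the 14-byte Ethernet header."""
    data = frame if link_header else frame[14:]
    lines = []
    for off in range(0, len(data), 16):
        chunk = data[off:off + 16]
        hexpart = " ".join(chunk[i:i + 2].hex() for i in range(0, len(chunk), 2))
        lines.append(f"0x{off:04x}:  {hexpart:<40} " + "".join(chr(b) if 32 <= b < 127 else "." for b in chunk))
    return lines


def demo(path=None):
    """Write three constructed frames, read them back, apply 'port 80'. Returns (linktype, total, matched)."""
    path = path or os.path.join(tempfile.mkdtemp(), "capture.pcap")
    frames = [
        build_frame("10.0.0.5", "93.184.216.34", 6, 51234, 80, b"GET / HTTP/1.1\r\nHost: example.com\r\n\r\n"),
        build_frame("10.0.0.5", "10.0.0.1", 17, 53001, 53, b"\x12\x34\x01\x00\x00\x01" + b"\x00" * 6),
        build_frame("93.184.216.34", "10.0.0.5", 6, 80, 51234, b"HTTP/1.1 200 OK\r\n\r\n"),
    ]
    write_pcap(path, frames)
    linktype, records = read_pcap(path)
    http = [f for _, _, f in records if matches_port(f, 80)]
    return linktype, len(records), len(http)


if __name__ == "__main__":
    linktype, total, matched = demo()
    print(f"linktype={linktype} records={total} 'port 80' matches={matched}")
```

The file this writes opens in tcpdump (tcpdump -r capture.pcap) or Wireshark as a normal Ethernet capture, and running tcpdump -r capture.pcap port 80 on it shows the same two-of-three match because the filter tests both port fields. The -XX dump shows the 14 Ethernet bytes first, which is why its offsets differ from -X by 0x0e.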