The Geek Diary
tcpdump: command not found

by admin

The tcpdump utility allows you to capture packets that flow within your network to assist in network troubleshooting. The following are several examples of using tcpdump with different options. Traffic is captured based on a specified filter. A variety of options exist, including:

Option           Description
-D               Print a list of network interfaces.
-i               Specify an interface on which to capture.
-c               Specify the number of packets to receive.
-v, -vv, -vvv    Increase the level of detail (verbosity).
-w               Write captured data to a file.
-r               Read captured data from a file.

Installing tcpdump utility

On most Unix/Linux systems the tcpdump package is not installed by default. To install the latest version, use the appropriate package manager for your system. For example, on CentOS/RHEL servers:

# yum install tcpdump

If you encounter the below error while running the tcpdump command:

tcpdump: command not found

you may try installing the package with the command for your distribution:

Distribution    Command
OS X            brew install tcpdump
Debian          apt-get install tcpdump
Ubuntu          apt-get install tcpdump
Alpine          apk add tcpdump
Arch Linux      pacman -S tcpdump
Kali Linux      apt-get install tcpdump
CentOS          yum install tcpdump
Fedora          dnf install tcpdump
Raspbian        apt-get install tcpdump

Examples of using tcpdump for network troubleshooting

1. Display list of network interfaces

To print a list of network interfaces available on which tcpdump can capture packets:

# tcpdump -D
1.eth0
2.nflog (Linux netfilter log (NFLOG) interface)
3.nfqueue (Linux netfilter queue (NFQUEUE) interface)
4.any (Pseudo-device that captures on all interfaces)
5.lo [Loopback]

2. Capturing on a specific interface

As seen from the 'tcpdump -D' output, a number and an interface name are printed for each network interface. Either the interface name or its number can be supplied to the -i flag to specify the interface on which to capture. For example, to capture packets on the interface eth0 (number 1 in the list above):

# tcpdump -i 1
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
01:26:51.118038 IP ec2-54-159-106-120.compute-1.amazonaws.com.48021 > geeklab.31297: Flags [S], seq 3960153353, win 26883, options [mss 1460,sackOK,TS val 2229362922 ecr 0,nop,wscale 7], length 0
01:26:51.118072 IP geeklab.31297 > ec2-54-159-106-120.compute-1.amazonaws.com.48021: Flags [S.], seq 547340507, ack 3960153354, win 26847, options [mss 8961,sackOK,TS val 5714985 ecr 2229362922,nop,wscale 7], length 0

In this example, the output is continuous until terminated by pressing Ctrl + C.

3. Capture a specific number of packets only

To exit tcpdump after receiving a specific number of packets, use the -c (count) option followed by the number of packets to receive. The following example captures two packets:

# tcpdump -i 1 -c 2
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
01:37:08.956549 IP 182.100.67.76.38819 > geeklab.ssh: Flags [P.], seq 542149092:542149176, ack 774431931, win 271, options [nop,nop,TS val 2649351 ecr 6332468], length 84
01:37:08.956575 IP geeklab.ssh > 182.100.67.76.38819: Flags [.], ack 84, win 230, options [nop,nop,TS val 6332824 ecr 2649351], length 0
2 packets captured
6 packets received by filter
0 packets dropped by kernel

As shown in this example, when tcpdump finishes capturing packets, it reports the following:

  • packets captured: The number of packets that tcpdump has received and processed.
  • packets received by filter: A capture filter can be specified on the command line; only packets that match the defined filter are processed by tcpdump and counted.
  • packets dropped by kernel: The number of packets that were dropped due to a lack of buffer space. A non-zero value means the capture has gaps; use the -B option to set a larger buffer size.
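The packet lines from section 2 and the summary counters from section 3 are easy to post-process once captured. The following is an added example (not part of the original article) that parses tcpdump's default one-line-per-packet output and its trailer, counts bare SYNs per source host, and flags a capture whose "dropped by kernel" counter is non-zero; the sample input is constructed from the article's own output lines.

```python
import re
from collections import Counter

# Constructed sample from the article's output (wrapped lines joined, counters adjusted).
SAMPLE = """\
listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
01:26:51.118038 IP ec2-54-159-106-120.compute-1.amazonaws.com.48021 > geeklab.31297: Flags [S], seq 3960153353, win 26883, options [mss 1460,sackOK,TS val 2229362922 ecr 0,nop,wscale 7], length 0
01:26:51.118072 IP geeklab.31297 > ec2-54-159-106-120.compute-1.amazonaws.com.48021: Flags [S.], seq 547340507, ack 3960153354, win 26847, options [mss 8961,sackOK,TS val 5714985 ecr 2229362922,nop,wscale 7], length 0
01:37:08.956549 IP 182.100.67.76.38819 > geeklab.ssh: Flags [P.], seq 542149092:542149176, ack 774431931, win 271, options [nop,nop,TS val 2649351 ecr 6332468], length 84
01:37:08.956575 IP geeklab.ssh > 182.100.67.76.38819: Flags [.], ack 84, win 230, options [nop,nop,TS val 6332824 ecr 2649351], length 0
4 packets captured
6 packets received by filter
0 packets dropped by kernel
"""

# One TCP packet per line: "<time> IP <host>.<port> > <host>.<port>: Flags [..], ..., length N"
PACKET_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) IP6? (?P<src>\S+)\.(?P<sport>\w+) > "
    r"(?P<dst>\S+)\.(?P<dport>\w+): Flags \[(?P<flags>[^\]]*)\].*length (?P<len>\d+)$")
SUMMARY_RE = re.compile(
    r"^(?P<n>\d+) packets (?P<what>captured|received by filter|dropped by kernel)$")

def parse_tcpdump(text):
    """Split tcpdump's default output into parsed packet dicts and the summary counters."""
    packets, summary = [], {}
    for line in text.splitlines():
        m = PACKET_RE.match(line)
        if m:
            pkt = m.groupdict()
            pkt["len"] = int(pkt["len"])
            packets.append(pkt)
            continue
        m = SUMMARY_RE.match(line)
        if m:  # banner lines such as "listening on eth0 ..." match neither and are skipped
            summary[m.group("what")] = int(m.group("n"))
    return packets, summary

def syn_sources(packets):
    """Count bare SYNs (Flags [S]) per source host: new inbound connection attempts."""
    return Counter(p["src"] for p in packets if p["flags"] == "S")

def capture_is_complete(summary):
    """A non-zero 'dropped by kernel' count means the trace has gaps (raise -B)."""
    return summary.get("dropped by kernel", 0) == 0

if __name__ == "__main__":
    pkts, summ = parse_tcpdump(SAMPLE)
    print("SYN per source:", dict(syn_sources(pkts)))
    print("complete capture:", capture_is_complete(summ), summ)
```

Feed it real output with `tcpdump -i 1 -c 200 | python3 parse_tcpdump.py`-style piping (read stdin instead of SAMPLE), or run it over a text dump produced by reading a -w file back with -r.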

4. Increase the details (verbosity) of the output

To increase the detail (verbosity) of the output, use the -v option, or -vv for even more verbose output, or -vvv for the most verbose level of output:

# tcpdump -i 1 -v
# tcpdump -i 1 -vv
# tcpdump -i 1 -vvv

5. Capture the data to a file

Using the tcpdump utility with the -w option allows you to write captured data to a file. This allows the captured data to be read by other network analysis tools, such as Wireshark. The following example captures data to a file named capture.out:

# tcpdump -i 1 -v -c 2 -w capture.out

6. Reading captured data

You can also read previously captured data back from a file by using the -r option:

# tcpdump -r capture_file

© 2023 · The Geek Diary